LayerSync – Conversion Tracking, Pixel Manager, and Server-Side API

Isbeddellada

1.24.0

• Admin information architecture rewrite. The single tabbed page is replaced by 11 native WordPress submenus under the LayerSync sidebar entry — Overview, Setup, Platforms, Events & Quality, Campaign Truth, Recovery & Revenue, Audiences & Identity, Leads & Forms, Scripts & Integrations, Diagnostics & Logs, and Settings. Every existing ?tab= URL 301-redirects to its new location with a one-shot “We moved this page” notice; bookmarks keep working.
• Action Scheduler queue dispatch with dead-letter status, manual replay controls, configurable retention (default 30 days), and full audit log of every queue state transition. Replaces the prior WP-Cron loop without changing the deterministic event_id formula or browser/server pairing guarantees.
• Microsoft Advertising (Bing UET) support — UET browser events for view_item / add_to_cart / begin_checkout / purchase / lead / sign_up, msclkid capture, SHA-256 enhanced-conversions field hashing, consent-gated dispatch.
• Google Analytics 4 Data API reconciliation. Compares WooCommerce orders, LayerSync queue rows, and GA4 purchases and classifies each into match / missing in GA4 / duplicate in GA4 / value mismatch buckets, configurable lag window default 48h.
• WP Consent API bridge with auto-detection for 7 popular CMPs (Complianz, Cookiebot, CookieYes, Borlabs, iubenda, OneTrust, Moove). Resolved Consent Mode v2 state rides every event and gates server-side dispatch + PII stripping.
• Form-submission lead tracking added for Gravity Forms, Fluent Forms, and Elementor Forms (in addition to the existing CF7 / WPForms / Ninja / Formidable support).
• Identity Quality scoring with per-platform weighted identifier tables for 10 ad platforms.
• Bot detection scoring with 7 reason codes (datacenter IP, Apple Private Relay, bad user-agent, velocity spike, no-JS, impossible journey, repeated event_id), merchant safe-list, and reporting that excludes bot traffic from ad-platform dispatch.
• Historical backfill worker with 30 / 90 / 180 / 365-day windows, dry-run mode, and Action Scheduler-batched processing.
• Safe External Scripts manager — page targeting (all / product / category / cart / checkout / thank-you / custom), consent targeting, trigger rules, and 7 hard-blocked dangerous patterns (eval, new Function, document.write, innerHTML=, document.cookie, LayerSync REST URLs, layersync_ identifiers).
• Signal Doctor — per-event weak-match diagnosis with actionable fix copy per ad platform.
• Platform Overclaim Shield — multi-platform claim-conflict detection on the same order with evidence-based confidence scoring.
• Consent-Recovery Graph — every conversion classified into 7 buckets (browser/server matched, server-only recovered, consent limited, bot excluded, failed then retried, missing identity, platform rejected).
• Accessibility — WAI-ARIA tablist on every sub-tab nav, skip-to-main-content link, breadcrumbs with aria-current="page", status badges wrapped in role="status", and visible :focus-visible outlines across every interactive element.
• No schema migrations introduced. 33 new PHPUnit tests added; full suite 719 tests / 0 failures.

1.22.1

• Fixed popup tracking events (popup_impression, popup_visible, popup_cta_click, etc.) returning HTTP 403 for logged-in users. Root cause: WordPress’s REST API processes requests without X-WP-Nonce as user ID 0, but the nonce was being created with the logged-in user’s ID — causing wp_verify_nonce to fail on the server. The public event proxy nonce is now always created with user ID 0 context, matching the REST verification context for all visitor types.

1.22.0

• Added lightweight browser-side bot probe to every browser event payload. Collects passive signals (webdriver flag, pointer/scroll/keyboard interaction, screen size, timezone, page-time) using one-shot passive event listeners — no fingerprinting, no impact on page load. The probe is stripped from all outbound platform payloads and used only by the LayerSync server-side bot classifier to more accurately distinguish real visitors from automated traffic.

1.21.0

• Improved GA4 ecommerce tracking accuracy across WooCommerce stores.
• Added global initial page_view coverage before contextual ecommerce events.
• Fixed home page tracking to avoid invalid GA4 view_item events.
• Improved purchase payloads so value excludes tax and shipping while sending tax, shipping, currency, transaction_id, and items separately.
• Added valid view_item_list item payloads for shop and category pages.
• Added remove_from_cart tracking improvements for classic WooCommerce and BeTheme cart flows.
• Added duplicate guards for add_payment_info and add_shipping_info.
• Added item_category coverage across key ecommerce events.
• Added refund item enrichment.
• Added form_start, form_submit, and generate_lead tracking with AJAX form support for supported form plugins.
• Improved select_item payloads with item_category, item_list_id, item_list_name, and index.
• Added X (Twitter) browser pixel and Conversion API support: UWT pixel with Conversion Event ID resolution, server-side CAPI delivery for purchase, add_to_cart, and begin_checkout, consent-aware identity (twclid / hashed email / hashed phone), and referrer-based attribution for t.co / twitter.com / x.com traffic.
• Fixed X pixel events not firing after initial page load due to an incorrect event-forwarding reference in the deduplication wrapper.
• Fixed X page_view custom conversion not registering in X Events Manager — the pixel auto-fires PageView from twq(‘config’), so an explicit conversion event for page_view caused X deduplication to suppress the custom conversion.
• Fixed Snapchat uuid_c1 (_scid first-party cookie) not reaching the Snap pixel on anonymous visits or when ad_user_data consent was denied separately from ad_storage. The cookie ID is now forwarded independently, gated only on ad_storage.

1.20.3

• Fixed popups targeting the Home page or Blog never showing: the popup runtime now normalizes the pixel’s page-type names (home, post, archive) to the popup builder’s vocabulary (homepage, blog).

1.20.2

• Security hardening and release-readiness improvements.
• Added uninstall cleanup for LayerSync plugin data and scheduled hooks.
• Improved consent-safe runtime behavior.
• Improved queue retry reliability and UTC-safe scheduling.
• Improved catalog sync completion handling.
• Improved WordPress.org readiness checks.

1.20.1

• GA4 campaign attribution: the plugin now forwards first-party campaign context to GA4 — source / medium / campaign plus first-touch, last-touch and last-paid-touch, returning-visitor and touch-count signals — as ls_* parameters and GA4’s native campaign fields. Google Ads auto-tagging is respected (native fields are suppressed when a Google click ID is present).
• Original landing URL lock: the true first landing URL is captured at the earliest point in the page, before redirects or SPA navigation can overwrite it, so first-touch attribution stays accurate.
• Privacy hardening: landing URLs and referrers are sanitized to strip PII and WooCommerce order keys / checkout tokens before they reach GA4 or LayerSync, while UTMs and ad click IDs are preserved.
• Test traffic is flagged (ls_test) so internal/QA visits can be excluded from reporting.
• Meta Pixel payloads now omit non-product content_type values for homepage ViewContent and click-to-contact events, avoiding Meta’s invalid parameter warning while preserving content_name.

1.20.0

• GA4 Direct Browser Mode: choose how GA4 events reach Google — Direct (LayerSync fires gtag itself, no GTM needed), GTM / dataLayer only, or Measurement Protocol only. Set per site on the Platforms page. Existing installs default to Direct, preserving current behavior.
• Controlled page_view: in Direct mode the plugin emits gtag('config', …, { send_page_view:false }) and fires a single page_view with full params (page_location, page_referrer, page_title, page_path, page_type, content_group, language, engagement_time_msec), plus SPA support for history-based navigation.
• Full GA4 funnel coverage from the browser: select_item, view_cart, remove_from_cart, add_shipping_info, add_payment_info, view_promotion, select_promotion, login, and sign_up now fire alongside the existing commerce events.
• GA4 session capture: reads the _ga_<MID> session cookie (both the legacy GS1 and current GS2 formats) on the browser AND server side, so events attach to the correct GA4 session. A short best-effort wait on high-value events (purchase, sign_up, login, lead) improves session attribution without delaying normal page traffic.
• Consent Mode: per-site Strict (denied-by-default until the CMP grants) or Standard (defers to your existing consent setup). Enhanced Conversions / GA4 user-provided data are now explicit, off-by-default opt-ins and only attach to conversion events.
• GA4 User-ID is restricted to signed-in WordPress users only.
• New diagnostics in the Live Events drawer: missing/invalid client_id, missing/invalid session_id, missing transaction_id on purchase, missing currency when value is set, items missing id and name, browser+GTM duplicate-source risk, and consent-denied.
• Google Ads, LinkedIn, and X delivery paths are code-validated locally with unit tests but still require live staging credential validation before public enablement.

1.19.0

• New popup builder runtime: targets your existing LayerSync audiences, renders inside Shadow DOM so the merchant’s theme can’t break it, evaluates audience + trigger + frequency + consent locally per visit. Supports modal, slide-corner, and bar layouts with per-device (desktop / tablet / mobile) position overrides.
• Live cart-items block: pulls the visitor’s current WooCommerce cart via the Store API and renders the actual products (image, name, qty, line price, subtotal) inside the popup. Empty carts auto-suppress the popup so you never reminder a customer who already checked out.
• WhatsApp CTA: when a popup CTA is set to the WhatsApp action, the runtime opens wa.me/<number> with a pre-composed message built from the popup heading + the visitor’s live cart contents, so they arrive on WhatsApp with a ready-to-send order summary.
• Popup tracking: every popup interaction (impression, visible, CTA click, submit, close reason, conversion) fires through the existing WP-proxy endpoint into LayerSync events — same pipeline as commerce events, so popups show up in Live Events, ROI Insights, and audience targeting with no extra setup.

1.18.2

• One-time backfill: marks every order whose server purchase event was already delivered as “pixel-rendered” so 1.18.1’s once-per-order guard takes effect immediately on legacy orders. Without this, each pre-1.18.1 order would cost one stray browser purchase fire on its first thank-you-page revisit before the guard kicked in. Runs asynchronously via WP-Cron in batches of 200 so admin page loads stay snappy on stores with thousands of orders.

1.18.1

• Fixed duplicate purchase events fired by the browser pixel on order-received page revisits. The thank-you page URL is permanent — customers bookmark it, merchants revisit to test, and WC’s payment redirect can reload it — so without a guard, every revisit re-fired the same purchase event_id, inflating dashboard funnel and revenue numbers. The pixel now sets a _layersync_purchase_pixel_rendered order meta on first render and silently skips on subsequent visits, mirroring the existing server-side _layersync_purchase_sent guard.

1.18.0

• Homepage now fires a view_content event in addition to page_view, so Meta and TikTok have an explicit top-of-funnel signal for cold-start audience optimization.
• Click-to-contact CTAs are auto-tracked: clicks on tel:, sms:, mailto:, WhatsApp (wa.me, api.whatsapp.com), and Messenger links fire a contact event mapped to Meta Contact and TikTok Contact. Captures intent signals from off-site CTAs without any merchant setup.
• Pixel firePixelEvent now passes content_name through to Meta and TikTok for non-product events so Pixel Helper and attribution dashboards label them meaningfully; Meta content_type is reserved for product/product_group payloads.

1.17.0

• Renamed plugin to better describe what it does: “LayerSync for WooCommerce – Conversion Tracking, Server-Side API, Pixel Manager, GA4”.
• Hardened the public events endpoint: same-origin nonce check, per-IP rate limit, body-size cap, and a block on purchase / refund events (those flow only through the WooCommerce server hook now).
• Refactored every inline <script> to ship through wp_add_inline_script against registered handles, in line with the WordPress Plugin Directory’s enqueue-API guideline.
• Replaced closure-based register_setting() sanitize callbacks with named static methods so static-analysis tools can resolve them.
• Scoped the “Not connected” admin notice to the Dashboard, Plugins list, and WooCommerce Settings only — no more banner on every admin page.
• CSV queue export now neutralizes leading =, +, -, @ characters to prevent spreadsheet formula injection when an admin opens the file.
• Declared Requires Plugins: woocommerce; bumped Requires at least to 6.5.

1.16.0

Initial public release.

• Browser pixel injection for 9 ad platforms: Meta (Facebook & Instagram), Google Tag (GA4), Google Ads, TikTok, Snapchat, Pinterest, Reddit, X (Twitter), and LinkedIn.
• Server-side Conversions API forwarding via the LayerSync hub — one connection, every platform.
• Same-origin REST proxy keeps event delivery working through ad-blockers and corporate firewalls.
• Browser-side resilience: events queue locally during outages and drain automatically when connectivity returns.
• Lead-form tracking for Contact Form 7, WPForms, Ninja Forms, and Formidable.
• Privacy-first: per-event consent capture, CMP integration via window.LayerSync.setConsent({...}), IP anonymization, and SHA-256 PII hashing before any platform handoff.
• Catalog sync to LayerSync for one product feed URL consumed by every connected platform.