Title: DataFirefly Server-Side
Author: datafirefly
Published: <strong>July 13, 2026</strong>
Last modified: July 13, 2026

---

Search plugins

![](https://ps.w.org/datafirefly-server-side/assets/banner-772x250.png?rev=3606656)

![](https://ps.w.org/datafirefly-server-side/assets/icon-256x256.png?rev=3606656)

# DataFirefly Server-Side

 By [datafirefly](https://profiles.wordpress.org/datafirefly/)

[Download](https://downloads.wordpress.org/plugin/datafirefly-server-side.2.2.2.zip)

 * [Details](https://wordpress.org/plugins/datafirefly-server-side/#description)
 * [Reviews](https://wordpress.org/plugins/datafirefly-server-side/#reviews)
 *  [Installation](https://wordpress.org/plugins/datafirefly-server-side/#installation)
 * [Development](https://wordpress.org/plugins/datafirefly-server-side/#developers)

 [Support](https://wordpress.org/support/plugin/datafirefly-server-side/)

## Description

DataFirefly Server-Side delivers complete, reliable WooCommerce conversion tracking
with a single connection key:

 * **Full funnel** — page view, product view, add to cart, initiate checkout, add
   payment info, purchase.
 * **Dual delivery, deduplicated** — every event fires a light client pixel (Meta/
   GA4 / TikTok) **and** a signed server-side event sharing the same event id, so
   ad blockers never cost you a conversion and nothing is ever counted twice.
 * **Per-destination control** — enable or disable the Meta, GA4 and TikTok client
   tags individually. A disabled destination’s third-party script (and its cookies)
   is never loaded in your visitors’ browsers.
 * **Consent-first (GDPR)** — with “Require consent” on (the default), nothing fires
   and nothing is sent — client-side or server-side — until the visitor explicitly
   grants marketing consent (DataFirefly Cookie Consent, WP Consent API, Complianz,
   Cookiebot, IAB TCF v2). This includes the server-side purchase event: the consent
   decision is captured at checkout and enforced even when the purchase confirmation
   arrives later from a payment gateway.
 * **Reliable** — failed sends are queued and retried with exponential backoff; 
   an Activity panel shows delivery status live.
 * **Secure by design** — no destination credential ever reaches the browser; the
   HMAC secret never leaves the server; the public beacon endpoint is rate-limited,
   size-capped and strictly sanitized; purchase events are server-authoritative 
   and cannot be spoofed.

This plugin is the WooCommerce connector for the DataFirefly server-side tracking
service. It requires a DataFirefly account (https://datafirefly.com), and no data
is ever transmitted anywhere until the shop administrator explicitly connects the
plugin with their account’s connection key. See the “External services” section 
below for full details of what is sent, when, and to whom.

### External services

This plugin relies on the following external services. No data is sent to any of
them until the shop administrator explicitly connects the plugin to a DataFirefly
account, and — when the “Require consent” setting is enabled (the default) — no 
visitor data is sent unless that visitor has explicitly granted marketing consent.

**1. DataFirefly server-side tracking dispatcher (the service this plugin connects
to)**

 * What it is and what it is used for: DataFirefly is the tracking service this 
   plugin is a connector for. The dispatcher (https://serverside.datafirefly.com)
   receives your shop’s e-commerce events, signs them and forwards them server-side
   to the advertising/analytics destinations configured in your DataFirefly account(
   Meta Conversions API, Google Analytics 4 Measurement Protocol, TikTok Events 
   API).
 * What data is sent and when: after the administrator connects the plugin, e-commerce
   events are sent to the dispatcher — funnel events (page view, product view, add
   to cart, checkout) carrying pseudonymous browser identifiers (cookie ids such
   as _fbp, _ga, click ids), page URL, IP address and user agent; and the purchase
   event carrying order data (order id, amount, currency, products) and the customer’s
   billing details (email, phone, name, city, postcode, country). When “Require 
   consent” is enabled, none of this is sent for a visitor who has not granted marketing
   consent.
 * Service provider: DataFirefly Limited — [Terms and Conditions](https://www.datafirefly.com/en/terms-and-conditions/)—
   [Privacy Policy](https://www.datafirefly.com/en/privacy-policy-2/)

**2. Meta (Facebook) Pixel**

 * What it is and what it is used for: when the Meta destination is configured in
   your DataFirefly account and enabled in the plugin settings, the plugin loads
   the Meta Pixel script in the visitor’s browser to record client-side ad events(
   deduplicated with the server-side events).
 * What data is sent and when: the script is loaded from https://connect.facebook.
   net and, once loaded, Meta receives the standard pixel data (page URL, browser
   information, event data, Meta cookies) — only after marketing consent is granted
   when “Require consent” is enabled, and never if the destination is disabled.
 * Service provider: Meta Platforms — [Terms of Service](https://www.facebook.com/legal/terms)—
   [Privacy Policy](https://www.facebook.com/privacy/policy)

**3. Google Analytics 4 (gtag.js)**

 * What it is and what it is used for: when the GA4 destination is configured and
   enabled, the plugin loads Google’s gtag.js script in the visitor’s browser to
   record client-side analytics events (deduplicated with the server-side events).
 * What data is sent and when: the script is loaded from https://www.googletagmanager.
   com and, once loaded, Google receives the standard GA4 data (page URL, browser
   information, event data, Google cookies) — only after marketing consent is granted
   when “Require consent” is enabled, and never if the destination is disabled.
 * Service provider: Google — [Terms of Service](https://policies.google.com/terms)—
   [Privacy Policy](https://policies.google.com/privacy)

**4. TikTok Pixel**

 * What it is and what it is used for: when the TikTok destination is configured
   and enabled, the plugin loads the TikTok Pixel script in the visitor’s browser
   to record client-side ad events (deduplicated with the server-side events).
 * What data is sent and when: the script is loaded from https://analytics.tiktok.
   com and, once loaded, TikTok receives the standard pixel data (page URL, browser
   information, event data, TikTok cookies) — only after marketing consent is granted
   when “Require consent” is enabled, and never if the destination is disabled.
 * Service provider: TikTok — [Terms of Service](https://www.tiktok.com/legal/terms-of-service)—
   [Privacy Policy](https://www.tiktok.com/legal/privacy-policy)

## Installation

 1. Upload the plugin and activate it. At this point the plugin does nothing and sends
    nothing.
 2. Go to Settings  DataFirefly Server-Side.
 3. Paste the connection key from your DataFirefly client space and click Connect. 
    That is the only step.
 4. Optional: in the same screen, untick any client destination (Meta, GA4, TikTok)
    you do not use.

## FAQ

### Does the plugin send any data before I connect it?

No. Until you paste your DataFirefly connection key and click Connect, the plugin
loads no third-party script and sends no data anywhere.

### Does the plugin load Facebook / TikTok / Google scripts on my shop?

Only for the destinations that are both configured on your DataFirefly account **
and** enabled in the “Client destinations” setting. Untick a destination and its
script will never be injected.

### Is visitor consent respected?

Yes. When “Require consent” is on (the default), no tag is injected and no event
is sent — including the server-side purchase event — until the visitor explicitly
grants marketing consent, with live re-check when the visitor accepts. The consent
decision is captured at checkout and stored on the order, so a purchase confirmed
later by a payment gateway webhook still honours it. With “Require consent” on and
no explicit grant (including when no consent banner is installed), the purchase 
event is simply not sent, and an order note tells you why.

### Which consent tools are supported?

DataFirefly Cookie Consent, the official WP Consent API, Complianz, Cookiebot, and
IAB TCF v2-compatible banners.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“DataFirefly Server-Side” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ datafirefly ](https://profiles.wordpress.org/datafirefly/)

[Translate “DataFirefly Server-Side” into your language.](https://translate.wordpress.org/projects/wp-plugins/datafirefly-server-side)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/datafirefly-server-side/),
check out the [SVN repository](https://plugins.svn.wordpress.org/datafirefly-server-side/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/datafirefly-server-side/)
by [RSS](https://plugins.trac.wordpress.org/log/datafirefly-server-side/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.2.2

 * Security: the thank-you-page tracking context now enforces the same authorization
   as WooCommerce’s own order-received template — the order key (or being logged
   in as the order’s customer) is required before any order detail (products, total,
   order number) is exposed to the page. A guessed order-received URL no longer 
   reveals anything.

#### 2.2.1

 * Privacy: the server-side purchase flow now strictly enforces end-user opt-in 
   consent when “Require consent” is enabled — the visitor’s consent decision is
   captured at checkout, stored on the order and honoured even when the purchase
   fires later from a gateway webhook; without an explicit grant, no personal or
   order data is sent.
 * Privacy: Complianz and Cookiebot consent cookies are now also read server-side
   as a defense-in-depth signal.
 * Docs: added the “External services” disclosure (DataFirefly dispatcher, Meta 
   Pixel, GA4 gtag.js, TikTok Pixel) with links to each service’s terms and privacy
   policy.
 * i18n: the text domain now matches the plugin slug (datafirefly-server-side).

#### 2.2.0

 * New: per-destination client-tag toggles (Meta, GA4, TikTok) — a disabled destination’s
   script is never loaded.
 * Fix: coding-standards and Plugin Check compliance pass (i18n translators comments,
   input sanitization, no unprefixed globals).

#### 2.1.1

 * New: merchandising events (view_item_list, select_item, view_promotion, select_promotion).

#### 2.0.1

 * Full-funnel client tracking layer with dedup-perfect server-side delivery, retry
   queue and Activity panel.

#### 1.x

 * Server-side purchase event delivery.

## Meta

 *  Version **2.2.2**
 *  Last updated **16 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.8 or higher **
 *  Tested up to **7.0.1**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [Conversion API](https://wordpress.org/plugins/tags/conversion-api/)[Facebook Pixel](https://wordpress.org/plugins/tags/facebook-pixel/)
   [ga4](https://wordpress.org/plugins/tags/ga4/)[tracking](https://wordpress.org/plugins/tags/tracking/)
   [woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
 *  [Advanced View](https://wordpress.org/plugins/datafirefly-server-side/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/datafirefly-server-side/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/datafirefly-server-side/reviews/)

## Contributors

 *   [ datafirefly ](https://profiles.wordpress.org/datafirefly/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/datafirefly-server-side/)