Title: Swirv
Author: Matt Steady
Published: <strong>June 5, 2026</strong>
Last modified: June 5, 2026

---

Search plugins

![](https://ps.w.org/swirv/assets/banner-772x250.jpg?rev=3562302)

![](https://ps.w.org/swirv/assets/icon-256x256.png?rev=3562302)

# Swirv

 By [Matt Steady](https://profiles.wordpress.org/mattsteady/)

[Download](https://downloads.wordpress.org/plugin/swirv.1.2.50.zip)

 * [Details](https://wordpress.org/plugins/swirv/#description)
 * [Reviews](https://wordpress.org/plugins/swirv/#reviews)
 *  [Installation](https://wordpress.org/plugins/swirv/#installation)
 * [Development](https://wordpress.org/plugins/swirv/#developers)

 [Support](https://wordpress.org/support/plugin/swirv/)

## Description

Share a link once, then change where it points — without resending anything.

Swirv is a personal link manager for WordPress. Every link lives on your own domain(
such as `yoursite.com/swirv/download`), and its destination is yours to change at
any time. Send a link to 200 people today, swap its target tomorrow, and all 200
land in the new place — no third-party shortener, no resending, and never that “
sorry, use this link instead” message.

#### Passes: a private link for every recipient

A **Pass** is a personalised version of a link — its own unguessable URL and a reference
label (a supporter, a customer, a newsletter). Issue everyone their own Pass and
they all inherit the parent link’s target. Change the link once and every Pass follows.
Emailed a track download to your supporters, then need to make a tweak? Edit the
target once, and every one of them now gets the fix.

#### What you can do

 * Redirect links on your own domain, e.g. `yoursite.com/swirv/download`
 * Re-point any link after it has been shared — no dead links, no resending
 * Issue personalised Passes under any link, each with its own private URL
 * Group links into Campaigns, with optional public campaign pages
 * Track clicks with daily analytics charts — privacy-first, no visitor IPs stored
 * Generate QR codes for any link or campaign
 * Run Health Scans to catch dead, redirecting, or slow target URLs
 * Import and export everything as JSON/ZIP for backups and migrations
 * Optional prefixless links (`yoursite.com/download`), with clash-checking against
   existing pages

A companion plugin, **Swirv Pro**, adds advanced Pass controls — access limits, 
expiry, self-destruct — and more, for larger libraries and tighter workflows.

#### Privacy-first by design

Swirv keeps your link and click data on your own site. It never stores visitor IP
addresses — a click records only a 2-letter country code — and Swirv URLs are served`
noindex, nofollow` with a `no-referrer` policy. Detailed click tracking is optional
and can be switched off entirely under **Swirv  Settings  Data**. Full disclosure
of the minimal, opt-in external services Swirv can use is in the **External services**
section below.

### External services

Swirv stores a 2-letter ISO country code per click, for visitor-country analytics.
It derives that code from Cloudflare’s `CF-IPCountry` request header when present,
or otherwise by looking the visitor’s IP up against a local MaxMind GeoLite2-Country
database if one has been installed. The raw IP is read only to derive the country
code and is never written to the database in any form, hashed or otherwise. With
neither source available, the country code is stored empty.

#### Requests to your target URLs

Swirv makes server-side HTTP requests to the target URLs you have added, in three
situations: (1) when you save a Link, Swirv sends a HEAD request to learn the target’s
MIME type, used to drive per-link image-target download behaviour; (2) Health scans
send HEAD requests when you run them; (3) when a visitor clicks an image-typed Link
that has the force-download behaviour active, Swirv fetches the image body server-
side and streams it back to the visitor. In all three cases the destination server
receives a request from your WordPress site. The save-time HEAD probe sends a User-
Agent of `Swirv Target Probe/{version} (+{your_site_url}; content-type sniffer)`;
the Health-scan and inline-download paths use the default WordPress HTTP API User-
Agent. No visitor data, click data, or WordPress account information is sent in 
the body of these requests.

#### Cloudflare

Swirv reads Cloudflare’s HTTP_CF_IPCOUNTRY request header when your site is fronted
by Cloudflare. Swirv does not send any data to Cloudflare; the header is set by 
Cloudflare’s edge on incoming requests as part of your site’s existing Cloudflare
relationship. The only data Swirv extracts is the 2-letter ISO country code, used
for visitor-country analytics on this install. If your site is not on Cloudflare,
this code path is inert.

Service: Cloudflare (https://www.cloudflare.com)
 Terms of service: https://www.
cloudflare.com/terms/ Privacy policy: https://www.cloudflare.com/privacypolicy/

#### MaxMind GeoLite2

Swirv can connect to MaxMind, Inc. to download the GeoLite2-Country database, used
to map visitor IP addresses to a 2-letter country code for analytics. The database
is stored locally on your server under `wp-content/uploads/swirv/geoip/` and every
country lookup happens on your server against that local copy; Swirv never sends
visitor IP addresses to MaxMind.

Swirv contacts MaxMind only after a site administrator has added their own MaxMind
licence key under **Swirv  Settings  Analytics  Geography** and either (a) clicked
the **Download / update database now** button, or (b) the monthly refresh cron has
fired since the key was saved. Without a saved licence key, the cron fires but takes
no action and Swirv makes no outbound request to MaxMind.

The licence key you enter is stored on your own server in the WordPress options 
table (as the `swirv_maxmind_license_key` option), in the same plain-text form WordPress
core uses for other site credentials and API keys; Swirv applies no separate encryption
to it. It is never transmitted anywhere except to MaxMind as the `license_key` parameter
of the download request described below. Anyone with read access to your WordPress
database (including other plugins running on the site) can read it, so treat your
MaxMind key like any other site secret. You can clear it at any time by emptying
the field and saving.

When downloading the database, Swirv issues a single HTTPS GET request to `https://
download.maxmind.com/app/geoip_download` with three query-string parameters: `edition_id
=GeoLite2-Country`, `license_key={your key}`, and `suffix=tar.gz`. The request uses
the default WordPress HTTP API User-Agent (which includes your site URL, per WordPress
core). No visitor data, click data, or WordPress account information is sent by 
Swirv as part of this download request.

Service: MaxMind GeoLite country database (https://www.maxmind.com)
 Terms of use:
https://www.maxmind.com/en/terms-of-use Privacy policy: https://www.maxmind.com/
en/privacy-policy GeoLite end-user licence agreement: https://www.maxmind.com/en/
geolite/eula

#### swirv.org

Swirv links the admin to swirv.org (the Swirv project’s marketing and documentation
site, operated by Matt Steady) in three places:

 * The **About ** submenu item under Swirv in the WordPress admin sidebar opens 
   https://swirv.org in a new tab. This is the Swirv project’s home page — project
   information, contact details, and links to documentation.
 * The **Swirv Pro ** submenu item — visible only when the Swirv Pro companion plugin
   is not active — opens https://swirv.org/swirvfree/upgrade.html in a new tab. 
   This is the page describing the Swirv Pro companion plugin.
 * The **★ Swirv Pro** badges next to Pro-only features in the admin (the Settings
   Analytics tab, the Passes and Analytics admin pages, and the Health Scan page)
   also open https://swirv.org/swirvfree/upgrade.html in a new tab.

These are user-initiated browser links, not server-side calls. Swirv does not send
any visitor data, click data, site URL, or WordPress account information to swirv.
org as part of these links — the connection happens in the user’s browser when they
click the link. Standard web-server access logs on swirv.org (the visitor’s IP address,
user-agent, referer) apply the same as any browser navigation to any site.

Service: swirv.org (the Swirv project’s marketing and documentation site)
 Terms
of use: https://swirv.org/terms.html Privacy policy: https://swirv.org/privacy

#### A note on uptime-monitor names

Swirv ships a default “exclude monitor traffic” list (Settings  Analytics) containing
names such as Pulsetic, UptimeRobot, Better Stack, Hyperping, StatusCake, and Pingdom.
These are not external services Swirv connects to. They are text substrings Swirv
matches against the User-Agent header of incoming requests to your own site, so 
that clicks from those uptime monitors are not counted in your analytics. No data
is sent to any of these services, and no network connection is made.

### Source Code and Bundled Libraries

Swirv ships two minified third-party JavaScript libraries and keeps all custom Swirv
JavaScript readable and unminified.

 * `admin/js/chart.umd.min.js` is Chart.js 4.5.1. Readable source is available at`
   https://www.npmjs.com/package/chart.js/v/4.5.1` and `https://github.com/chartjs/
   Chart.js/tree/v4.5.1`.
 * `admin/js/qrcode.min.js` is node-qrcode 1.5.4, bundled from the browser entry
   point as an IIFE that exposes `window.QRCode`. Readable source is available at`
   https://www.npmjs.com/package/qrcode/v/1.5.4` and `https://github.com/soldair/
   node-qrcode/tree/v1.5.4`.

## Screenshots

 * [[
 * Your links — edit any target after it’s shared, with live click counts and one-
   tap QR codes.
 * [[
 * Passes — give each recipient their own private URL that quietly follows the parent
   link.
 * [[
 * Privacy-first analytics — daily clicks and top countries, with no visitor IPs
   ever stored.
 * [[
 * Settings — pick your URL prefix, or drop it entirely for clean `yoursite.com/
   your-link` links.
 * [[
 * Campaign page — a ready-made public landing page for any group of links.
 * [[
 * Health Scan — catch dead, redirecting, or slow targets before your visitors do.

## Installation

 1. Upload the `swirv` folder to `/wp-content/plugins/`, or install Swirv from the 
    WordPress plugin directory.
 2. Activate the plugin through the **Plugins** screen in WordPress.
 3. Open **Swirv** in the admin sidebar and create your first link.

Optional: open **Swirv  Settings  General** before sharing links if you want to 
change the URL prefix. The default is `/swirv/your-link`. Prefixless mode is also
available, but changing the prefix after sharing links will break URLs already in
use.

## FAQ

### What is the difference between a Link and a Pass?

A **Link** is a short URL anyone can use. A **Pass** is a personalised URL under
a Link, usually issued to one person, subscriber, customer, or contact. Passes inherit
the parent Link target, so changing the Link updates every Pass beneath it.

### Does Swirv use a third-party short-link service?

No. Swirv links use your own WordPress domain. If your site is `yourband.com`, your
links are on `yourband.com`.

### Can links live at the top level of my site?

Yes. In **Settings  General**, turn off the URL prefix to use links such as `yoursite.
com/download`. Swirv checks for clashes with existing WordPress pages and posts 
before allowing this.

### Is click tracking GDPR-compliant?

Swirv avoids storing raw IP addresses and keeps analytics data on your site. Compliance
depends on your site, jurisdiction, and privacy policy, so treat this as privacy-
friendly design rather than legal advice.

### Can I turn off analytics?

Yes. Detailed click tracking is on by default. Go to **Swirv  Settings  Data** and
switch it off; Swirv will stop writing detailed click-event rows and keep only basic
counts.

### Can I move my Swirv data to another site?

Yes. **Swirv  Settings  Data** includes JSON/ZIP export and import for campaigns,
links, Passes, and optional analytics.

### What is the sponsored-link option?

Flagging a Link as sponsored makes Swirv serve the redirect with `rel="sponsored"`
signalled via the standard RFC 8288 `Link` HTTP header, plus `X-Robots-Tag: noindex,
nofollow, noarchive` and `Referrer-Policy: no-referrer`. The visitor still gets 
a normal 302 to the affiliate destination — no interstitial page. For SEO disclosure,
the right place for `rel="sponsored"` is on the link anchor in your source page,
not on the redirect target.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Swirv” is open source software. The following people have contributed to this plugin.

Contributors

 *   [ Matt Steady ](https://profiles.wordpress.org/mattsteady/)

[Translate “Swirv” into your language.](https://translate.wordpress.org/projects/wp-plugins/swirv)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/swirv/), check out 
the [SVN repository](https://plugins.svn.wordpress.org/swirv/), or subscribe to 
the [development log](https://plugins.trac.wordpress.org/log/swirv/) by [RSS](https://plugins.trac.wordpress.org/log/swirv/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.2.50

 * Improved: clearer plugin description and screenshot captions on the WordPress.
   org listing.
 * Docs: corrected QR-code references — QR codes are generated for links and campaigns.

#### 1.2.49

 * Fixed: opening an add or edit screen by direct URL now always returns you to 
   the list view, including on hosts that have PHP output buffering turned off.

#### 1.2.48

 * New: Data retention – automatically delete click events older than a chosen number
   of days (Settings -> Analytics) so older analytics data clears down on its own
   over time.
 * Improved: dead or not-yet-configured Swirv links now show a tidy branded “link
   not available” page instead of the theme’s generic 404.
 * Fixed: browser prefetch/prerender of a link no longer inflates its click count–
   speculative loads receive the redirect but are not counted, so a single visit
   registers a single click.
 * Maintenance: Plugin URI now points to the dedicated Swirv (free) landing page,
   per WordPress.org listing guidelines.
 * Hardening: internationalised remaining admin messages and tightened output escaping.
 * Downloads: preserve non-ASCII (accented / Unicode) filenames on forced downloads
   via RFC 6266.
 * Hardening: further input sanitisation and output escaping across admin screens.
 * Hardening: the uninstall handler now blocks direct file access.

## Meta

 *  Version **1.2.50**
 *  Last updated **9 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.3 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [analytics](https://wordpress.org/plugins/tags/analytics/)[campaigns](https://wordpress.org/plugins/tags/campaigns/)
   [links](https://wordpress.org/plugins/tags/links/)[qr code](https://wordpress.org/plugins/tags/qr-code/)
   [redirects](https://wordpress.org/plugins/tags/redirects/)
 *  [Advanced View](https://wordpress.org/plugins/swirv/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/swirv/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/swirv/reviews/)

## Contributors

 *   [ Matt Steady ](https://profiles.wordpress.org/mattsteady/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/swirv/)