Run A\/B tests by pointing the plugin at two existing pages \u2014 one as the control (Variant A), one as the variant (Variant B). Visitors are split 50\/50 via a persistent cookie; once assigned, they always see the same variant.<\/p>\n\n
Tracking is fully internal: impressions and conversions land in a custom database table, and the wp-admin dashboard shows conversion rates, lift, and a basic statistical significance indicator (two-proportion z-test).<\/p>\n\n
Security-audited internally before every release (situated checklist + OWASP grid). See SECURITY.md on GitHub for the disclosure policy and the latest audit report ( A\/B testing breaks under page caching: the first variant served gets cached for everyone, all subsequent visitors get that same response, the 50\/50 split dies. The plugin handles most cases automatically.<\/p>\n\n Kinsta uses a two-layer cache (nginx server-cache + Cloudflare Enterprise edge cache). The plugin's no-store headers bypass both \u2014 but for 100% safety, also add your test URLs to MyKinsta \u2192 Tools \u2192 Cache \u2192 Cache Bypass<\/strong> as URL Patterns (e.g. Verify it works by inspecting headers on your test URL:<\/p>\n\n Look for For W3 Total Cache, WP Super Cache, WP Fastest Cache, and Cache Enabler \u2014 the plugin shows a notice but does not automatically exclude URLs (no clean public API). Manually add your test URLs to that plugin's cache exclusion list.<\/p>\n\n Pull stats programmatically from external tools (n8n, Make, Pipedream, dashboards).<\/p>\n\n Optional query params:<\/p>\n\n Example:<\/p>\n\n The response includes for each experiment: id, title, test_url, status, dates, control\/variant IDs, goal, and a stats block with A\/B impressions\/conversions\/rate, lift, p-value, significance, and 95% confidence interval bounds for both lift and absolute difference.<\/p>\n\n The plugin stores no raw IP, no User-Agent, no email, no name, and no cross-site tracking identifier. The events table contains: experiment_id, variant, test_url, event_type, created_at, and a A native WordPress privacy guide snippet is registered automatically \u2014 find it under Settings \u2192 Privacy \u2192 Policy Guide \u2192 Variolab \u2013 A\/B Testing to paste into your privacy policy.<\/p>\n\n For consent-banner sites: enable \"Require consent\" in the plugin settings and wire your banner to the Right to erasure: because no reversible identifier is stored, individual deletion isn't possible. Use This plugin connects to one external service, only when the site administrator opts in<\/strong> through the plugin's Settings \u2192 Google Analytics 4 panel by entering a Measurement ID and API Secret. With the GA4 integration disabled (default), no data leaves your site.<\/p>\n\n What it is and what it's used for: when the GA4 integration is enabled, the plugin forwards A\/B-test impression and conversion events to Google Analytics 4 via the Measurement Protocol, so the test results can be analyzed alongside your existing GA4 reports.<\/p>\n\n What data is sent and when: on each impression and each conversion logged by the plugin, a single fire-and-forget HTTPS request is sent to No raw IP address, User-Agent string, email, name, WordPress user ID, or page content is sent.<\/p>\n\n Service provided by Google. Please review their terms and policies before enabling the integration:<\/p>\n\n On their first visit to the control page, a cookie No. Logged-in users with v1 only swaps the entire page (the variant must be a separate post). Block-level and product-level testing are on the roadmap.<\/p><\/dd>\n\n<\/dl>\n\n\ndocs\/security\/latest.md<\/code>).<\/p>\n\nFeatures<\/h4>\n\n
\n
abtest_event_logged<\/code> action hook ready for v2 GA4\/webhook integrations<\/li>\n<\/ul>\n\nCaching<\/h3>\n\n
What the plugin does automatically<\/h4>\n\n
\n
Cache-Control: no-store<\/code> headers<\/strong> on every page response under A\/B test. Respected by Cloudflare, Varnish, Kinsta edge cache, nginx page cache, and most server-level caches.<\/li>\nrocket_cache_reject_uri<\/code> filter<\/strong> when WP Rocket is detected \u2014 your test URLs are auto-added to the never-cache list.<\/li>\nlitespeed_force_nocache_url<\/code> filter<\/strong> when LiteSpeed is detected \u2014 same idea.<\/li>\nHosting on Kinsta<\/h4>\n\n
^\/promo\/$<\/code>). After publishing a new test, purge the Kinsta cache<\/strong> to flush any version cached before the experiment started.<\/p>\n\ncurl -I https:\/\/yoursite.com\/promo\/\n<\/code><\/pre>\n\nX-Kinsta-Cache: BYPASS<\/code> (or MISS<\/code>). If you see HIT<\/code>, you're getting the cached version and the split is broken \u2014 purge the cache.<\/p>\n\nHosting on other CDNs \/ hosts<\/h4>\n\n
\n
curl -I<\/code> looking for cf-cache-status: BYPASS<\/code> or DYNAMIC<\/code>.<\/li>\nPlugins not auto-supported<\/h4>\n\n
REST API<\/h3>\n\n
\n
GET \/wp-json\/abtest\/v1\/stats<\/code><\/li>\nmanage_options<\/code>.<\/li>\n\n
url=\/promo\/<\/code> \u2014 filter to a single test URL.<\/li>\nexperiment_id=38<\/code> \u2014 fetch a single experiment by ID.<\/li>\nstatus=running|paused|ended|draft<\/code> \u2014 filter by status.<\/li>\nfrom=YYYY-MM-DD&to=YYYY-MM-DD<\/code> \u2014 restrict event date range for the stats computation.<\/li>\nbreakdown=daily<\/code> \u2014 include per-day time series (for charting).<\/li>\n<\/ul>\n\ncurl -u 'admin:xxxx xxxx xxxx xxxx xxxx xxxx' 'https:\/\/yoursite.com\/wp-json\/abtest\/v1\/stats?status=running'\n<\/code><\/pre>\n\nPrivacy<\/h3>\n\n
visitor_hash<\/code> = first 16 hex chars (64 bits) of sha256(IP + UA + wp_salt('auth'))<\/code> \u2014 non-reversible, single-site, salt-rotated, dedup-safe. Cookies are httponly, samesite=Lax, secure on HTTPS, value = a single letter (a\/b\/c\/d), 30-day TTL.<\/p>\n\nabtest_visitor_has_consent<\/code> filter (return true to track, false\/null to block). Snippets for Complianz, CookieYes, and Cookiebot are in the README on GitHub.<\/p>\n\nTRUNCATE wp_abtest_events<\/code> to erase all A\/B testing data.<\/p>\n\nExternal services<\/h3>\n\n
Google Analytics 4 (Measurement Protocol)<\/h4>\n\n
https:\/\/www.google-analytics.com\/mp\/collect<\/code> with a JSON payload containing:<\/p>\n\n\n
client_id<\/code> \u2014 the plugin's internal visitor hash (truncated salted SHA-256 of IP + User-Agent; never the raw IP or UA)<\/li>\nevents[].name<\/code> \u2014 abtest_impression<\/code> or abtest_conversion<\/code><\/li>\nevents[].params.experiment_id<\/code> \u2014 the WordPress post ID of the experiment<\/li>\nevents[].params.variant<\/code> \u2014 the variant served (a<\/code>, b<\/code>, c<\/code>, or d<\/code>)<\/li>\nevents[].params.test_url<\/code> \u2014 the URL path under test (e.g. \/promo\/<\/code>)<\/li>\n<\/ul>\n\n\n
\n
\/wp-content\/plugins\/<\/code>.<\/li>\n\n
How is a visitor assigned to a variant?<\/h3><\/dt>\n
abtest_{experiment_id}<\/code> is set with value a<\/code> or b<\/code>. Subsequent visits read that cookie \u2014 the visitor always sees the same variant.<\/p><\/dd>\nWill admins see the test?<\/h3><\/dt>\n
edit_posts<\/code> capability are bypassed and always see the control. The admin bar shows a marker indicating which experiment is running on the page.<\/p><\/dd>\nDoes it work with WooCommerce \/ Gutenberg blocks?<\/h3><\/dt>\n
0.15.0<\/h4>\n\n
\n
Stats::overview_kpis()<\/code> aggregator; toolbar with 5 status chips (All \/ Draft \/ Running \/ Paused \/ Ended) + date range with 7d\/30d\/All-time presets; URL blocks rendered as cards with per-experiment 3-column CSS grid; ended experiments collapse into a native <details><\/code> per URL block. Cream canvas (#EFECE4) replaces the wp-admin gray across every plugin admin screen (scoped via body.toplevel_page_abtest-experiments<\/code>).<\/li>\nassets\/js\/url-charts.js<\/code> wrapper with a ~200-LOC vanilla list-interactions.js<\/code> that renders an SVG polyline per (experiment, variant) using a 12-hex rotating palette so the chart line color matches the variant tag color in the row above. Variant A renders solid, B\/C\/D dashed. Dashed light-gray vertical markers show each experiment's start + end dates with hover tooltip.<\/li>\nAdmin::render_brand_header( $title )<\/code> helper applied to List \/ Edit \/ Settings \/ Import; the legacy form-table styles on Edit \/ Settings \/ Import are preserved by the dual wrap vlab-page abtest-wrap<\/code> class so the form submission paths are unchanged.<\/li>\npyftsubset<\/code>). SIL OFL 1.1 license files shipped alongside.<\/li>\n?status_filter=all|draft|running|paused|ended<\/code> query arg replaces the old ?show=<\/code>. The legacy parameter is translated silently for one release so bookmarks keep working.<\/li>\nadmin-tokens.css<\/code> (design tokens + @font-face<\/code>, everywhere) \u2192 admin-shell.css<\/code> (cream bg + brandline + buttons, everywhere) \u2192 admin-list.css<\/code> (list-specific, list page only). The legacy admin.css<\/code> is kept verbatim for the other pages.<\/li>\nAbtest\\<\/code> PHP namespace, abtest_*<\/code> hook \/ cookie \/ option \/ table prefixes, REST namespace abtest\/v1<\/code>, custom table wp_abtest_events<\/code>. No DB \/ cookie \/ option breaking change.<\/li>\n<\/ul>\n\n0.14.0<\/h4>\n\n
\n
variolab<\/code> \u2192 variolab-ab-testing<\/code> (matches the slug wp.org reserved on resubmission). Text domain mass-updated across every __()<\/code> \/ _e()<\/code> call, main file variolab.php<\/code> \u2192 variolab-ab-testing.php<\/code>, composer.json<\/code> \/ package.json<\/code> package names, phpcs.xml.dist<\/code> text-domain element + file ref, tests\/Integration\/bootstrap.php<\/code> require path, .github\/workflows\/{ci,release}.yml<\/code> build folder + zip filename + header-version grep.<\/li>\n.html<\/code> \/ .htm<\/code> \/ .js<\/code> files to the uploads directory (wp.org policy: no code-bearing files in uploads even though the area itself is allowed). The main index.html<\/code> is read directly from the zip into memory and stored in post_content<\/code> instead \u2014 never touches disk. CSS, images, fonts continue to extract normally. Local JS the template referenced via <script src=\".\/bundle.js\"><\/code> will 404 at render time; admins can re-inject inline JS via the per-URL tracking-scripts feature.<\/li>\nUrlScripts::print_for_position()<\/code> now wraps each entry via wp_print_inline_script_tag()<\/code> \u2014 the WP-blessed inline-script helper \u2014 instead of raw echo<\/code>. The new UrlScripts::parse_script_input()<\/code> silently strips <script ...><\/code> \/ <\/script><\/code> wrappers the admin pastes, extracting src<\/code> \/ async<\/code> \/ defer<\/code> \/ type<\/code> \/ id<\/code> attributes for fidelity. 11 unit tests cover plain JS \/ single wrapper \/ multi-script degraded mode \/ orphan tags \/ boolean attributes.<\/li>\nab_experiment<\/code> \u2192 abtest_experiment<\/code> (wp.org requires \u22654-char prefixes; ab_<\/code> was too short). Menu slug<\/strong> ab-testing<\/code> \u2192 abtest-experiments<\/code>. New idempotent migration Plugin::pre_install_rename_post_type()<\/code> runs at upgrade (DB schema v1.3.0 \u2192 v1.4.0) renaming every existing post_type<\/code> row in one statement before the new CPT registers on init<\/code>. Uninstall handler accepts both new and legacy slugs so old installs still get cleaned up.<\/li>\nAbtest\\<\/code> namespace, abtest_*<\/code> hook \/ cookie \/ option \/ table prefixes (already 6-char), and REST namespace abtest\/v1<\/code> stay untouched \u2014 no breaking change for existing data.<\/li>\n<\/ul>\n\n0.13.0<\/h4>\n\n
\n
variolab<\/code>). The wp.org Plugin Review Team flagged \"Uplift\" on two cumulative grounds: (1) it is the standard industry term for the A\/B-testing lift metric (non-distinctive \u2014 every VWO\/Statsig\/Insider\/etc. doc uses \"uplift\" to mean conversion-rate lift), and (2) UPLIFT\u00ae is a live USPTO trademark (Reg. 4973441, UPLIFT INC., San Francisco) in the same \"Advertising, Business & Retail Services\" class as the plugin. Variolab is an invented term (vario + lab) with no wp.org \/ USPTO \/ SaaS hit at name-pick time.<\/li>\nuplift-ab-testing<\/code> \u2192 variolab<\/code> everywhere \u2014 every __()<\/code>\/_e()<\/code> call across includes\/<\/code>), main plugin file uplift-ab-testing.php<\/code> \u2192 variolab.php<\/code>, composer.json<\/code>\/package.json<\/code> package names, phpcs.xml.dist<\/code> text-domain element + file ref + ruleset name, tests\/Integration\/bootstrap.php<\/code> require path, .github\/workflows\/{ci,release}.yml<\/code> build folder + zip filename + header-version grep.<\/li>\nAbtest\\<\/code> PHP namespace, abtest_*<\/code> hook\/cookie prefixes, REST namespace abtest\/v1<\/code>, custom table wp_abtest_events<\/code>, option keys (abtest_settings<\/code>, abtest_db_version<\/code>).<\/li>\n<\/ul>\n\n0.12.0<\/h4>\n\n
\n
uplift-ab-testing<\/code>). The WordPress trademark guideline forbids the word \"WordPress\" in both the plugin display name and the slug \u2014 this rename closes the last remaining wp.org submission blocker.<\/li>\nuplift-ab-testing<\/code> everywhere \u2014 every __()<\/code>\/_e()<\/code> call across includes\/<\/code>), main plugin file ab-testing-wordpress.php<\/code> \u2192 uplift-ab-testing.php<\/code>, composer.json<\/code>\/package.json<\/code> package names, phpcs.xml.dist<\/code> text-domain element, tests\/Integration\/bootstrap.php<\/code> require path, release.yml<\/code> + ci.yml<\/code> build paths and zip filename.<\/li>\nAbtest\\<\/code> PHP namespace, abtest_*<\/code> hook prefixes, abtest_*<\/code> cookies, REST namespace abtest\/v1<\/code>, custom table wp_abtest_events<\/code>, and option keys (abtest_settings<\/code>, abtest_db_version<\/code>) all stay as-is. They're internal \u2014 never visible to wp.org reviewers and never on a user URL.<\/li>\n<\/ul>\n\n0.11.3<\/h4>\n\n