Help Center

Docs

Everything you need to know about using Laureo

WordPress

Capture page views and visitor activity from your WordPress site as CRM activities.

Overview

What gets captured when you connect a WordPress site.

The WordPress integration captures page views and visitor activity from your WordPress site and writes them into the CRM as page_view activities. Events are signed on your WordPress server with an HMAC secret that never leaves the server, so nothing in the public-facing HTML can be lifted by a casual reader.

One site per registration

Each WordPress site you want to track registers separately. Each registered site gets its own tracking key and HMAC secret. If you compromise or retire a site, deactivating it stops further events without affecting your other sites.

Registering a site

Add a WordPress site to start receiving events.

Open Settings → Integrations → WordPress

Direct URL: /settings/integrations/wordpress. The page lists every site you have registered.

Click Add site

A form appears with two fields: Site URL and Description.

Enter the Site URL

The public origin of your WordPress site, exactly as visitors see it — for example, https://blog.example.com. The protocol matters; http and https are treated as different origins.

Add a Description (optional)

Free text up to 200 characters. Useful when you register multiple sites: "Marketing blog," "Knowledge base," etc.

Click Register

The next screen shows your one-time credentials and a copy-paste plugin snippet. Copy everything before dismissing the panel — the tracking key and HMAC secret are never displayed again.

Copy the credentials before dismissing

The credential panel is the only place where the plaintext tracking key and HMAC secret appear. Once you click I've copied everything — dismiss, the values are gone. If you lose them, deactivate the site and register it again to get a fresh pair.

Installing the plugin snippet on WordPress

Drop the generated PHP file into your WordPress plugins directory.

The credential panel includes a ready-to-paste PHP plugin snippet pre-filled with your site's tracking key, HMAC secret, the receiver URL, and your registered site origin.

Copy the Plugin snippet textarea

Select all (Cmd/Ctrl+A inside the textarea) and copy.

Create a new PHP file on your WordPress server

Path: wp-content/plugins/laureo-crm-tracker/laureo-crm-tracker.php. Create the directory if it does not exist.

Paste and save

The snippet is a complete WordPress plugin — no extra wiring needed.

Activate the plugin

In your WordPress admin, go to Plugins, find "Laureo CRM Tracker" in the list, and click Activate.

Verify it is sending events

Open your WordPress site in an Incognito window and load any public page (logged-in users and admin pages are intentionally skipped). Within a few seconds the site row in the CRM should update its Last seen timestamp.

Keep the HMAC secret on the server

The plugin signs each event with the HMAC secret on your WordPress server. The secret never ships down in any HTML, JavaScript, or cookie — visitors cannot see it. This is the main reason the integration uses a server-side plugin instead of a browser script tag.

What gets captured

Each public page view becomes a CRM activity.

For every public page view, the plugin sends a signed event containing:

Page URL — the full URL the visitor loaded.
Page title — the rendered <title> tag.
Visitor ID — a random first-party cookie value (laureo_vid). New visitors get a fresh ID; returning visitors keep theirs across pages.

Logged-in WordPress users and admin pages are skipped to keep activity volume focused on real visitors. The plugin makes the request non-blocking so it never slows the page load.

Row states on the settings page

What each label means in the Registered sites list.

Active — The site is registered and the receiver will accept signed events from it.
Deactivated — The site has been turned off. The receiver rejects events from this tracking key. Past activities remain in the CRM.
Last seen [date] — The most recent event the receiver accepted from this site.
No events yet — The site is registered but the receiver has not yet seen a valid event. Common causes: plugin not activated, plugin pasted but pointing at the wrong site origin, or events are failing signature verification.

Deactivating a site

Stop accepting events from a site without losing past activity.

Click Deactivatenext to a registered site. A confirmation dialog prompts you to confirm. Once confirmed, the receiver rejects further events from that site's tracking key with a 401 response. Previously captured page_view activities stay in the CRM. To resume tracking from the same site, register it again to get a fresh tracking key and HMAC secret, then update the plugin file on your WordPress server.

Deactivate when rotating credentials

If you suspect a site's plugin file has been tampered with or exposed, deactivate the site and re-register. The old tracking key becomes unusable instantly.

Security model

What the receiver verifies on every incoming event.

Every event the receiver accepts must pass four checks:

Origin header match — The request's Origin must equal the site URL you registered. A stolen tracking key used from a different origin is rejected.
Tracking key match — The receiver hashes the tracking key in the header and compares it to the hashed key on record. Plaintext keys are never stored server-side.
HMAC signature match — The plugin signs timestamp.payload with the per-site HMAC secret. The receiver re-computes the signature with the matching server-side secret and compares them in constant time.
Replay window — Events with a timestamp more than 5 minutes old or 5 minutes in the future are rejected. This prevents an attacker who captured one signed request from replaying it indefinitely.

Why the old WordPress integration was retired

An earlier version of this integration asked you to paste an organization-wide API key directly into a <script>tag on your WordPress page. Any visitor could read that key in their browser's page source. The v2 integration replaces that pattern with site-scoped tracking keys + a server-side HMAC secret that never appears in public HTML. If you were using the old integration, the script tag is no longer accepted and you need to register each site under the new flow.

Troubleshooting

Common failure modes and how to fix them.

“No events yet” persists after the plugin is activated. Check that the LAUREO_SITE_ORIGINconstant in the plugin file matches the Site URL you registered exactly (protocol included). The receiver rejects events whose Origin header doesn't match.
Events arrive but only sporadically.WordPress page caching plugins can serve cached HTML without firing the wp_footer hook on every request. Confirm your cache plugin doesn't strip the snippet.
Receiver returns 401. Almost always a tracking-key, HMAC-secret, or Origin mismatch. If you copied the credentials into a placeholder before the plugin was final, deactivate and re-register to get a fresh pair.
Receiver returns 429.A per-organization rate limit kicks in if you exceed the burst budget. Page-view traffic at normal levels won't hit it; very high-traffic sites should contact support to raise the cap.
I lost the credentials.They're unrecoverable by design. Deactivate the site, register it again, and update the plugin file with the new key + secret.

Integrations Overview— How to browse and connect third-party integrations Integration Troubleshooting— Generic fixes that apply to every integration Logging Activities— How page_view activities show up on company and contact records Data Privacy & GDPR— Erasing a contact also clears their page_view history

SharePoint Document Libraries

Integration Troubleshooting