42.7% of your visitors are running software that actively destroys your campaign tracking. Ad blockers and privacy browsers don’t just block ads—they strip UTM parameters from URLs before your analytics can capture them. That expensive paid campaign? It’s showing as direct traffic in GA4 because the utm_source never survived the browser.

Privacy tools see the utm_ prefix in your URLs and immediately flag it as tracking. DuckDuckGo removes UTMs entirely. Safari strips query strings containing tracking indicators. Brave has built-in parameter filtering. Your carefully tagged campaign links arrive at the browser intact, then get sanitized before your page loads.

The Two Ways You Lose UTM Data#

UTM stripping happens through two distinct mechanisms, and most WordPress store owners only think about one of them.

Script blocking is what everyone worries about. Ad blockers prevent analytics JavaScript from loading—uBlock Origin blocks Google Analytics, AdBlock Plus filters tracking scripts. Your UTMs arrive in the URL but never get captured because the analytics code never runs. This is the obvious problem.

Parameter stripping is the hidden problem. Privacy browsers actively remove UTM parameters from URLs before your page even loads. DuckDuckGo Privacy Tools, Safari ITP, Brave Shields, and Firefox Enhanced Tracking Protection all target the utm_ prefix specifically. The UTMs don’t survive long enough for any analytics to see them.

Here’s the difference: with script blocking, your UTMs exist in the URL but your analytics can’t capture them. With parameter stripping, the UTMs are gone before anything can capture them—server-side or client-side.

You may be interested in: Brave Blocks Adobe Analytics, GA4 and Meta Pixel: Here’s What WordPress Stores Lose

Which Privacy Tools Strip What#

30-50% of attribution data gets lost to blockers and privacy tools combined. But the mechanisms vary:

• DuckDuckGo Privacy Tools: Actively removes UTM parameters from URLs. Also blocks tracking scripts. Double impact on attribution.
• Safari ITP (Intelligent Tracking Prevention): Strips query parameters containing known tracking identifiers. Also limits cookie duration to 7 days.
• Brave Browser: Built-in shields remove tracking parameters including UTMs. Can be configured by users but defaults to stripping.
• Firefox ETP (Enhanced Tracking Protection): Blocks known trackers and strips query parameters in strict mode.
• uBlock Origin: Primarily blocks scripts rather than stripping parameters. UTMs survive but analytics doesn’t run.
• AdBlock Plus: Script-focused blocking. Less likely to strip UTMs directly unless using enhanced lists.

The practical result is identical—your paid campaign shows as direct traffic in GA4. But understanding the mechanism matters for choosing a solution.

Why the utm_ Prefix Is the Problem#

Privacy tools pattern-match URLs for tracking indicators. The utm_ prefix is on every filter list because Google literally invented it for tracking. When DuckDuckGo sees utm_source=facebook in your URL, it knows exactly what that parameter does and removes it.

Privacy-focused browsers see utm_source in your URLs and think: tracking, must destroy. They’re not wrong—UTMs exist specifically to track where visitors come from. But this creates a conflict: you need attribution data for legitimate business purposes while privacy tools treat any tracking as surveillance.

The standard response from analytics vendors is “just accept the data loss.” That’s not helpful when 40% of your campaign spend is invisible.

Coded UTMs: Bypassing Pattern Matching#

Here’s the thing: filter lists match specific patterns. They’re looking for utm_source, utm_medium, utm_campaign. They’re not looking for c1, s1, or m1.

Coded UTMs use non-standard parameter names that don’t trigger filter lists. Instead of:

yoursite.com/?utm_source=facebook&utm_medium=paid&utm_campaign=spring

You use:

yoursite.com/?s1=fb&m1=p&c1=spr

Privacy browsers don’t recognize these parameters as tracking. They pass through untouched. Your analytics system decodes them back to standard UTM values for reporting.

You may be interested in: The Privacy Browser Trifecta: How Brave, Safari and Firefox Combine to Hide 31% of Your Traffic

The inPIPE WordPress plugin from Transmute Engine™ handles this automatically. You tag campaigns with standard UTMs (so your ad platforms work normally), and inPIPE captures the original parameters before browsers can strip them. The coded approach works for links you control directly—email campaigns, organic social, direct placement.

Server-Side Capture: The Script Blocking Solution#

Coded UTMs solve parameter stripping. They don’t solve script blocking. If uBlock Origin prevents GA4 from loading, your analytics never runs regardless of what parameters survive.

Server-side tracking captures UTM data before it reaches the browser. When a visitor clicks your campaign link, the parameters go to your server first. By the time the browser can block anything, the attribution data is already captured.

Transmute Engine™ is a first-party Node.js server running on your subdomain. The inPIPE plugin captures UTM parameters on page load—server-side, before ad blockers can interfere—and sends them to your Transmute Engine server. From there, attribution data flows to GA4 via Measurement Protocol, Facebook via CAPI, and Google Ads via Enhanced Conversions.

No blocked scripts. No stripped parameters. Attribution data that actually represents your campaign performance.

Key Takeaways#

• 42.7% of users run ad blockers—your attribution data is incomplete by default
• Parameter stripping and script blocking are different problems requiring different solutions
• DuckDuckGo, Safari, Brave, and Firefox all strip UTM parameters in different ways
• Coded UTMs bypass filter lists by using non-standard parameter names
• Server-side tracking captures attribution before browsers can interfere

Stop losing attribution data to privacy tools. Start tracking campaigns that actually reach your analytics.