The free Coded UTMs plugin for WordPress replaces five visible utm_ parameters with a single encoded string like ?udlq5=82642678 that survives every ad blocker filter list and privacy browser because no stripping mechanism recognises it as a tracking parameter. This guide walks through plugin installation, creating the first coded link in the lookup table, sharing it on a platform that strips standard UTMs, and verifying the decoded campaign data appears correctly in GA4 session reports — from first install to first decoded hit in under 15 minutes.
Why Standard UTMs Need a Backup Plan
The utm_ prefix is the problem — every stripping mechanism on the internet targets it by name.
42.7% of users globally run ad blockers, and a significant portion of those tools actively strip UTM parameters from URLs before your analytics can capture them. The mechanism is simple: filter lists like EasyList and AdGuard include regex rules such as *$removeparam=/^utm_/ that match anything starting with the utm_ prefix and remove it during navigation. Your carefully tagged campaign link arrives at the visitor’s browser intact and lands on your WordPress site with the attribution data deleted.
The problem isn’t limited to ad blockers. Adobe’s AEM Cloud CDN strips UTM parameters by default using a regex pattern that matches utm_.*, gclid, fbclid, and a dozen other known tracking identifiers. DuckDuckGo’s privacy tools remove UTM parameters as a feature. Browser extensions like Chrome UTM Stripper maintain lists of 50+ known tracking parameters. Safari’s Link Tracking Protection strips click identifiers like gclid and fbclid in Private Browsing and in links opened from Mail and Messages.
Research compiled across multiple industry sources suggests 30-40% of UTM attribution data never reaches analytics platforms. That’s not a rounding error — that’s nearly half your campaign tracking disappearing before your WordPress site even knows the visitor arrived from a paid campaign.
Ad blocker filter lists like EasyList and AdGuard use regex rules such as *$removeparam=/^utm_/ that specifically target the utm_ prefix — a coded parameter like ?udlq5=82642678 matches zero filter rules because it contains no recognisable tracking pattern.
You may be interested in: Eleven States Made GPC a Legal Opt-Out — Your Server-Side CAPI Doesn’t Know
What Coded UTMs Actually Do
One random-looking parameter replaces five, and nothing on the internet knows how to strip it.
A standard UTM link looks like this: yoursite.com/?utm_source=facebook&utm_medium=paid&utm_campaign=spring_sale&utm_content=hero_image&utm_term=running_shoes. Five parameters, all starting with the utm_ prefix, all matching every filter list published in 2026.
A coded UTM link looks like this: yoursite.com/?udlq5=82642678. One parameter. A random key name. A numeric value. To any ad blocker, privacy browser, CDN, or email security gateway scanning the URL, that parameter is meaningless — it could be a product ID, a session token, a pagination index. There’s no pattern to match, no known tracking identifier to strip.
The mapping between 82642678 and the full campaign payload — source, medium, campaign, content, term — lives in a lookup table on your WordPress server. When a visitor lands on your site with that coded parameter, the plugin decodes it server-side as the first action on page arrival. Before Google Tag Manager fires. Before GA4 loads. Before any analytics script executes. The decoded UTM values are pushed into the dataLayer so every tag in your GTM container reads the correct attribution data.
Translation: the browser never sees the real UTMs. The ad blocker never sees the real UTMs. Your server sees everything.
Step 1: Install the Free Plugin
Standard WordPress plugin installation — no configuration files, no code editing, no server access required.
In your WordPress admin dashboard, navigate to Plugins → Add New and search for “Coded UTMs” or “inPIPE”. Install and activate the plugin. The entire process takes under two minutes.
On activation, the plugin creates three things automatically: a settings page under your WordPress admin menu, a lookup table database for storing your coded link mappings, and a server-side decode hook that fires before any front-end scripts load. No additional configuration is required to start creating coded links.
The plugin doesn’t add JavaScript to your front-end pages. The decode runs server-side in PHP before the page template renders. That means it doesn’t affect your page load speed, doesn’t conflict with caching plugins, and doesn’t require any changes to your Google Tag Manager container.
Step 2: Create Your First Coded Link
Enter the five UTM values you’d normally use. The plugin generates one short code that carries all of them.
Open the Coded UTMs settings page in your WordPress admin. You’ll see a link creator with five familiar fields: Source, Medium, Campaign, Content, and Term. Enter the values you’d use in a standard UTM link — for example, Source: facebook, Medium: paid-social, Campaign: spring-sale-2026, Content: hero-image, Term: running-shoes.
Click “Generate Code.” The plugin creates a short numeric code — something like 82642678 — and maps it to all five values in the lookup table. Your shareable URL becomes yoursite.com/?udlq5=82642678 instead of the 120-character UTM string that every ad blocker recognises.
The lookup table is manageable from the same admin page. Each row shows the code, the mapped UTM values, the creation date, and a decode count showing how many times that code has been resolved on arrival. You can create as many coded links as you need — one per campaign, one per ad variant, one per influencer.
Every existing WordPress UTM plugin — HandL UTM Grabber with 200,000+ installs, Attributer, WP Statistics, AFL UTM Tracker — works exclusively with standard utm_ parameters and charges for premium features, while coded UTMs encode the parameter name itself for free.
Step 3: Share It Where UTMs Get Stripped
The real test: share your coded link on a platform that kills standard UTMs and watch it survive.
Take your coded link and share it somewhere standard UTMs would be at risk. Good test cases include posting it as a link in a Facebook post (Facebook’s in-app browser has been documented stripping UTM parameters through redirect chains), sharing it in an email that recipients will open in Apple Mail (Safari’s LTP strips click identifiers from links opened in Mail), or clicking it through a browser with uBlock Origin installed and AdGuard URL Tracking Protection enabled.
For the simplest test: open a browser with uBlock Origin active, paste a standard UTM link for your site, and check GA4. The UTM data won’t appear — source shows as direct. Now paste your coded link in the same browser and click through. The coded parameter passes through untouched because uBlock Origin’s filter rules don’t recognise it as a tracking parameter.
On your WordPress site, the decode fires server-side on page load. You can verify it worked immediately by checking the plugin’s decode counter in the admin dashboard — the count for your test code increments by one for each decoded arrival.
Step 4: Verify the Decoded Data in GA4
If the decode worked, GA4 shows the full campaign attribution — source, medium, campaign — exactly as if standard UTMs had arrived intact.
Open GA4 and navigate to Reports → Acquisition → Traffic Acquisition. Set the date range to include your test click. Look for a row matching the source and medium you encoded — in our example, facebook / paid-social.
If it appears, the end-to-end flow is confirmed: coded parameter in URL → server-side decode on WordPress → dataLayer push → GTM pickup → GA4 session attribution. The entire chain from link click to GA4 report works the same as standard UTMs, except the parameter that carried the data was invisible to every stripping mechanism along the way.
For real-time verification, use GA4’s Realtime report. Click your coded link, wait 30 seconds, and check the active users panel. Your session should appear with the correct source attribution. If GA4 shows direct / (none) instead, check that your GTM container is reading the dataLayer variables the plugin pushes — the decoded values need to be mapped to GA4’s campaign parameters in your GTM configuration.
How It Compares to Other WordPress UTM Plugins
Every competitor tracks standard UTMs that ad blockers can strip. None encode the parameter name itself.
| Plugin | Active Installs | Handles Standard UTMs | Encodes Parameter Name | Survives Ad Blockers | Free Core |
|---|---|---|---|---|---|
| Coded UTMs (inPIPE) | New | Yes | Yes | Yes | Yes — full features |
| HandL UTM Grabber | 200,000+ | Yes | No | No | Free with paid premium |
| Attributer | Established | Yes | No | No | Free with paid premium |
| WP Statistics | Established | Yes | No | No | Free with paid premium |
| AFL UTM Tracker | Established | Yes | No | No | Free with paid premium |
The differentiator isn’t feature richness or install count. It’s the architectural approach to the stripping problem. Every plugin in this table except Coded UTMs works with standard utm_ parameters — the exact parameter format that every ad blocker filter list, every privacy browser, and every CDN regex rule is designed to detect and remove.
HandL UTM Grabber, with over 200,000 active installs, is the most popular WordPress UTM plugin. It captures UTM parameters from URLs and stores them in cookies and hidden form fields for CRM integrations. It’s a solid tool — but it captures parameters after they arrive, which means if an ad blocker strips utm_source before the page loads, HandL has nothing to capture. The parameter name itself is the vulnerability, and no amount of cookie persistence or form-field injection fixes it.
Coded UTMs solve the problem one layer earlier: before the browser and before the ad blocker, at the URL parameter level. If the parameter arrives intact, every downstream tool — HandL included — can do its job.
You may be interested in: Meta Signals Gateway Is the Quiet End of the Meta Pixel
Key Takeaways
- The utm_ prefix is the target: Ad blocker filter lists use regex like
*$removeparam=/^utm_/that matches the prefix. Coded parameters use random key names that match zero filter rules. - One parameter replaces five: A coded string like
?udlq5=82642678carries the full source, medium, campaign, content, and term payload in a single short parameter — shorter URLs, cleaner links, no competitive intelligence exposed. - Server-side decode fires first: The plugin decodes the coded parameter before GTM, before GA4, before any front-end script. The decoded values hit the dataLayer before anything else executes.
- GA4 sees normal attribution: After decode, GA4 receives standard UTM values through its regular session attribution. Your reports show the correct source, medium, and campaign with no additional GA4 configuration required.
- Every competitor uses standard utm_ only: HandL, Attributer, WP Statistics, and AFL all capture standard parameters after arrival. None encode the parameter name itself, which means none survive the stripping that removes the data before it arrives.
Ad blocker filter lists use pattern matching to identify tracking parameters. Rules like *$removeparam=/^utm_/ target anything starting with the utm_ prefix. A coded parameter like ?udlq5=82642678 uses a random key name that doesn’t match any known tracking pattern, so every filter list ignores it completely. The parameter looks like any other functional query string to browsers and extensions.
Yes. The coded UTMs plugin is free to install and use. It includes the lookup table for creating coded links, server-side decoding on page arrival, and integration with Google Tag Manager and GA4. Every existing competitor — HandL UTM Grabber, Attributer, WP Statistics, AFL UTM Tracker — charges for premium features while working only with standard utm_ parameters that are vulnerable to stripping.
The plugin decodes the coded parameter server-side as the very first action on page arrival — before Google Tag Manager fires, before GA4 loads, before any analytics script executes. The decoded UTM values are written into the dataLayer so every tag in your GTM container can read the original source, medium, campaign, term, and content values as if standard UTMs had arrived intact.
Yes. Once the coded parameter is decoded server-side, the original UTM values are pushed to the dataLayer before GTM initialises. GA4 picks up the decoded values through its standard session attribution. Your GA4 reports show the correct source, medium, and campaign exactly as if the visitor had arrived with standard UTM parameters that weren’t stripped.
Yes. The plugin only activates when it detects its specific coded parameter in the URL. Standard UTM parameters continue to work normally for visitors arriving from links that use them. You can run both in parallel — coded links for channels where stripping is common and standard UTMs where they still pass through reliably.
References
- Seresa — How Coded UTM Parameters Bypass Every Ad Blocker Filter List (2026)
- Seresa — What Are Coded UTM Parameters (2025)
- Adobe Experience League — AEM Cloud CDN UTM Parameter Stripping (2025)
- Singular — iOS 26: Everything Privacy-Related Apple Announced at WWDC 2025 (2025)
- Seresa — How Ad Blockers Detect UTM Parameters: Why Coded Links Survive (2026)
- WordPress.org — HandL UTM Grabber Plugin (2026)
- Seresa — Ad Blockers Are Stripping Your UTM Parameters Before You See Them (2026)
If you’re running campaigns that send traffic through ad blocker territory — which is nearly half the internet in 2026 — the 15 minutes it takes to install and test a coded link is the fastest way to find out how much attribution data you’ve been losing. Start with one campaign. Compare the GA4 numbers. The gap between what standard UTMs report and what coded UTMs recover is the size of your blind spot. Get started at seresa.io.
