Full Answer

There's a common misconception baked into the question. Mainstream ad blockers operate by blocking network requests to known tracker domains and preventing their scripts from executing; they rarely rewrite your own site's URLs to remove utm_source and friends. So a campaign visitor usually still arrives with the UTM string intact, the problem is that the analytics or pixel script meant to read and send it never gets to run.

That reframes the solution. Instead of trying to make parameters "invisible", you capture them where no blocker can reach: on your server, during the first request. WordPress can read the query string in an early hook, persist the UTM values to the session or order before checkout, and stop depending on a browser tag firing at all. The values then travel with your server-side events to GA4 or ad platforms regardless of what the visitor's browser blocks.

There's a related technique, first-party encoded links, that helps with the stricter privacy tools which do strip known parameters. Routing campaign clicks through your own domain and decoding short, non-obvious tokens server-side avoids the pattern-matching that flags standard utm_* names. But the foundational move is the same: read attribution server-side at the door, treat the browser as an unreliable courier, and the 20-40% of events that blockers would otherwise cost you stays on your books.