LeadConnector

FAQ

Do I need a LeadConnector account?

Yes. You need an active LeadConnector account and a connected location to use the CRM-connected features.

Is the plugin free?

The WordPress plugin is free. A LeadConnector subscription may be required to use connected services such as widgets, funnels, forms, calendars, email, and CRM tools.

How do I connect my LeadConnector account?

Open LeadConnector in the WordPress admin menu and follow the connection flow. Settings changes use authenticated WordPress admin requests.

How do I add the chat widget to my site?

Open LeadConnector > Chat Widget, enable the widget, and select the widget you want to display. The plugin loads the selected LeadConnector chat widget on your WordPress site.

How do I publish a LeadConnector funnel in WordPress?

Open LeadConnector > Funnels, choose a funnel and funnel step, set the WordPress slug, and publish it. Funnel pages are stored in WordPress as LeadConnector funnel content and routed through the selected display method.

What shortcodes are available?

The plugin includes [leadconnector_form], [leadconnector_calendar], [leadconnector_survey], [leadconnector_quiz], [leadconnector_reviews_widget], and [leadconnector_phone_number_pool]. The historical [lc_*] aliases remain registered for backward compatibility and will be removed in a future major release.

Does the plugin work with Elementor and other page builders?

Yes. The plugin includes Elementor-specific compatibility support and frontend styles for supported LeadConnector funnel pages. Compatibility can vary by theme, template, and builder configuration.

Does the plugin support RTL languages?

Yes. LeadConnector includes Right-to-Left language support for supported plugin screens and frontend output.

External Services

LeadConnector is a CRM/marketing platform operated by LeadConnector LLC. This WordPress plugin is a thin client for that platform: connecting WordPress to your LeadConnector account, embedding chat widgets, forms, calendars, surveys, quizzes, reviews, and phone-tracking pools, importing and rendering funnel pages, opening the LeadConnector authorization flow, and optionally purging an external CDN cache. Every feature that needs the LeadConnector platform will cause one or more HTTP requests to LeadConnector-owned hosts (and, for form-embed support, a sibling messaging host). This section documents every external host the plugin reaches out to, why, when, what data crosses the wire, and what does not.

All LeadConnector-owned hosts (leadconnectorhq.com, msgsndr.com, reputationhub.site subdomains listed below) are governed by the same LeadConnector terms of service and privacy policy:

• Terms of service: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

Each domain block below repeats the per-domain links so reviewers (and end users) can verify them in place. Calls to these hosts only happen when the corresponding feature is enabled, configured, or used. A feature that is disabled, an empty configuration value, or a shortcode that is not present on the page will not trigger any of these requests.

services.leadconnectorhq.com (admin / server-to-server and chat widget browser endpoints)

• What it is: LeadConnector’s authenticated services API. The plugin’s primary read/write surface for account and configuration data, OAuth token exchange / refresh, optional CDN cache purge, chat-widget service endpoints, and one allowlisted host for optional funnel tracking-code downloads supplied by LeadConnector during import.
• What is sent:
  • OAuth access token (Authorization: Bearer header) when an admin has connected their account; OAuth refresh token during token-refresh calls only.
  • Connected location ID.
  • Plugin settings being saved (chat widget selection, SMTP enable flag and configuration, SEO override fields, white-label URL, AI Pages flags).
  • Funnel/page identifiers and the WordPress post ID they were imported into (during funnel import, refresh, and native-mode warm-up).
  • Custom-value field keys for the connected location during the admin “sync custom values” action.
  • Cache-purge target identifiers ({locationId}, {wpId}) inside the URL path when CDN purge fires; no request body is sent for cache-purge calls.
  • Chat-widget service URL configuration is exposed to the widget loader through script data-* attributes when the chat widget is enabled.
  • Optional funnel tracking-code download URL when LeadConnector supplies a download URL on this host during import / publish.
• When sent (admin-triggered server-side requests only):
  • OAuth connect / disconnect flow (admin clicks “Connect to LeadConnector” or “Disconnect”).
  • OAuth token refresh (background WP-Cron task leadconnector_oauth_token_refresh_cron, fired only when a connected access token is approaching expiry).
  • Settings save on the LeadConnector admin screen.
  • Funnel browse, import, and refresh actions (admin clicks “Import” / “Refresh” inside the LeadConnector funnels UI).
  • Custom-value listing and sync action.
  • SMTP enable / disable / test send actions.
  • Reviews widget admin browsing.
  • Admin REST proxy requests that target an allowlisted full URL on this host.
  • CDN cache purge (see below for triggers).
• CDN cache-purge triggers (only when CDN_WP_ID or CDN_SITE_ID is defined in wp-config.php and an active OAuth session exists). The plugin sends an authenticated empty-body POST to services.leadconnectorhq.com/wordpress/lc-plugin/site/{locationId}/{wpId}/clear-cache on:
  1. A connected WordPress administrator clicking “Purge everything on all domains” in the admin bar.
  2. The LeadConnector settings page being saved.
  3. A public post (any post type registered with public => true, including standard post, page, WooCommerce products, and third-party CPTs) being published or updated via WordPress’s save_post hook. Auto-saves, revisions, and non-public post types are skipped.
• Custom-value placeholder fallback (a single front-end-render code path): when a {{custom_values.…}} placeholder is referenced on a public page and the local transient cache is cold for that key, the public renderer falls back to an authenticated read from services.leadconnectorhq.com using the admin-issued OAuth bearer that the site has stored. The fallback is a read-only lookup; no visitor data is forwarded.
• Visitor browser trigger: when the chat widget is enabled, the browser loads widgets.leadconnectorhq.com/loader.js with data-server-u-r-l and data-marketplace-u-r-l values pointing at services.leadconnectorhq.com; the widget may contact those service endpoints directly. Browser requests include the selected widget configuration plus normal browser metadata (IP address, User-Agent, Referer, language headers, and any cookies the host previously set).
• What is not sent by PHP server-to-server calls: WordPress administrator credentials, password hashes, WordPress secret keys/salts, WordPress authentication cookies, other plugins’ data, visitor IP, visitor User-Agent, or visitor referrer. Chat-widget browser requests are initiated by the visitor’s browser and carry normal browser metadata as described above.
• Service: provided by LeadConnector LLC.
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

rest.leadconnectorhq.com (admin / server-to-server)

• What it is: LeadConnector’s REST API. Used by legacy admin flows that have not yet migrated to services.leadconnectorhq.com and as one allowlisted host for optional funnel tracking-code downloads supplied by LeadConnector during import.
• What is sent: the LeadConnector API key (when API-key auth is configured instead of OAuth), location ID, page/funnel IDs, custom-value keys, and request parameters required by the admin action. For optional tracking-code downloads, WordPress sends a server-side GET to the LeadConnector-supplied download URL.
• When sent: admin-triggered actions only – account validation against the REST API, certain custom-value reads, certain legacy data pulls, admin REST proxy requests that target an allowlisted full URL on this host, and funnel import / publish when the supplied tracking download URL points to this host. The plugin never calls this host from the public render path.
• What is not sent: WordPress admin credentials, WordPress secrets, WordPress auth cookies, visitor data.
• Service: provided by LeadConnector LLC.
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

api.leadconnectorhq.com (front-end browser **and** admin server-to-server)

• What it is: LeadConnector’s public widget and asset host. It serves browser-loaded JavaScript / iframes for embeds, allowlisted admin REST proxy targets, and optional funnel tracking-code downloads supplied by LeadConnector during import.
• Front-end browser triggers (visitor’s browser contacts the host directly):
  • [leadconnector_phone_number_pool id="…"] shortcode loads https://api.leadconnectorhq.com/loc/{locationId}/pool/{poolId}/number_pool.js and https://api.leadconnectorhq.com/js/user_session.js.
  • [leadconnector_form id="…"] shortcode renders an iframe pointing at https://api.leadconnectorhq.com/widget/form/{formId}.
  • [leadconnector_survey id="…"] shortcode renders an iframe pointing at https://api.leadconnectorhq.com/widget/survey/{surveyId}.
  • [leadconnector_quiz id="…"] shortcode renders an iframe pointing at https://api.leadconnectorhq.com/widget/quiz/{quizId}.
  • [leadconnector_calendar slug="…"] shortcode renders an iframe pointing at https://api.leadconnectorhq.com/widget/booking/{slug}.
  • The shortcodes also enqueue https://link.msgsndr.com/js/form_embed.js (see the link.msgsndr.com block below) which is what allows the iframes to resize.
• Data the visitor’s browser sends to api.leadconnectorhq.com when those embeds load: the configured identifier in the URL (location/pool/form/survey/quiz/calendar slug), plus whatever the visitor’s browser includes automatically (IP address, User-Agent, Referer, language headers, and any cookies the host previously set in this browser). Anything the visitor subsequently types into an embedded LeadConnector form, survey, quiz, calendar booking, or chat is submitted directly from the visitor’s browser to LeadConnector’s services and is governed by the LeadConnector privacy policy.
• Funnel display trigger: if a published funnel step is configured to redirect to an api.leadconnectorhq.com URL, the visitor’s browser is redirected there. In native mode, the funnel HTML is fetched from app.leadconnectorhq.com, but scripts or stylesheets inside that upstream HTML may reference api.leadconnectorhq.com; those assets are re-emitted only when they pass the native-mode allowlists documented below.
• Admin server-to-server triggers:
  • Certain admin REST data pulls (calendar lists, reviews widget metadata, related lookups) target api.leadconnectorhq.com with the OAuth bearer.
  • The admin REST proxy accepts direct_endpoint=true only for an allowlisted LeadConnector URL. If an administrator action requests an allowlisted full URL on api.leadconnectorhq.com, WordPress performs a server-side GET to that URL.
  • During funnel import / publish, WordPress may fetch a LeadConnector-supplied tracking-code download URL on this host.
• What is not sent by the plugin itself: WordPress admin credentials, WordPress secrets, WordPress auth cookies, other plugins’ data. The plugin does not proxy visitor input through PHP; it embeds the iframes/scripts directly.
• Service: provided by LeadConnector LLC.
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

backend.leadconnectorhq.com (admin / server-to-server)

• What it is: LeadConnector’s marketplace backend.
• What is sent: OAuth bearer, location ID, marketplace identifiers, page IDs, template IDs, and funnel-step identifiers required to retrieve page metadata during import.
• When sent: admin-triggered marketplace and funnel-template browsing, import, sync, and publish actions inside the LeadConnector admin UI, plus admin REST proxy requests that target an allowlisted full URL on this host.
• What is not sent: visitor data, WordPress secrets, WordPress auth cookies.
• Service: provided by LeadConnector LLC.
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

app.leadconnectorhq.com (admin **and** front-end)

• What it is: LeadConnector’s customer-facing application host. The funnel HTML that gets rendered as a WordPress page lives here.
• Admin triggers: the funnel import / refresh flow performs an authenticated wp_remote_get() against https://app.leadconnectorhq.com/{path} to fetch the funnel step HTML so it can be stored in WordPress. The OAuth bearer is sent; the visitor never sees this request. The admin UI may also open connected LeadConnector app screens in the administrator’s browser, and the admin REST proxy may request an allowlisted full URL on this host.
• Optional server-side tracking download: during funnel import / publish, WordPress may fetch a LeadConnector-supplied tracking-code download URL on this host.
• Front-end triggers depend on the funnel page’s configured display mode (set per funnel post):
  • iframe mode – The visitor’s browser loads https://app.leadconnectorhq.com/{funnelStepPath} inside an <iframe>. The visitor’s browser sends its IP, User-Agent, Referer, and any cookies LeadConnector has previously set. Visitor interactions with the funnel happen on LeadConnector.
  • native mode – WordPress fetches the funnel HTML server-side via wp_remote_get() and re-emits it inside the current document. The visitor’s browser then loads any LeadConnector-owned sub-resources (scripts, stylesheets, images, fonts) that the funnel HTML references; those sub-resource loads carry the visitor’s IP, User-Agent, and Referer to whichever LeadConnector host they target.
  • redirect mode – The visitor is 301-redirected to a https://app.leadconnectorhq.com/{funnelStepPath} URL (or to an admin-configured white-label host). All subsequent traffic happens entirely on the LeadConnector side; WordPress is no longer in the path.
• What is not sent: WordPress secrets, WordPress auth cookies, other plugins’ data. The native-mode fetch does not include any visitor identifier.
• Service: provided by LeadConnector LLC.
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

widgets.leadconnectorhq.com (front-end browser)

• What it is: LeadConnector’s chat-widget CDN. Hosts the loader script that bootstraps the LeadConnector chat widget plus all its sub-resources (sub-loaders, fonts, images).
• Front-end trigger: every public-facing page render when the chat widget feature is enabled and a chat widget has been selected in the plugin settings. The plugin enqueues https://widgets.leadconnectorhq.com/loader.js with data-widget-id, data-resources-url, data-server-u-r-l, and data-marketplace-u-r-l attributes carrying the selected widget ID and the configured LeadConnector service URLs. The loader script then requests further assets from the same host and may contact the configured services.leadconnectorhq.com/forms service endpoint.
• Data the visitor’s browser sends: standard browser identifiers (IP, User-Agent, Referer, language), the selected widget ID via the script attribute, plus any cookies LeadConnector has previously set in this browser. Chat messages the visitor sends are transmitted from the visitor’s browser to LeadConnector’s services and are governed by the LeadConnector privacy policy.
• What is not sent by the plugin: WordPress credentials, WordPress secrets, WordPress auth cookies, content of WordPress posts, or visitor data not already embedded in the browser request.
• Service: provided by LeadConnector LLC.
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

marketplace.leadconnectorhq.com (administrator browser)

• What it is: LeadConnector marketplace and OAuth authorization host.
• What is sent: OAuth authorization parameters such as the public client ID, redirect / callback URL, requested scopes, and state value when an administrator starts the connection flow. LeadConnector marketplace session cookies may be handled directly by LeadConnector in the administrator’s browser.
• When sent: when an administrator starts or completes the LeadConnector account connection flow or opens marketplace/account-management screens from wp-admin. Anonymous front-end visitors do not contact this host through the plugin.
• What is not sent by the plugin: visitor data, WordPress secrets, WordPress auth cookies, WordPress administrator passwords.
• Service: provided by LeadConnector LLC.
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

link.msgsndr.com (front-end browser)

• What it is: LeadConnector’s messaging short-link and form-embed support host (msgsndr is a LeadConnector-operated brand). Hosts form_embed.js, the shared bootstrap script that the form, survey, quiz, and calendar iframes need in order to resize themselves inside the host page.
• Front-end trigger: any public page that renders a [leadconnector_form], [leadconnector_survey], [leadconnector_quiz], or [leadconnector_calendar] shortcode (or one of their [lc_*] aliases). The plugin enqueues https://link.msgsndr.com/js/form_embed.js.
• Data the visitor’s browser sends: standard browser identifiers (IP, User-Agent, Referer, language). The plugin itself does not forward any PII to this host; the loader’s job is in-page resizing.
• When a visitor clicks a link.msgsndr.com short-link inside LeadConnector-authored content, the browser navigates directly to LeadConnector; the plugin does not proxy or augment those clicks.
• Service: provided by LeadConnector LLC (msgsndr brand).
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

reputationhub.site (front-end browser)

• What it is: LeadConnector’s reviews / reputation widget host (reputationhub is a LeadConnector-operated brand). Hosts the review-widget loader script and the widget iframe URL.
• Front-end trigger: any public page that renders a [leadconnector_reviews_widget id="…"] shortcode (or its [lc_reviews_widget] alias) when both a location ID and a widget ID are configured. The plugin enqueues https://reputationhub.site/reputation/assets/review-widget.js and emits an <iframe> pointing at https://reputationhub.site/reputation/widgets/review_widget/{locationId}?widgetId={widgetId}.
• Data the visitor’s browser sends: standard browser identifiers (IP, User-Agent, Referer, language), plus the location ID and widget ID in the iframe URL.
• What is not sent by the plugin: WordPress credentials, WordPress secrets, WordPress auth cookies, visitor PII not already embedded in the browser request.
• Service: provided by LeadConnector LLC (reputationhub brand).
• Service terms: https://www.leadconnectorhq.com/terms2
• Privacy policy: https://www.leadconnectorhq.com/privacy-policy

Summary: when the plugin reaches out

• Admin server-to-server (PHP wp_remote_*()): OAuth connect/disconnect/refresh, settings save, funnel import/refresh, custom-value sync, SMTP setup, reviews/calendars/forms/quizzes/surveys listing, admin REST proxy requests, funnel tracking-code downloads, marketplace backend metadata pulls, CDN cache purge (when CDN integration is configured) on admin-bar click, settings save, and save_post for public post types. Hosts touched: services.leadconnectorhq.com, rest.leadconnectorhq.com, api.leadconnectorhq.com, backend.leadconnectorhq.com, app.leadconnectorhq.com.
• Administrator browser: OAuth connection and account / marketplace screens. Host touched: marketplace.leadconnectorhq.com.
• Front-end browser (enqueued <script> and rendered <iframe>): chat widget, phone number pool, form/survey/quiz/calendar embeds, reviews widget, funnel iframe / redirect / native sub-resources. Hosts touched: widgets.leadconnectorhq.com, services.leadconnectorhq.com, api.leadconnectorhq.com, link.msgsndr.com, reputationhub.site, app.leadconnectorhq.com.
• Front-end PHP fallback (rare): an authenticated read from services.leadconnectorhq.com if a {{custom_values.…}} placeholder is referenced on a public page and the local transient cache is cold for that key. The fallback uses the admin-issued OAuth bearer; no visitor data is forwarded.
• Never: the plugin does not transmit WordPress administrator credentials, WordPress secret keys/salts, WordPress authentication cookies (LOGGED_IN_COOKIE, SECURE_AUTH_COOKIE, AUTH_COOKIE), other plugins’ data, or any visitor data not already embedded in the visitor’s own outbound browser request, to any of the hosts listed above.

Native funnel rendering — trust boundary

LeadConnector funnel posts have two display modes that are configured per-funnel inside the funnel editor:

• iframe — the funnel HTML is embedded inside an <iframe src="…leadconnectorhq.com…"> on the WordPress page. The browser treats the funnel as a separate origin: its scripts, cookies, storage, and DOM are isolated from the WordPress site and from every other plugin/theme on the site. This is the safest display mode and is the default for the majority of funnels.
• native — the funnel HTML is fetched server-side via wp_remote_get() against an allowlisted LeadConnector host, parsed, sanitized via wp_kses() against a strict allowlist, and emitted inline on the WordPress page. Any <script> and <style> blocks extracted from the upstream HTML are re-emitted via the WordPress script/style APIs (wp_print_inline_script_tag(), wp_add_inline_style()) so the funnel’s CSS selectors and JavaScript run intact. This mode exists for one explicit reason: funnels that take payments (Stripe, PayPal, Apple Pay) and other in-page integrations refuse to run inside an <iframe> for PCI / 3D Secure reasons, so the funnel content must be rendered on the WordPress origin for the checkout to complete.

When a funnel is displayed in native mode, vendor-authored LeadConnector CSS and JavaScript loads and executes on your WordPress origin. This is a deliberate trust extension from the WordPress site to LeadConnector, comparable to embedding Stripe.js or Google Tag Manager directly. To make that boundary explicit and auditable, the plugin applies the following layered controls (since 3.0.32):

1. Admin opt-in toggle (default: enabled). Native rendering is gated on a single site-wide option (leadconnector_native_mode_allowed). When it is OFF, every funnel post with display_method = native is silently downgraded to the iframe display path so no remote LeadConnector JavaScript runs on the WP origin. Site owners who do not run payment funnels (or who want a stricter security posture) can switch the toggle off. Administrators see a persistent admin notice describing the current state.
2. Per-host <script src> allowlist. Any <script src> URL extracted from the upstream funnel HTML is validated against a host allowlist before it is enqueued. Entries may be exact hostnames (applepay.cdn-apple.com, connect.facebook.net) or subdomain wildcards (*.foo.com matches any direct or nested subdomain of foo.com but never the apex). The default allowlist covers (a) *.leadconnectorhq.com and the apex leadconnectorhq.com — this includes app, services, rest, api, backend, widgets, marketplace, stcdn (LC static CDN that hosts the funnel runtime bundles, intl-tel-input, libphonenumber-js), and images (LC’s funnel image proxy), (b) LeadConnector-operated sibling brands (*.msgsndr.com, msgsndr.com, *.reputationhub.site, reputationhub.site), (c) LC’s media-storage CDN (*.filesafe.space), (d) the Google-hosted CDNs LC funnels commonly load static assets and fonts from (*.googleapis.com, *.gstatic.com), (e) Bunny Fonts — LC’s default privacy-focused font CDN (*.bunny.net), (f) the payment-processor JS that funnel checkouts integrate with (*.stripe.com, *.stripe.network, *.paypal.com, *.paypalobjects.com, applepay.cdn-apple.com), and (g) the tag managers / analytics that funnels commonly embed (*.googletagmanager.com, *.google-analytics.com, connect.facebook.net, *.facebook.net). Off-allowlist <script src> URLs are dropped entirely; the surrounding markup is still rendered. Sites that need to register additional payment-processor or analytics hosts can use the leadconnector_funnel_allowed_script_hosts filter (which accepts both exact hosts and *.host.tld wildcard entries).
3. Content-Security-Policy <meta> tag. Every native-mode funnel page emits a <meta http-equiv="Content-Security-Policy" …> tag inside <head> so that browsers enforce a strict policy on subsequent fetches. The default policy:
   • Pins default-src to 'self'.
   • Limits script-src to the same wildcard host allowlist described in (2) — <script src> URLs outside the allowlist are blocked at the browser layer in addition to being stripped at the server layer.
   • Uses style-src 'self' 'unsafe-inline' https:, img-src 'self' data: blob: https:, font-src 'self' data: https:, and media-src 'self' data: blob: https:. Stylesheets, images, fonts, and media have effectively no JS-execution surface in modern browsers, and funnels routinely pull these from a long tail of vendor-chosen CDNs (Bunny Fonts, Google Fonts, the merchant’s own CDN, payment-processor checkouts, embedded video preview hosts, etc.). The dangerous CSS payloads (expression(…), behavior:, -moz-binding, javascript: URIs in url()) are already neutralized by sanitize_extracted_inline_css() before any remote CSS is enqueued, so this directive is defense-in-depth rather than the primary control.
   • Scopes connect-src and form-action to the same wildcard host allowlist plus https: to allow legitimate vendor telemetry / form endpoints while still blocking data: / blob: / http: exfil.
   • Scopes frame-src to the canonical funnel-embed providers (*.leadconnectorhq.com, *.msgsndr.com, Stripe Elements, PayPal Smart Buttons, YouTube, YouTube no-cookie, Vimeo, Google).
   • Forbids <object> / Flash / legacy plugins outright (object-src 'none').
   • Refuses to be framed off-origin (frame-ancestors 'self') — clickjacking guard.
   • Pins base-uri 'self' so a future malicious <base href> can’t rewrite every relative URL on the document to an attacker-controlled host.
   • Sites can extend or replace the directive map with the leadconnector_native_mode_csp_directives filter; returning an empty array disables CSP emission for the request.
4. Inline CSS allowlist sanitization (3.0.32). Inline <style> content extracted from the upstream funnel HTML is passed through LeadConnector_Admin::sanitize_extracted_inline_css() before reaching wp_add_inline_style(). The sanitizer strips embedded HTML tag fragments (</style>, <script>, <iframe>, …), legacy CSS XSS vectors (expression( … ), -moz-binding, IE behavior:), and dangerous URI schemes (javascript:, vbscript:, livescript:, mocha:, jar:, file:, phar:). data: URIs are restricted to image/*, font/*, and application/font-* MIME types. @import rules are dropped entirely (external stylesheets continue through the <link rel=stylesheet> branch with esc_url() and an explicit http/https protocol allowlist).
5. No WordPress secret cross-over. Native rendering never reads LOGGED_IN_KEY, LOGGED_IN_SALT, LOGGED_IN_COOKIE, SECURE_AUTH_COOKIE, or AUTH_COOKIE. The deferred custom-values write that used to forward those cookies through a plugin-generated loopback request was removed in 3.0.32 and replaced with a wp_schedule_single_event() cron handler.

If you do not run funnels that need payment processors or other in-page integrations, the safest configuration is: flip the “Allow native funnel rendering” toggle off in LeadConnector settings. Every native funnel will then be served via the iframe path, and the WordPress origin will not execute any remote LeadConnector JavaScript.

OAuth client ID

The plugin ships with a public OAuth client ID constant (LEAD_CONNECTOR_OAUTH_CLIENT_ID) used only to start the LeadConnector authorization flow. It is not a secret. Sites may override it in wp-config.php:

define( 'LEAD_CONNECTOR_OAUTH_CLIENT_ID', 'your-client-id' );

Source Code

The WordPress.org distribution includes compiled JavaScript for the LeadConnector admin UI (admin/app.js, admin/chunk-vendors.js). Human-readable source, build instructions, and version history live in the public repository:

https://github.com/LeadConnectorHQ/leadconnector-fe

Debug Logging

Debug logging is off by default. Enable it for support sessions only:

• define( 'LEADCONNECTOR_DEBUG', true ); in wp-config.php, or
• Enable WordPress core WP_DEBUG + WP_DEBUG_LOG.

When logging is enabled the plugin writes daily files to:

• WP_CONTENT_DIR/leadconnector-logs/leadconnector-YYYY-MM-DD.log (default)
• Override with define( 'LEADCONNECTOR_LOG_DIR', '/path/outside/webroot/leadconnector-logs' );

OAuth tokens, refresh tokens, API keys, SMTP passwords, the OAuth code query parameter, and Authorization: headers are redacted by the logger before lines are written. Context payloads larger than 2 KB are truncated. The directory is created with an index.php stub and (under Apache) a .htaccess “Deny from all” file.

Under nginx or Caddy the generated .htaccess is ignored. Add the following snippet to your server block (adjust paths to match your install):

location ^~ /wp-content/leadconnector-logs/ {
    deny all;
    return 403;
}

For Caddy:

@leadconnectorLogs path /wp-content/leadconnector-logs/*
respond @leadconnectorLogs 403

For Apache 2.4+ where the .htaccess has been allowed, the bundled directive uses the modern Require all denied directive automatically.

Uninstalling

By default, uninstalling the plugin leaves your stored settings, funnel pages, and custom values in the database. To remove all plugin data on uninstall, set one of the following before deleting the plugin:

• update_option( 'leadconnector_delete_data_on_uninstall', true );
• define( 'LEADCONNECTOR_DELETE_DATA_ON_UNINSTALL', true ); in wp-config.php
• Enable delete_data_on_uninstall in the main plugin options array

What data may be stored or exchanged?

LeadConnector connects WordPress with your LeadConnector account. Depending on enabled features, the plugin may store connection details, selected widget IDs, location IDs, OAuth tokens, funnel settings, and embed configuration.

When connected features are used, relevant account, location, site, funnel, widget, form, calendar, survey, quiz, review, phone, custom value, and email configuration data may be exchanged with LeadConnector services. Visitor interactions with embedded widgets are handled by LeadConnector services.