Easily embed the Chatwoot live-chat widget on your WordPress site — with optional HMAC-based user identity validation for authenticated support experiences.
- ✅ Embed Chatwoot widget via WP settings
- 🌍 Set language, position, style, launcher text
- 🔐 Secure identity validation with
setUser()andidentifier_hash - 🔑 AES-256 encrypted HMAC token storage
- 🧠 Guest users get unique fallback names (e.g.
Guest a8b14f12) - 🔎 DevTools debugging with
window.ChatwootDebug = true; - 🧪 Built-in tools:
- HMAC Validator
- Key Generator (base64-ready)
- ⚙️ Multi-site compatible
- Clone or download this repo
- Upload to
/wp-content/plugins/chatwoot-secure - Activate in Plugins > Installed Plugins
- Go to Settings > Chatwoot Settings
- Fill in the following:
| Field | Example |
|---|---|
| Website Token | abc123xyz456 |
| Installation URL | https://app.chatwoot.com |
| Web Widget HMAC Token | (paste your token here) |
To verify users in Chatwoot, we pass:
window.$chatwoot.setUser('<identifier>', {
name: 'John Doe',
email: '[email protected]',
identifier_hash: '<server-side-hmac>'
});-
Logged-in users: WP user ID + email/name +
identifier_hash -
Guests: Anonymous UUID + fallback name like
Guest 7c92a9b1
-
The plugin uses
hash_hmac('sha256', $visitor_id, $token) -
The token is encrypted and stored in WP options
-
You inject
identifier_hashonly via PHP — never exposed
Edit wp-config.php and add:
define('CHATWOOT_ENCRYPTION_KEY', 'base64:...');
define('CHATWOOT_ENCRYPTION_IV', 'base64:...');You can generate secure values via:
-
Tools → Generate Chatwoot Key (admin-only page)
-
Or run:
base64_encode(random_bytes(32)); // key
base64_encode(random_bytes(16)); // IVEnable admin test page under: Tools → Test Chatwoot HMAC Also test manually via browser:
window.ChatwootDebug = true;🔍 DevTools Console will show:
🔐 Chatwoot Identity Debug
🆔 Identifier: 42
🔑 HMAC Hash: c0ffee3...
👤 Name: Guest 7c92a9b1And Chatwoot’s API should respond with:
"hmac_verified": trueIn wp-config.php:
define('DISABLE_CHATWOOT_HMAC_TEST', true);
define('DISABLE_CHATWOOT_KEY_GENERATOR', true);Admin Settings
| Frontend | Chatwoot |
|---|---|
| pic1 | pic2 |
chatwoot-secure/
├── chatwoot-plugin.php
├── js/
│ └── chatwoot.js
├── includes/
│ ├── crypto.php
│ ├── identity.php
│ ├── admin-key-generator.php
│ └── admin-hmac-tester.php
├── admin.css
└── readme.txtThis plugin is licensed under the GNU GPL v2 or later.
-
🧠 Original plugin by antpb
-
🔒 HMAC support & crypto by [you / your org]
-
💬 Chatwoot team for the open-source chat platform
-
Support multi-identity context switching
-
REST API hook for external HMAC tools
-
WooCommerce & membership integrations