Easy Server Side Tracking
| 开发者 |
jachtdigital2026
easyserversidetracking |
|---|---|
| 更新时间 | 2026年6月30日 18:12 |
| PHP版本: | 7.2 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Easy Server Side Tracking adds server-side tracking to WordPress and WooCommerce. Events are sent from the browser to a managed ingestion endpoint hosted on Cloudflare (
collect.easyserversidetracking.com), which normalizes, deduplicates, and forwards them to Google Analytics 4 using the Measurement Protocol. Because requests go to a first-party-style endpoint rather than directly to Google, common content blockers no longer drop your analytics traffic.
The plugin auto-provisions a free-tier account on activation — no license key is required to start using it, and the free tier is fully functional indefinitely. Optionally, you can buy a license on the management service to raise this site's server-side limits (higher monthly event volume and longer dashboard retention). Those limits are applied and enforced entirely on the service; the plugin itself never locks, disables, or restricts any built-in feature.
Features
- WooCommerce ecommerce tracking out of the box (purchase, add_to_cart, view_item, begin_checkout, etc.)
- Click, scroll, engagement and form-submission events
- Per-event bot filtering, consent state, and GA4 forwarding handled by the managed worker
- Admin Connection panel with site_id, plan name, and re-provision button
- Free tier: 10,000 events/month at the time of writing. All limits are set and enforced by the management service, never by the plugin.
- The plugin enqueues a small JavaScript tracker on every page.
- The tracker collects event details (event name, page URL, referrer, consent state, anonymized client/session IDs) in the visitor's browser.
- Events are posted to
https://collect.easyserversidetracking.com/over HTTPS with a short-lived HMAC token. - The managed worker validates the request, optionally proxies the event to GA4's Measurement Protocol (
google-analytics.com/g/collector/mp/collect), and stores a copy for the dashboard. - Your monthly usage, plan, and limits live on
dashboard.easyserversidetracking.com, where you log in to view them and upgrade. The plugin does not track event counts or limits locally.
安装:
- Upload the plugin folder to
/wp-content/plugins/(or install via Plugins → Add New → Upload Plugin). - Activate the plugin through the Plugins menu in WordPress. On activation the plugin auto-provisions a free account against the management server and stores a site ID locally.
- Visit Easy SST → Connection in the admin menu to view the site ID, plan name, and the re-provision button.
- (Optional) To raise this site's limits, upgrade your plan on the dashboard at https://dashboard.easyserversidetracking.com/ — no license key is entered in WordPress; the change applies to your provisioned site automatically.
常见问题:
How do I set up and connect my site?
- Install and activate the plugin.
- Go to Easy SST → Connection and click Create free account. This sends your site URL and admin email to easyserversidetracking.com and provisions your site (you'll see a Site ID appear on the Connection page). Tracking begins on the free tier.
- Your site is automatically linked to the dashboard account whose email matches the WordPress admin email used at step 2. So if you sign in to https://dashboard.easyserversidetracking.com/ with that same email, your site already appears under your account — nothing else to do.
- If your dashboard account uses a different email, link the site manually: on the dashboard go to Account → Websites → Add site, paste the Site ID shown on the plugin's Connection page, and click Add site. The Site ID is what proves the site is yours.
How do I upgrade, or change a site's plan?
Plans are managed entirely on the dashboard — you never enter a license key in WordPress. Buy or change a plan at https://dashboard.easyserversidetracking.com/, then on Account → Websites use the Plan dropdown next to a site to assign it the plan (or switch it back to the Default free plan). The new monthly limit is applied to the tracking service automatically; no change is needed in WordPress.
Do I need an account?
No account is required to use the plugin's free tier. The plugin auto-provisions a free site on activation. You can optionally create a paid account at https://dashboard.easyserversidetracking.com/ for higher limits and additional features.
Does this replace gtag.js?
It can run alongside gtag.js (hybrid mode), or you can rely entirely on the server-side path. The script is loaded from googletagmanager.com only when hybrid mode is enabled in the Settings screen.
What data is sent to the managed worker?
Each event includes: event name, page URL, page title, referrer, anonymized client ID and session ID, consent state, and event-specific parameters (e.g. WooCommerce order IDs, scroll percentages, click targets). The visitor's IP address is processed by the worker for geo-resolution and rate limiting but is not stored long-term. No personally identifiable information (name, email, address) is sent unless you explicitly configure user-data fields.
Where can I see my events?
After activation the License page shows your site_id and a link to the management dashboard, where you can view your live event log, monthly usage, and configure plan options.
Can I uninstall cleanly?
Yes. Deactivating the plugin stops event collection. The plugin's options can be deleted via the standard WordPress plugin uninstall flow.
更新日志:
5.2.1
- COMPLIANCE: Neutralised the worker quota notice. When the managed service pauses a site (after it reaches its plan's monthly event volume), the admin notice now states the service paused tracking and links to the dashboard — the "monthly limit reached / Upgrade your plan" wording and the pricing link were removed. The plugin itself locks no features; all tracking is free and fully functional, and the volume is enforced by the external service, not the plugin.
- DOCS: Added setup/connection and plan-change FAQ entries to the readme.
- COMPLIANCE (WordPress.org Guideline 5 — Trialware): Removed the entire client-side license subsystem. Deleted the license manager and tamper-detection guard, removed the in-WordPress license-key field, and removed all local tracking and caching of event counts and plan limits. The plugin is free and fully functional with no license key.
- Plans, usage, limits, and upgrades are now managed entirely on the dashboard (easyserversidetracking.com). Limits are applied and enforced server-side by the managed worker; the plugin only provisions the site and sends events. The admin "License" screen is now a "Connection" screen that links to the dashboard.
- Cleanup: all obsolete license, event-count, plan-limit, permission, and tamper-hash options are removed on upgrade.
- COMPLIANCE FIX: Two
wp_headoutputs (the googletagmanager preconnect hint and the early gtag consent script) were still gated on the provisioning id alone, so they could fire on grandfathered or consent-withdrawn sites. Both now require explicit consent AND provisioning, matching the tracker. - HARDENING: The page-token REST endpoint now refuses to mint a worker token without consent (defense-in-depth, mirroring the /g/collect proxy).
- RELIABILITY: The browser's collect URL is now normalized to a single /collect path before use, so a stored value without that suffix can't send events to the wrong endpoint. The token-refresh request no longer builds a double-slash URL.
- NOISE: The "Not provisioned" frontend message is now debug-gated instead of warning on every event.
- HOTFIX: The 5.1.4 consent gate replaced the provisioning check on the frontend tracker and the periodic license refresh instead of adding to it. On sites that had a consent record but were not provisioned, the tracker loaded and then dropped every event as "Not provisioned". Both paths now correctly require BOTH explicit consent AND a provisioning id before loading or phoning home.
- MAINTENANCE: Internal refactor (no change to behavior). Centralized all outbound service calls behind a single HTTP helper, extracted the consent logic (site-owner opt-in gate + visitor gcs→consent mapping) into a dedicated, unit-tested class, and split the admin notices into their own class.
- TESTS: Fixed the native unit-test bootstrap (it never defined
WPINC, which silently aborted the suite) and added coverage for the consent mapping.
- PRIVACY/COMPLIANCE: Explicit opt-in consent is now the single gate for ALL connections to the service and ALL tracking. Until the site administrator gives consent, the plugin does not contact the service, does not run the periodic license/usage refresh, does not load any tracking script, and rejects the
/g/collectproxy. The mere presence of a provisioning id (esst_site_id, which can survive an upgrade) no longer enables anything. Legacy installs with a provisioning id but no consent record now stay OFF and show a notice prompting the admin to review and enable. Withdrawing consent fully stops tracking. - PRIVACY: Server-side event logs forwarded to the worker now carry the visitor's real GA4 consent state (derived from the gtag
gcssignal, defaulting to denied) instead of a hardcoded "granted" value. - SECURITY:
$_GETWooCommerce variation attributes are now unslashed, sanitized (sanitize_key/sanitize_text_field) and validated before being passed to WooCommerce's variation matcher.
- HOTFIX: Resolves a fatal
Class "JachtSST\\Admin\\GA4_Server_Side_Tagging_Admin" not foundon the License page in 5.1.2 — the consent panel referenced the pre-rename class symbol. Fixed to use the real class nameJachtsst_Server_Side_Tagging_Admin.
- PRIVACY/UX: The License page now shows a persistent "Data sharing consent" panel above Re-provision. It lists exactly what is sent and where, with a checkbox that records explicit consent (timestamp + user + the exact disclosure text shown). Grandfathered installs (provisioned by an older version) see this with an unticked box; ticking it records consent retroactively and unlocks the Re-provision button. The Re-provision AJAX now refuses to phone home without a stored or in-request consent record.
- COMPLIANCE: Text domain in source code now matches the actual plugin slug
jacht-easy-server-side-tracking(previously had a stale reference to the slug originally proposed in the wp.org review). - COMPLIANCE: Restored phpcs:ignore comments on the three settings-handler POST reads so Plugin Check no longer reports false-positive sanitization warnings; the sanitizer callbacks do handle JSON-decode and per-field cleanup.
- DOCS:
Tested up to: 7.0.
- FIX: Page/event tokens now sign with the hashed signing key, matching the ingestion endpoint. Resolves
bad_page_token/ HMAC verification failures so events are accepted without re-provisioning.
- Provisioning is now an explicit opt-in; no data is sent until you connect.
- Logs are stored in the uploads directory instead of the plugin folder.
- Stricter input sanitization and unique internal prefixes for WordPress.org compliance.
- FIX: Tracker init no longer throws
TypeError: setupEventCountFlushHandlers is not a function. The orphaned calls (left over from the v5.0.2 client-side limit-enforcement removal) have been deleted, so the tracker reaches the end of its init path again. - UI: License page no longer exposes the management endpoint URL or the
ESST_MGMT_BASE_URLoverride note. Customers shouldn't be altering this endpoint. - Cache-bust: the version bump forces fresh JS to be loaded after the v5.0.3 release that introduced the broken init path.
- SECURITY: Added CSRF nonce verification to the encryption-key regeneration AJAX endpoint.
- PRIVACY: Removed the client-side fallback chain to ipapi.co, ipinfo.io, and json.geoiplookup.io. Geo-resolution is performed server-side by the managed worker from the request IP. No visitor IP is sent to third parties by the plugin.
- COMPLIANCE: Renamed the unprefixed
event_countoption toga4_event_count(with an automatic one-time migration). Sanitized all$_SERVERreads withsanitize_text_field( wp_unslash() ). Removed shipped legacyplugin-v4/source tree and thewp-admin/includes/upgrade.phptest mock. - README: Added
External servicessection documenting every external endpoint the plugin contacts, with terms and privacy links. Tags revised to remove trademarked terms.
- REMOVE: Client-side event-limit enforcement. The admin Settings page no longer hides itself when a cached "limit reached" flag is set. Quota is enforced exclusively server-side — the worker returns
429 quota_exceeded, the management server returnsallowed: falsein report-usage. - FIX: License page shows the paid-plan name and limit immediately after activation — the management server now propagates
plan_idontolm_websitesonlicense/activateandreport-usage.
- FIX: All events now use a single canonical payload format with top-level
client_id,session_id,user_id,consent, andcontext— previously some paths (scroll, click, batched events) sentclient_idnested underparamswhich the central worker rejected with HTTP 400missing_client_id. - FIX: Worker
bad_page_token(401) responses now trigger a token refresh + retry once, so tabs left open across a re-provision auto-heal. - FIX: Re-provisioning rotates the secret in place on the central worker instead of creating a new
cf_site_idevery time — no more orphaned worker sites and no more HMAC mismatches. - FIX: Gtag /g/collect proxy on the WP site also fires a server-side
log_onlyPOST to the central worker so events are counted even when content blockers block the JS bundle on the customer's browser. - FIX: License page correctly shows "Unlimited" for paid unlimited plans (was showing the free-tier 10,000 cap).
- REFACTOR: Removed legacy
sendAjaxPayloadandsendBatchPayload—esstSendEventis the single event-sending path. Worker no longer receives batches; each event is one request. - REFACTOR: Removed all remaining customer-hosted Cloudflare Worker references from the Settings UI.
- MAJOR: Plugin no longer requires a customer-hosted Cloudflare Worker.
- MAJOR: Events post directly to the managed collect endpoint (
collect.easyserversidetracking.com) using a short-lived per-page HMAC token. - MAJOR: Removed Event Monitor / Event Processor / Tracking Logs admin pages. All event analytics now live on the management dashboard.
- NEW: Auto-provisioning on activation — no license key required for the free tier.
- NEW: Status admin page shows
site_id, plan, this-month usage. (Merged into the License page in a later release.) - REMOVED:
ga4_event_queue/ga4_event_logstables (data not migrated). - REMOVED: Custom transmission method setting, CF Worker URL setting, JWT encryption setting, test mode toggle, "disable all IP" setting.
- The client-side session management setting is now always enabled.