Description
Trackless measures your site’s traffic — and, on WooCommerce stores, your real revenue and margin — entirely server-side. No cookies, no JavaScript snippet, no consent banner slowing your pages down. You read the reports in your Trackless account dashboard.
How visitors are counted (privacy by design):
- The visitor key is a daily-rotating HMAC-SHA256 hash of IP + User-Agent + day, keyed with a secret salt that exists only on your server. It cannot be reversed and changes every day.
- The raw IP address is never stored and never transmitted — only a keyed hash.
- Global Privacy Control (the
Sec-GPCbrowser signal) is honoured: opted-out visitors are not tracked at all. - No data is written to the visitor’s browser — no cookies, no localStorage, no fingerprinting scripts.
What it measures:
- Visits and sessions with source / medium / campaign and a GA4-style channel group
- Page views and events: product view, category view, search, add to cart, cart, checkout, 404
- Device, browser, OS, country and language (one row per visitor per day)
- With WooCommerce: orders, revenue, refunds, payment and shipping methods, first-order flag, order attribution (WooCommerce 8.5+ Order Attribution), ordered items — including per-unit purchase cost for margin reporting if you store it (
_wc_cog_cost,_alg_wc_cog_cost,_costor thetrackless_wholesale_pricefilter)
Events are collected into a small queue table in your own database and flushed once a day via WP-Cron (or manually with the “Send now” button). The delivery is HMAC-SHA256 signed and idempotent, so retries are safe.
WooCommerce is optional: on a plain WordPress site you get cookieless web analytics; with WooCommerce you also get the e-commerce metrics.
External service: Trackless (please read)
This plugin is a connector for Trackless (https://trackless.cz), a hosted analytics service. It is not a standalone statistics plugin — the reports live in your Trackless account, and the plugin sends data to the service’s ingest endpoint at https://trackless.cz/ingest.
When data is sent: only after you enter your API key and explicitly tick the Data Processing Agreement (DPA) consent checkbox in the plugin settings. Until you do both, the plugin collects and sends nothing.
What is sent (once a day, HMAC-signed):
- Anonymous traffic aggregates: hashed visitor identifiers (keyed HMAC, daily-rotating), hashed IPs, page URLs, referrers, UTM parameters and click IDs, device/browser/OS, country code, language
- With WooCommerce: order data including order ID, totals and refunds (amounts), currency, payment method, shipping method, order status, attribution, and line items with prices and (if configured) per-unit purchase costs
- Site metadata: site name, domain, timezone, currency, order statuses, product categories, carriers, payment gateway names
Terms and pricing: Trackless is a paid service with a 30-day free trial; you need a Trackless account and API key to use this plugin.
- Terms of Service: https://trackless.cz/en/obchodni-podminky
- Data Processing Agreement (DPA): https://trackless.cz/en/zpracovatelska-smlouva
Screenshots
Installation
- Install the plugin from the WordPress.org directory (Plugins Add New search for “Trackless”), or upload the ZIP via Plugins Add New Upload Plugin. Activate it.
- Create a Trackless account at https://trackless.cz (30-day free trial) and copy your API key from Account management.
- Go to Settings Trackless, paste the API key, tick “Enable data collection and sending” and confirm the Data Processing Agreement. Save.
- (Optional) Click “Send now” to deliver the first batch immediately; afterwards data is sent automatically once a day via WP-Cron.
FAQ
-
Does it work without WooCommerce?
-
Yes. On a plain WordPress site you get the full cookieless traffic analytics (visits, sources, pages, devices, countries). WooCommerce only adds the e-commerce part: orders, revenue, margin and product events.
-
The plugin itself stores nothing in the visitor’s browser — no cookies, no localStorage — and only ever processes a keyed, daily-rotating hash instead of raw identifiers. So this plugin does not give you a reason to add a consent banner. (Whether the rest of your site needs one is a separate question, and this is not legal advice.)
-
What about Global Privacy Control and Do Not Track?
-
Global Privacy Control (
Sec-GPC: 1) is honoured: such visitors are not tracked at all. The deprecated Do Not Track signal is intentionally ignored, matching common industry practice. -
Will it slow down my site?
-
No measurable effect. A page view costs one INSERT into a local queue table — there is no JavaScript, no external request during the visit. Everything is sent to Trackless once a day in the background (WP-Cron).
-
Do I need a Trackless account? Is it free?
-
You need an account at https://trackless.cz — the plugin is only a connector to the Trackless service. The service is paid, with a 30-day free trial; see the pricing on the website.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Trackless” is open source software. The following people have contributed to this plugin.
Contributors
“Trackless” has been translated into 1 locale. Thank you to the translators for their contributions.
Translate “Trackless” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.1.5
- Bot/crawler detection now runs server-side in Trackless: the plugin forwards the visitor’s User-Agent and the app decides what is a bot, so the rule is identical across every site and module and is updated centrally without a plugin release. The local bot User-Agent list and the central bot-pattern sync have been removed.
- Excluded IP addresses are now configured only in Trackless (Můj účet). The local excluded-IP field has been removed; the plugin applies the centrally managed list it receives via the ingest response (single addresses and CIDR ranges, IPv4 and IPv6). The IP match still runs on your server, because that is the only place the real visitor IP is seen — Trackless itself only ever receives a salted, irreversible hash.
1.1.4
- Bot/crawler filter is now managed centrally in your Trackless account: the User-Agent list you keep there is applied automatically by the plugin (taking precedence over the local default). One place to maintain it across all your sites; your local list is kept as a fallback.
1.1.3
- Excluded IP addresses now also accept CIDR ranges (IPv4 and IPv6), not just single addresses.
- IP addresses you exclude centrally in your Trackless account are now applied by the plugin automatically, alongside your local list. Your local list is kept.
1.1.2
- Expanded the default bot User-Agent filter to match the PrestaShop module: SEO crawlers, monitoring/uptime services, headless browsers and common HTTP libraries are now filtered out by default, for cleaner human-only stats. Any custom list you saved is kept.
1.1.1
- New setting: Excluded domains (self-referral) — return visits from payment gateways keep their original source. Pre-filled with common gateways.
- New setting: Filtered robots (User-Agent) — the bot filter is now editable.
- Clearer wording of the developer-only multi-currency note.
1.1.0
- Internationalization: all user-facing strings are translatable (text domain
trackless), English source strings, bundled Czech and Slovak (cs_CZ, sk_SK) translations. - readme rewritten for the WordPress.org plugin directory, including the external-service disclosure.
- Hardening pass: stricter capability checks (
manage_optionson save and send), escaping of all admin output, sanitization of all inputs, fuller uninstall cleanup (salt, transients, cron).
1.0.1
- Visitor fingerprint and IP hash switched to keyed HMAC-SHA256; the order
ip_hashnow uses the identical construction as the tracker (cross-day attribution join). - Fix: corrupt queue rows are deleted on fetch instead of being re-scanned forever.
- Fix:
trackless_conversion_ratefilter values NAN/INF are clamped to 1. - Fix: X/Twitter is matched exactly (x, x.com, t.co) — sources merely containing the letter “x” are no longer classified as social.
- Fix: plain HTTP clients (curl, wget, python-requests) are treated as bots and not tracked.
- Fix: 3-letter geo header country codes (e.g. AUT) are skipped instead of being cut to a different country’s 2-letter code.
1.0.0
- Initial release: cookieless server-side traffic analytics; with WooCommerce also orders, revenue and margin.