Title: Easy Server Side Tracking Author: jachtdigital2026 Published: June 29, 2026 Last modified: June 29, 2026 --- Search plugins ![](https://ps.w.org/jacht-easy-server-side-tracking/assets/banner-772x250.png?rev =3589709) ![](https://ps.w.org/jacht-easy-server-side-tracking/assets/icon-256x256.png?rev =3589709) # Easy Server Side Tracking By [jachtdigital2026](https://profiles.wordpress.org/jachtdigital2026/) [Download](https://downloads.wordpress.org/plugin/jacht-easy-server-side-tracking.5.2.1.zip) * [Details](https://wordpress.org/plugins/jacht-easy-server-side-tracking/#description) * [Reviews](https://wordpress.org/plugins/jacht-easy-server-side-tracking/#reviews) * [Installation](https://wordpress.org/plugins/jacht-easy-server-side-tracking/#installation) * [Development](https://wordpress.org/plugins/jacht-easy-server-side-tracking/#developers) [Support](https://wordpress.org/support/plugin/jacht-easy-server-side-tracking/) ## Description Easy Server Side Tracking adds server-side tracking to WordPress and WooCommerce. Events are sent from the browser to a managed ingestion endpoint hosted on Cloudflare(` collect.easyserversidetracking.com`), which normalizes, deduplicates, and forwards them to Google Analytics 4 using the Measurement Protocol. Because requests go to a first-party-style endpoint rather than directly to Google, common content blockers no longer drop your analytics traffic. The plugin auto-provisions a free-tier account on activation — **no license key is required to start using it**, and the free tier is fully functional indefinitely. Optionally, you can buy a license on the management service to raise this site’s server-side limits (higher monthly event volume and longer dashboard retention). Those limits are applied and enforced entirely on the service; the plugin itself never locks, disables, or restricts any built-in feature. **Features** * WooCommerce ecommerce tracking out of the box (purchase, add_to_cart, view_item, begin_checkout, etc.) * Click, scroll, engagement and form-submission events * Per-event bot filtering, consent state, and GA4 forwarding handled by the managed worker * Admin Connection panel with site_id, plan name, and re-provision button * Free tier: 10,000 events/month at the time of writing. All limits are set and enforced by the management service, never by the plugin. **How it works (data flow)** 1. The plugin enqueues a small JavaScript tracker on every page. 2. The tracker collects event details (event name, page URL, referrer, consent state, anonymized client/session IDs) in the visitor’s browser. 3. Events are posted to `https://collect.easyserversidetracking.com/` over HTTPS with a short-lived HMAC token. 4. The managed worker validates the request, optionally proxies the event to GA4’s Measurement Protocol (`google-analytics.com/g/collect` or `/mp/collect`), and stores a copy for the dashboard. 5. Your monthly usage, plan, and limits live on `dashboard.easyserversidetracking. com`, where you log in to view them and upgrade. The plugin does not track event counts or limits locally. ### External services This plugin connects to the following external services. Each is necessary for the functionality described and is only contacted as documented below. #### collect.easyserversidetracking.com (managed ingestion worker) * **Provider:** Easy Server Side Tracking (operated by Jacht.Digital Marketing). * **What it does:** Receives event posts from the in-browser tracker, normalizes and deduplicates them, applies bot filtering and consent rules, then forwards to Google Analytics 4 and stores a copy for the dashboard. * **What is sent:** Each event payload — event name, page URL, page title, referrer, anonymized client/session IDs, consent state, event-specific parameters, and the visitor IP (used for geo-resolution and rate limiting; not stored long-term). * **When:** Every time a tracked event fires in the visitor’s browser. * **Required:** Yes — the plugin’s core function is to send events here. * **Terms of service:** https://dashboard.easyserversidetracking.com/terms * **Privacy policy:** https://dashboard.easyserversidetracking.com/privacy-policy/ #### dashboard.easyserversidetracking.com (management & provisioning server) * **Provider:** Easy Server Side Tracking (operated by Jacht.Digital Marketing). * **What it does:** Provisions a site ID and signing secret for this site so the ingestion worker will accept its events. Your plan, usage, and limits are managed here when you log in to the dashboard. * **What is sent:** Site URL and admin email (during provisioning / re-provisioning only), and the site ID. * **When:** On activation and when you click Connect or Re-provision. * **Required:** Yes — the plugin auto-provisions a free account here on activation. * **Terms of service:** https://dashboard.easyserversidetracking.com/terms * **Privacy policy:** https://dashboard.easyserversidetracking.com/privacy-policy/ #### Google Analytics 4 (Measurement Protocol) * **Provider:** Google LLC. * **What it does:** Receives analytics events forwarded by the managed worker ( or, when configured locally, sent by the WordPress site directly). * **What is sent:** GA4 Measurement Protocol payloads — event name, parameters, client_id, optional user_id, optional consent flags. Sent to `https://www.google- analytics.com/g/collect` or `https://www.google-analytics.com/mp/collect`. * **When:** Every event the worker forwards (or every event your WP site forwards in direct-mode). * **Required:** Yes if you want events to appear in GA4. The plugin does not function as an analytics tool without GA4 (or another Measurement Protocol target). * **Terms of service:** https://marketingplatform.google.com/about/analytics/terms/ us/ * **Privacy policy:** https://policies.google.com/privacy #### googletagmanager.com (gtag.js, hybrid mode only) * **Provider:** Google LLC. * **What it does:** Serves the `gtag.js` library to the visitor’s browser for client- side GA4 measurement. * **What is sent:** Standard `gtag.js` telemetry while the script is loaded (page views, automatic events). Only sent when **hybrid tracking** is enabled in the plugin Settings. * **When:** On every pageload, when hybrid tracking is enabled. Disabled by default. * **Required:** No. Disable hybrid mode to prevent any contact with this service. * **Terms of service:** https://marketingplatform.google.com/about/analytics/terms/ us/ * **Privacy policy:** https://policies.google.com/privacy ### Privacy This plugin does not collect or store personal data on the WordPress site itself. All event data is sent to the external services listed above and stored there subject to those services’ privacy policies. The plugin stores the following non-personal data in WordPress options for its own operation: * `esst_site_id` — the site identifier returned by the management server. * `esst_signing_secret` — the HMAC signing secret for the managed ingestion endpoint( encrypted at rest). * `esst_collect_url`, `esst_plan_summary` — operational state from the management server (collect endpoint URL and the plan name shown in the admin). No cookies are set by the plugin itself; the in-browser tracker uses a first-party cookie named `_ga` (the standard GA4 client identifier) when present. ## Installation 1. Upload the plugin folder to `/wp-content/plugins/` (or install via _Plugins Add New Upload Plugin_). 2. Activate the plugin through the **Plugins** menu in WordPress. On activation the plugin auto-provisions a free account against the management server and stores a site ID locally. 3. Visit **Easy SST Connection** in the admin menu to view the site ID, plan name, and the re-provision button. 4. (Optional) To raise this site’s limits, upgrade your plan on the dashboard at https:// dashboard.easyserversidetracking.com/ — no license key is entered in WordPress; the change applies to your provisioned site automatically. No GA4 measurement ID is required for the managed ingestion path — server-side configuration is handled by the management worker. If you want server-side forwarding to GA4 from your WordPress site, configure the GA4 Measurement ID and API Secret on the Settings screen. ## FAQ ### How do I set up and connect my site? 1. Install and activate the plugin. 2. Go to **Easy SST Connection** and click **Create free account**. This sends your site URL and admin email to easyserversidetracking.com and provisions your site( you’ll see a **Site ID** appear on the Connection page). Tracking begins on the free tier. 3. Your site is automatically linked to the dashboard account whose email matches the WordPress admin email used at step 2. So if you sign in to https://dashboard. easyserversidetracking.com/ with that same email, your site already appears under your account — nothing else to do. 4. If your dashboard account uses a _different_ email, link the site manually: on the dashboard go to **Account Websites Add site**, paste the **Site ID** shown on the plugin’s Connection page, and click **Add site**. The Site ID is what proves the site is yours. ### How do I upgrade, or change a site’s plan? Plans are managed entirely on the dashboard — you never enter a license key in WordPress. Buy or change a plan at https://dashboard.easyserversidetracking.com/, then on ** Account Websites** use the **Plan** dropdown next to a site to assign it the plan( or switch it back to the **Default** free plan). The new monthly limit is applied to the tracking service automatically; no change is needed in WordPress. ### Do I need an account? No account is required to use the plugin’s free tier. The plugin auto-provisions a free site on activation. You can optionally create a paid account at https://dashboard. easyserversidetracking.com/ for higher limits and additional features. ### Does this replace gtag.js? It can run alongside `gtag.js` (hybrid mode), or you can rely entirely on the server- side path. The script is loaded from `googletagmanager.com` only when hybrid mode is enabled in the Settings screen. ### What data is sent to the managed worker? Each event includes: event name, page URL, page title, referrer, anonymized client ID and session ID, consent state, and event-specific parameters (e.g. WooCommerce order IDs, scroll percentages, click targets). The visitor’s IP address is processed by the worker for geo-resolution and rate limiting but is not stored long-term. No personally identifiable information (name, email, address) is sent unless you explicitly configure user-data fields. ### Where can I see my events? After activation the License page shows your `site_id` and a link to the management dashboard, where you can view your live event log, monthly usage, and configure plan options. ### Can I uninstall cleanly? Yes. Deactivating the plugin stops event collection. The plugin’s options can be deleted via the standard WordPress plugin uninstall flow. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “Easy Server Side Tracking” is open source software. The following people have contributed to this plugin. Contributors * [ jachtdigital2026 ](https://profiles.wordpress.org/jachtdigital2026/) [Translate “Easy Server Side Tracking” into your language.](https://translate.wordpress.org/projects/wp-plugins/jacht-easy-server-side-tracking) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/jacht-easy-server-side-tracking/), check out the [SVN repository](https://plugins.svn.wordpress.org/jacht-easy-server-side-tracking/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/jacht-easy-server-side-tracking/) by [RSS](https://plugins.trac.wordpress.org/log/jacht-easy-server-side-tracking/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 5.2.1 * COMPLIANCE: Neutralised the worker quota notice. When the managed service pauses a site (after it reaches its plan’s monthly event volume), the admin notice now states the service paused tracking and links to the dashboard — the “monthly limit reached / Upgrade your plan” wording and the pricing link were removed. The plugin itself locks no features; all tracking is free and fully functional, and the volume is enforced by the external service, not the plugin. * DOCS: Added setup/connection and plan-change FAQ entries to the readme. #### 5.2.0 * COMPLIANCE (WordPress.org Guideline 5 — Trialware): Removed the entire client- side license subsystem. Deleted the license manager and tamper-detection guard, removed the in-WordPress license-key field, and removed all local tracking and caching of event counts and plan limits. The plugin is free and fully functional with no license key. * Plans, usage, limits, and upgrades are now managed entirely on the dashboard ( easyserversidetracking.com). Limits are applied and enforced server-side by the managed worker; the plugin only provisions the site and sends events. The admin“ License” screen is now a “Connection” screen that links to the dashboard. * Cleanup: all obsolete license, event-count, plan-limit, permission, and tamper- hash options are removed on upgrade. #### 5.1.7 * COMPLIANCE FIX: Two `wp_head` outputs (the googletagmanager preconnect hint and the early gtag consent script) were still gated on the provisioning id alone, so they could fire on grandfathered or consent-withdrawn sites. Both now require explicit consent AND provisioning, matching the tracker. * HARDENING: The page-token REST endpoint now refuses to mint a worker token without consent (defense-in-depth, mirroring the /g/collect proxy). * RELIABILITY: The browser’s collect URL is now normalized to a single /collect path before use, so a stored value without that suffix can’t send events to the wrong endpoint. The token-refresh request no longer builds a double-slash URL. * NOISE: The “Not provisioned” frontend message is now debug-gated instead of warning on every event. #### 5.1.6 * HOTFIX: The 5.1.4 consent gate replaced the provisioning check on the frontend tracker and the periodic license refresh instead of adding to it. On sites that had a consent record but were not provisioned, the tracker loaded and then dropped every event as “Not provisioned”. Both paths now correctly require BOTH explicit consent AND a provisioning id before loading or phoning home. #### 5.1.5 * MAINTENANCE: Internal refactor (no change to behavior). Centralized all outbound service calls behind a single HTTP helper, extracted the consent logic (site- owner opt-in gate + visitor gcsconsent mapping) into a dedicated, unit-tested class, and split the admin notices into their own class. * TESTS: Fixed the native unit-test bootstrap (it never defined `WPINC`, which silently aborted the suite) and added coverage for the consent mapping. #### 5.1.4 * PRIVACY/COMPLIANCE: Explicit opt-in consent is now the single gate for ALL connections to the service and ALL tracking. Until the site administrator gives consent, the plugin does not contact the service, does not run the periodic license/usage refresh, does not load any tracking script, and rejects the `/g/collect` proxy. The mere presence of a provisioning id (`esst_site_id`, which can survive an upgrade) no longer enables anything. Legacy installs with a provisioning id but no consent record now stay OFF and show a notice prompting the admin to review and enable. Withdrawing consent fully stops tracking. * PRIVACY: Server-side event logs forwarded to the worker now carry the visitor’s real GA4 consent state (derived from the gtag `gcs` signal, defaulting to denied) instead of a hardcoded “granted” value. * SECURITY: `$_GET` WooCommerce variation attributes are now unslashed, sanitized(` sanitize_key` / `sanitize_text_field`) and validated before being passed to WooCommerce’s variation matcher. #### 5.1.3 * HOTFIX: Resolves a fatal `Class "JachtSST\\Admin\\GA4_Server_Side_Tagging_Admin" not found` on the License page in 5.1.2 — the consent panel referenced the pre- rename class symbol. Fixed to use the real class name `Jachtsst_Server_Side_Tagging_Admin`. #### 5.1.2 * PRIVACY/UX: The License page now shows a persistent “Data sharing consent” panel above Re-provision. It lists exactly what is sent and where, with a checkbox that records explicit consent (timestamp + user + the exact disclosure text shown). Grandfathered installs (provisioned by an older version) see this with an unticked box; ticking it records consent retroactively and unlocks the Re-provision button. The Re-provision AJAX now refuses to phone home without a stored or in-request consent record. * COMPLIANCE: Text domain in source code now matches the actual plugin slug `jacht- easy-server-side-tracking` (previously had a stale reference to the slug originally proposed in the wp.org review). * COMPLIANCE: Restored phpcs:ignore comments on the three settings-handler POST reads so Plugin Check no longer reports false-positive sanitization warnings; the sanitizer callbacks do handle JSON-decode and per-field cleanup. * DOCS: `Tested up to: 7.0`. #### 5.1.1 * FIX: Page/event tokens now sign with the hashed signing key, matching the ingestion endpoint. Resolves `bad_page_token` / HMAC verification failures so events are accepted without re-provisioning. #### 5.1.0 * Provisioning is now an explicit opt-in; no data is sent until you connect. * Logs are stored in the uploads directory instead of the plugin folder. * Stricter input sanitization and unique internal prefixes for WordPress.org compliance. #### 5.0.4 * FIX: Tracker init no longer throws `TypeError: setupEventCountFlushHandlers is not a function`. The orphaned calls (left over from the v5.0.2 client-side limit- enforcement removal) have been deleted, so the tracker reaches the end of its init path again. * UI: License page no longer exposes the management endpoint URL or the `ESST_MGMT_BASE_URL` override note. Customers shouldn’t be altering this endpoint. * Cache-bust: the version bump forces fresh JS to be loaded after the v5.0.3 release that introduced the broken init path. #### 5.0.3 * SECURITY: Added CSRF nonce verification to the encryption-key regeneration AJAX endpoint. * PRIVACY: Removed the client-side fallback chain to ipapi.co, ipinfo.io, and json. geoiplookup.io. Geo-resolution is performed server-side by the managed worker from the request IP. No visitor IP is sent to third parties by the plugin. * COMPLIANCE: Renamed the unprefixed `event_count` option to `ga4_event_count` ( with an automatic one-time migration). Sanitized all `$_SERVER` reads with `sanitize_text_field( wp_unslash() )`. Removed shipped legacy `plugin-v4/` source tree and the `wp- admin/includes/upgrade.php` test mock. * README: Added `External services` section documenting every external endpoint the plugin contacts, with terms and privacy links. Tags revised to remove trademarked terms. #### 5.0.2 * REMOVE: Client-side event-limit enforcement. The admin Settings page no longer hides itself when a cached “limit reached” flag is set. Quota is enforced exclusively server-side — the worker returns `429 quota_exceeded`, the management server returns `allowed: false` in report-usage. * FIX: License page shows the paid-plan name and limit immediately after activation— the management server now propagates `plan_id` onto `lm_websites` on `license/ activate` and `report-usage`. #### 5.0.1 * FIX: All events now use a single canonical payload format with top-level `client_id`,` session_id`, `user_id`, `consent`, and `context` — previously some paths (scroll, click, batched events) sent `client_id` nested under `params` which the central worker rejected with HTTP 400 `missing_client_id`. * FIX: Worker `bad_page_token` (401) responses now trigger a token refresh + retry once, so tabs left open across a re-provision auto-heal. * FIX: Re-provisioning rotates the secret in place on the central worker instead of creating a new `cf_site_id` every time — no more orphaned worker sites and no more HMAC mismatches. * FIX: Gtag /g/collect proxy on the WP site also fires a server-side `log_only` POST to the central worker so events are counted even when content blockers block the JS bundle on the customer’s browser. * FIX: License page correctly shows “Unlimited” for paid unlimited plans (was showing the free-tier 10,000 cap). * REFACTOR: Removed legacy `sendAjaxPayload` and `sendBatchPayload` — `esstSendEvent` is the single event-sending path. Worker no longer receives batches; each event is one request. * REFACTOR: Removed all remaining customer-hosted Cloudflare Worker references from the Settings UI. #### 5.0.0 * MAJOR: Plugin no longer requires a customer-hosted Cloudflare Worker. * MAJOR: Events post directly to the managed collect endpoint (`collect.easyserversidetracking. com`) using a short-lived per-page HMAC token. * MAJOR: Removed Event Monitor / Event Processor / Tracking Logs admin pages. All event analytics now live on the management dashboard. * NEW: Auto-provisioning on activation — no license key required for the free tier. * NEW: Status admin page shows `site_id`, plan, this-month usage. (Merged into the License page in a later release.) * REMOVED: `ga4_event_queue` / `ga4_event_logs` tables (data not migrated). * REMOVED: Custom transmission method setting, CF Worker URL setting, JWT encryption setting, test mode toggle, “disable all IP” setting. * The client-side session management setting is now always enabled. #### 3.7.x Earlier 3.7.x releases focused on plugin-check compliance and security hardening. See the GitHub release notes for details. The plugin’s data flow and admin surface were rewritten in 5.0.0; users on 3.7.x should re-test after upgrading. ## Meta * Version **5.2.1** * Last updated **15 hours ago** * Active installations **Fewer than 10** * WordPress version ** 5.2 or higher ** * Tested up to **7.0** * PHP version ** 7.2 or higher ** * Tags * [analytics](https://wordpress.org/plugins/tags/analytics/)[conversion tracking](https://wordpress.org/plugins/tags/conversion-tracking/) [server side](https://wordpress.org/plugins/tags/server-side/)[tracking](https://wordpress.org/plugins/tags/tracking/) [woocommerce](https://wordpress.org/plugins/tags/woocommerce/) * [Advanced View](https://wordpress.org/plugins/jacht-easy-server-side-tracking/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/jacht-easy-server-side-tracking/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/jacht-easy-server-side-tracking/reviews/) ## Contributors * [ jachtdigital2026 ](https://profiles.wordpress.org/jachtdigital2026/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/jacht-easy-server-side-tracking/)