Everything you need to understand your audience
A complete analytics suite built into your WordPress dashboard — no external services, no monthly SaaS fees.
Real-time Dashboard
Live visitor counts, page views, and session activity — updates automatically every 30 seconds with no page refresh required. Available in both the WordPress admin and the PWA/desktop app.
Multi-signal Bot Detection
Requests are scored across 10 client-side signals plus server-side UA and header checks before anything is written to the database. The source code is fully open — you can inspect every signal and threshold in the codebase. You can tune the score threshold in Preferences.
Heatmap
Overlay real click coordinates on any page to see exactly where visitors tap and click. The heatmap renders on a self-contained dark canvas with radial heat dots and a top-clicked elements panel — no screenshot service, no iframe required.
Premium
Audience Insights
Browser, operating system, screen resolution, and viewport breakdowns — derived from the browser environment and request headers, never from fingerprinting.
Referrer & UTM Tracking
See which sites and campaigns drive traffic. Referrers are stripped to domain-only before storage so no personal data leaks in via URL.
Email Reports
Scheduled daily, weekly, or monthly digests sent to any address. Includes top pages, traffic summary, and period-over-period comparison.
WP-CLI Integration
Run wp rich-stats overview, wp rich-stats top-pages, wp rich-stats audience, wp rich-stats referrers, wp rich-stats behavior, wp rich-stats status, wp rich-stats purge, and more from the command line. Perfect for scripts and automated reports.
REST API
Every metric is available via a clean JSON REST API — the backbone that powers the companion PWA and desktop app.
Multisite Ready
Network-activate across an entire WordPress multisite. The network admin provides a dedicated dashboard with per-site KPIs for all sub-sites, cross-site AI chat, and network-wide settings. Per-site preferences — data retention, bot thresholds — stay scoped to each individual site.
AI Analytics Assistant
Ask questions about your analytics in plain English. The plugin provides structured data via POST /ai/tool — the PWA or desktop app calls your own OpenAI-compatible LLM to generate conversational answers. No AI API key is stored on your server — it lives in the app.
PWA & Desktop App
The web app, Linux desktop app, and Windows desktop app are free. Install the PWA on any device for offline-capable access, or download the native desktop build. Requires the REST API (Premium) on your WordPress site.
Data Retention Control
Set automatic data pruning from 1 to 730 days so your database never grows unbounded. Or disable pruning and keep everything forever.
User Flow & Path Explorer
Miller-column navigator drills through every step visitors take across your site. Each column shows where sessions went next, with drop-off counts at each transition.
Premium
Click Tracking
Define CSS selector rules (by element ID, class, or link protocol) to capture every click. Each event records the element, coordinate, and matched rule — visualised in the Click Map.
Premium
Behavior Analysis
Time-on-page histogram, session depth distribution, and entry page breakdown — all filterable by browser, operating system, and custom date range.
CSV Export
Download raw events, sessions, or click data as CSV for any date range. Pipe it into Excel, R, or any analysis tool without API rate limits.
Premium
Data Maintenance
View every tracked page path across your site. Purge data for deleted, renamed, or test pages individually — without touching anything else.
WooCommerce Analytics
Automatically tracks product views, add-to-cart events (standard and AJAX), and completed orders. Surfaces a conversion funnel, top products, and revenue-over-time chart in a dedicated dashboard panel.
Premium
Custom Date Ranges
Every analytics view supports arbitrary from/to date selection alongside the preset 7-day, 30-day, 90-day, this-month, and last-month periods.
Multilingual & i18n Ready
Every admin string uses WordPress i18n functions and the plugin ships a .pot template file for translators. Custom translations load from wp-content/languages/plugins/ and contributions are welcome via GlotPress on WordPress.org.
Accessible Admin
The dashboard is built on WordPress core UI patterns — keyboard-navigable and screen reader compatible. Every analytics page includes a contextual Help tab explaining what the data means, so you never need to leave the admin.
How the privacy works
Privacy-first is not a marketing claim. Here's exactly what the code does — and doesn't — do.
Do Not Track & Global Privacy Control
If a visitor's browser sends a DNT: 1 header or has the Global Privacy Control signal set (navigator.globalPrivacyControl), the tracker script exits immediately — before collecting any signal, before creating a session ID, before sending a single byte. No data is recorded for that visit. This honours the GDPR Art. 21 right to object, the CCPA §1798.120 right to opt-out, and California's GPC regulations without any configuration required.
Session IDs
A random UUID is created in sessionStorage and used only to deduplicate rapid repeat pageviews within a single tab session. It dies when the tab closes, is never sent to a third party, and is never stored in a database column that could be queried to reconstruct a visitor's journey across sessions. Because sessionStorage is not a cookie and is cleared by the browser automatically, it falls outside the ePrivacy Directive Art. 5(3) consent requirement. The transient, tab-scoped nature means the identifier does not constitute personal data under GDPR Art. 4(1) — it cannot be used to identify a natural person across time or devices.
Analytics: No IP addresses recorded
The analytics pipeline never reads, stores, or passes IP addresses. The bot scorer works from a browser-side bitmask (pass/fail scores only, never raw values) plus two request headers; REMOTE_ADDR is not used in tracking or recording. No IP address is written to any analytics table. Because IP addresses are personal data under GDPR Recital 30, not processing them at all means the analytics data falls outside the GDPR Art. 4(1) definition of personal data (see Recital 26 — anonymous data not subject to GDPR). This also satisfies the data minimisation principle (GDPR Art. 5(1)(c)) and qualifies as de-identified data under CCPA §1798.140(v)(2)(A).
Analytics: No cookies or persistent identifiers
The plugin sets no cookies and writes nothing to localStorage for analytics purposes. There is no browser fingerprinting and no device ID generation. Visitor state within a tab uses sessionStorage only — the browser clears it when the tab closes. The only value that carries across page loads is an optional UTM attribution, also in sessionStorage. Since the tracking mechanism does not use HTTP cookies or any storage that persists beyond the tab session, it qualifies for the strictly necessary exemption under ePrivacy Directive Art. 5(3) — no consent is required. Note: WordPress core and Freemius SDK set authentication cookies when you or your visitors sign in — those are outside the plugin's control and are standard WordPress behaviour. Those cookies serve an entirely different purpose (auth vs. analytics) and are strictly necessary for site administration under the same Art. 5(3) exemption.
URL & referrer sanitization
Before a page path is stored, it is scrubbed server-side: any query parameter longer than 40 characters or resembling an email address is stripped — preventing accidental storage of password-reset tokens or email addresses that sometimes appear in URLs. Referrer URLs are reduced to domain-only before storage; the path and query string (which can contain user-identifying tokens from the referring site) are discarded immediately and never written to the database. This implements data minimisation (GDPR Art. 5(1)(c)) and data protection by design (GDPR Art. 25) at the storage layer, ensuring that even accidental exposure of identifying data is prevented before it reaches a database row.
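The scrubbing rules described above, sketched in JavaScript as an added example; this is not the plugin's own server-side code. Assumptions: the 40-character limit is applied to the decoded parameter value, the email pattern is a simple heuristic, and the function names are hypothetical.

```javascript
// Added illustration of the two storage-layer rules in the text above.
const MAX_PARAM_LEN = 40;                       // threshold stated on the page
const EMAIL_LIKE = /[^\s@]+@[^\s@]+\.[^\s@]+/;  // assumed "resembles an email" pattern

// Return the page path with risky query parameters removed.
function scrubPath(rawPath) {
  // A dummy base lets the URL parser handle a site-relative path.
  const url = new URL(rawPath, 'https://site.invalid');
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    // Values arrive percent-decoded, so user%40example.com is caught as well.
    if (value.length > MAX_PARAM_LEN || EMAIL_LIKE.test(value)) continue;
    kept.append(name, value);
  }
  const query = kept.toString();
  return query ? `${url.pathname}?${query}` : url.pathname;
}

// Reduce a referrer to its host name; path and query are discarded.
function referrerDomain(rawReferrer) {
  if (!rawReferrer) return null;
  try {
    const url = new URL(rawReferrer);
    // Only web referrers are kept; anything else is treated as "no referrer".
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.hostname;
  } catch {
    return null; // unparsable referrer header
  }
}

// Constructed sample inputs.
console.log(scrubPath('/reset?key=' + 'a'.repeat(64) + '&page=2'));
console.log(scrubPath('/newsletter?email=user%40example.com&utm_source=mail'));
console.log(referrerDomain('https://mail.example.com/inbox/thread?token=abc123'));
```
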
Audience data
Operating system and browser are parsed from the User-Agent string. Screen resolution is reported directly by the browser. These are aggregated counters — no row in any table links a device spec back to a specific visit or session. Aggregate-level audience data that cannot be re-associated with an individual falls under anonymous data as defined by GDPR Recital 26, placing it outside the scope of the GDPR and CCPA §1798.140(v)(2)(A)'s definition of personal information.
Heatmap coordinates
Click coordinates are stored as (page, x_pct, y_pct, element) records where x and y are percentage positions. Individual records include a tab-scoped session UUID and a timestamp, but session UUIDs are stored in sessionStorage — they expire when the tab closes and cannot identify a visitor across sessions or devices. The heatmap overlay aggregates records by coordinate bucket, discarding session linkage entirely for display.
No cross-site tracking
The tracker runs entirely within your WordPress site. No script is loaded from an external domain, no beacon is sent to a third party, and no data leaves your server. This also means no ad-network leakage and no exposure from a CDN compromise. Because no data is transferred to a third country or international organisation, GDPR Chapter V (international transfers) — including Schrems II adequacy decisions, Standard Contractual Clauses (Art. 46), and Data Privacy Framework certification — is irrelevant to this plugin's operation.
Security: Legitimate interest under GDPR Art. 6(1)(f)
The plugin accesses $_SERVER['REMOTE_ADDR'] in exactly one place: the OTP verification endpoint (POST /verify-otp). The IP is hashed via SHA-256 and used solely as a transient rate-limit key — a maximum of 5 failed attempts per 5-minute window before a 429 response is returned. The raw IP is never logged, stored in a database, persisted beyond the transient TTL, or associated with analytics data. This processing is necessary for the security of the authentication flow and qualifies as a legitimate interest under GDPR Art. 6(1)(f). It is not analytics tracking.
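A sketch of the rate limit described above, added here as an example and not taken from the plugin. Assumptions: an in-memory Map stands in for the transient store, the window starts at the first failure, a failed attempt returns 401, and the key prefix and function names are hypothetical.

```javascript
const crypto = require('crypto');

const MAX_FAILURES = 5;           // from the page
const WINDOW_MS = 5 * 60 * 1000;  // from the page: 5-minute window
const store = new Map();          // stand-in for a transient store: key -> { count, expires }

// Only the SHA-256 digest of the address is used as the key, as the page describes.
// Caveat: the IPv4 space is small enough to enumerate against an unkeyed hash;
// a keyed hash (HMAC with a site secret) would resist that.
function rateKey(ip) {
  return 'otp_rl_' + crypto.createHash('sha256').update(ip).digest('hex');
}

// Compare codes via fixed-length digests so timingSafeEqual accepts any input length.
function sameCode(a, b) {
  const da = crypto.createHash('sha256').update(String(a)).digest();
  const db = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(da, db);
}

// Returns the HTTP status the endpoint would answer with.
function verifyOtp(ip, submitted, expected, now = Date.now()) {
  const key = rateKey(ip);
  let entry = store.get(key);
  if (entry && entry.expires <= now) {   // window over: forget the key
    store.delete(key);
    entry = undefined;
  }
  if (entry && entry.count >= MAX_FAILURES) return 429;  // locked out, even with a correct code
  if (sameCode(submitted, expected)) return 200;
  if (!entry) {
    entry = { count: 0, expires: now + WINDOW_MS };
    store.set(key, entry);
  }
  entry.count += 1;
  return 401;                            // assumed status for a wrong code
}
```
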
Security: Authentication cookies (WordPress core)
When a site administrator or logged-in user authenticates, WordPress core sets standard session cookies (wordpress_logged_in_*, wp-settings-*). The Freemius SDK also sets a session cookie for licence verification. These are required for the admin dashboard and app authentication to function. Rich Statistics itself never sets, reads, or modifies these cookies — they are part of the underlying WordPress platform and are outside the plugin's analytics scope.
Run grep -rn "REMOTE_ADDR\|setcookie\|_COOKIE" includes/ assets/ on the plugin's own source and you will find exactly one match: $_SERVER['REMOTE_ADDR'] in class-rest-api.php, used only for OTP rate limiting as described above. The setcookie() and $_COOKIE searches return zero matches in the plugin's own code. (WordPress core and Freemius SDK under vendor/ use cookies for authentication — those are not part of the plugin's analytics system.)
What Rich Statistics relieves your site of
Because the plugin collects no PII, sets no cookies for tracking, and keeps all data on your server, it eliminates the most common legal liability vectors for web analytics. Below is an itemised breakdown of what obligations do not apply.
No cookie consent banner for analytics
The tracker sets no cookies, writes nothing to localStorage, and uses only sessionStorage (which clears when the tab closes). This qualifies for the strictly necessary exemption under ePrivacy Directive Art. 5(3). No consent mechanism, Consent Management Platform, or cookie notice is required for the analytics data this plugin collects.
No Data Processing Agreement (DPA) needed
Data never leaves your server. No third-party analytics provider processes your visitors' data. Under GDPR Art. 28, a DPA is only required when a processor processes personal data on a controller's behalf — since there is no processor and no personal data leaves your infrastructure, no DPA is necessary between you and Rich Statistics.
No cross-border transfer mechanism
No data is sent to an external analytics service, no CDN is loaded at runtime, and no third-party script fires on your pages. This eliminates Schrems II adequacy concerns, Standard Contractual Clauses administration, Data Privacy Framework certification dependencies, and GDPR Chapter V transfer restrictions. Your data physically stays on your WordPress server.
No Data Protection Impact Assessment (DPIA) required
Under GDPR Art. 35, a DPIA is mandatory when processing is likely to result in high risk to individuals' rights. Processing that involves no special category data, no systematic monitoring, no profiling, and no personal data at all (the analytics data is anonymous — GDPR Recital 26) falls below the DPIA threshold.
No Subject Access Request burden
Because no PII is stored, there is nothing to produce or erase when a visitor exercises their GDPR Art. 15 (right of access) or Art. 17 (right to erasure) rights. The analytics database contains no email addresses, no IP addresses, no usernames, and no device IDs. This also satisfies CCPA §1798.105 (right to delete) trivially — there is nothing identifying to delete.
No personal data breach notification from analytics
Under GDPR Art. 33 and Art. 34, breach notification obligations apply only when personal data is compromised. Since the analytics database stores no PII, a breach of that database does not trigger notification to supervisory authorities or affected individuals. No IPs, no emails, no cookies — nothing that identifies a natural person (GDPR Art. 4(1)).
No IP-address-as-PII liability
GDPR Recital 30 expressly identifies IP addresses as personal data. Since the analytics pipeline never reads or stores REMOTE_ADDR, this liability vector is eliminated entirely. The only IP processing is the hashed rate-limit key for OTP verification (security legitimate interest under GDPR Art. 6(1)(f)), which is never logged or persisted beyond minutes.
No third-party vendor lock-in or data exposure
Self-hosted analytics means your data is not routed through Google, Mixpanel, or any other third-party infrastructure. There is no risk of a vendor-side breach exposing your visitor data, no dependency on a vendor's privacy policy changes, and no obligation to audit a processor's sub-processors. GDPR Art. 28(4) (sub-processor authorisation) is irrelevant when there is no processor.
No Consent Management Platform costs
Most analytics providers require a CMP to capture consent for tracking cookies or IP processing. Because Rich Statistics needs neither, the ongoing cost, maintenance, and UX friction of a CMP are eliminated. ePrivacy Directive Art. 5(3) (cookie consent) and GDPR Art. 7 (consent conditions) do not apply to the analytics pipeline.
No data retention violation risk
GDPR Art. 5(1)(e) requires that personal data be kept no longer than necessary. With configurable auto-pruning (1–730 days), the plugin enforces the storage limitation principle automatically. Old data is purged on a daily cron schedule, and the default 90-day retention aligns with standard regulatory guidance for analytics data.
Accessibility-first design
The plugin introduces nothing that degrades the experience for visitors or site administrators. No popups, no overlays, no forced consent dialogs.
No consent popup required
Because Rich Statistics collects no PII and sets no cookies for analytics, most sites do not need a consent banner for analytics under the ePrivacy Directive Art. 5(3) (strictly necessary exemption), GDPR Art. 6(1)(f) (legitimate interest for anonymous analytics), and CCPA §1798.140(v)(2)(A) (de-identified data exemption). Do Not Track and Global Privacy Control are honoured automatically — no configuration required.
Keyboard-navigable, screen-reader compatible
The dashboard uses WordPress core UI components (WP_List_Table, form-table, standard notices) following WordPress accessibility guidelines. Every control is keyboard-navigable and screen reader compatible. Each analytics page has a built-in Help tab explaining the data — no need to leave the admin.
Zero front-end DOM changes
The tracker JavaScript is completely silent and invisible. It adds no elements to your page — no banners, no overlays, no notification bars. Your theme's layout and your visitors' browsing experience are completely unaffected.
Multilingual & international-ready
Built for sites that serve a global audience — with first-class translation support, per-visitor language reporting, and timezone-aware dashboards.
Fully translatable (i18n)
Every string in the admin uses WordPress i18n functions and the plugin ships a rich-statistics.pot template file. Translations can be contributed via GlotPress on WordPress.org or loaded from your own .mo files placed in wp-content/languages/plugins/.
Visitor language breakdown
The tracker captures navigator.language — the browser's declared language preference — on every pageview. The Audience view groups your visitors by language code so you can see which locales your content serves most.
RTL layout support
The admin dashboard stylesheets respect WordPress's RTL mode. The layout flips correctly for right-to-left locales (Arabic, Hebrew, Persian, etc.) without any extra configuration.
Timezone-aware reporting
The tracker records each visitor's declared timezone. Reporting in the WordPress admin uses your site's configured timezone so daily charts always show your local time, not UTC.
Downloads & Pricing
The plugin is free and open source. Download it from the GitHub releases page or install the Premium plan directly from your WordPress admin via Freemius.
Up and running in 60 seconds
Install the plugin
Download the plugin from GitHub releases and install it via your WordPress admin, then activate it.
Visit your dashboard
Navigate to Rich Statistics → Overview in your WordPress admin. The tracker begins collecting data immediately — no configuration required.
Adjust data retention (optional)
Go to Rich Statistics → Preferences to choose how long data is kept, configure bot score threshold, and manage historic data pruning.
Rich Statistics App
Access your analytics from any device — phone, tablet, or desktop. Install it as a Progressive Web App for a native-like experience with offline support.
Release Tracks
Each release track publishes desktop builds to its own endpoint. Choose the track that matches your update preference.
| Track | Linux amd64 | Linux arm64 | Windows |
|---|---|---|---|
| Production | .deb | .deb | .exe |
| Dev / Beta | .deb | .deb | .exe |
| Test / Staging | .deb | .deb | .exe |
Linux Desktop App Native · No Electron
A native WebKitGTK desktop window — built with Tauri. No bundled browser, no Electron overhead. Required libraries install automatically from your package manager.
# Debian / Ubuntu (amd64):
sudo apt install ./rich-statistics-linux-amd64.deb
# ARM boards (Pi 4 / Pi 5):
sudo apt install ./rich-statistics-linux-arm64.deb
# Fedora (dnf):
sudo dnf install webkit2gtk4.1
# extract & run the binary from the .deb
# Arch (pacman):
sudo pacman -S webkit2gtk-4.1
# extract & run the binary from the .deb
Install the plugin
The PWA and desktop app are free. To connect them to your site, you need the Rich Statistics plugin with the Premium plan active — this enables the REST API they use to fetch your analytics.
Generate an App Code
In WordPress, go to Users → Profile → Rich Statistics App and click Generate App Code. You'll get a 6-digit code valid for 15 minutes.
Open the app & add your site
Open the web app (or the PWA you installed), tap Add Your Site, enter your site URL and the 6-digit App Code, then create an Application Password to complete the connection.
Configure the AI Assistant (optional)
In the app, go to Install → AI Assistant Provider and enter your OpenAI-compatible endpoint, API key, and model. The AI feature calls POST /ai/tool on your site to fetch structured analytics data, then sends it to your LLM for conversational answers. No AI configuration is stored on your WordPress server.
The app connects to your site's REST API using WordPress Application Passwords — no extra accounts, no new services, no data leaves your server.