Everything you need to understand your audience
A complete analytics suite built into your WordPress dashboard β no external services, no monthly SaaS fees.
Real-time Dashboard
Live visitor counts, page views, and session activity β refreshed every 30 seconds via the WordPress REST API.
Multi-signal Bot Detection
Requests are scored across 15 combined signals before anything is written to the database. The exact signals and thresholds are intentionally undisclosed β knowing them would make them easy to defeat. You can tune the score threshold in Preferences.
Heatmap
Overlay real click coordinates on any page to see exactly where visitors tap and click. The heatmap renders on a self-contained dark canvas with radial heat dots and a top-clicked elements panel — no screenshot service, no iframe required.
PremiumAudience Insights
Browser, operating system, screen resolution, and viewport breakdowns β derived from the browser environment and request headers, never from fingerprinting.
Referrer & UTM Tracking
See which sites and campaigns drive traffic. Referrers are stripped to domain-only before storage so no personal data leaks in via URL. Learn about UTM tracking β
Email Reports
Scheduled weekly or monthly digests sent to any address. Includes top pages, traffic summary, and period-over-period comparison.
WP-CLI Integration
Run wp rich-stats overview, wp rich-stats top-pages, and wp rich-stats purge from the command line. Perfect for scripts and automated reports.
REST API
Every metric is available via a clean JSON REST API β the backbone that powers the companion PWA and desktop app.
PremiumMultisite Ready
Network-activate across an entire WordPress multisite. The network admin provides per-site analytics views for all licensed sites alongside network-wide controls. Per-site preferences β data retention, bot thresholds β stay scoped to each individual site.
PWA & Desktop App
The web app and Linux desktop app are free. Install the PWA on any device for offline-capable access, or download the native Linux desktop build. Requires the REST API (Premium) on your WordPress site.
Get the app βData Retention Control
Set automatic data pruning (30, 90, 180, 365 days) so your database never grows unbounded. Or disable pruning and keep everything forever.
User Flow & Path Explorer
Miller-column navigator drills through every step visitors take across your site. Each column shows where sessions went next, with drop-off counts at each transition.
PremiumClick Tracking
Define CSS selector rules (by element ID, class, or link protocol) to capture every click. Each event records the element, coordinate, and matched rule β visualised in the Click Map.
PremiumBehavior Analysis
Time-on-page histogram, session depth distribution, and entry page breakdown β all filterable by browser, operating system, and custom date range.
CSV Export
Download raw events, sessions, or click data as CSV for any date range. Pipe it into Excel, R, or any analysis tool without API rate limits.
PremiumData Maintenance
View every tracked page path across your site. Purge data for deleted, renamed, or test pages individually β without touching anything else.
WooCommerce Analytics
Automatically tracks product views, add-to-cart events (standard and AJAX), and completed orders. Surfaces a conversion funnel, top products, and revenue-over-time chart in a dedicated dashboard panel.
PremiumCustom Date Ranges
Every analytics view supports arbitrary from/to date selection alongside the preset 7-day, 30-day, 90-day, this-month, and last-month periods.
Multilingual & i18n Ready
Every admin string uses WordPress i18n functions and the plugin ships a .pot template file for translators. Custom translations load from wp-content/languages/plugins/ and contributions are welcome via GlotPress on WordPress.org.
Accessible Admin
The dashboard is built on WordPress core UI patterns β keyboard-navigable and screen reader compatible. Every analytics page includes a contextual Help tab explaining what the data means, so you never need to leave the admin.
How the privacy works
Privacy-first is not a marketing claim. Here's exactly what the code does β and doesn't β do.
β Do Not Track & Global Privacy Control
If a visitor's browser sends a DNT: 1 header or has the Global Privacy Control signal set (navigator.globalPrivacyControl), the tracker script exits immediately β before collecting any signal, before creating a session ID, before sending a single byte. No data is recorded for that visit.
β Session IDs
A random UUID is created in sessionStorage and used only to deduplicate rapid repeat pageviews within a single tab session. It dies when the tab closes, is never sent to a third party, and is never stored in a database column that could be queried to reconstruct a visitor's journey across sessions.
β No IP addresses, ever
IP addresses are never read, stored, or passed to any function β including the bot detection pipeline. The bot scorer works from a browser-side bitmask (pass/fail scores only, never raw values) plus two request headers; REMOTE_ADDR is not accessed anywhere. Run grep -rn "REMOTE_ADDR" includes/ assets/ on the source β zero matches.
β No cookies or persistent identifiers
The plugin sets no cookies and writes nothing to localStorage. There is no browser fingerprinting and no device ID generation. setcookie() and $_COOKIE are not used anywhere. Visitor state within a tab uses sessionStorage only β the browser clears it when the tab closes. The only value that carries across page loads is an optional UTM attribution, also in sessionStorage.
β URL & referrer sanitization
Before a page path is stored, it is scrubbed server-side: any query parameter longer than 40 characters or resembling an email address is stripped β preventing accidental storage of password-reset tokens or email addresses that sometimes appear in URLs. Referrer URLs are reduced to domain-only before storage; the path and query string (which can contain user-identifying tokens from the referring site) are discarded immediately and never written to the database.
β Audience data
Operating system and browser are parsed from the User-Agent string. Screen resolution is reported directly by the browser. These are aggregated counters β no row in any table links a device spec back to a specific visit or session.
β Heatmap coordinates
Click coordinates are stored as (page, x_pct, y_pct, element) records where x and y are percentage positions. Individual records include a tab-scoped session UUID and a timestamp, but session UUIDs are stored in sessionStorage β they expire when the tab closes and cannot identify a visitor across sessions or devices. The heatmap overlay aggregates records by coordinate bucket, discarding session linkage entirely for display.
β No cross-site tracking
The tracker runs entirely within your WordPress site. No script is loaded from an external domain, no beacon is sent to a third party, and no data leaves your server. This also means no ad-network leakage and no exposure from a CDN compromise.
grep -rn "REMOTE_ADDR\|setcookie\|_COOKIE" includes/ assets/ on the source and you'll get zero matches.
View source on GitHub β
Accessibility-first design
The plugin introduces nothing that degrades the experience for visitors or site administrators. No popups, no overlays, no forced consent dialogs.
β No consent popup required
Because Rich Statistics collects no PII and sets no cookies, most sites do not need a consent banner for analytics at all. Do Not Track and Global Privacy Control are honoured automatically β no configuration required.
β Keyboard-navigable, screen-reader compatible
The dashboard uses WordPress core UI components (WP_List_Table, form-table, standard notices) following WordPress accessibility guidelines. Every control is keyboard-navigable and screen reader compatible. Each analytics page has a built-in Help tab explaining the data β no need to leave the admin.
β Zero front-end DOM changes
The tracker JavaScript is completely silent and invisible. It adds no elements to your page β no banners, no overlays, no notification bars. Your theme's layout and your visitors' browsing experience are completely unaffected.
Multilingual & international-ready
Built for sites that serve a global audience β with first-class translation support, per-visitor language reporting, and timezone-aware dashboards.
Fully translatable (i18n)
Every string in the admin uses WordPress i18n functions and the plugin ships a rich-statistics.pot template file. Translations can be contributed via GlotPress on WordPress.org or loaded from your own .mo files placed in wp-content/languages/plugins/.
Visitor language breakdown
The tracker captures navigator.language β the browser's declared language preference β on every pageview. The Audience view groups your visitors by language code so you can see which locales your content serves most.
RTL layout support
The admin dashboard stylesheets respect WordPress's RTL mode. The layout flips correctly for right-to-left locales (Arabic, Hebrew, Persian, etc.) without any extra configuration.
Timezone-aware reporting
The tracker records each visitor's declared timezone. Reporting in the WordPress admin uses your site's configured timezone so daily charts always show your local time, not UTC.
Downloads & Pricing
The plugin is free and open source. Download it from the GitHub releases page or install the Premium plan directly from your WordPress admin via Freemius.
Up and running in 60 seconds
Install the plugin
Download the plugin from GitHub releases and install it via your WordPress admin, then activate it.
Visit your dashboard
Navigate to Rich Statistics → Overview in your WordPress admin. The tracker begins collecting data immediately — no configuration required.
Adjust data retention (optional)
Go to Rich Statistics → Preferences to choose how long data is kept, configure bot score threshold, and manage historic data pruning.
Rich Statistics App
Access your analytics from any device β phone, tablet, or desktop. Install it as a Progressive Web App for a native-like experience with offline support.
Linux Desktop App Native Β· No Electron
A native WebKitGTK desktop window β built with Tauri. No bundled browser, no Electron overhead. Required libraries install automatically from your package manager.
sudo apt install ./rich-statistics-linux-amd64.deb
# ARM boards (Pi 4 / Pi 5):
sudo apt install ./rich-statistics-linux-arm64.debsudo dnf install webkit2gtk4.1
# extract & run the binary from the .debsudo pacman -S webkit2gtk-4.1
# extract & run the binary from the .debInstall the plugin
The PWA and desktop app are free. To connect them to your site, you need the Rich Statistics plugin with the Premium plan active β this enables the REST API they use to fetch your analytics.
Generate an App Code
In WordPress, go to Users β Profile β Rich Statistics App and click Generate App Code. You'll get a 6-digit code valid for 15 minutes.
Open the app & add your site
Open the web app (or the PWA you installed), tap Add Your Site, enter your site URL and the 6-digit App Code, then create an Application Password to complete the connection.
The app connects to your site's REST API using WordPress Application Passwords β no extra accounts, no new services, no data leaves your server.