I recently released a free, privacy-focused analytics plugin for WordPress. It's cookieless, stores everything in your own database, and loads zero external resources, so it's GDPR/CCPA friendly without a consent banner.
After sharing it around, the same handful of questions kept coming up. Instead of answering them one at a time, here they are in one place.
What's in it
Everything is included for free, no upsells or feature gates:
- Real-time visitor counter
- Pageviews, unique visitors, bounce rate, average session duration
- Interactive world map with zoom, pan, and country/city drill-down
- UTM campaign tracking with automatic URL cleanup
- Event tracking — outbound links, downloads, mailto/tel clicks, 404s
- Custom events via data attributes or a JS API
- Smart insights — exit pages, dead pages, user journeys
- 24-hour peak activity chart and new vs returning breakdown
- Device, browser, and OS detection (server-side)
- Weekly or monthly email reports
- CSV export on every dashboard tab
- Date range selector with custom ranges
- Role-based dashboard access control
- Configurable data retention, IP exclusion, and bot filtering
How can it track visitors without cookies?
Instead of storing an identifier on the visitor's device, it builds an anonymous fingerprint server-side: a one-way SHA-256 hash of the IP plus a few request signals (User-Agent, screen size, language, timezone).
The raw IP is never stored, only the hash. The salt rotates daily (it includes the UTC date), so the same visitor produces a different hash every 24h, and yesterday's data can't be linked to today's. That's enough to count unique visitors and sessions within a day without ever setting a cookie or touching localStorage. It's the same audience-measurement approach the well-known privacy analytics tools use, and it meets the "limited lifespan" criterion for consent-exempt tracking.
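The daily-rotating hash described above, as an added sketch that is not the plugin's own code. The `SITE_SECRET` constant, the function names, the field order and the sample request are assumptions made for illustration; the page only states that the salt includes the UTC date.

```php
<?php
// Added illustration, not the plugin's source.
// Assumption: the salt mixes a per-site secret with the UTC date. A date
// alone is public, so on its own it would not keep the hashed IP private.
const SITE_SECRET = 'constructed-example-secret';

function daily_salt(int $timestamp): string {
    // gmdate() formats in UTC, so the salt changes at 00:00 UTC.
    return hash('sha256', SITE_SECRET . '|' . gmdate('Y-m-d', $timestamp));
}

function visitor_hash(string $ip, array $signals, int $timestamp): string {
    $parts = [
        daily_salt($timestamp),
        $ip,
        $signals['user_agent'] ?? '',
        $signals['screen'] ?? '',
        $signals['language'] ?? '',
        $signals['timezone'] ?? '',
    ];
    // Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    $material = '';
    foreach ($parts as $part) {
        $material .= strlen($part) . ':' . $part;
    }
    // Only this digest is written to the database; $ip is discarded.
    return hash('sha256', $material);
}

// Constructed sample request (203.0.113.0/24 is a documentation range).
$ip = '203.0.113.7';
$signals = [
    'user_agent' => 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0',
    'screen'     => '1920x1080',
    'language'   => 'en-GB',
    'timezone'   => 'Europe/London',
];

$day1_morning = gmmktime(9, 0, 0, 3, 4, 2024);    // 2024-03-04 09:00:00 UTC
$day1_late    = gmmktime(23, 59, 59, 3, 4, 2024); // same UTC day
$day2_early   = gmmktime(0, 0, 1, 3, 5, 2024);    // two seconds later, next UTC day

$a = visitor_hash($ip, $signals, $day1_morning);
$b = visitor_hash($ip, $signals, $day1_late);
$c = visitor_hash($ip, $signals, $day2_early);

// Same visitor within one UTC day: digests match, so the visit counts once.
var_dump(hash_equals($a, $b));
// Same visitor after the salt rotates: digests differ, so days cannot be joined.
var_dump(hash_equals($a, $c));
```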
Does it work with full-page caching?
Yes. The tracking is a small client-side script that fires on page load and POSTs to admin-ajax.php. That endpoint is dynamic and never cached by page-cache plugins or CDNs.
The cached HTML just contains the static <script> tag. The actual hit is recorded when the browser calls the uncached endpoint. The script also ships with flags to survive Rocket Loader, Autoptimize, and WP Rocket optimizations.
How is it different from Google Analytics?
The big one: nothing leaves your server. All data stays in your own WordPress database, with no Google, no third-party servers, no data sharing. That also means no cookie banner, and no sampling, so you see 100% of your traffic instead of estimates.
It's also much lighter than GA's tag, so no measurable slowdown on your pages. And it lives right inside WP Admin: install, activate, done. No account, no tags, no property setup.
Don't ad blockers block it?
Far less than third-party tools, though I won't claim it's 100% unblockable.
The difference is that the script is served from your own domain, not from a known third-party tracker domain, so there's no external host for blocklists to match. The request also goes to admin-ajax.php, a normal WordPress endpoint that blockers leave alone, since blocking it would break countless sites. Compared to anything loading from a separate tracking domain, it's a lot more resilient in practice.
That's most of what people asked. If you've got more questions, drop them in the comments and I'll add them here.
It's free and on the WordPress.org directory if you want to try it: