[FREE] A self-hosted WordPress analytics plugin where your visitor data never leaves your server

A developer released a free, self-hosted WordPress analytics plugin that stores visitor data on the server without cookies or external resources, making it GDPR/CCPA compliant. The plugin uses anonymous fingerprinting via SHA-256 hashing of IP and request signals, with daily salt rotation to prevent long-term tracking. It offers 100% traffic visibility without sampling and is designed to resist ad blockers by serving scripts from the site's own domain.

I recently released a free, privacy analytics plugin for WordPress. It's cookieless, stores everything in your own database, and loads zero external resources, so it's GDPR/CCPA friendly without a consent banner. After sharing it around, the same handful of questions kept coming up. Instead of answering them one at a time, here they are in one place. Everything is included for free, no upsells or feature gates: Instead of storing an identifier on the visitor's device, it builds an anonymous fingerprint server-side: a one-way SHA-256 hash of the IP plus a few request signals User-Agent, screen size, language, timezone . The raw IP is never stored, only the hash. The salt rotates daily it includes the UTC date , so the same visitor produces a different hash every 24h, and yesterday's data can't be linked to today's. That's enough to count unique visitors and sessions within a day without ever setting a cookie or touching localStorage. It's the same audience-measurement approach the well-known privacy analytics tools use, and it meets the "limited lifespan" criterion for consent-exempt tracking. Yes. The tracking is a small client-side script that fires on page load and POSTs to admin-ajax.php . That endpoint is dynamic and never cached by page-cache plugins or CDNs. The cached HTML just contains the static <script tag. The actual hit is recorded when the browser calls the uncached endpoint. The script also ships with flags to survive Rocket Loader, Autoptimize, and WP Rocket optimizations. The big one: nothing leaves your server. All data stays in your own WordPress database, with no Google, no third-party servers, no data sharing. That also means no cookie banner, and no sampling, so you see 100% of your traffic instead of estimates. It's also much lighter than GA's tag, so no measurable slowdown on your pages. And it lives right inside WP Admin: install, activate, done. No account, no tags, no property setup. Far less than third-party tools, though I won't claim it's 100% unblockable. The difference is that the script is served from your own domain, not from a known third-party tracker domain, so there's no external host for blocklists to match. The request also goes to admin-ajax.php , a normal WordPress endpoint that blockers leave alone, since blocking it would break countless sites. Compared to anything loading from a separate tracking domain, it's a lot more resilient in practice. That's most of what people asked. If you've got more questions, drop them in the comments and I'll add them here. It's free and on the WordPress.org directory if you want to try it: