XeroWP
SysRadar
SysRadar

SysRadar

0/5 (0 ratings) — active installs Updated May 27, 2026
analyticsbotsperformanceprivacyvitals
Download v1.3.0 Plugin Website
Main SysRadar dashboard — traffic categories (humans, AI crawlers, attackers, SEO crawlers, etc.) in real time, with category breakdown and live event feed

Main SysRadar dashboard — traffic categories (humans, AI crawlers, attackers, SEO crawlers, etc.) in real time, with category breakdown and live event feed

SysRadar is a server-side, privacy-first alternative to Google Analytics and Plausible — built in Brazil, hosted in Brazil, fully LGPD/GDPR-compliant.

Unlike GA4 (which requires cookies and complicated LGPD setup) and Plausible (which only sees human visitors with JavaScript enabled), SysRadar captures 100% of real requests to your server: humans, AI bots (ClaudeBot, GPTBot, PerplexityBot), SEO crawlers (Ahrefs, Semrush), attackers (sqlmap, nuclei, wpscan), RSS readers, uptime monitors — all categorized in real time.

Why this matters in 2026

  • 30 to 60% of your traffic is bots. You never knew — because GA4 and Plausible filter bots automatically. But it’s your server serving those bots, your bandwidth, your cost.
  • AI crawlers (Claude, GPT, Perplexity) are indexing your content right now. If you don’t know what they are reading, you can’t optimize. The first sites to appear in AI answers will win the next decade of SEO.
  • Attackers are continuously scanning /wp-admin/, /xmlrpc.php, /.env. Wordfence Free does not block them. Cloudflare lets them through. You don’t even know they exist.
  • Web Vitals (LCP, CLS, INP) — Google ranks search results by them. Lighthouse on your machine ≠ real user. SysRadar measures with RUM (Real User Monitoring) data.

What the plugin does

  1. Injects the tracker (one line of JS, ~2KB minified, async) into the <head> of all front-end pages via the wp_head hook
  2. Live Dashboard inside WordPress (since v1.2.0): your last 24h of traffic, AI crawlers, suspected attacks and a real-time live counter — all visible without leaving wp-admin. Cached locally for 5 min; the fetch fires ONLY when an administrator opens the SysRadar page (zero impact on visitor load times)
  3. Auto-detects WooCommerce, Elementor, Yoast SEO, Rank Math, Contact Form 7, BuddyPress, LearnDash, bbPress, All-in-One SEO
  4. Auto-excludes: admin pages, AJAX, REST API, cron jobs, and logged-in users with edit-posts capability (admins/editors)
  5. Honors DNT: 1 (Do Not Track) optionally
  6. Compatible with cache plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache, Cloudflare APO)
  7. Custom domain support (Pro+ plan): use analytics.yoursite.com to bypass aggressive ad-blockers
  8. Zero queries to the WordPress database (settings stored in wp_options)

Who is it for

  • Bloggers and content creators — discover which AI crawlers are indexing your content (ChatGPT, Claude, Perplexity)
  • E-commerce (WooCommerce) — real channel attribution, price-scraper detection, per-product Web Vitals
  • Agencies — manage analytics for multiple client sites in a single dashboard (Agency plan)
  • Developers — Web Vitals degradation alerts, automatic JS error capture, REST API access

Privacy & compliance

  • IP anonymization runs in the plugin, before transmission — last octet zeroed (IPv4) / last 80 bits zeroed (IPv6) inside your WordPress install, so SysRadar never receives identifiable IP addresses
  • First-party cookies only (_rdid, _rds) — no cross-site tracking, no fingerprinting. Cookieless mode is available as a one-click toggle
  • Split tracking toggles (since v1.1.1) — disable the front-end pixel and the server-side beacon independently
  • GDPR/LGPD-friendly: no data brokers, no impression auctions, no persona-building
  • Optional Honor DNT (Do Not Track) support
  • Servers located in Brazil; data processed under LGPD
  • No dependency on Google, Facebook, or any ad-tech vendor

Privacy policy snippet for site owners

You are the data controller for visitors of your site. The paragraph below is a starting point you can paste (and adapt) into your own privacy policy when this plugin is active. Replace the example placeholders with your specifics.

Analytics — SysRadar. We use SysRadar (operated by SysWP, Brazil) for privacy-first server-side analytics. SysRadar receives the page URL you visit, the referrer URL, your user-agent, anonymized IP (last octet zeroed before it leaves our server), Web Vitals metrics (LCP / FCP / TTFB / CLS / INP), and security telemetry on suspicious requests. SysRadar never sets third-party cookies and is configured here in [cookieless mode / standard mode]. We process this data under [legitimate interest in security monitoring / your consent for analytics], depending on the feature. SysRadar privacy policy: https://radar.syswp.com.br/privacy/. To exercise your LGPD/GDPR rights, contact us at [your email].

If you enable cookieless mode in the plugin settings, the _rdid and _rds first-party cookies are not set and you typically do not need a cookie consent banner for SysRadar.

Data subject rights walkthrough

Under LGPD (Brazil) Art. 18 and GDPR (EU) Art. 15–17, your visitors can request access to, correction of, deletion of, and portability of their personal data. Because SysRadar minimizes data at source (anonymized IPs, no names, no emails, no persistent cross-site identifier), most data subject requests are quick to answer:

  • Access: show the visitor the categories of data collected — see the table in the plugin’s Settings SysRadar page and the SysRadar privacy policy at https://radar.syswp.com.br/privacy/.
  • Correction: SysRadar does not collect identifiable data that can be “corrected” in the LGPD/GDPR sense. If a visitor still requests correction, document the request and respond confirming the data is anonymized.
  • Deletion: events are automatically purged after your plan retention window (7 to 180 days). For earlier deletion of events tied to a specific anonymized IP, the site owner can email [email protected] with the timeframe and the IP prefix.
  • Portability: the site owner can export all events for their site via the dashboard Account Export Data.
  • Objection / withdrawal of consent: if the visitor enabled DNT in their browser and you have “Honor DNT” turned on in the plugin, they are automatically not tracked. They can also block first-party cookies in their browser.

Pricing

Free permanent plan with 1 site. Automatic 7-day Pro trial on signup (no credit card). Full pricing and plan details at https://radar.syswp.com.br/pricing.

Roadmap

v1.2 (Q3 2026)

  • Mini-dashboard in WP admin showing last 24h numbers
  • Web Vitals widget in the WP admin

v1.3 (Q3 2026)

  • Auto-detection of SysWP ecosystem siblings + single sign-on via SSO HMAC
  • Integration with SysRadar API to fetch config remotely

v1.4 (Q4 2026)

  • Server-side events (S2S) — captures even with the most aggressive ad-blockers
  • Block AI crawlers directly from the plugin (optional)

External services

This plugin connects to the SysRadar service at https://radar.syswp.com.br. There are two distinct outbound transmissions, both fully disclosed below.

(1) Front-end JS pixel

  • When it fires: on every front-end page view from a non-excluded visitor (admins are excluded by default; logged-in users with edit-posts capability are skipped).
  • Transport: an async <script> tag loaded from https://radar.syswp.com.br/p/{site_id}.js runs in the visitor’s browser and sends measurement events back to the same domain.
  • Data sent: anonymized IP (last octet zeroed in your server before the script even runs, as the pixel is keyed to your site), page URL, referrer URL, user-agent string, browser locale and timezone, Web Vitals metrics (LCP, FCP, TTFB, CLS, INP).
  • Cookies set: _rdid and _rds first-party cookies — unless cookieless mode is enabled in the plugin settings, in which case no cookies are set.
  • Legal basis: consent (cookie + analytics) or legitimate interest depending on your jurisdiction. See the “Privacy & compliance” section above.

(2) Server-side beacon (new in v1.1.0+)

  • When it fires: only for requests the JS pixel cannot see — unauthenticated requests to /wp-json/, xmlrpc.php, admin-ajax.php, wp-login.php, and direct probes of /wp-admin/. Skipped for cron, WP-CLI, and excluded users.
  • Transport: a fire-and-forget wp_remote_post to https://radar.syswp.com.br/api/v1/pixel/server-beacon, dispatched on the WordPress shutdown action AFTER the page response is delivered, using fastcgi_finish_request() + blocking => false for zero added page latency.
  • Data sent: site ID, HTTP method, request URI (truncated to 500 chars), anonymized IP (last octet zeroed inside this plugin before transmission), user-agent (truncated to 1000 chars), referer (truncated, escaped), HTTP response status code, request-type label (rest / xmlrpc / ajax / login / admin_unauth / other), plugin version, DNT header value, cookieless-mode flag.
  • Data NOT sent: logged-in user identities, post content, form submissions, payment data, cookies, session tokens — none of these ever transit the beacon.
  • Legal basis: legitimate interest in security monitoring under LGPD Art. 7º IX / GDPR Art. 6(1)(f). No visitor consent is required for security telemetry of suspicious unauthenticated requests, per regulator guidance. Disclosure remains mandatory and is provided in the privacy policy snippet above.

(3) Install / deactivation ping (new in v1.3.0)

  • When it fires: twice in the lifetime of an install — once on register_activation_hook (plugin activation) and once on register_deactivation_hook (plugin deactivation). Never on uninstall (most plugins cannot make HTTP calls during the uninstall hook). No periodic pings, no per-request pings, no scheduled pings.
  • Transport: a fire-and-forget wp_remote_post to https://radar.syswp.com.br/api/v1/plugin/install-event (activation) or /api/v1/plugin/install-deactivate, with blocking => false so it never delays activation/deactivation.
  • Data sent: anonymous install ID (UUID v4 generated locally on first activation and stored in wp_options; not derived from any user data), site domain (e.g. example.com), plugin version, WordPress version, PHP version, multisite flag.
  • Data NOT sent: no admin email, no usernames, no user data, no visitor data, no IP, no cookies, no site title, no post content. The ping is strictly an installed-base counter for the plugin.
  • How to disable: Settings SysRadar “Plugin telemetry” check “Disable plugin telemetry” Save. Once disabled, no further activation/deactivation pings are sent.
  • Legal basis: legitimate interest under LGPD Art. 7º IX / GDPR Art. 6(1)(f) — knowing roughly how many installs are active and on which WordPress/PHP versions is necessary to keep the plugin compatible and supported. No visitor consent is involved (the ping originates from the WordPress site itself, not from any visitor).

Common to all three

  • Servers are located in Brazil.
  • Data is processed in compliance with LGPD/GDPR.
  • sslverify is always true on outbound HTTP — never relaxed.
  • No personally identifiable information (no name, no email, no full IP, no cross-site identifier) leaves your WordPress install.

Service links

  • Service URL: https://radar.syswp.com.br
  • Privacy policy: https://radar.syswp.com.br/privacy/
  • Terms of service: https://radar.syswp.com.br/terms/
  • Plugin setup + LGPD guide: https://radar.syswp.com.br/docs/plugin-setup/