=== SysRadar ===
Contributors: aporcebr
Donate link: https://radar.syswp.com.br/account/billing
Tags: analytics, web-vitals, bot-detection, performance, privacy
Requires at least: 5.5
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.1.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Server-side analytics. Sees 100% of traffic (including bots and attackers), real Web Vitals, UTM attribution, rage clicks. Privacy-first.

== Description ==

SysRadar is a **server-side, privacy-first** alternative to Google Analytics and Plausible — built in Brazil, hosted in Brazil, fully LGPD/GDPR-compliant.

Unlike GA4 (which requires cookies and complicated LGPD setup) and Plausible (which only sees human visitors with JavaScript enabled), SysRadar captures **100% of real requests** to your server: humans, AI bots (ClaudeBot, GPTBot, PerplexityBot), SEO crawlers (Ahrefs, Semrush), attackers (sqlmap, nuclei, wpscan), RSS readers, uptime monitors — all categorized in real time.

= Why this matters in 2026 =

* **30 to 60% of your traffic** is bots. You never knew — because GA4 and Plausible filter bots automatically. But it's your server serving those bots, your bandwidth, your cost.
* **AI crawlers** (Claude, GPT, Perplexity) are indexing your content right now. If you don't know what they are reading, you can't optimize. The first sites to appear in AI answers will win the next decade of SEO.
* **Attackers** are continuously scanning `/wp-admin/`, `/xmlrpc.php`, `/.env`. Wordfence Free does not block them. Cloudflare lets them through. You don't even know they exist.
* **Web Vitals** (LCP, CLS, INP) — Google ranks search results by them. Lighthouse on your machine ≠ real user. SysRadar measures with **RUM (Real User Monitoring) data**.

= What the plugin does =

1. **Injects the tracker** (one line of JS, ~2KB minified, async) into the `<head>` of all front-end pages via the `wp_head` hook
2. **Auto-detects** WooCommerce, Elementor, Yoast SEO, Rank Math, Contact Form 7, BuddyPress, LearnDash, bbPress, All-in-One SEO
3. **Auto-excludes:** admin pages, AJAX, REST API, cron jobs, and logged-in users with edit-posts capability (admins/editors)
4. **Honors** `DNT: 1` (Do Not Track) optionally
5. **Compatible** with cache plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache, Cloudflare APO)
6. **Custom domain support** (Pro+ plan): use `analytics.yoursite.com` to bypass aggressive ad-blockers
7. **Zero queries** to the WordPress database (settings stored in `wp_options`)

= Who is it for =

* **Bloggers and content creators** — discover which AI crawlers are indexing your content (ChatGPT, Claude, Perplexity)
* **E-commerce (WooCommerce)** — real channel attribution, price-scraper detection, per-product Web Vitals
* **Agencies** — manage analytics for multiple client sites in a single dashboard (Agency plan)
* **Developers** — Web Vitals degradation alerts, automatic JS error capture, REST API access

= Privacy & compliance =

* IPs are always anonymized (last octet zeroed) — we never persist full IPs
* First-party cookies only (`_rdid`, `_rds`) — no cross-site tracking, no fingerprinting
* GDPR/LGPD-friendly: no data brokers, no impression auctions, no persona-building
* Optional Honor DNT
* Servers located in Brazil
* No dependency on Google, Facebook, or any ad-tech vendor

= Pricing =

Free permanent plan with 1 site and 50K events/month. Automatic 7-day Pro trial on signup (no credit card).

* **Free:** R$ 0 / $0 — 1 site, 50K events, 7-day retention
* **Starter:** R$ 29 / $5 per month — 3 sites, 150K events, 30 days
* **Pro:** R$ 79 / $19 per month — 20 sites, 1M events, 90 days (per-URL Web Vitals, alerts, export)
* **Agency:** R$ 199 / $35 per month — 50 sites, 5M events, 180 days

**Founder promotion:** the first 100 paying customers lock in 50% lifetime discount + 12% off annual.

== Installation ==

= Via upload =

1. Upload the `syswp-radar` folder to `/wp-content/plugins/` or install via **WP Admin → Plugins → Add New → Upload Plugin** (use the `.zip`)
2. Activate the plugin in **WP Admin → Plugins**
3. Go to **Settings → SysRadar**
4. Paste your **Site ID** (12 characters) — find it at [radar.syswp.com.br/sites](https://radar.syswp.com.br/sites)
5. Save. Done. The pixel is now injected on all front-end pages automatically.

= Via WordPress.org (after approval) =

1. WP Admin → Plugins → Add New → search "SysRadar"
2. Install → Activate
3. Settings → SysRadar → paste your Site ID

Don't have an account yet? Sign up free at [radar.syswp.com.br/auth/signup](https://radar.syswp.com.br/auth/signup) — 7 days of Pro free, no credit card required.

== Frequently Asked Questions ==

= Will the plugin slow down my site? =

No. The JS is asynchronous (`<script async>`), under 2KB minified, and the server responds in sub-millisecond. Nothing blocks rendering. We honor the "zero impact on LCP/FCP" contract — you can verify on the Web Vitals panels in the SysRadar dashboard after installing.

= Does it work with WP Rocket / LiteSpeed Cache / Cloudflare? =

Yes. The snippet is static and works inside any page cache. Tested in production with WP Rocket and LiteSpeed.

= Can I use it with ad-blockers? =

Most ad-blockers allow it because the traffic is interpreted as a simple image request (`.gif`). If you need maximum accuracy and have the Pro+ plan, configure a **custom domain** (e.g., `analytics.yoursite.com`) and ad-blockers become completely blind to the tracking.

= Is there a free tier? =

Yes. Permanent Free plan with 1 site, 50K events/month, 7-day retention. Automatic 7-day Pro trial on signup.

= What happens if I uninstall the plugin? =

Events already collected stay in SysRadar (subject to your plan retention policy). New visitors will not be tracked. The plugin's settings (Site ID, etc.) remain in `wp_options` until you delete the plugin via "Plugins → Delete" — at that point the included `uninstall.php` cleans them up automatically.

= Does it collect personal data (LGPD/GDPR)? =

No. The plugin collects only: User-Agent, visited URL, referrer, and browser performance metrics (LCP/FCP/TTFB). IPs are anonymized before storage (last octet zeroed by default). No name, email, cross-site tracking cookies, or any personally identifiable information.

= How do I know it's working? =

After pasting the Site ID and saving, visit your site in an incognito tab. The dashboard at [radar.syswp.com.br/dashboard](https://radar.syswp.com.br/dashboard) shows the event in real time (5-10 second delay).

= Does the plugin auto-update? =

Yes, via standard WordPress auto-update when we publish a new version. You are notified at **WP Admin → Updates**.

= Does it support multisite? =

Yes. Install on the network and configure each subsite with its own Site ID in local settings. Each subsite has its own separate dashboard in SysRadar.

= Can I block AI crawlers via the plugin? =

No — SysRadar **detects** AI crawlers, it does not block them. To block, use `robots.txt` or a dedicated security plugin focused on bot blocking.

= Why "SysRadar" and not "SysWP Radar"? =

The plugin's **display name** was changed from "SysWP Radar" to "SysRadar" because the WordPress.org Plugin Review Team does not allow the "WP" abbreviation in user-facing plugin names (it could imply affiliation with WordPress itself). The slug — `syswp-radar` — is a technical URL identifier and is exempt from this restriction, similar to how Yoast SEO's slug is `wordpress-seo`. The SaaS service is still branded "SysWP Radar" at radar.syswp.com.br — only the plugin's display name changed.

== Screenshots ==

1. Main SysRadar dashboard — traffic categories (humans, AI crawlers, attackers, etc.) in real time
2. Real Web Vitals (LCP, FCP, TTFB, CLS, INP) collected from real visitors with Good/Needs-improvement/Poor coloring
3. Top attackers detected in real time, with country flag, hits, scanned paths
4. Plugin settings page in the WordPress admin
5. Email notifications when your LCP degrades >30% or a persistent attacker is detected

== Changelog ==

= 1.1.0 - 2026-05-11 =
* Display name changed to "SysRadar" (per WordPress.org Plugin Review Team guidance — "WP" cannot appear in plugin display names). Plugin slug remains `syswp-radar` (slugs are URL identifiers, not user-facing branding, and are exempt from the "WP" restriction).
* All UI strings translated from Portuguese to English with full i18n support — translations welcome via translate.wordpress.org
* Added server-side beacon (captures attacks the JS pixel cannot see: /wp-json/, xmlrpc.php, admin-ajax.php unauth, wp-admin probes, wp-login.php). Fired on `shutdown` action; uses `fastcgi_finish_request()` + `blocking=false` for zero added latency.
* Pixel injection switched from direct `echo` to `wp_enqueue_script()` + `script_loader_tag` filter for `async` attribute (matching WP.org Plugin Review best practices).
* All `$_SERVER` reads now properly sanitized with `sanitize_text_field(wp_unslash())` / `esc_url_raw(wp_unslash())`.
* Class renamed to `Syswp_Radar_Plugin` to match the slug-derived prefix convention.
* Removed call to `load_plugin_textdomain()` — no longer needed since WordPress 4.6 for plugins hosted on WordPress.org.

= 1.0.0 - 2026-05-06 =
* Initial release on WordPress.org
* Pixel injection via wp_head (priority 99)
* Auto-detection of platforms (WooCommerce, Elementor, Yoast, Rank Math, etc.)
* Settings page with privacy controls
* Compatibility tested with WP Rocket, LiteSpeed Cache, W3 Total Cache
* Multisite support
* Optional Honor DNT
* Auto-exclusion of admins/editors

== Upgrade Notice ==

= 1.1.0 =
Display name changed from "SysWP Radar" to "SysRadar" per WordPress.org guidance. Slug stays `syswp-radar` (settings + folder location unchanged for existing users). UI is now in English (translations welcome).

= 1.0.0 =
Initial release.

== Roadmap ==

= v1.2 (Q3 2026) =
* Mini-dashboard in WP admin showing last 24h numbers
* Web Vitals widget in the WP admin

= v1.3 (Q3 2026) =
* Auto-detection of SysWP ecosystem siblings + single sign-on via SSO HMAC
* Integration with SysRadar API to fetch config remotely

= v1.4 (Q4 2026) =
* Server-side events (S2S) — captures even with the most aggressive ad-blockers
* Block AI crawlers directly from the plugin (optional)

== External services ==

This plugin connects to the SysRadar service (radar.syswp.com.br) to send anonymous traffic data from your site visitors. This includes:

* The visitor's user-agent string (truncated)
* The URL they visited
* The referrer URL
* Their browser's locale and timezone
* Web Vitals metrics (LCP, FCP, TTFB) measured client-side
* Their IP address (anonymized — last octet zeroed before storage)

No personally identifiable information is collected. The data is processed in Brazil and stored according to LGPD/GDPR requirements.

* Service URL: https://radar.syswp.com.br
* Privacy policy: https://radar.syswp.com.br/privacy/
* Terms of service: https://radar.syswp.com.br/terms/
