If you're running Plausible, Google Analytics, or GoatCounter and feeling good about your traffic numbers, SysWP Radar has some uncomfortable news: you're probably missing 30 to 60 percent of what's actually hitting your server. The company's new open beta analytics platform captures everything at the server level โ€” AI crawlers, attackers, RSS readers, uptime monitors โ€” by never relying on JavaScript execution in the visitor's browser.

The Blind Spot Killing Your Analytics Accuracy

Traditional web analytics runs a JavaScript snippet in the user's browser. If that script doesn't execute โ€” because of ad blockers, privacy extensions, or simply bots and crawlers that don't render pages at all โ€” those visits vanish from your reports entirely. Radar flips this model by capturing traffic server-side through either a 1ร—1 pixel tag or direct WordPress plugin integration, giving you the complete picture of every request hitting your infrastructure. The dashboard shows real-time examples of what traditional tools miss. In the past 24 hours alone, Radar flagged sqlmap/1.7-dev probes from Russian IP space targeting vulnerable installations, empty user-agent requests from Netherlands-based sources attempting automated scraping, Mozilla/5.0 zgrab scans originating from Lithuania, and Nuclei vulnerability scanner traffic from US IP addresses running against WordPress endpoints. None of these would register in Google Analytics โ€” because none of them execute JavaScript.

AI Crawlers Are Eating Your Server Resources Undetected

The rise of AI training and inference has flooded the web with crawlers that operate entirely without JavaScript. Radar automatically categorizes ClaudeBot (Anthropic), GPTBot (OpenAI), PerplexityBot, Googlebot, Bingbot, and various SEO crawlers into distinct bot categories โ€” all invisible to traditional analytics but fully visible at the server level. These crawlers consume your PHP workers, bandwidth, and CPU cycles while you have zero visibility into their activity. GoatCounter founder Aral Balkan has noted that 30-60 percent of most websites' traffic is non-human, yet most site operators run JavaScript-based tools that see only a fraction of actual visitors. Radar's comparative chart shows the gap starkly: in one example dashboard view, traditional JS analytics logged 8,420 human visits while server-side capture revealed an additional 9,819 requests invisible to conventional methods โ€” totaling 18,239 actual server hits versus what appeared to be a much smaller audience.

Attack Detection Without the JavaScript Dependency

Beyond traffic analytics, Radar monitors for active attack patterns targeting WordPress infrastructure. The tool tracks probes against wp-login.php (credential stuffing attempts), xmlrpc.php (remote procedure call abuse), and /wp-json/ REST API enumeration โ€” all common vectors for automated exploitation. It detects tools like sqlmap (automated SQL injection scanner), wpscan, Nuclei, and masscan running reconnaissance against your server. The product integrates natively with SysWP Shield for blocking and SysWP Pulse (coming soon) for broader observability. Site operators using Cloudflare get GeoIP data via headers without additional tracking cookies or GDPR compliance headaches โ€” a practical approach that avoids the cookie banner nightmare while still delivering country-level geolocation and device detection.

Pricing That Won't Scare You Away

Radar launches with a genuinely free tier: no credit card required, 1 site, 50k events per month. The Starter plan costs R$24/month (roughly $5 USD) for single-site operators wanting extended retention, Core Web Vitals analysis, and AI-powered dashboard explanations. Pro tiers at R$79/month ($16 USD regular price through a limited founder promotion) add multi-site support up to 20 sites, custom tracking domains that resist ad blockers, and deeper performance attribution. The catch โ€” if you can call it that โ€” is an aggressive data deletion policy for inactive accounts: 15 days after last login, your entire account, sites, events, and sessions get wiped. The company frames this as privacy-first transparency rather than hostile to customers. Whether that's a feature or a bug depends on how often you check your analytics.

Key Takeaways

  • JavaScript-based analytics is fundamentally blind to any visitor that doesn't execute client-side code โ€” including AI crawlers, attackers, and most automated tools
  • Server-side pixel tracking captures the complete request picture regardless of what's happening in the browser
  • Radar's bot intelligence automatically categorizes 9 types: humans, verified bots, AI crawlers (ClaudeBot, GPTBot, Perplexity), SEO crawlers, RSS readers, health checks, WP internals, attackers, and unknown traffic
  • Attack detection covers wp-login/xmlrpc brute force, SQL injection scanners like sqlmap, vulnerability scanners like Nuclei, and REST API enumeration patterns
  • The free tier is genuinely useful for small sites; paid plans unlock meaningful retention and analysis improvements at reasonable prices

The Bottom Line

If you're running a WordPress site โ€” or any web property โ€” and relying solely on JavaScript analytics, you have no idea what's actually happening on your server. AI crawlers are legitimate traffic that consumes real resources. Attackers probing your login forms are real threats that need visibility. Server-side analytics isn't revolutionary; it's just honest about what the internet actually looks like in 2026.