nBlick Signal Agent

Description

Server-side, non-blocking request logging with a local queue, batched delivery,
exponential-backoff retries, a circuit breaker, query-parameter redaction, and
path filtering. Admin actions use the WordPress REST API.

Configuration

Settings -> nBlick Signal Agent. Set the API key (or define NBLICK_SIGNAL_API_KEY
in wp-config.php), enable logging, and use the Status tab to send a test event.

External services

This plugin connects to the nBlick Signal API, a third-party service, to provide
bot detection and traffic analysis. This connection is essential to the plugin’s
purpose: request data collected on your site is transmitted to nBlick for
analysis, and the plugin does nothing useful without it.

What is sent, and when:

• The plugin sends batches of request metadata to the nBlick Signal ingest
  endpoint (default: https://api.trynblick.com/signals/wordpress) on a recurring
  background schedule (via WP-Cron) whenever logging is enabled and queued data
  exists, and once when you click “Send Test Event”.
• Each request record may contain: the visitor’s IP address, the request method,
  host, path, HTTP status code, user agent, referer, response size, request
  duration, a timestamp, query-string parameters (with sensitive keys such as
  passwords and tokens redacted), a per-site identifier (UUID), and a schema
  version number.
• Only public front-end traffic is sent. WordPress admin, login, REST API, AJAX,
  cron, WP-CLI, and any paths you exclude are never collected or transmitted.
• Authentication uses an API key you provide, sent in the X-NBlick-Signal-Key
  request header.

The IP address is transmitted in full because it is required for the service’s
bot-detection and reverse-DNS analysis.

This service is provided by nBlick. By using the plugin you are sending the data
described above to nBlick. Please review their terms and privacy policy:

• Terms of service: https://trynblick.com/terms-of-service
• Privacy policy: https://trynblick.com/privacy-policy

Privacy

• The plugin is server-side only. It sets no cookies and performs no client-side
  or browser tracking.
• Sensitive query parameters (configurable; by default password, pass, token,
  auth, authorization, apikey, api_key, secret, card, cc, ssn and similar) are
  redacted to “[REDACTED]” before storage and transmission.
• Captured data is queued in a local database table and removed after it is sent
  successfully, or purged after the configured retention period (default 7 days).
• When the Sodium PHP extension is available, the API key is encrypted at rest
  using your site’s authentication salts; defining NBLICK_SIGNAL_API_KEY in
  wp-config.php avoids database storage entirely.
• Because the plugin transmits visitor IP addresses to a third party, you may
  need to disclose this in your own site’s privacy policy depending on your
  jurisdiction (e.g. GDPR/CCPA).