nBlick Signal Agent

Server-side, non-blocking request logging with a local queue, batched delivery, exponential-backoff retries, a circuit breaker, query-parameter redaction, and path filtering. Admin actions use the WordPress REST API.

Configuration

Settings -> nBlick Signal Agent. Set the API key (or define NBLICK_SIGNAL_API_KEY in wp-config.php), enable logging, and use the Status tab to send a test event.

External services

This plugin connects to the nBlick Signal API, a third-party service, to provide bot detection and traffic analysis. This connection is essential to the plugin’s purpose: request data collected on your site is transmitted to nBlick for analysis, and the plugin does nothing useful without it.

What is sent, and when:

• The plugin sends batches of request metadata to the nBlick Signal ingest endpoint (default: https://api.trynblick.com/signals/wordpress) on a recurring background schedule (via WP-Cron) whenever logging is enabled and queued data exists, and once when you click “Send Test Event”.
• Each request record may contain: the visitor’s IP address, the request method, host, path, HTTP status code, user agent, referer, response size, request duration, a timestamp, query-string parameters (with sensitive keys such as passwords and tokens redacted), a per-site identifier (UUID), and a schema version number.
• Only public front-end traffic is sent. WordPress admin, login, REST API, AJAX, cron, WP-CLI, and any paths you exclude are never collected or transmitted.
• Authentication uses an API key you provide, sent in the X-NBlick-Signal-Key request header.

The IP address is transmitted in full because it is required for the service’s bot-detection and reverse-DNS analysis.

This service is provided by nBlick. By using the plugin you are sending the data described above to nBlick. Please review their terms and privacy policy:

• Terms of service: https://trynblick.com/terms-of-service
• Privacy policy: https://trynblick.com/privacy-policy

Privacy

• The plugin is server-side only. It sets no cookies and performs no client-side or browser tracking.
• Sensitive query parameters (configurable; by default password, pass, token, auth, authorization, apikey, api_key, secret, card, cc, ssn and similar) are redacted to “[REDACTED]” before storage and transmission.
• Captured data is queued in a local database table and removed after it is sent successfully, or purged after the configured retention period (default 7 days).
• When the Sodium PHP extension is available, the API key is encrypted at rest using your site’s authentication salts; defining NBLICK_SIGNAL_API_KEY in wp-config.php avoids database storage entirely.
• Because the plugin transmits visitor IP addresses to a third party, you may need to disclose this in your own site’s privacy policy depending on your jurisdiction (e.g. GDPR/CCPA).