v1.6.0 Latest
July 9, 2026

Version 1.6.0 adds a new Pro module — the External Call Optimizer — that fixes one of the sneakiest causes of a slow WordPress admin: update checks that fire on every page load instead of twice a day.

New module: External Call Optimizer

WordPress checks api.wordpress.org for plugin, theme and core updates about twice a day. That schedule is held by a 12-hour timestamp stored inside WordPress's update transients. When a persistent object cache silently drops those transients — a dead Redis, a backend that flushes on every request, an orphaned drop-in — the timer vanishes and WordPress starts firing blocking update requests to api.wordpress.org on every single admin page load, 3–5 seconds each. Your admin crawls and nobody can see why.

  • Keeps the update-check gate reliable. The optimizer mirrors the last good update-check timestamp into its own dependable store and re-injects it when the cache loses it, so the 12-hour gate holds and checks drop back to roughly twice a day.
  • Faithful by design. It only ever restores a timestamp WordPress itself wrote, never re-injects one older than 12 hours (past that it lets a real check run), honours a manual "check now", and never touches api.wordpress.org connectivity — so security updates are never delayed or hidden.
  • Trims chatty third-party phone-homes. Premium-plugin license pings and telemetry that hammer the same endpoint get an automatic timeout-clamp (a proven-slow host costs about 2 seconds instead of 30) and a brief cache on repeated identical polls. No per-host rules, nothing to configure.
  • Safe by default. api.wordpress.org and WP Multitool's own updater are always left alone, streamed downloads bypass the cache, the request method is part of the cache key, and anything carrying cookies or an Authorization header is never cached.

It's a silent optimizer, not a monitor — there's no request log, no database tables, and no scan to run. One status card tells you whether the gate is holding and how many redundant checks it has prevented, with a switch to pause it. External Call Optimizer is a Pro module.

v1.5.4
July 2, 2026

This release adds leftover-table detection to the Database Optimizer and sharpens the orphaned-data report.

  • New — find tables left behind by uninstalled plugins. The Database Optimizer now scans for custom database tables and adds a "Custom Tables" card listing every non-core table with its size and row count. It works out who owns each table by searching the actual source of your installed plugins, mu-plugins, drop-ins and active theme for a reference to it — so tables that no installed code uses are flagged "no matching plugin installed (manual review)", the likely leftovers of a deleted plugin. This report never deletes or drops anything.
  • Improvement — orphaned meta grouped by size. The Orphaned Data preview now groups orphaned post/comment/user meta by key with byte totals, not just row counts, so you can see which leftover meta keys are actually consuming space.
  • Accessibility. Database Optimizer — the info (i) buttons on every card now have screen-reader labels, and the scrollable table lists are keyboard-focusable.
v1.5.3
June 29, 2026

This release is a round of fixes and polish, most of it from customer reports. Thanks to everyone who flagged something.

Fixes

  • Image Manager (Image Sizes) works under the Tools menu. When WP Multitool's menu was nested under the native Tools menu, the Image Sizes screen's buttons — Find Sizes to Disable, Reclaim Space, the per-size toggles — were inert because the page's scripts didn't load. They now load in both menu locations.
  • Config Manager shows feedback again. Saving or removing a constant (and security errors) now shows a visible success/rejection notice. Previously the message area wasn't wired up, so actions gave no on-screen confirmation.
  • Autoloader Optimizer — Save Thresholds and option editing work. Both were silently rejected because the security token wasn't included in the request.
  • Autoloader Optimizer — the Options List Edit popup no longer closes on the first keystroke. You can type into an option's value normally now; pressing Escape still closes the popup. Previously any key press while editing dismissed it, making edits impossible.
  • The "Send Feedback" button is no longer a dead end. It could appear un-clickable (with a "not-allowed" cursor) and no explanation when no star rating was selected. It's now always clickable and tells you what's missing, the rating shows a "(select a rating)" hint until you pick one, and the stars are keyboard-accessible.

Accessibility

  • Image Sizes screen contrast + labels. Each size's on/off toggle now has a descriptive label for screen readers, and the analysis badges, status, and text on flagged/disabled rows now meet WCAG AA contrast (they were dimmed below readability).

Safety

  • Database Optimizer — clearing orphaned WP Cron hooks now backs up first. It writes a restorable backup (with a download link) before removing anything, matching every other cleanup action. Previously this was the one cleanup that deleted without a restore point.
v1.5.2
June 24, 2026

This release puts the admin menu where you want it, makes every notice readable, and fixes a dead link — plus a small quality-of-life touch.

New: Choose where the menu lives

  • WP Multitool can now sit in its own top-level menu (the default) or nested under the native Tools menu — your call. Switch it in Preferences on the WP Multitool screen.
  • Enabling or disabling a module updates the menu live in either location, with no page reload.

Fixed: readable notices everywhere

  • The "Debug logging is ON in production" warning (and notices in general) could render with near-invisible body text on the dark admin theme. Notices now use a single shared, contrast-safe style, so the text is always legible.

Fixed: no more dead link on disabled modules

  • A disabled module's card title used to be a link that led to a "Sorry, you are not allowed to access this page" screen. The title is now a link only when the module is enabled, and it updates the instant you toggle it.

Tweak

  • The plugin version is now shown next to the WP Multitool Settings title.
v1.5.1
June 23, 2026

A small release driven by user feedback: move your configuration between sites in one click, and stop two false alarms on managed hosts.

New: Import / Export settings

  • Export your entire WP Multitool configuration to a JSON file from the new Import / Export screen.
  • Import it on your other sites to clone your set-up instantly — no more reconfiguring each module by hand.
  • Licenses, API keys and other secrets are stripped out automatically, so a shared file never leaks credentials or overwrites the destination site's licensing. Imported values merge over the target's settings without touching its own per-site state.

Fixed: false alarms on managed hosts

  • Object cache: Kinsta, WP Engine, Cloudways, Pantheon and Flywheel all offer Redis as an add-on. Site Health no longer shows a "change hosts" critical on these — it now nudges you to enable your host's Redis add-on. The critical is reserved for hosts that truly can't cache.
  • OPcache: some managed hosts (Kinsta, WP Engine) restrict PHP's OPcache status API, which made WP Multitool think OPcache was off when it was actually running. The check now falls back to the php.ini setting when live stats can't be read — and still warns when OPcache is genuinely disabled.
v1.5.0
June 22, 2026

WordPress has no built-in way to cap or dedupe wp-content/debug.log. One plugin throwing the same PHP deprecation on every request is enough to grow that file to gigabytes and fill your disk — and once it's that big, you can't even open it to find out what happened. 1.5.0 adds a module to deal with exactly that.

New module: Debug Log Guard (Pro)

  • See the real culprit in seconds. It streams the log without ever loading it into memory and shows a grouped, deduped table — message, how many times it fired, which plugin or theme it came from, first and last seen. The worst offender sits at the top.
  • Compact safely. Compact collapses thousands of repeated lines into one annotated entry while preserving your warnings and fatals. In testing a 404 KB spam log came out at 301 bytes. Every action is backup-first and atomic (temp file + rename), so a failed run never corrupts the log.
  • Rotate and Clear too — both keep a backup first — plus a one-click download of the current log.
  • An hourly size guard watches the file and compacts, rotates, or clears it when it passes a threshold you set. The check only reads the file size, never the file, so it can't slow your site down.
  • It finds the right file. WP_DEBUG_LOG doesn't always mean wp-content/debug.log — Debug Log Guard resolves the real active target (honouring WP_DEBUG and php.ini's error_log), and refuses to act on something it can't safely manage, like /dev/stderr.
  • It flags the root cause. If the site reports as production and debug logging is on, you get a clear warning. That's almost always why these files balloon, and a web-reachable debug.log can leak file paths and internals. WP Multitool's job is to surface the obscure-but-important stuff, and this is exactly that.

Built for the log that's already huge

  • Before compacting, it checks free disk and refuses if there isn't room for the temp copy, pointing you at Rotate or Clear instead.
  • Past a hard ceiling it rotates rather than compacts, because compacting a multi-GB file under a time limit is the risky path.
  • Compaction runs against a time budget and aborts with the original left intact if it would overrun. A multi-GB log is summarised from its most recent slice, so the viewer never hangs.

From the command line

Everything is in WP-CLI, and it works even when wp-admin is unreachable — which is usually the case when the disk is full:

  • wp multitool debug-log status — where the log is, how big, and whether WP_DEBUG is on
  • wp multitool debug-log summary — the grouped, deduped table
  • wp multitool debug-log compact — backup, then collapse the repeats
  • wp multitool debug-log clear — backup, then empty it

For people who run a lot of sites

If you maintain client sites, you don't want the first sign of a full disk to be a support ticket from someone whose small blog went down. So 1.5.0 also adds wp multitool healthcheck — a fast check that returns a real exit code (0 ok, 1 warning, 2 critical) and --format=json. Drop it in a cron across every site and you'll know about a runaway debug.log, debug logging left on in production, or autoload bloat before your client does:

  • wp multitool healthcheck || notify-me — non-zero exit means something needs attention

Debug Log Guard reads and post-processes the log; it doesn't yet prevent the duplicate writes at the source. That's the next step.

v1.4.1
June 18, 2026

A small maintenance release: one front-end fix that prevents stale assets behind aggressive caches, plus a round of internal hardening.

Fixed

  • “Remove Version Strings” is now opt-in (off by default): stripping ?ver= can defeat cache-busting behind an aggressive CDN or page cache — after an update the old, version-less asset can keep being served. It already never touched wp-admin; now it stays off until you deliberately turn it on.

Hardened

  • The Autoloader Optimizer options view no longer instantiates objects when previewing serialized option values (unserialize now uses allowed_classes), and internal table-existence checks use prepared statements.
v1.4.0
June 16, 2026

Meet Site Doctor — find the misconfigs that quietly cost you speed

The headline of 1.4 is a brand-new module: Site Doctor, an on-demand health scan that catches the production misconfigurations that don’t show up anywhere else — a thrashing OPcache, an object-cache drop-in pointing at a dead Redis, a page that misses the cache on every hit, a WooCommerce gateway still stuck in test mode — and hands you the exact fix for each one. Alongside it: a WP-CLI rescue kit for when wp-admin won’t even load, a one-shot N+1 query probe, and profiling tools that now ship off by default so a fresh install adds zero frontend overhead.

New

  • Site Doctor — on-demand health scan with fixes: a new module that runs only when you click Run scan (or wp multitool doctor) — never on a page load. It checks OPcache health (OOM restarts, low hit rate, full key table), the object-cache drop-in (a drop-in pointing at a dead backend is flagged critical), LiteSpeed misconfiguration, page caching via a single loopback probe, and WooCommerce payment gateways stuck in test/sandbox mode on a live shop. Every finding comes with concrete remediation — a sized php.ini snippet from your live numbers, the exact gateway setting to flip — not generic advice. A staging-guard quietly downgrades severities on dev hosts so your .loc clone doesn’t cry wolf. It deliberately doesn’t duplicate transient cleanup or cron chasing — those stay in Database Optimizer and Site Health. Built from real client optimization fires.
  • Autoload rescue from WP-CLI: wp multitool autoload analyze classifies your autoloaded options and flags the bloat, optimize disables autoload for safe candidates (after writing a backup), and restore puts every flag back exactly as it was. Built for the moment wp-admin is dying of memory exhaustion and the dashboard is the one place you can’t reach.
  • Module control from WP-CLI: wp multitool modules list, enable <module> and disable <module>. Disabling a module also cleans up its scheduled events and any files it deployed; enabling redeploys them — so the command line stays in sync with the admin toggles.
  • One-shot N+1 query probe: wp multitool slow-queries probe fires a single token-gated request at your front end with query logging on, then shows you which queries repeated, how long they took, and candidate indexes — without leaving query logging running on a live site. The cleanest way to catch a plugin firing the same query 50 times on one page.

Improved

  • Profiling modules ship off by default: on a fresh install the Slow Query Analyzer and Find Slow Callbacks now start disabled, so the plugin adds no per-request profiling cost until you deliberately turn it on. Existing sites keep whatever you already had enabled.
  • Low-memory warning: health checks and CLI commands now warn when the site’s configured memory limit is low, with the exact constant to raise in wp-config.php.
  • Honest autoload expectations: the docs now spell out when autoload optimization actually moves TTFB (large autoload set, no persistent object cache) versus when the win is mostly memory — so you optimize the right thing first.

Fixed / Hardened

  • Crash recovery can never be stripped: the Fatal Error Recovery files are now a deliberate always-on safety net, excluded from module ownership — disabling any module can no longer remove your site’s crash recovery.
  • No zombie artifacts: on activation the plugin no longer re-deploys mu-plugins or drop-ins belonging to a module you’ve disabled.
  • Trustworthy restore counter: autoload restore reports the exact number of options it put back, not an estimate.
v1.3.0
June 2, 2026

Reclaim the image storage you can’t see

The Image Manager grows up. It now finds the image sizes nothing on your site actually uses, then lets you delete the generated files to win back disk — reversibly, and without ever touching your original uploads. Plus a friendlier loader while the heavy tools think.

New

  • Image Manager — Reclaim space: one click deletes the generated files for unused, duplicate or disabled image sizes, per row or in bulk. It’s fully reversible — hit Regenerate to rebuild them — and your original uploads are never touched.
  • Image Manager — smarter unused detection: a new “Content refs” column looks past the post thumbnail and scans post content, Gutenberg blocks, Elementor data, widgets and theme files before a size is ever called unused, with an honest “verify before disabling” nudge.
  • Animated brand loader: the Autoload Optimizer and Database Optimizer overlays now show an animated “M” while they work, so a long scan no longer looks like a frozen screen.

Improved

  • Reference scan hardened for big libraries: the unused-size detection runs on demand, keeps its memory footprint low, and caps the rows it walks — so it stays responsive on large, slow sites instead of stalling on a huge media library.
v1.2.6
May 28, 2026

Maintenance release

Three bug fixes: a WordPress 7.0 block-editor regression, a Plugin Profiler stall on LiteSpeed hosts, and an invalid index suggestion in the Slow Query Analyzer.

Bug fixes

  • Frontend Optimizer: could break the block editor (a blank "Add Post" screen) on some sites. Its front-end output optimizations (script deferring, moving scripts to the footer, ?ver= stripping, wp_head cleanup) ran on every request — including wp-admin, the REST API, AJAX and cron. They are now confined to genuine front-end page views, and script deferring/relocation never touches a page that loads the block editor (which also covers front-end editing plugins). Reported on WordPress 7.0.
  • Plugin Profiler: fixed a stall on heavy LiteSpeed-hosted sites.
  • Slow Query Analyzer: no longer suggests indexes on SELECT-clause column aliases, which aren't real columns and can't be indexed (issue #8).
v1.2.5
May 26, 2026

Security release

This release ships one P1 (XSS) and one P0 (OOM) reported by the supply.family security audit, plus a P0 production fatal in Image Manager.

Security

  • Image Manager: escape size names through esc_html() in the size-details modal before output. Custom image size names containing HTML/JS no longer execute in the admin (P1 XSS, supply.family audit).

Bug fixes

  • Image Manager: fatal Call to undefined function get_current_screen() on front-end and under WP-CLI. The admin bar hook now guards on function_exists before resolving the screen (production Recovery Mode trigger on supply.family).
  • Image Manager: out-of-memory crash in "Find Unused Sizes" scan on sites with large wp_posts tables. Replaced the unbounded GROUP_CONCAT(post_content) with paginated batches (100 posts at a time) and early-exit per size (P0 OOM, supply.family audit).

Internal (no behavior change)

  • Slow Query AI Analyzer admin assets extracted from inline <style> / <script> blocks into properly enqueued files (assets/css/sqaa-admin.css, assets/js/sqaa-admin.js). Better caching.
  • Auto Updater methods renamed snake_case → camelCase across 4 files (get_edition, get_license_key, set_license_key, get_state, set_state, clear_cache). Consistent with the rest of the codebase.
v1.2.4
May 14, 2026

Object cache label fix

The Site Health OBJ CACHE badge sometimes labeled SQLite Object Cache as "Redis" because the drop-in scanner matched the word "redis" in plugin comments before "sqlite" in the code.

Detection now checks active plugin slugs first (sqlite-object-cache, redis-cache, etc.) and only falls back to keyword scanning by earliest position in the file — so the label matches the actual cache backend in use.

v1.2.3
May 14, 2026

Improved object cache recommendations

The Site Health module now follows a smarter cascade when recommending a persistent object cache:

  • Redis available → recommend the Redis Object Cache plugin (unchanged).
  • No Redis, but SQLite extension present → recommend the SQLite Object Cache plugin as a solid fallback.
  • Neither available → flag the host as unsuitable and link to hosting recommendations.

Previously the plugin pushed Redis only, leaving users on hosts without Redis without a clear next step.

v1.2.2
May 7, 2026
  • Fix: Auto Updater no longer shows a stale "update available" notice after a successful upgrade. The injector now compares the cached new_version against the installed version and clears its 6-hour cache the moment our plugin finishes upgrading.
  • Fix: Auto Updater self-heals when WordPress's cached package URL has expired. Previously you'd see "The signed download URL has expired" and have to manually click "Check for Updates Now". Now the plugin refreshes the URL inline and the upgrade just works.
  • Reported by Bojan — three of his six sites stuck displaying the 1.2.1 update notice while already on 1.2.1. Thanks for the heads-up.
v1.2.1
May 6, 2026
  • Fix: Slow Query Analyzer's "Apply Index" suggestions no longer mangle table names on sites with custom $table_prefix values that begin with wp_ (e.g. wp_plugins_). The CREATE INDEX SQL now targets the actual table from MySQL EXPLAIN instead of trying to "fix" it.
  • Bonus: If you're reading this in WordPress Updates rather than on the site, congratulations — your Auto Updater works.
v1.2.0
May 6, 2026
  • New: Auto Updater module — pulls plugin updates from wpmultitool.com using your Polar license key. No more manual zip uploads.
  • New: License & Updates admin page (Pro only) — paste your license key once, then updates flow in via the standard WordPress Updates screen.
  • New: One-click "Check for updates now" button bypasses WordPress's 12-hour transient cache.
  • Security: Update server uses short-lived signed download URLs (HMAC-SHA256, 30-minute TTL) so zips can't be hot-linked.
  • Fix: Slow Callback Finder and Slow Query Analyzer table creation now works reliably across all hosting stacks (LiteSpeed, MariaDB, custom $table_prefix). Replaced WordPress's flaky dbDelta() with an explicit Schema_Manager that captures the real MySQL error and falls back through 4 charsets and 2 storage engines.
  • Fix: "Cannot create database table. Check database user permissions." error replaced with the actual MySQL error message, so you can see the real cause when setup fails.
  • Fix: Upgrade no longer hangs when WordPress maintenance mode briefly takes the admin URL offline mid-refresh.
  • Change: Lite edition skips the Auto Updater entirely (no spurious update rows, no server hits).
v1.1.20
April 22, 2026
  • New: Action Scheduler Optimizer — detects and cleans bloated action queue, shows pending/failed/completed action stats, one-click cleanup with configurable retention
  • New: Image Manager — smart size analysis detecting duplicate and unused registered image sizes, with usage stats and cleanup recommendations
  • Fix: 9 bugs resolved from code review — critical, high, and medium severity issues across multiple modules
v1.1.19
April 8, 2026
  • New: Plugin Performance Score module — adds a Performance column to the Plugins page showing benchmark scores, memory usage, and query counts for ~5,000 plugins (data from makewpfast.com)
  • New: Security Headers — adds X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security
  • New: Sensitive File Removal — auto-deletes readme.html and license.txt (re-deletes after core updates)
  • New: User Enumeration Protection — blocks REST API /wp/v2/users and ?author=N for unauthenticated visitors
  • New: Login Attempt Limiter — locks out IPs after 5 failed attempts for 15 minutes
  • Change: Frontend Optimizer Security section expanded from 1 to 5 toggles
v1.1.18
March 10, 2026
  • Fix: Autoloader Optimizer false positives — options from active plugins (EmailKit, Fluent Forms, ACF, Yoast, etc.) no longer incorrectly flagged as orphaned
  • Change: Orphan detection now uses get_plugins() with TextDomain metadata instead of guessing prefixes from folder names
  • Change: Removed dangerous 2-3 character abbreviated prefix matching that caused false matches
  • Change: "Orphaned" category renamed to "Inactive Plugin" — only flags options from deactivated plugins
  • New: "Unrecognized" category for options that don't match any installed plugin (informational only, not auto-optimized)
v1.1.17
February 24, 2026

Improvements

  • Autoload Optimizer: Fixed optimization card layout - button and description now on separate lines for better readability
  • Autoload Optimizer: Added info dialog explaining detection categories (Orphaned, Oversized, Bloat Patterns) with specific rules
  • Autoload Optimizer: Added dark theme CSS overrides for the optimization card

Ready to optimize your WordPress site?

Join developers using WP Multitool to debug, optimize, and maintain WordPress.

Get WP Multitool