v1.2.5 Latest
May 26, 2026

Security release

This release fixes one P1 issue (XSS) and one P0 issue (OOM) reported by the supply.family security audit, plus a P0 production fatal error in Image Manager.

Security

  • Image Manager: escape size names through esc_html() in the size-details modal before output. Custom image size names containing HTML/JS no longer execute in the admin (P1 XSS, supply.family audit).

Bug fixes

  • Image Manager: fatal Call to undefined function get_current_screen() on front-end and under WP-CLI. The admin bar hook now guards on function_exists before resolving the screen (production Recovery Mode trigger on supply.family).
  • Image Manager: out-of-memory crash in "Find Unused Sizes" scan on sites with large wp_posts tables. Replaced the unbounded GROUP_CONCAT(post_content) with paginated batches (100 posts at a time) and early-exit per size (P0 OOM, supply.family audit).
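
The bounded scan described in the OOM fix can be sketched as follows. This is an added example, not the plugin's own code: the function name, the keyset-style batch callback and the "-WxH." filename match rule are assumptions, and the post rows are constructed.

```php
<?php
// Added example, not the plugin's code. Sizes, dimensions and post rows are constructed.

/**
 * Return the registered sizes that no post references. $fetchBatch($afterId, $limit)
 * returns rows ['ID' => int, 'post_content' => string] ordered by ID; in WordPress it
 * would wrap: SELECT ID, post_content FROM wp_posts WHERE ID > %d ORDER BY ID LIMIT %d
 */
function find_unused_sizes(array $sizes, callable $fetchBatch, int $batchSize = 100): array
{
    // Pending sizes keyed by name; the value is the "-WxH." filename marker (assumed rule).
    $pending = [];
    foreach ($sizes as $name => [$w, $h]) {
        $pending[$name] = "-{$w}x{$h}.";
    }
    $afterId = 0;
    while ($pending) {                       // stop as soon as every size has been seen
        $rows = $fetchBatch($afterId, $batchSize);
        if (!$rows) {
            break;                           // table exhausted
        }
        foreach ($rows as $row) {
            foreach ($pending as $name => $marker) {
                if (strpos($row['post_content'], $marker) !== false) {
                    unset($pending[$name]);  // early exit: this size is never tested again
                }
            }
            $afterId = $row['ID'];
        }
    }
    return array_keys($pending);
}

// Constructed sample: 250 posts; two embed resized images, none uses the "hero" size.
$posts = [];
for ($id = 1; $id <= 250; $id++) {
    $posts[] = ['ID' => $id, 'post_content' => "Post $id body"];
}
$posts[4]['post_content']   = '<img src="/uploads/a-150x150.jpg">';
$posts[119]['post_content'] = '<img src="/uploads/b-1024x768.png">';

$fetchBatch = function (int $afterId, int $limit) use ($posts): array {
    $rest = array_filter($posts, fn($p) => $p['ID'] > $afterId);
    return array_slice(array_values($rest), 0, $limit);
};

$sizes = ['thumbnail' => [150, 150], 'large' => [1024, 768], 'hero' => [1920, 600]];
print_r(find_unused_sizes($sizes, $fetchBatch));
```

Peak memory is one batch of rows instead of every post_content value concatenated into a single result, which is what makes the scan safe on large wp_posts tables.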

Internal (no behavior change)

  • Slow Query AI Analyzer admin assets extracted from inline <style> / <script> blocks into properly enqueued files (assets/css/sqaa-admin.css, assets/js/sqaa-admin.js). Better caching.
  • Auto Updater methods renamed snake_case → camelCase across 4 files (get_edition, get_license_key, set_license_key, get_state, set_state, clear_cache). Consistent with the rest of the codebase.
v1.2.4
May 14, 2026

Object cache label fix

The Site Health OBJ CACHE badge sometimes labeled SQLite Object Cache as "Redis" because the drop-in scanner matched the word "redis" in plugin comments before "sqlite" in the code.

Detection now checks active plugin slugs first (sqlite-object-cache, redis-cache, etc.) and only falls back to keyword scanning by earliest position in the file — so the label matches the actual cache backend in use.

v1.2.3
May 14, 2026

Improved object cache recommendations

The Site Health module now follows a smarter cascade when recommending a persistent object cache:

  • Redis available → recommend the Redis Object Cache plugin (unchanged).
  • No Redis, but SQLite extension present → recommend the SQLite Object Cache plugin as a solid fallback.
  • Neither available → flag the host as unsuitable and link to hosting recommendations.

Previously the plugin pushed Redis only, leaving users on hosts without Redis without a clear next step.

v1.2.2
May 7, 2026
  • Fix: Auto Updater no longer shows a stale "update available" notice after a successful upgrade. The injector now compares the cached new_version against the installed version and clears its 6-hour cache the moment our plugin finishes upgrading.
  • Fix: Auto Updater self-heals when WordPress's cached package URL has expired. Previously you'd see "The signed download URL has expired" and have to manually click "Check for Updates Now". Now the plugin refreshes the URL inline and the upgrade just works.
  • Reported by Bojan — three of his six sites stuck displaying the 1.2.1 update notice while already on 1.2.1. Thanks for the heads-up.
v1.2.1
May 6, 2026
  • Fix: Slow Query Analyzer's "Apply Index" suggestions no longer mangle table names on sites with custom $table_prefix values that begin with wp_ (e.g. wp_plugins_). The CREATE INDEX SQL now targets the actual table from MySQL EXPLAIN instead of trying to "fix" it.
  • Bonus: If you're reading this in WordPress Updates rather than on the site, congratulations — your Auto Updater works.
v1.2.0
May 6, 2026
  • New: Auto Updater module — pulls plugin updates from wpmultitool.com using your Polar license key. No more manual zip uploads.
  • New: License & Updates admin page (Pro only) — paste your license key once, then updates flow in via the standard WordPress Updates screen.
  • New: One-click "Check for updates now" button bypasses WordPress's 12-hour transient cache.
  • Security: Update server uses short-lived signed download URLs (HMAC-SHA256, 30-minute TTL) so zips can't be hot-linked.
  • Fix: Slow Callback Finder and Slow Query Analyzer table creation now works reliably across all hosting stacks (LiteSpeed, MariaDB, custom $table_prefix). Replaced WordPress's flaky dbDelta() with an explicit Schema_Manager that captures the real MySQL error and falls back through 4 charsets and 2 storage engines.
  • Fix: "Cannot create database table. Check database user permissions." error replaced with the actual MySQL error message, so you can see the real cause when setup fails.
  • Fix: Upgrade no longer hangs when WordPress maintenance mode briefly takes the admin URL offline mid-refresh.
  • Change: Lite edition skips the Auto Updater entirely (no spurious update rows, no server hits).
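
The signed download URLs introduced in this release, and the "signed download URL has expired" case that v1.2.2 later handles, can be illustrated with a signer and verifier. This is an added example, not the update server's code: the query parameter names, path, key and message layout are assumptions, and only HMAC-SHA256 and the 30-minute TTL come from the release note.

```php
<?php
// Added example, not the update server's code. Path, key and parameter names are assumed.

const URL_TTL = 1800; // 30-minute TTL from the release note, in seconds

function sign_download_url(string $path, string $key, int $now): string
{
    $expires = $now + URL_TTL;
    // The MAC covers the path and the expiry, so neither can be changed independently.
    $sig = hash_hmac('sha256', $path . "\n" . $expires, $key);
    return $path . '?' . http_build_query(['expires' => $expires, 'sig' => $sig]);
}

function verify_download_url(string $url, string $key, int $now): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['path'], $parts['query'])) {
        return false;
    }
    parse_str($parts['query'], $q);
    $expires = $q['expires'] ?? '';
    $sig     = $q['sig'] ?? '';
    // Reject missing, array-valued (expires[]=1) or non-numeric parameters up front.
    if (!is_string($expires) || !is_string($sig) || preg_match('/^\d{1,12}$/', $expires) !== 1) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts['path'] . "\n" . $expires, $key);
    // Constant-time comparison first; only a value with a valid MAC is trusted as a time.
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    return (int) $expires >= $now;
}

// Constructed sample values.
$key = 'placeholder-server-secret';
$t0  = 1700000000;
$url = sign_download_url('/downloads/plugin.zip', $key, $t0);

var_dump(verify_download_url($url, $key, $t0 + 60));            // fresh link
var_dump(verify_download_url($url, $key, $t0 + URL_TTL + 1));   // link past its TTL
$later = preg_replace('/expires=\d+/', 'expires=' . ($t0 + 86400), $url);
var_dump(verify_download_url($later, $key, $t0 + URL_TTL + 1)); // expiry edited, MAC stale
```

A client that caches such a URL longer than the TTL has to request a fresh one, since the expiry cannot be extended without the server key.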
v1.1.20
April 22, 2026
  • New: Action Scheduler Optimizer — detects and cleans bloated action queue, shows pending/failed/completed action stats, one-click cleanup with configurable retention
  • New: Image Manager — smart size analysis detecting duplicate and unused registered image sizes, with usage stats and cleanup recommendations
  • Fix: 9 bugs resolved from code review — critical, high, and medium severity issues across multiple modules
v1.1.19
April 8, 2026
  • New: Plugin Performance Score module — adds a Performance column to the Plugins page showing benchmark scores, memory usage, and query counts for ~5,000 plugins (data from makewpfast.com)
  • New: Security Headers — adds X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security
  • New: Sensitive File Removal — auto-deletes readme.html and license.txt (re-deletes after core updates)
  • New: User Enumeration Protection — blocks REST API /wp/v2/users and ?author=N for unauthenticated visitors
  • New: Login Attempt Limiter — locks out IPs after 5 failed attempts for 15 minutes
  • Change: Frontend Optimizer Security section expanded from 1 to 5 toggles
v1.1.18
March 10, 2026
  • Fix: Autoloader Optimizer false positives — options from active plugins (EmailKit, Fluent Forms, ACF, Yoast, etc.) no longer incorrectly flagged as orphaned
  • Change: Orphan detection now uses get_plugins() with TextDomain metadata instead of guessing prefixes from folder names
  • Change: Removed dangerous 2-3 character abbreviated prefix matching that caused false matches
  • Change: "Orphaned" category renamed to "Inactive Plugin" — only flags options from deactivated plugins
  • New: "Unrecognized" category for options that don't match any installed plugin (informational only, not auto-optimized)
v1.1.17
February 24, 2026

Improvements

  • Autoload Optimizer: Fixed optimization card layout - button and description now on separate lines for better readability
  • Autoload Optimizer: Added info dialog explaining detection categories (Orphaned, Oversized, Bloat Patterns) with specific rules
  • Autoload Optimizer: Added dark theme CSS overrides for the optimization card
v1.1.16
February 19, 2026
  • Replaced Datastar PHP SDK with PHP 7.4-compatible single-file implementation
  • Fixed memory detection to use WP_MEMORY_LIMIT instead of ini_get
  • Fixed memory limit display consistency between dashboard and Config Manager
  • Removed AI references from user-facing text
v1.1.15
February 15, 2026
  • Added feedback widget with star rating on main settings page
  • Feedback emails sent directly to developer via SMTP
  • Fixed DataStar PHP SDK not deploying to production (gitignore fix)
  • Hidden Upgrade menu in full edition when running from git
  • Slow Callback Finder now enabled by default
v1.1.14
February 14, 2026

Bug Fix

  • Fix fatal error on activation when hosting provider disables symlink() in PHP (shared hosting compatibility)
  • Improved fallback: versioned assets now use file copy when symlink is unavailable
v1.1.13
February 11, 2026
  • Added: WP-CLI commands for safe CLI access without wp eval
  • Added: Dual-edition conflict prevention
  • Added: Pro Features upsell module
  • Improved: ClawHub agent skill rewritten to eliminate all wp eval
  • Improved: Build system for Lite/Pro edition packaging
v1.1.12
February 10, 2026
  • Fix: Fatal error on activation when symlink() is disabled by hosting provider
  • Fallback: Copy assets instead of symlink on restricted hosts
v1.1.11
January 25, 2026
  • Fix: HTTP/2 detector infinite page reload loop on HTTP/1.1 sites
  • Fix: Autoload Optimizer usage table unreadable text in dark theme
  • Fix: Config Manager read-only notice now shows file owner and permissions
  • Fix: CSS notice styling specificity to avoid overriding plugin-specific notices
  • License updated to Proprietary
v1.1.8
January 17, 2026
  • Improve Admin UI styling and consistency
  • Add additional CSS for better module card presentation
v1.1.7
January 17, 2026
  • Major Admin class enhancements
  • Improved asset versioning with cache-busting timestamps
v1.1.6
January 17, 2026
  • Admin class improvements and code cleanup
v1.1.5
January 17, 2026
  • Add service listing assets and screenshots
  • Remove deprecated playwright screenshot files
