Skip to content

Changelog

1.2.0

Fixed

  • ESI nonce feature actually ships now. The required MU-plugin at wp-content/mu-plugins/cacheability-nonce-esi.php is now installed automatically on plugin activation and kept in sync on every admin page load (previously operators had to copy it by hand and most never did).
  • No more placeholder leaks into URLs, inline JS, or data-attributes. Under the previous behaviour, enabling ESI could result in literal __ESINONCE__... strings reaching the browser inside href="?_wpnonce=...", wp_localize_script JSON, data-nonce, and inline <script> blocks — breaking REST calls and every logout/trash link for anonymous visitors. Placeholder mode is now gated by an explicit per-action whitelist, and any action not on the list returns a real nonce.

New

  • Nonce action whitelist under Cache Controls → ESI Support. Accepts one action per line, wildcards with * supported (e.g. woocommerce-*). Filter: cacheability_pro_esi_nonce_actions.
  • MU-plugin status card on the settings page shows where the MU-plugin was installed, or the manual-copy snippet when wp-content/mu-plugins/ isn't writable.
  • Production Varnish VCL bundled at vcl/cacheability-pro.vcl (also shown inline on the settings page) — ready to include from your main VCL.
  • Expanded test coverage for the feature: wildcard whitelist matching, auto-install recovery after deletion, whitelist option round-trip, inert-by-default behaviour, and opt-in <esi:include> emission at origin.

Notes

  • ESI remains an anonymous-visitor only feature. Logged-in users continue to get real nonces.
  • Only whitelist actions whose nonces render into <input> elements. Actions that end up in URLs / JS / data-attributes are not ESI-reachable on Varnish and will not be post-processed — including them is what caused the previous leaks.

1.1.0

New Features

  • Resource Hints - Auto DNS prefetch, preconnect, and font preloading for external resources
  • Defer JavaScript - Adds defer attribute to scripts for faster page rendering
  • Image Dimensions - Adds missing width/height to images to prevent layout shift (CLS)
  • Heartbeat Control - Disables heartbeat on frontend, reduces frequency on admin
  • Emoji Cleanup - Removes WordPress emoji polyfill script, styles, and DNS prefetch
  • Page Optimization admin page - New settings page showing all active optimizations

Improvements

  • Smarter diagnostics scanner - Context-aware pattern matching reduces false positives
  • Skips admin-only files and code inside is_admin() blocks
  • Skips header reads/removals (only flags header setting)
  • Skips string assignments and array values
  • Dismiss findings - Hide false positive scan results site-wide
  • Deactivate plugin - Disable problematic plugins directly from diagnostics
  • MkDocs documentation - Comprehensive feature documentation for advanced users

1.0.15

  • Bump version

1.0.14

  • Remove Beta labels from features
  • Show "Start Free Trial" for free users

1.0.13

  • Add review solicitation notice after 7 days of active use

1.0.12

  • Enable 14-day trial
  • Remove beta labels
  • Add value metrics dashboard