Changelog
2.2.0
New
-
cacheability_pro_skipfilter — a deterministic, explicit opt-out for transactional pages. Returntrueand the plugin gets out of the way entirely: it sets noCache-Controlheader (so a template's ownheader()call, or an earlierwp_headersfilter, stays authoritative) and the page is never written to the Full-Page Cache. This replaces the fragile pattern of overriding the blanket cache header with a lateheader('Cache-Control: …'), which silently no-ops underoutput_buffering=0. Hook it for payment-success, checkout-confirmation, and any page that must not inherit the blanket cache policy:add_filter( 'cacheability_pro_skip', function ( $skip ) { return is_page( 'checkout-thank-you' ) ? true : $skip; } );
2.1.3
Improved
- Freemius SDK state options (
fs_accounts,fs_options,fs_gdpr) are no longer autoloaded when it is a guaranteed net win: a persistent object cache is active, or Cacheability Pro is the only Freemius-powered plugin on the site (its SDK never boots on the frontend, so nothing reads these options there). This removes up to ~100 KB of licensing data from thealloptionsblob WordPress loads and unserializes on every request — the long-standing Freemius/wordpress-sdk#400 bloat that the SDK's own garbage collector shrinks but never de-autoloads. The flip is sticky (the SDK persists with$autoload = null, which never changes an existing row's flag), self-healing, and reversible — if conditions change (e.g. another Freemius plugin appears without an object cache), stock autoloaded behavior is restored automatically. Nothing is ever deleted.
2.1.2
Improved
- The Freemius licensing SDK no longer loads on frontend requests. The premium-license decision is cached in a lightweight autoloaded option, refreshed on every admin/cron/WP-CLI request and instantly on license activation or deactivation (Freemius
after_license_change/after_account_connectionevents). Frontend page loads skip the entire SDK bootstrap (~200 files plus its autoloadedfs_accountsdata — a well-documented per-request tax), so every visitor hit is lighter. License enforcement, trials, premium update delivery, and the License & Account page behave exactly as before.
2.1.1
New
- Full-Page Cache documentation page covering enabling via the
WP_CACHEconstant, disk + Redis storage tiers, the on-disk layout that matches WP Rocket and W3TC, nginxtry_filesand Apachemod_rewritesnippets, the two ESI strategies (post_processandskip), the bypass catalogue, the dual-sourced purge model (Varnish HTTP Purge hooks + WP fallback), Varnish coexistence as a passive listener, theX-Cachediagnostics catalogue, and theCACHEABILITY_FPC_DISABLEDkill switch.
Improved
- Removed the dead "WooCommerce bypass" checkbox from the Full-Page Cache admin tab. WooCommerce cart and checkout cookies (
wp_woocommerce_session_*,woocommerce_items_in_cart,woocommerce_cart_hash) have always triggered an unconditional bypass via the hard-coded rejected-cookies list — the checkbox state was never read at runtime. The toggle was misleading, so it's gone. The always-on behavior is unchanged and is now locked by a regression test.
2.1.0
New
- Native full-page cache. Bundled
wp-content/advanced-cache.phpdrop-in installs from the new "Full-Page Cache" admin tab, removing the requirement to run Varnish or NGINX FastCGI Cache in front of WordPress. Disk-first storage with pre-gzipped sibling files (W3TC / WP Rocket-compatible layout, drop-in compatible with existing nginxtry_filesrules), optional Redis tier reusing the Phase 1 connection. - Bypass semantics mirror WP Rocket (16-test catalogue minus mobile-UA sniffing), so migrations are transparent.
- ESI tags continue to work without an upstream proxy. When the disk backend serves an ESI-bearing page, the drop-in resolves
<esi:include>tags via loopback HTTP, keeping per-request nonces dynamic. WP_CACHEconstant manager — idempotent writer forwp-config.php, refuses to clobber user-authored defines, exposes the state in Tools → Site Health.- Purge integration. VHP-driven purge hooks (
after_purge_url,after_full_purge,after_purge_tags) drop FPC entries automatically. Without VHP installed, the FPC subscribes to WP-internal content-change events so consistency holds on any stack.
2.0.0
New
- Redis object cache backend. Bundled
wp-content/object-cache.phpdrop-in installs from the new "Object Cache" admin tab. PhpRedis-only (no Predis), honors the standardWP_REDIS_*constants so you can swap from Till Krüss'sredis-cacheor Pantheon'swp-rediswithout touchingwp-config.php. Single-round-trip MGET, scalar fast-path storage,SCAN+UNLINKflush scoped to the current site (neverFLUSHDB), object-injection-safe deserialization via anallowed_classessafelist, TLS + Redis 6 ACL,WP_REDIS_DISABLEDkill switch, signature-based detection of competing drop-ins. - CI test matrix proves the plugin both caches when Redis is available (cross-request persistence verified by
INFO commandstatsdelta) and doesn't break sites without Redis (no-redis / no-phpredis / redis-down profiles all green on every PR).
Improved
- Deactivation cleanup. Now cleanly removes the bundled
object-cache.phpdrop-in (only when the file still carries our version stamp — never touches a foreign drop-in).
1.2.0
Fixed
- ESI nonce feature actually ships now. The required MU-plugin at
wp-content/mu-plugins/cacheability-nonce-esi.phpis now installed automatically on plugin activation and kept in sync on every admin page load (previously operators had to copy it by hand and most never did). - No more placeholder leaks into URLs, inline JS, or data-attributes. Under the previous behaviour, enabling ESI could result in literal
__ESINONCE__...strings reaching the browser insidehref="?_wpnonce=...",wp_localize_scriptJSON,data-nonce, and inline<script>blocks — breaking REST calls and every logout/trash link for anonymous visitors. Placeholder mode is now gated by an explicit per-action whitelist, and any action not on the list returns a real nonce.
New
- Nonce action whitelist under Cache Controls → ESI Support. Accepts one action per line, wildcards with
*supported (e.g.woocommerce-*). Filter:cacheability_pro_esi_nonce_actions. - MU-plugin status card on the settings page shows where the MU-plugin was installed, or the manual-copy snippet when
wp-content/mu-plugins/isn't writable. - Production Varnish VCL bundled at
vcl/cacheability-pro.vcl(also shown inline on the settings page) — ready toincludefrom your main VCL. - Expanded test coverage for the feature: wildcard whitelist matching, auto-install recovery after deletion, whitelist option round-trip, inert-by-default behaviour, and opt-in
<esi:include>emission at origin.
Notes
- ESI remains an anonymous-visitor only feature. Logged-in users continue to get real nonces.
- Only whitelist actions whose nonces render into
<input>elements. Actions that end up in URLs / JS / data-attributes are not ESI-reachable on Varnish and will not be post-processed — including them is what caused the previous leaks.
1.1.0
New Features
- Resource Hints - Auto DNS prefetch, preconnect, and font preloading for external resources
- Defer JavaScript - Adds
deferattribute to scripts for faster page rendering - Image Dimensions - Adds missing width/height to images to prevent layout shift (CLS)
- Heartbeat Control - Disables heartbeat on frontend, reduces frequency on admin
- Emoji Cleanup - Removes WordPress emoji polyfill script, styles, and DNS prefetch
- Page Optimization admin page - New settings page showing all active optimizations
Improvements
- Smarter diagnostics scanner - Context-aware pattern matching reduces false positives
- Skips admin-only files and code inside
is_admin()blocks - Skips header reads/removals (only flags header setting)
- Skips string assignments and array values
- Dismiss findings - Hide false positive scan results site-wide
- Deactivate plugin - Disable problematic plugins directly from diagnostics
- MkDocs documentation - Comprehensive feature documentation for advanced users
1.0.15
- Bump version
1.0.14
- Remove Beta labels from features
- Show "Start Free Trial" for free users
1.0.13
- Add review solicitation notice after 7 days of active use
1.0.12
- Enable 14-day trial
- Remove beta labels
- Add value metrics dashboard