[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCUog7uRyng2OarHOFXRD_6fYtI-65-cWOC_EGtRamA4":3,"$f3hFvy3v4e3onBjUXEObEQXuhOtme_4RfZyXRpxLjFMU":471,"$fPlck0IeMF56BRnjWO63_V7TI-jawgMZd3BVaNoqHW9Q":476},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"discovery_status":30,"vulnerabilities":31,"developer":32,"crawl_stats":28,"alternatives":38,"analysis":130,"fingerprints":457},"better-speed","Why So Slow?","2.1","bettersecurity","https:\u002F\u002Fprofiles.wordpress.org\u002Fbettersecurity\u002F","\u003Cp>This plugin will allow you to easily remove bloat and turn off unused features, in order to streamline your website and reduce file requests.\u003C\u002Fp>\n\u003Cp>It also includes the following additional functionality:\u003Cbr \u002F>\n– Include \u003Ca href=\"https:\u002F\u002Finstant.page\" rel=\"nofollow ugc\">instant.page\u003C\u002Fa> library (v5.1.0) with settings\u003Cbr \u002F>\n– Add Server-Timing headers to enable better debugging\u003Cbr \u002F>\n– Use passive event listengers to improve scroll performance\u003C\u002Fp>\n\u003Cp>This plugin is NOT a caching plugin, but should play well with any caching plugin you decide to use.\u003C\u002Fp>\n","Improve the loading speed of your website by removing bloat and unused features (formerly named Better Speed)",100,3883,4,"2024-09-28T09:43:00.000Z","6.6.5","5.0","7.0",[19,20,21,22,23],"better","bloat","performance","security","speed","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-speed.zip",92,0,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":34,"avg_security_score":26,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},5,440,30,88,"2026-05-19T21:57:29.193Z",[39,59,79,96,115],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":47,"downloaded":48,"rating":49,"num_ratings":50,"last_updated":51,"tested_up_to":52,"requires_at_least":16,"requires_php":53,"tags":54,"homepage":57,"download_link":58,"security_score":11,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"staatic","Staatic – Static Site Generator","1.12.2","Team Staatic","https:\u002F\u002Fprofiles.wordpress.org\u002Fstaatic\u002F","\u003Cp>Staatic lets you create and deploy a streamlined static version of your WordPress site, enhancing performance, SEO, and security simultaneously.\u003C\u002Fp>\n\u003Cp>Features of Staatic include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Powerful Crawler to transform your WordPress site quickly.\u003C\u002Fli>\n\u003Cli>Supports multiple deployment methods, e.g. GitHub, Netlify, AWS (Amazon Web Services) S3 or S3-compatible providers + CloudFront integration, or even your local server (dedicated or shared hosting).\u003C\u002Fli>\n\u003Cli>Very flexible out of the box (allows for additional urls, paths, redirects, exclude rules, etc.).\u003C\u002Fli>\n\u003Cli>Supports HTTP (301, 302, 307, 308) redirects, custom “404 not found” page and other HTTP headers.\u003C\u002Fli>\n\u003Cli>CLI command to publish from the command line.\u003C\u002Fli>\n\u003Cli>Compatible with WordPress MultiSite installations.\u003C\u002Fli>\n\u003Cli>Compatible with WPML (multilingual) installations.\u003C\u002Fli>\n\u003Cli>Supports HTTP basic auth protected WordPress installations.\u003C\u002Fli>\n\u003Cli>Various integrations to improve compatibility with popular WordPress plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Depending on the chosen deployment method, additional features may be available.\u003C\u002Fp>\n\u003Ch3>Staatic Premium\u003C\u002Fh3>\n\u003Cp>In order to support ongoing development of Staatic, please consider going Premium. In addition to helping the authors maintain Staatic, Staatic Premium adds additional functionality.\u003C\u002Fp>\n\u003Cp>For more information visit \u003Ca href=\"https:\u002F\u002Fstaatic.com\u002Fwordpress\u002F\" rel=\"nofollow ugc\">Staatic\u003C\u002Fa>.\u003C\u002Fp>\n","Staatic lets you create and deploy a streamlined static version of your WordPress site.",2000,66979,84,22,"2026-04-14T13:48:00.000Z","6.9.4","7.1",[21,22,55,23,56],"seo","static","https:\u002F\u002Fstaatic.com\u002Fwordpress","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstaatic.1.12.2.zip",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":69,"num_ratings":13,"last_updated":70,"tested_up_to":71,"requires_at_least":72,"requires_php":73,"tags":74,"homepage":24,"download_link":77,"security_score":78,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"specify-a-vary-accept-encoding-header","Specify a Vary: Accept-Encoding Header","1.0.0","lithiumsixteen","https:\u002F\u002Fprofiles.wordpress.org\u002Flithiumsixteen\u002F","\u003Cp>Many WordPress performance plugins are bloated and include features that you don’t need. This plugin does just one thing. It adds a “Vary: Accept-Encoding Header” to boost website performance.\u003C\u002Fp>\n\u003Cp>When browsers make a request, they include HTTP headers for the server to decide what to send back. The Vary header describes what information identifies a request. Caches should only be used if the request matches the Vary information in the cache.\u003C\u002Fp>\n\u003Cp>This plugin adds a rewrite rule to your WordPress directory’s \u003Ccode>.htaccess\u003C\u002Fcode> Apache file.\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u003C IfModule mod_headers.c >\n\n  \u003C FilesMatch \\\".(js|css|xml|gz|html)$\\\" >\n\n    Header append Vary: Accept-Encoding\n\n  \u003C \u002FFilesMatch >\n\n\u003C \u002FIfModule >\n\u003C\u002Fcode>\u003C\u002Fpre>\n","This plugin fixes a \"Vary: Accept-Encoding Header\" message and boosts website performance.",200,5788,80,"2018-04-13T03:29:00.000Z","4.9.29","3.0.1","5.2",[75,21,22,23,76],"accept","vary","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fspecify-a-vary-accept-encoding-header.1.0.0.zip",85,{"slug":80,"name":81,"version":82,"author":83,"author_profile":84,"description":85,"short_description":86,"active_installs":11,"downloaded":87,"rating":11,"num_ratings":88,"last_updated":89,"tested_up_to":52,"requires_at_least":16,"requires_php":90,"tags":91,"homepage":94,"download_link":95,"security_score":11,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"wp-avoid-slow","The Off Switch (formerly WP Avoid Slow)","1.9.8","Abhishek Deshpande","https:\u002F\u002Fprofiles.wordpress.org\u002Fdeshabhishek007\u002F","\u003Cp>WordPress prioritises backwards compatibility.\u003Cbr \u002F>\nThat’s a feature. It also means every install ships with things you didn’t ask for.\u003C\u002Fp>\n\u003Cp>An emoji CDN script. An oEmbed script. A Windows Live Writer manifest (discontinued 2017).\u003Cbr \u002F>\nDashicons loaded for logged-out visitors. Heartbeat polling every 15 seconds.\u003Cbr \u002F>\nA version tag that tells the world exactly which WordPress you’re running.\u003C\u002Fp>\n\u003Cp>None of these are bugs. They’re just not needed on most sites.\u003C\u002Fp>\n\u003Cp>Disable what you don’t need. Keep what you do.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>The Off Switch lets you disable each one, individually.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Ch4>The Off Switches\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Emoji script\u003C\u002Fstrong> – ~15 KB + 1 HTTP request. Browsers handle emoji natively.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Embed script\u003C\u002Fstrong> – ~4 KB + oEmbed discovery links in \u003Ccode>\u003Chead>\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>RSD link\u003C\u002Fstrong> – Really Simple Discovery. Only needed for legacy XML-RPC clients.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WLW manifest\u003C\u002Fstrong> – Windows Live Writer has been discontinued since 2017.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WP version tag\u003C\u002Fstrong> – Stops advertising your WordPress version to the world.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Shortlink\u003C\u002Fstrong> – Removes \u003Ccode>\u003Clink rel=\"shortlink\">\u003C\u002Fcode> from \u003Ccode>\u003Chead>\u003C\u002Fcode> and HTTP headers. Search engines ignore it.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Asset query strings\u003C\u002Fstrong> – Strips \u003Ccode>?ver=\u003C\u002Fcode> from scripts, styles, and WP 6.5+ Script Modules so CDNs and proxies cache correctly.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC\u003C\u002Fstrong> – Closes a common brute-force attack vector.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Heartbeat API\u003C\u002Fstrong> – Reduces admin polling from every 15 s to every 60 s.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Dashicons (frontend)\u003C\u002Fstrong> – ~35 KB (CSS + font) saved for every logged-out visitor.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST API Discovery Link\u003C\u002Fstrong> – Removes \u003Ccode>\u003Clink rel=\"https:\u002F\u002Fapi.w.org\u002F\">\u003C\u002Fcode> from \u003Ccode>\u003Chead>\u003C\u002Fcode>. Safe to remove on standard sites.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>RSS Feed Links\u003C\u002Fstrong> – Removes feed autodiscovery \u003Ccode>\u003Clink>\u003C\u002Fcode> tags from \u003Ccode>\u003Chead>\u003C\u002Fcode>. Modern browsers no longer act on them. Leave enabled if you publish an RSS feed.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Speculation Rules (WP 6.8+)\u003C\u002Fstrong> – Disables the WP 6.8+ Speculation Rules API that prefetches links before users click. Can inflate analytics, increase server bandwidth, and trigger consent flows on unfetched pages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable All Feeds\u003C\u002Fstrong> – Redirects all RSS and Atom feed URLs to the homepage. For sites with no RSS subscribers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comment Auto-Links\u003C\u002Fstrong> – Stops WordPress from converting plain-text URLs in comments into clickable links.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Editor Autosave\u003C\u002Fstrong> – Deregisters the autosave script that POSTs editor content to the server every 60 seconds. For teams that prefer explicit saves.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>DNS Prefetch\u003C\u002Fstrong> – Removes all \u003Ccode>\u003Clink rel=\"dns-prefetch\">\u003C\u002Fcode> hints from \u003Ccode>\u003Chead>\u003C\u002Fcode>. Redundant when Emojis and Embeds are already disabled.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Recent Comments Inline CSS\u003C\u002Fstrong> – WordPress outputs a small inline \u003Ccode>\u003Cstyle>\u003C\u002Fcode> block in \u003Ccode>\u003Chead>\u003C\u002Fcode> whenever the Recent Comments widget is active. Remove it if your theme already styles the widget.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Script & Style Control\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>jQuery Migrate\u003C\u002Fstrong> – ~30 KB. Modern themes don’t need it.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Block Library CSS\u003C\u002Fstrong> – ~7 KB loaded on every page, even with no Gutenberg blocks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Global Styles (theme.json CSS)\u003C\u002Fstrong> – 10-50 KB inline CSS from block themes.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>SVG Duotone Filters\u003C\u002Fstrong> – Hidden SVG blob injected on every page, even with no duotone images.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Script\u002FStyle type attributes\u003C\u002Fstrong> – \u003Ccode>type=\"text\u002Fjavascript\"\u003C\u002Fcode> and \u003Ccode>type=\"text\u002Fcss\"\u003C\u002Fcode> are redundant in HTML5.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Defer non-critical JavaScript\u003C\u002Fstrong> – Adds \u003Ccode>defer\u003C\u002Fcode> so scripts don’t block HTML parsing. jQuery is never deferred.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Move scripts to footer\u003C\u002Fstrong> – Relocates enqueued scripts from \u003Ccode>\u003Chead>\u003C\u002Fcode> to just before \u003Ccode>\u003C\u002Fbody>\u003C\u002Fcode>. jQuery is never moved.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>WordPress Behaviour Tweaks\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Self-pingbacks\u003C\u002Fstrong> – WordPress pings your own posts when you link between them – a wasted HTTP request that creates an unwanted comment on the target post.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Capital P filter\u003C\u002Fstrong> – WordPress corrects “WordPress” to “WordPress” on every rendered string. Remove if you don’t need the autocorrect.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Limit post revisions\u003C\u002Fstrong> – WordPress stores unlimited revisions per post. Caps revisions at 3 to prevent silent database growth on active editorial sites.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Attachment pages\u003C\u002Fstrong> – WordPress creates a full template page for every uploaded file. These waste crawl budget on most sites. Sends a 301 redirect to the parent post instead.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Comments\u003C\u002Fstrong> – Closes all comments and pingbacks site-wide, hides existing comments on the frontend, and removes comment-related UI from wp-admin (Comments menu, admin bar node, dashboard widget). Enable only if your site does not use comments.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Search\u003C\u002Fstrong> – Redirects all WordPress search queries (\u003Ccode>\u002F?s=\u003C\u002Fcode>) to the homepage with a 301, preventing bots from triggering repeated database queries. Also removes search forms rendered via \u003Ccode>get_search_form()\u003C\u002Fcode>. Hardcoded forms in theme templates are not affected.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>oEmbed Provider\u003C\u002Fstrong> – WordPress registers a REST endpoint at \u003Ccode>\u002Fwp-json\u002Foembed\u002F1.0\u002Fembed\u003C\u002Fcode> so other sites can embed your content via the oEmbed protocol. Remove it if you don’t want your content embeddable externally. Does not affect your ability to embed others’ content.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Database & Query\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Expired Transients\u003C\u002Fstrong> – Schedules a daily cleanup of expired transient rows in wp_options. Useful on low-traffic sites where WP-Cron can go days without firing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Abandoned Auto-Drafts\u003C\u002Fstrong> – WordPress creates an auto-draft every time the post editor opens. Abandoned sessions leave these rows permanently. Runs a daily sweep to delete auto-drafts older than 30 days.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Skip Row Count on Singles\u003C\u002Fstrong> – On every single post or page, MySQL runs SQL_CALC_FOUND_ROWS to count total matching rows – a full index scan only needed for paginated archives. Removes that sub-query on all singular views.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Adjacent Post Links\u003C\u002Fstrong> – WordPress queries the previous and next post on every single post page to output \u003Ccode>\u003Clink rel=\"prev\u002Fnext\">\u003C\u002Fcode> in \u003Ccode>\u003Chead>\u003C\u002Fcode>. Two extra DB queries per page load. Google dropped support for these SEO hints in 2019.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reduce Trash Retention\u003C\u002Fstrong> – WordPress keeps trashed items for 30 days before permanent deletion. Reducing to 7 days keeps wp_posts leaner on active editorial sites without affecting normal recovery workflows.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Image Performance\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Google Fonts display:swap\u003C\u002Fstrong> – Without \u003Ccode>font-display:swap\u003C\u002Fcode>, the browser hides text while your Google Font downloads (FOIT). Adds \u003Ccode>display=swap\u003C\u002Fcode> to every Google Fonts URL so visitors see text immediately.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Add missing image dimensions\u003C\u002Fstrong> – Images without \u003Ccode>width\u003C\u002Fcode> and \u003Ccode>height\u003C\u002Fcode> attributes cause layout shifts (CLS). Reads dimensions from attachment metadata and injects them automatically.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>LCP image priority\u003C\u002Fstrong> – Adds \u003Ccode>fetchpriority=\"high\"\u003C\u002Fcode> to the first content image so the browser loads it before lower-priority resources. Adds \u003Ccode>fetchpriority=\"low\"\u003C\u002Fcode> and \u003Ccode>decoding=\"async\"\u003C\u002Fcode> to all others.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Lazy load images\u003C\u002Fstrong> – Adds \u003Ccode>loading=\"lazy\"\u003C\u002Fcode> to images below the fold. The first image is never lazy-loaded – it is the LCP candidate and must load immediately.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable PDF thumbnails\u003C\u002Fstrong> – WordPress generates thumbnail previews for every uploaded PDF when ImageMagick is available. Rarely used on the frontend; adds significant upload processing time.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable scaled images\u003C\u002Fstrong> – WordPress 5.3+ creates a downsized -scaled copy of any image whose longest side exceeds 2560 px on upload. On most sites this extra file is never served. Disabling it stores the original as-uploaded. Applies to new uploads only.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable extra image sizes\u003C\u002Fstrong> – WordPress 5.3 added 1536×1536 and 2048×2048 intermediate sizes to every image upload. These oversized copies are rarely requested and waste disk space. Theme and plugin image sizes are not affected. Applies to new uploads only.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Security & Admin Hardening\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Block User Enumeration\u003C\u002Fstrong> – WordPress redirects \u003Ccode>?author=1\u003C\u002Fcode> to \u003Ccode>\u002Fauthor\u002Fusername\u002F\u003C\u002Fcode>, exposing registered usernames. Intercepts those requests and redirects to the homepage before the username is revealed.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Author Archives\u003C\u002Fstrong> – Redirects all \u003Ccode>\u002Fauthor\u002Fusername\u002F\u003C\u002Fcode> pages to the homepage. For sites with no author profile pages.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable File Editor\u003C\u002Fstrong> – Defines \u003Ccode>DISALLOW_FILE_EDIT\u003C\u002Fcode> to remove the plugin and theme code editor from wp-admin. Eliminates a code-injection surface a compromised admin account could exploit.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Application Passwords\u003C\u002Fstrong> – Removes the Application Passwords UI and stops all tokens from being accepted. For sites that don’t use REST API or XML-RPC integrations.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Suppress Admin Email Check\u003C\u002Fstrong> – Disables the periodic full-screen prompt asking admins to confirm their email address. One less interruption, no functional change.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remove X-Pingback Header\u003C\u002Fstrong> – Strips \u003Ccode>X-Pingback:\u003C\u002Fcode> from every HTTP response, stopping the site from advertising its XML-RPC endpoint URL to scanners.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Clean Admin Bar\u003C\u002Fstrong> – Removes the WordPress logo dropdown, the duplicate “Visit Site” link, and the admin bar search for a less cluttered editing environment.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Update Nag for Non-Admins\u003C\u002Fstrong> – Hides the core update notice from editors and contributors who cannot action it. Administrators still see it normally.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Restrict REST API to Logged-In Users\u003C\u002Fstrong> – The REST API is publicly accessible by default, allowing unauthenticated enumeration of posts, users, and other data. Restricting access to authenticated users reduces the attack surface. Will break public REST consumers such as headless frontends.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Redirect Unauthenticated Admin Access\u003C\u002Fstrong> – By default, visiting \u002Fwp-admin\u002F without being logged in redirects to the login page, confirming a WordPress admin area exists. This redirects unauthenticated requests to the homepage instead, reducing information disclosure to scanners. AJAX, Cron, WP-CLI, and admin-post.php requests are never affected.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Author Sitemap\u003C\u002Fstrong> – WordPress 5.5 added a built-in XML sitemap that includes a users file listing the author archive URL for every user with published posts — up to 2,000 usernames, publicly accessible. Removes the users entry from the sitemap index entirely (WP 5.5+, default ON).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remove X-Redirect-By Header\u003C\u002Fstrong> – WordPress 5.1+ adds an X-Redirect-By: WordPress header on every redirect, openly advertising that the site runs WordPress. Removes it from all redirects (default ON).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide PHP Version Header\u003C\u002Fstrong> – PHP sends an X-Powered-By: PHP\u002Fx.x.x header on every response, exposing your exact PHP version to every visitor and scanner. Removes it from all responses (default ON).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Generic PHP Error Messages\u003C\u002Fstrong> – WordPress fatal error messages can include internal file paths and line numbers. Replaces them with a generic response that reveals nothing about server structure (default ON).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Hide Admin Bar on Frontend\u003C\u002Fstrong> – Removes the WordPress admin toolbar from the public-facing site for all logged-in users. Reduces frontend CSS\u002FJS overhead for logged-in sessions (default OFF).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remove Dashboard Welcome Panel\u003C\u002Fstrong> – Removes the “Welcome to WordPress” panel from the dashboard home screen for all users (default OFF).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remove Default Dashboard Widgets\u003C\u002Fstrong> – Removes four default dashboard widgets including WordPress Events and News, which makes an outbound HTTP request to api.wordpress.org on every dashboard load (default OFF).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remove Admin Footer Text\u003C\u002Fstrong> – Removes the “Thank you for creating with WordPress” text and WordPress version number from the wp-admin footer (default OFF).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable REST Users Endpoint\u003C\u002Fstrong> – WordPress’s REST API exposes \u003Ccode>\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fcode> publicly, returning usernames and slugs for all users with published posts. Removes this endpoint for unauthenticated requests only — Gutenberg and plugins that need it while logged in are unaffected (default ON).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Email Change Notifications\u003C\u002Fstrong> – WordPress sends emails to users when their email address or password changes. On agency-managed sites these are noise. Suppresses both notification types (default OFF).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Auto-Update Emails\u003C\u002Fstrong> – WordPress emails after every automatic core, plugin (WP 5.5+), and theme (WP 5.5+) update. On sites where auto-updates are routine these arrive constantly (default OFF).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Block Editor\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Remote Block Patterns\u003C\u002Fstrong> – WordPress fetches patterns from api.wordpress.org on every editor load. An outbound HTTP request that adds latency even if editors never use the Pattern inserter. Local patterns from themes and plugins are unaffected.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Core Block Patterns\u003C\u002Fstrong> – Removes WordPress’s built-in block patterns (headers, galleries, CTAs) from the Pattern inserter. For sites using custom patterns or none at all.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Block Directory\u003C\u002Fstrong> – The editor includes a live search of wordpress.org that lets users install new blocks without leaving the editor. Remove it to keep block installation under your control.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Font Library (WP 6.5+)\u003C\u002Fstrong> – WordPress 6.5 added a Font Library panel for uploading custom fonts and browsing Google Fonts in the Site Editor. Remove it if fonts are managed through your theme or code.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Widget Block Editor (WP 5.8+)\u003C\u002Fstrong> – WordPress 5.8 replaced the classic Widgets screen with a block-based editor. Restores the classic screen for classic themes, sidebar widgets, and page builders.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>WooCommerce\u003C\u002Fh4>\n\u003Cp>\u003Cem>These toggles are only shown when WooCommerce is active.\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Cart Fragments\u003C\u002Fstrong> – wc-cart-fragments.js fires an AJAX request to keep mini-cart counts accurate when the Cart Widget is rendered (~3 KB + 1 request). Disable on stores where the Cart Widget is not used, or where real-time cart accuracy across tabs is not needed.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WooCommerce Generator Tag\u003C\u002Fstrong> – Removes \u003Ccode>\u003Cmeta name=\"generator\" content=\"WooCommerce x.x.x\">\u003C\u002Fcode> from \u003Ccode>\u003Chead>\u003C\u002Fcode>. Same reason as the WordPress version tag: stops advertising which version of WooCommerce you’re running.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WC Scripts on Non-WC Pages\u003C\u002Fstrong> – WooCommerce loads ~114 KB of CSS and JS on every page (woocommerce-general, woocommerce-layout, woocommerce-smallscreen, woocommerce.js, wc-add-to-cart.js, and woocommerce-blocktheme on block themes). Dequeues them all on non-shop, non-cart, non-checkout, and non-account pages. Up to ~30 KB gzipped saved per non-WooCommerce page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Password Strength Meter\u003C\u002Fstrong> – WooCommerce already restricts wc-password-strength-meter to checkout and My Account pages where a password is required. This toggle is a secondary safety net for themes or plugins that enqueue the script more broadly, removing zxcvbn (~80 KB gzipped) wherever it loads unnecessarily.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Status Dashboard Widget\u003C\u002Fstrong> – Removes the WooCommerce Status meta box from the WordPress admin dashboard. For stores managed from the WooCommerce screens directly.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WC Block Patterns\u003C\u002Fstrong> – WooCommerce registers its own block patterns in the editor inserter. Remove them if your store does not use WooCommerce-provided patterns for page design – declutters the inserter and removes a small init overhead.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WC Legacy Widgets\u003C\u002Fstrong> – WooCommerce registers 12 legacy widgets on every page load even on block-based themes. Unregistering them removes the initialisation overhead and hides them from Appearance -> Widgets.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WC Version Header\u003C\u002Fstrong> – Removes the X-WooCommerce-Version HTTP response header that some WooCommerce extensions inject, closing the same version-leakage vector as the generator tag toggle.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Stripe Gateway Scripts\u003C\u002Fstrong> – Prevents the WooCommerce Stripe Gateway from loading Stripe.js on product and cart pages when the Payment Request Button (Apple Pay \u002F Google Pay) is disabled in the Stripe settings.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Related Products\u003C\u002Fstrong> – On every product page WooCommerce queries products sharing the same categories or tags. On large catalogues this is a slow JOIN query. Removes both the query and the “Related products” section. Up-sells and cross-sells are not affected.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Login Page\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Hide Login Error Details\u003C\u002Fstrong> – WordPress returns different errors for “unknown username” vs “incorrect password”, letting attackers confirm which usernames exist. Replaces all messages with a single generic response. Enabled by default.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Email Login\u003C\u002Fstrong> – WordPress 4.5+ allows login with an email address. On sites where emails are publicly visible this widens the brute-force surface. Enforces username-only login.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remove Register Link\u003C\u002Fstrong> – Removes the “Register” link from the login page without disabling registration itself. Useful for invite-only setups with a direct registration URL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Remove Language Switcher\u003C\u002Fstrong> – WordPress 5.9+ adds a locale switcher to the login form. Removes it on single-language sites.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Disable Password Reset\u003C\u002Fstrong> – Disables the lost-password flow entirely and removes the “Lost your password?” link from the login form. For sites where passwords are managed externally or by admins only (default OFF).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>A nod to YSlow\u003C\u002Fh4>\n\u003Cp>In 2007 Yahoo! released YSlow – a browser tool that graded pages against a checklist of performance rules: fewer HTTP requests, smaller payloads, nothing the browser didn’t ask for. Steve Souders and  &hellip;\u003C\u002Fp>\n","Disable unused WordPress features and remove bloat. 85 toggles for performance, security hardening, and WooCommerce — pure PHP, no .",6780,6,"2026-03-25T17:55:00.000Z","7.4",[20,92,93,21,23],"core-web-vitals","optimize","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwp-avoid-slow\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-avoid-slow.1.9.8.zip",{"slug":97,"name":98,"version":99,"author":100,"author_profile":101,"description":102,"short_description":103,"active_installs":104,"downloaded":105,"rating":11,"num_ratings":106,"last_updated":107,"tested_up_to":52,"requires_at_least":108,"requires_php":109,"tags":110,"homepage":113,"download_link":114,"security_score":11,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"zenpress","ZenPress","2.2.5","Quentin Le Duff","https:\u002F\u002Fprofiles.wordpress.org\u002Fquentinldd\u002F","\u003Cp>ZenPress is a lightweight, high-performance plugin that improves your WordPress and WooCommerce sites through a range of supportive actions.\u003Cbr \u002F>\nCombined with \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcache-enabler\u002F\" rel=\"ugc\">Cache Enabler\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fautoptimize\u002F\" rel=\"ugc\">Autoptimize\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsqlite-object-cache\u002F\" rel=\"ugc\">SQLite Object Cache\u003C\u002Fa>, you can use ZenPress as a reliable, free alternative to major premium performance plugins.\u003Cbr \u002F>\nBy integrating directly into the WordPress core interface, ZenPress provides a simpler experience without the need for complex custom dashboards. You can improve your site’s performance and security without ads, pro versions, or database clutter.\u003C\u002Fp>\n\u003Ch4>Why choose ZenPress?\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Use curated settings presets to help you optimize your site instantly.\u003C\u002Fli>\n\u003Cli>Experience deep integration with the WordPress core interface for a lightweight, familiar experience.\u003C\u002Fli>\n\u003Cli>Choose a free, reliable alternative to premium performance plugins.\u003C\u002Fli>\n\u003Cli>Keep your site fast and clean by disabling unused features.\u003C\u002Fli>\n\u003Cli>Harden your security by turning off unused features and protecting weak spots.\u003C\u002Fli>\n\u003Cli>Reduce bloat from third-party plugins.\u003C\u002Fli>\n\u003Cli>Enjoy an ultra-lightweight and future-proof design.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cp>ZenPress includes the following features:\u003C\u002Fp>\n\u003Ch4>Dashboard Settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Navigate easily between categories like Core, Gutenberg, and WooCommerce using a structured tabbed interface.\u003C\u002Fli>\n\u003Cli>Identify features quickly with visual icons organized by Performance, Security, and User Interface.\u003C\u002Fli>\n\u003Cli>Select from three ready-to-use presets: Corporate, Blog, or E-commerce: each optimized for your specific site type.\u003C\u002Fli>\n\u003Cli>Understand every choice with concise descriptions that explain the benefits to your site.\u003C\u002Fli>\n\u003Cli>Use a fully accessible interface that includes ARIA-compliant tabs and full keyboard navigation support.\u003C\u002Fli>\n\u003Cli>Benefit from a design that matches the WordPress core look and feel, supporting the latest block editor features.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Core Settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Block user enumeration.\u003C\u002Fli>\n\u003Cli>Clean up the admin bar.\u003C\u002Fli>\n\u003Cli>Disable “WordPress” spelling correction.\u003C\u002Fli>\n\u003Cli>Disable all feeds (RSS, Atom, comments).\u003C\u002Fli>\n\u003Cli>Disable application passwords.\u003C\u002Fli>\n\u003Cli>Disable author archives.\u003C\u002Fli>\n\u003Cli>Disable autosave (classic editor).\u003C\u002Fli>\n\u003Cli>Disable Dashicons (admin icons).\u003C\u002Fli>\n\u003Cli>Disable default lazy loading for images.\u003C\u002Fli>\n\u003Cli>Disable DNS prefetch.\u003C\u002Fli>\n\u003Cli>Disable jQuery Migrate script.\u003C\u002Fli>\n\u003Cli>Disable login language selector.\u003C\u002Fli>\n\u003Cli>Disable oEmbed.\u003C\u002Fli>\n\u003Cli>Disable password strength meter.\u003C\u002Fli>\n\u003Cli>Disable PDF thumbnails.\u003C\u002Fli>\n\u003Cli>Disable pingbacks and trackbacks.\u003C\u002Fli>\n\u003Cli>Disable prev\u002Fnext post links in head.\u003C\u002Fli>\n\u003Cli>Disable shortlink.\u003C\u002Fli>\n\u003Cli>Disable Windows Live Writer link.\u003C\u002Fli>\n\u003Cli>Disable WordPress emoji scripts and styles.\u003C\u002Fli>\n\u003Cli>Disable XML-RPC and RSD link.\u003C\u002Fli>\n\u003Cli>Hide WordPress version.\u003C\u002Fli>\n\u003Cli>Limit post revisions to 10.\u003C\u002Fli>\n\u003Cli>Limit REST API to logged-in users.\u003C\u002Fli>\n\u003Cli>Remove “Thanks for using WordPress” from footer.\u003C\u002Fli>\n\u003Cli>Remove Help tab.\u003C\u002Fli>\n\u003Cli>Remove REST API links from page source.\u003C\u002Fli>\n\u003Cli>Remove WordPress logo from admin bar.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Gutenberg Settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable default pattern categories in Site Editor.\u003C\u002Fli>\n\u003Cli>Load block styles separately.\u003C\u002Fli>\n\u003Cli>Remove WordPress default block patterns.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>WooCommerce Settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable Stripe scripts on product and cart pages.\u003C\u002Fli>\n\u003Cli>Disable WooCommerce cart fragments.\u003C\u002Fli>\n\u003Cli>Disable WooCommerce scripts and styles on non-shop pages.\u003C\u002Fli>\n\u003Cli>Disable WooCommerce widgets.\u003C\u002Fli>\n\u003Cli>Hide WooCommerce version.\u003C\u002Fli>\n\u003Cli>Remove WooCommerce default block patterns.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Ads-blocker Settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Clean up the Dashboard.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Tools Settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Protect login from brute force.\u003C\u002Fli>\n\u003Cli>Show cache actions in admin bar.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Integrations\u003C\u002Fh4>\n\u003Cp>ZenPress integrates with Cache Enabler, Autoptimize, and SQLite Object Cache. When any of these plugins is active, the Tools tab shows integration status and one-click autoconfig actions.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Admin bar: Adds a ZenPress menu to the admin bar with “Clear all caches” and options for each active cache (page, static files, object cache). Only appears when Cache Enabler, Autoptimize, or SQLite Object Cache is active. Hides those plugins’ own admin bar buttons.\u003C\u002Fli>\n\u003Cli>Autoptimize: Minify JS and CSS, combine CSS, static file caching, 404 fallbacks.\u003C\u002Fli>\n\u003Cli>Cache Enabler: Clear cache on content changes, WebP, compression, minify HTML.\u003C\u002Fli>\n\u003Cli>SQLite Object Cache: Enable “Use APCu” in the plugin if available.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Presets\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Corporate website: For business sites and portfolios. Focuses on security, performance, and removing unused features like RSS and author archives.\u003C\u002Fli>\n\u003Cli>Blog: For content-focused blogs. Keeps RSS and other blog features while improving performance and security.\u003C\u002Fli>\n\u003Cli>E-commerce: For WooCommerce stores. Performance and security plus WooCommerce optimizations for faster checkout.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Accessibility\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>You can navigate the dashboard with confidence using an interface built to WCAG 2.1 AA accessibility standards.\u003C\u002Fli>\n\u003Cli>Move through settings efficiently using only your keyboard; we fully support the use of Tab, Arrow keys, Home, End, and Enter for all interactions.\u003C\u002Fli>\n\u003Cli>Experience faster navigation with automatic tab activation, which displays panels immediately as you move focus between sections.\u003C\u002Fli>\n\u003Cli>Always identify your position on the page through highly visible focus indicators on every interactive button and link.\u003C\u002Fli>\n\u003Cli>Every element is optimized for screen readers and assistive technologies with descriptive ARIA labels to provide clear context for every setting.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Roadmap\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Use new Gutenberg Icon component for categories & subcategories icons instead of Dashicons.\u003C\u002Fli>\n\u003Cli>Additional presets for specific use cases.\u003C\u002Fli>\n\u003Cli>Documentation pages with detailed guides.\u003C\u002Fli>\n\u003Cli>Manage Heartbeat API (frontend + backend + admin whitelist).\u003C\u002Fli>\n\u003Cli>Remove “site health” page.\u003C\u002Fli>\n\u003Cli>Remove “Privacy tools”.\u003C\u002Fli>\n\u003Cli>Disable WooCommerce tracking.\u003C\u002Fli>\n\u003Cli>Disable marketing hub.\u003C\u002Fli>\n\u003Cli>Disable dashboard setup widget.\u003C\u002Fli>\n\u003Cli>Disable new product editor.\u003C\u002Fli>\n\u003Cli>Disable WooCommerce blocks.\u003C\u002Fli>\n\u003Cli>Disable WooCommerce promo emails.\u003C\u002Fli>\n\u003Cli>Disable CF7 CSS & JS.\u003C\u002Fli>\n\u003Cli>Disable Elementor bloat.\u003C\u002Fli>\n\u003Cli>Disable WP Bakery bloat.\u003C\u002Fli>\n\u003Cli>Disable Divi bloat.\u003C\u002Fli>\n\u003Cli>Disable Yoast SEO bloat.\u003C\u002Fli>\n\u003Cli>Disable Jetpack bloat.\u003C\u002Fli>\n\u003Cli>Disable Updraft bloat.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy Statement\u003C\u002Fh3>\n\u003Cp>ZenPress is private by default and always will be. It does not store any data. It does not send data to any third party, nor does it include any third party resources.\u003C\u002Fp>\n\u003Ch3>Accessibility Statement\u003C\u002Fh3>\n\u003Cp>ZenPress aims to be fully accessible to all of its users.\u003C\u002Fp>\n","Speed up and harden your site with a single click: cleans up unused features, protects security gaps, and configures cache integrations automatically.",50,1854,3,"2026-02-26T16:30:00.000Z","6.0","8.1",[20,111,21,22,112],"optimization","woocommerce","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fzenpress\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fzenpress.2.2.5.zip",{"slug":116,"name":117,"version":62,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":122,"downloaded":123,"rating":27,"num_ratings":27,"last_updated":124,"tested_up_to":52,"requires_at_least":16,"requires_php":90,"tags":125,"homepage":128,"download_link":129,"security_score":11,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"optimator","Optimator – Simplify and streamline WordPress by removing unnecessary data and functionalities","Engramium","https:\u002F\u002Fprofiles.wordpress.org\u002Fengramium\u002F","\u003Cp>Fast-loading websites improves the user experience, increases the website views, and can even help with WordPress SEO. Introducing Optimator, the most useful WordPress speed optimization plugin to boost WordPress performance and speed up your website.\u003C\u002Fp>\n\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FLp1IjxLUmbk?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\n\u003Ch4>✨ FEATURES ✨\u003C\u002Fh4>\n\u003Cp>** Quick-toggle options **\u003Cbr \u002F>\n* Disable emojis\u003Cbr \u002F>\n* Disable embeds\u003Cbr \u002F>\n* Disable dashicons\u003Cbr \u002F>\n* Disable XML-RPC\u003Cbr \u002F>\n* Remove jQuery migrate\u003Cbr \u002F>\n* Hide WP Version\u003Cbr \u002F>\n* Remove wlwmanifest link\u003Cbr \u002F>\n* Remove RSD link\u003Cbr \u002F>\n* Remove shortlink\u003Cbr \u002F>\n* Disable RSS feeds\u003Cbr \u002F>\n* Remove RSS feed links\u003Cbr \u002F>\n* Disable self pingbacks\u003Cbr \u002F>\n* Disable REST API\u003Cbr \u002F>\n* Remove REST API links\u003Cbr \u002F>\n* Disable Google Maps\u003Cbr \u002F>\n* Disable password strength meter\u003Cbr \u002F>\n* Disable Comments\u003Cbr \u002F>\n* Disable Comments URL\u003Cbr \u002F>\n* Add blank favicon\u003Cbr \u002F>\n* Disable Global Styles\u003Cbr \u002F>\n* Disable HeartBeat\u003Cbr \u002F>\n* Set heartbeat frequency\u003Cbr \u002F>\n* Limit Post Revisions\u003Cbr \u002F>\n* Autosave Interval\u003Cbr \u002F>\n* Disable Thumbnail Size\u003Cbr \u002F>\n* Disable Medium Size\u003Cbr \u002F>\n* Disable Large Size\u003Cbr \u002F>\n* Disable Medium Large\u003Cbr \u002F>\n* Disable 1536×1536\u003Cbr \u002F>\n* Disable 2048×2048\u003C\u002Fp>\n\u003Ch3>Requirements\u003C\u002Fh3>\n\u003Cp>To use the plugin there aren’t any extra requirements. But it’s always recommended to use the latest version of WordPress.\u003C\u002Fp>\n","Simplify and streamline WordPress by removing unnecessary data and functionalities.",10,3420,"2026-01-10T14:04:00.000Z",[93,21,23,126,127],"tweaks","unbloat","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Foptimator\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Foptimator.1.0.0.zip",{"attackSurface":131,"codeSignals":285,"taintFlows":443,"riskAssessment":444,"analyzedAt":456},{"hooks":132,"ajaxHandlers":281,"restRoutes":282,"shortcodes":283,"cronEvents":284,"entryPointCount":27,"unprotectedCount":27},[133,139,143,146,148,150,152,156,161,164,167,169,172,175,179,182,185,189,193,196,199,202,205,208,210,213,215,218,221,223,226,229,232,235,239,242,245,249,253,257,260,264,268,271,274,277],{"type":134,"name":135,"callback":136,"priority":27,"file":137,"line":138},"action","after_setup_theme","better_speed_after_setup_theme","better-speed.php",46,{"type":134,"name":140,"callback":141,"priority":27,"file":137,"line":142},"shutdown","better_speed_shutdown",47,{"type":134,"name":144,"callback":145,"priority":27,"file":137,"line":104},"setup_theme","better_speed_setup_theme",{"type":134,"name":135,"callback":136,"priority":27,"file":137,"line":147},55,{"type":134,"name":140,"callback":141,"priority":27,"file":137,"line":149},56,{"type":134,"name":144,"callback":145,"priority":27,"file":137,"line":151},59,{"type":134,"name":153,"callback":154,"file":137,"line":155},"pre_ping","closure",78,{"type":157,"name":158,"callback":159,"file":137,"line":160},"filter","emoji_svg_url","__return_false",96,{"type":157,"name":162,"callback":154,"file":137,"line":163},"tiny_mce_plugins",97,{"type":157,"name":165,"callback":159,"file":137,"line":166},"embed_oembed_discover",111,{"type":157,"name":162,"callback":154,"file":137,"line":168},112,{"type":157,"name":170,"callback":154,"file":137,"line":171},"rewrite_rules_array",115,{"type":157,"name":173,"callback":159,"file":137,"line":174},"xmlrpc_enabled",127,{"type":157,"name":176,"callback":159,"priority":177,"file":137,"line":178},"pings_open",9999,128,{"type":157,"name":180,"callback":154,"file":137,"line":181},"wp_headers",129,{"type":157,"name":183,"callback":154,"file":137,"line":184},"the_generator",138,{"type":134,"name":186,"callback":154,"priority":187,"file":137,"line":188},"template_redirect",1,163,{"type":157,"name":190,"callback":154,"priority":191,"file":137,"line":192},"rest_authentication_errors",20,184,{"type":134,"name":194,"callback":154,"priority":11,"file":137,"line":195},"wp_print_styles",194,{"type":134,"name":197,"callback":154,"file":137,"line":198},"wp_loaded",201,{"type":134,"name":200,"callback":154,"file":137,"line":201},"widgets_init",215,{"type":157,"name":203,"callback":159,"file":137,"line":204},"show_recent_comments_widget_style",217,{"type":134,"name":186,"callback":154,"priority":206,"file":137,"line":207},9,219,{"type":134,"name":186,"callback":154,"file":137,"line":209},224,{"type":134,"name":211,"callback":154,"file":137,"line":212},"admin_init",229,{"type":134,"name":197,"callback":154,"file":137,"line":214},234,{"type":157,"name":216,"callback":154,"priority":191,"file":137,"line":217},"comments_array",244,{"type":157,"name":219,"callback":154,"priority":191,"file":137,"line":220},"comments_open",247,{"type":157,"name":176,"callback":154,"priority":191,"file":137,"line":222},250,{"type":134,"name":224,"callback":154,"priority":177,"file":137,"line":225},"admin_menu",254,{"type":134,"name":227,"callback":154,"file":137,"line":228},"admin_print_styles-index.php",265,{"type":134,"name":230,"callback":154,"file":137,"line":231},"admin_print_styles-profile.php",268,{"type":134,"name":233,"callback":154,"file":137,"line":234},"wp_dashboard_setup",271,{"type":157,"name":236,"callback":237,"file":137,"line":238},"pre_option_default_pingback_flag","__return_zero",274,{"type":157,"name":240,"callback":154,"priority":191,"file":137,"line":241},"comments_template",278,{"type":157,"name":243,"callback":159,"file":137,"line":244},"feed_links_show_comments_feed",281,{"type":134,"name":246,"callback":247,"file":137,"line":248},"init","better_speed_init",286,{"type":157,"name":250,"callback":251,"file":137,"line":252},"wp_default_scripts","better_speed_wp_default_scripts",297,{"type":134,"name":254,"callback":255,"file":137,"line":256},"wp_enqueue_scripts","better_speed_wp_enqueue_scripts",319,{"type":134,"name":254,"callback":258,"file":137,"line":259},"better_speed_enqueue_instant_page",330,{"type":157,"name":261,"callback":262,"priority":122,"file":137,"line":263},"script_loader_tag","better_speed_defer_scripts",339,{"type":157,"name":265,"callback":266,"file":137,"line":267},"body_class","better_speed_body_class",353,{"type":157,"name":269,"callback":154,"file":137,"line":270},"whitelist_options",414,{"type":134,"name":224,"callback":272,"file":137,"line":273},"better_speed_menus",961,{"type":134,"name":211,"callback":275,"file":137,"line":276},"better_speed_settings",962,{"type":134,"name":278,"callback":279,"file":137,"line":280},"admin_enqueue_scripts","better_speed_admin_scripts",973,[],[],[],[],{"dangerousFunctions":286,"sqlUsage":287,"outputEscaping":290,"fileOperations":27,"externalRequests":27,"nonceChecks":27,"capabilityChecks":27,"bundledLibraries":442},[],{"prepared":288,"raw":27,"locations":289},2,[],{"escaped":187,"rawEcho":291,"locations":292},74,[293,296,298,300,302,304,306,308,310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,418,420,422,424,426,428,430,432,434,436,438,440],{"file":137,"line":294,"context":295},345,"raw output",{"file":137,"line":297,"context":295},444,{"file":137,"line":299,"context":295},448,{"file":137,"line":301,"context":295},450,{"file":137,"line":303,"context":295},453,{"file":137,"line":305,"context":295},457,{"file":137,"line":307,"context":295},458,{"file":137,"line":309,"context":295},459,{"file":137,"line":311,"context":295},529,{"file":137,"line":313,"context":295},530,{"file":137,"line":315,"context":295},534,{"file":137,"line":317,"context":295},537,{"file":137,"line":319,"context":295},552,{"file":137,"line":321,"context":295},553,{"file":137,"line":323,"context":295},554,{"file":137,"line":325,"context":295},555,{"file":137,"line":327,"context":295},568,{"file":137,"line":329,"context":295},569,{"file":137,"line":331,"context":295},570,{"file":137,"line":333,"context":295},574,{"file":137,"line":335,"context":295},575,{"file":137,"line":337,"context":295},576,{"file":137,"line":339,"context":295},580,{"file":137,"line":341,"context":295},581,{"file":137,"line":343,"context":295},582,{"file":137,"line":345,"context":295},586,{"file":137,"line":347,"context":295},587,{"file":137,"line":349,"context":295},588,{"file":137,"line":351,"context":295},592,{"file":137,"line":353,"context":295},593,{"file":137,"line":355,"context":295},594,{"file":137,"line":357,"context":295},598,{"file":137,"line":359,"context":295},599,{"file":137,"line":361,"context":295},600,{"file":137,"line":363,"context":295},604,{"file":137,"line":365,"context":295},605,{"file":137,"line":367,"context":295},606,{"file":137,"line":369,"context":295},610,{"file":137,"line":371,"context":295},611,{"file":137,"line":373,"context":295},612,{"file":137,"line":375,"context":295},616,{"file":137,"line":377,"context":295},617,{"file":137,"line":379,"context":295},618,{"file":137,"line":381,"context":295},622,{"file":137,"line":383,"context":295},623,{"file":137,"line":385,"context":295},624,{"file":137,"line":387,"context":295},693,{"file":137,"line":389,"context":295},698,{"file":137,"line":391,"context":295},699,{"file":137,"line":393,"context":295},702,{"file":137,"line":395,"context":295},706,{"file":137,"line":397,"context":295},707,{"file":137,"line":399,"context":295},780,{"file":137,"line":401,"context":295},788,{"file":137,"line":403,"context":295},796,{"file":137,"line":405,"context":295},804,{"file":137,"line":407,"context":295},812,{"file":137,"line":409,"context":295},820,{"file":137,"line":411,"context":295},828,{"file":137,"line":413,"context":295},836,{"file":137,"line":415,"context":295},844,{"file":137,"line":417,"context":295},852,{"file":137,"line":419,"context":295},860,{"file":137,"line":421,"context":295},868,{"file":137,"line":423,"context":295},876,{"file":137,"line":425,"context":295},884,{"file":137,"line":427,"context":295},892,{"file":137,"line":429,"context":295},906,{"file":137,"line":431,"context":295},915,{"file":137,"line":433,"context":295},920,{"file":137,"line":435,"context":295},921,{"file":137,"line":437,"context":295},930,{"file":137,"line":439,"context":295},947,{"file":137,"line":441,"context":295},956,[],[],{"summary":445,"deductions":446},"The 'better-speed' v2.1 plugin exhibits a seemingly strong security posture based on the provided static analysis. The absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the potential attack surface. Furthermore, the analysis indicates no dangerous functions, file operations, or external HTTP requests, all positive signs. The use of prepared statements for all SQL queries is also a commendable practice.  However, a major concern arises from the extremely low percentage of properly escaped output (1%). This suggests that user-supplied data or dynamic content is likely being rendered without adequate sanitization, posing a significant risk of Cross-Site Scripting (XSS) vulnerabilities.  The lack of nonce and capability checks across all entry points, combined with the minimal output escaping, creates a substantial blind spot. The absence of known CVEs and historical vulnerabilities is positive, but it does not negate the risks identified in the code analysis.  The plugin's strengths lie in its limited attack surface and secure database interactions. Its primary weakness is the pervasive lack of output escaping, which, if not addressed, can lead to serious security flaws.",[447,450,453],{"reason":448,"points":449},"Extremely low output escaping percentage",15,{"reason":451,"points":452},"No nonce checks on entry points",8,{"reason":454,"points":455},"No capability checks on entry points",7,"2026-03-16T21:12:17.184Z",{"wat":458,"direct":463},{"assetPaths":459,"generatorPatterns":460,"scriptPaths":461,"versionParams":462},[],[],[],[],{"cssClasses":464,"htmlComments":465,"htmlAttributes":466,"restEndpoints":467,"jsGlobals":469,"shortcodeOutput":470},[],[],[],[468],"\u002Fwp-json\u002Fwhysoslow\u002Fv1\u002Fsettings",[],[],{"error":472,"url":473,"statusCode":474,"statusMessage":475,"message":475},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fbetter-speed\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":33,"versions":477},[478,485,492,499,506],{"version":6,"download_url":479,"svn_tag_url":480,"released_at":28,"has_diff":481,"diff_files_changed":482,"diff_lines":28,"trac_diff_url":483,"vulnerabilities":484,"is_current":472},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-speed.2.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbetter-speed\u002Ftags\u002F2.1\u002F",false,[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbetter-speed%2Ftags%2F2.0&new_path=%2Fbetter-speed%2Ftags%2F2.1",[],{"version":486,"download_url":487,"svn_tag_url":488,"released_at":28,"has_diff":481,"diff_files_changed":489,"diff_lines":28,"trac_diff_url":490,"vulnerabilities":491,"is_current":481},"2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-speed.2.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbetter-speed\u002Ftags\u002F2.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbetter-speed%2Ftags%2F1.2&new_path=%2Fbetter-speed%2Ftags%2F2.0",[],{"version":493,"download_url":494,"svn_tag_url":495,"released_at":28,"has_diff":481,"diff_files_changed":496,"diff_lines":28,"trac_diff_url":497,"vulnerabilities":498,"is_current":481},"1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-speed.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbetter-speed\u002Ftags\u002F1.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbetter-speed%2Ftags%2F1.1&new_path=%2Fbetter-speed%2Ftags%2F1.2",[],{"version":500,"download_url":501,"svn_tag_url":502,"released_at":28,"has_diff":481,"diff_files_changed":503,"diff_lines":28,"trac_diff_url":504,"vulnerabilities":505,"is_current":481},"1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-speed.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbetter-speed\u002Ftags\u002F1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fbetter-speed%2Ftags%2F1.0&new_path=%2Fbetter-speed%2Ftags%2F1.1",[],{"version":507,"download_url":508,"svn_tag_url":509,"released_at":28,"has_diff":481,"diff_files_changed":510,"diff_lines":28,"trac_diff_url":28,"vulnerabilities":511,"is_current":481},"1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbetter-speed.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fbetter-speed\u002Ftags\u002F1.0\u002F",[],[]]