Release v1.6.0 — Phase 3 cleanup + CI/CD fix

CHANGELOG.md

@@ -5,7 +5,32 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## 1.3.0 (2026-06-26)
+## 1.6.0 (2026-06-26)
+
+### Cleanup
+
+- Removed dead `admin/partials/display.php` file — confirmed unused (admin UI rendered by `Codetot_Optimization_Admin_Options_Page`)
+- Removed empty boilerplate files: `admin/js/codetot-optimization-admin.js` and `admin/css/codetot-optimization-admin.css`
+
+### Security
+
+- Added `esc_html()` to `$GLOBALS['title']` output in admin options page (prevents XSS)
+- Code style consistency for `$_GET`/`$_POST` access in Gravity Forms class
+
+## 1.5.0 (2026-06-26)
+
+### Added
+
+- **Remove query strings** (`?ver=`) from enqueued scripts and styles — improves cache hit rate on CDN and proxy caches
+- **Disable self pingbacks** — prevents WordPress from sending pingbacks to your own domain
+- **Disable REST API for non-authenticated users** — returns 401 for unauthenticated REST requests; keeps public endpoints intact
+- **Remove default dashboard widgets** — cleans up Quick Draft, WP News, Site Health, At a Glance, Activity, and Welcome panel
+- **Disable attachment pages** — 301 redirects attachment pages to parent post (or homepage if no parent)
+- **Remove jQuery Migrate** — removes the jquery-migrate dependency from jquery on front-end
+- **Disable native XML sitemaps** — disables WordPress 5.5+ built-in sitemaps (let SEO plugins handle it)
+- **Remove front-end dashicons** — dequeues dashicons stylesheet on front-end when not used by theme
+
+## 1.4.0 (2026-06-26)
 
 ### Added
 

README.txt

@@ -4,7 +4,7 @@ Donate link: https://codetot.com
 Tags: optimization, compress, settings, codetot
 Requires at least: 6.0
 Tested up to: 6.8
-Stable tag: 1.3.0
+Stable tag: 1.6.0
 Requires PHP: 8.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -78,6 +78,29 @@ Yes, if you are using our themes.
 
 == Changelog ==
 
+= 1.6.0 =
+* **[Cleanup]** Removed dead `admin/partials/display.php` file (not used anywhere)
+* **[Cleanup]** Removed empty boilerplate `admin/js/codetot-optimization-admin.js` and `admin/css/codetot-optimization-admin.css`
+* **[Security]** Added `esc_html()` to `$GLOBALS['title']` output in admin options page
+* **[Security]** Code style consistency for `$_GET`/`$_POST` access in Gravity Forms class
+
+= 1.5.0 =
+* **[New]** Remove query strings (`?ver=`) from static assets for improved cache hit rate
+* **[New]** Disable self pingbacks to reduce server load
+* **[New]** Disable REST API for non-authenticated users (returns 401)
+* **[New]** Remove default dashboard widgets (Quick Draft, WP News, etc.)
+* **[New]** Disable attachment pages (301 redirect to parent post or home)
+* **[New]** Remove jQuery Migrate script from front-end
+* **[New]** Disable native WordPress XML sitemaps (WP 5.5+)
+* **[New]** Remove dashicons styles on front-end when not used by theme
+
+= 1.4.0 =
+* **[Fix]** `use_block_editor_for_post` filter was incorrectly registered as `add_action` → now uses proper `add_filter`
+* **[Fix]** Plugin deactivation never cleaned up options — `delete_option()` was wrapped in `add_action('init', ...)` that never runs during deactivation
+* **[Fix]** `update_option()` calls for default comment/ping statuses moved from per-request admin to activation hook (runs once)
+* **[Fix]** `uninstall.php` now cleans up plugin options from database
+* **[Perf]** Centralized option loading — `Codetot_Optimization::get_options()` with static cache; 1 DB call per request instead of 3
+
 = 1.3.0 =
 * Official PHP 8.0-8.4 support, bumped Requires PHP to 8.0
 * Fix undefined variable warning in admin options page under PHP 8.0

admin/class-codetot-optimization-admin.php

@@ -104,7 +104,15 @@ public function get_global_keys()
       'disable_feed' => __('Feed', 'codetot-optimization'),
       'disable_shortlink' => __('Shortlink', 'codetot-optimization'),
       'disable_wlw_manifest' => __('WLW Manifest', 'codetot-optimization'),
-      'disable_inline_comment_style' => __('Inline Comment Style', 'codetot-optimization')
+      'disable_inline_comment_style' => __('Inline Comment Style', 'codetot-optimization'),
+      'disable_query_strings' => __('Query Strings from Assets', 'codetot-optimization'),
+      'disable_self_pingbacks' => __('Self Pingbacks', 'codetot-optimization'),
+      'disable_rest_api' => __('REST API (non-auth)', 'codetot-optimization'),
+      'remove_dashboard_widgets' => __('Dashboard Widgets', 'codetot-optimization'),
+      'disable_attachment_pages' => __('Attachment Pages', 'codetot-optimization'),
+      'remove_jquery_migrate' => __('jQuery Migrate', 'codetot-optimization'),
+      'disable_xml_sitemaps' => __('XML Sitemaps', 'codetot-optimization'),
+      'remove_frontend_dashicons' => __('Front-end Dashicons', 'codetot-optimization'),
     ];
   }
 

codetot-optimization.php

@@ -8,7 +8,7 @@
  * Plugin Name:       CT Optimization
  * Plugin URI:        https://codetot.com
  * Description:       Provides settings for enable/disable WordPress core features and some tweaks for ACF, Gravity Forms, such like Enable CDN, Lazyload assets.
- * Version:           1.3.0
+ * Version:           1.6.0
  * Requires at least: 6.0
  * Requires PHP:      8.0
  * Author:            CODE TOT JSC
@@ -24,7 +24,7 @@
 	die;
 }
 
-define( 'CODETOT_OPTIMIZATION_VERSION', '1.3.0' );
+define( 'CODETOT_OPTIMIZATION_VERSION', '1.6.0' );
 define( 'CODETOT_OPTIMIZATION_PATH', plugin_dir_path(__FILE__) );
 define( 'CODETOT_OPTIMIZATION_URL', plugin_dir_url(__FILE__) );
 

includes/class-codetot-admin-options-page.php

@@ -350,7 +350,7 @@ protected function build_menu_page($page_key)
     $this->options = get_option($page_key, array());
     ?>
     <div class="wrap">
-    <h1><?php echo $GLOBALS['title']; ?></h1><?php
+    <h1><?php echo esc_html( $GLOBALS['title'] ); ?></h1><?php
 
     if (!empty($page['sections'])) {
       ?>

includes/class-codetot-optimization-activator.php

@@ -30,7 +30,13 @@ class Codetot_Optimization_Activator {
 	 * @since    1.0.0
 	 */
 	public static function activate() {
-
+    // Ensure default comment/ping statuses are set once on activation,
+    // not on every admin page load.
+    if ( ! get_option( 'ct_optimization_activation_flushed', false ) ) {
+      update_option( 'default_ping_status', 'closed' );
+      update_option( 'default_comment_status', 'closed' );
+      update_option( 'ct_optimization_activation_flushed', true );
+    }
 	}
 
 }

includes/class-codetot-optimization-assets.php

@@ -37,25 +37,12 @@ public final static function instance()
 
   public function __construct()
   {
-    $options = get_option('ct-optimization');
+    $this->options = Codetot_Optimization::get_options();
 
-    if (empty($options)) {
+    if (empty($this->options)) {
       return;
     }
 
-    foreach ($options as $key => $option) {
-      $key = str_replace('-', '_', $key);
-
-      if ($option === 'yes') {
-        // Convert yes/no to true/false
-        $this->options[$key] = true;
-      } elseif ($option === 'no') {
-        $this->options[$key] = false;
-      } else {
-        $this->options[$key] = $option;
-      }
-    }
-
     add_filter('clean_url', array($this, 'add_async_forscript'), 11, 1);
 
     if (!empty($this->options['load_lazysizes_scripts'])) {

includes/class-codetot-optimization-deactivator.php

@@ -26,9 +26,7 @@ class Codetot_Optimization_Deactivator {
 	 * @since    1.0.0
 	 */
 	public static function deactivate() {
-	  add_action('init', function() {
-      delete_option('ct-optimization');
-    });
+	  delete_option('ct-optimization');
 	}
 
 }

includes/class-codetot-optimization-gravity-forms.php

@@ -38,25 +38,12 @@ public final static function instance()
 
   public function __construct()
   {
-    $options = get_option('ct-optimization');
+    $this->options = Codetot_Optimization::get_options();
 
-    if (empty($options)) {
+    if (empty($this->options)) {
       return;
     }
 
-    foreach ( $options as $key => $option ) {
-      $key = str_replace('-', '_', $key);
-
-      if ( $option === 'yes' ) {
-        // Convert yes/no to true/false
-        $this->options[$key] = true;
-      } elseif( $option === 'no' ) {
-        $this->options[$key] = false;
-      } else {
-        $this->options[$key] = $option;
-      }
-    }
-
     if ( ! empty( $this->options['disable_gravity_forms_default_styles'] ) ) {
       add_action('gform_enqueue_scripts', array($this, 'disable_gravity_forms_styles'));
     }
@@ -113,8 +100,8 @@ public function do_wrap_gform_cdata()
     if (
       is_admin()
       || (defined('DOING_AJAX') && DOING_AJAX)
-      || isset($_POST['gform_ajax'])
-      || isset($_GET['gf_page']) // Admin page (eg. form preview).
+      || isset( $_POST['gform_ajax'] )
+      || isset( $_GET['gf_page'] ) // Admin page (eg. form preview).
       || doing_action('wp_footer')
       || did_action('wp_footer')
     ) {