Freemius SDK state options (fs_accounts, fs_options, fs_gdpr) are no longer autoloaded when it is a guaranteed net win: a persistent object cache is active, or Cacheability Pro is the only Freemius-powered plugin on the site (its SDK never boots on the frontend, so nothing reads these options there). This removes up to ~100 KB of licensing data from the alloptions blob WordPress loads and unserializes on every request — the long-standing Freemius/wordpress-sdk#400 bloat that the SDK's own garbage collector shrinks but never de-autoloads. The flip is sticky (the SDK persists with $autoload = null, which never changes an existing row's flag), self-healing, and reversible — if conditions change (e.g. another Freemius plugin appears without an object cache), stock autoloaded behavior is restored automatically. Nothing is ever deleted.
2.1.2
Improved
The Freemius licensing SDK no longer loads on frontend requests. The premium-license decision is cached in a lightweight autoloaded option, refreshed on every admin/cron/WP-CLI request and instantly on license activation or deactivation (Freemius after_license_change / after_account_connection events). Frontend page loads skip the entire SDK bootstrap (~200 files plus its autoloaded fs_accounts data — a well-documented per-request tax), so every visitor hit is lighter. License enforcement, trials, premium update delivery, and the License & Account page behave exactly as before.
2.1.1
New
Full-Page Cache documentation page covering enabling via the WP_CACHE constant, disk + Redis storage tiers, the on-disk layout that matches WP Rocket and W3TC, nginx try_files and Apache mod_rewrite snippets, the two ESI strategies (post_process and skip), the bypass catalogue, the dual-sourced purge model (Varnish HTTP Purge hooks + WP fallback), Varnish coexistence as a passive listener, the X-Cache diagnostics catalogue, and the CACHEABILITY_FPC_DISABLED kill switch.
Improved
Removed the dead "WooCommerce bypass" checkbox from the Full-Page Cache admin tab. WooCommerce cart and checkout cookies (wp_woocommerce_session_*, woocommerce_items_in_cart, woocommerce_cart_hash) have always triggered an unconditional bypass via the hard-coded rejected-cookies list — the checkbox state was never read at runtime. The toggle was misleading, so it's gone. The always-on behavior is unchanged and is now locked by a regression test.
2.1.0
New
Native full-page cache. Bundled wp-content/advanced-cache.php drop-in installs from the new "Full-Page Cache" admin tab, removing the requirement to run Varnish or NGINX FastCGI Cache in front of WordPress. Disk-first storage with pre-gzipped sibling files (W3TC / WP Rocket-compatible layout, drop-in compatible with existing nginx try_files rules), optional Redis tier reusing the Phase 1 connection.
Bypass semantics mirror WP Rocket (16-test catalogue minus mobile-UA sniffing), so migrations are transparent.
ESI tags continue to work without an upstream proxy. When the disk backend serves an ESI-bearing page, the drop-in resolves <esi:include> tags via loopback HTTP, keeping per-request nonces dynamic.
WP_CACHE constant manager — idempotent writer for wp-config.php, refuses to clobber user-authored defines, exposes the state in Tools → Site Health.
Purge integration. VHP-driven purge hooks (after_purge_url, after_full_purge, after_purge_tags) drop FPC entries automatically. Without VHP installed, the FPC subscribes to WP-internal content-change events so consistency holds on any stack.
2.0.0
New
Redis object cache backend. Bundled wp-content/object-cache.php drop-in installs from the new "Object Cache" admin tab. PhpRedis-only (no Predis), honors the standard WP_REDIS_* constants so you can swap from Till Krüss's redis-cache or Pantheon's wp-redis without touching wp-config.php. Single-round-trip MGET, scalar fast-path storage, SCAN+UNLINK flush scoped to the current site (never FLUSHDB), object-injection-safe deserialization via an allowed_classes safelist, TLS + Redis 6 ACL, WP_REDIS_DISABLED kill switch, signature-based detection of competing drop-ins.
CI test matrix proves the plugin both caches when Redis is available (cross-request persistence verified by INFO commandstats delta) and doesn't break sites without Redis (no-redis / no-phpredis / redis-down profiles all green on every PR).
Improved
Deactivation cleanup. Now cleanly removes the bundled object-cache.php drop-in (only when the file still carries our version stamp — never touches a foreign drop-in).
1.2.0
Fixed
ESI nonce feature actually ships now. The required MU-plugin at wp-content/mu-plugins/cacheability-nonce-esi.php is now installed automatically on plugin activation and kept in sync on every admin page load (previously operators had to copy it by hand and most never did).
No more placeholder leaks into URLs, inline JS, or data-attributes. Under the previous behaviour, enabling ESI could result in literal __ESINONCE__... strings reaching the browser inside href="?_wpnonce=...", wp_localize_script JSON, data-nonce, and inline <script> blocks — breaking REST calls and every logout/trash link for anonymous visitors. Placeholder mode is now gated by an explicit per-action whitelist, and any action not on the list returns a real nonce.
New
Nonce action whitelist under Cache Controls → ESI Support. Accepts one action per line, wildcards with * supported (e.g. woocommerce-*). Filter: cacheability_pro_esi_nonce_actions.
MU-plugin status card on the settings page shows where the MU-plugin was installed, or the manual-copy snippet when wp-content/mu-plugins/ isn't writable.
Production Varnish VCL bundled at vcl/cacheability-pro.vcl (also shown inline on the settings page) — ready to include from your main VCL.
Expanded test coverage for the feature: wildcard whitelist matching, auto-install recovery after deletion, whitelist option round-trip, inert-by-default behaviour, and opt-in <esi:include> emission at origin.
Notes
ESI remains an anonymous-visitor only feature. Logged-in users continue to get real nonces.
Only whitelist actions whose nonces render into <input> elements. Actions that end up in URLs / JS / data-attributes are not ESI-reachable on Varnish and will not be post-processed — including them is what caused the previous leaks.
1.1.0
New Features
Resource Hints - Auto DNS prefetch, preconnect, and font preloading for external resources
Defer JavaScript - Adds defer attribute to scripts for faster page rendering
Image Dimensions - Adds missing width/height to images to prevent layout shift (CLS)
Heartbeat Control - Disables heartbeat on frontend, reduces frequency on admin
Emoji Cleanup - Removes WordPress emoji polyfill script, styles, and DNS prefetch
Page Optimization admin page - New settings page showing all active optimizations