RotiStudio

Frequently Asked Questions and Answers

Documentation

As this plugin has no complex features and no integration with other plugins, developer documentation is not required. Module descriptions are available below.

Performance

Header Cleanup

WordPress adds several links and meta tags to the section by default, most of which are unnecessary for most websites. This feature removes: the generator tag showing WordPress version (also recommended for security reasons), the RSD (Really Simple Discovery) link, the Windows Live Writer manifest link, the shortlink, and the adjacent posts rel links.

Feed Management

WordPress adds three types of feed elements to the : the main posts feed (domain.com/feed/), the comments feed, and additional feeds (categories, authors, tags, etc.). These elements can be disabled individually. Important: this only removes the reference – the feed URLs remain directly accessible via browser.

Disable Emoji

WordPress has had built-in emoji support since version 4.2, which loads an external JavaScript file and a CSS file. If your website doesn't use emojis in content, it's worth disabling these unnecessary resources for faster page loading. This feature also removes the emoji plugin from the editor (TinyMCE).

Disable jQuery Migrate

jQuery-migrate is a compatibility layer that makes older jQuery code run with newer jQuery versions. If all your website's themes and plugins are compatible with the current jQuery version, this package is unnecessary. Only enable this if you're sure none of your scripts require it.

Disable oEmbed

Disables WordPress automatic oEmbed handling for external URLs such as YouTube, Vimeo, Twitter/X, and other sanctioned providers.

How it works:

• Clears the oembed_providers list so trusted providers cannot auto-embed content
• Disables oEmbed discovery via the embed_oembed_discover filter
• Removes oEmbed discovery links and the wp-embed host script from the page head

Important: pasted URLs in content will remain plain links instead of iframe embeds. Do not enable this if your site relies on automatic video or social embeds from pasted URLs.

Note: the REST oEmbed endpoint is not removed in this version, because other plugins may depend on it.

Remove Asset Version Query Strings

WordPress appends a ?ver= query parameter to CSS and JavaScript URLs so browsers fetch fresh files after updates. This module removes that parameter on frontend pages for cleaner URLs and better compatibility with CDNs and reverse proxies that cache assets by path.

Működés:

• Filters style_loader_src and script_loader_src on the frontend only
• Strips the ver argument from same-site asset URLs
• Leaves wp-admin and third-party (external host) assets unchanged

Important: after a theme or plugin update, visitors may briefly receive cached old CSS or JavaScript until browser or CDN cache expires. If stale assets become a problem, pair this feature with server-level cache invalidation or another versioning strategy.

Note: only the ver query argument is removed from URLs handled by WordPress enqueue; other query parameters are preserved. Some CSS or JavaScript files may still show ?ver= in the page source if they are not loaded through the standard enqueue system, if another plugin or theme outputs the URL directly with a version parameter, or if the version string is required for that asset to work correctly.

Post Revisions Limit

WordPress stores an unlimited number of revisions for each post by default, which can unnecessarily increase database size. This setting overrides the maximum number of revisions using the wp_revisions_to_keep filter – without needing to modify wp-config.php. Setting 0 completely disables revisions; a positive integer keeps at most that many revisions per post (older ones are automatically deleted on save). An empty field leaves the WordPress default in effect.

Auto-save Interval

WordPress automatically saves your post content while you're editing to prevent data loss. By default, this happens every 60 seconds. You can increase this interval to reduce server load and database writes. The value is specified in seconds. Recommended values: 120 (2 minutes) or 300 (5 minutes). Setting a higher value means less frequent auto-saves, which can improve performance on busy sites. Note: This does not affect the manual save when you click the Save or Publish button.

Trash Auto-Delete

WordPress keeps deleted posts, pages, and media files in the trash for 30 days by default before permanently deleting them. You can change this period to automatically clean up your database more frequently or keep items longer for recovery purposes. The value is specified in days. Setting a lower value (e.g., 7 days) reduces database size but gives you less time to recover accidentally deleted items.

Heartbeat API Control

The WordPress Heartbeat API is a built-in feature that uses AJAX to communicate between the browser and the server at regular intervals. It powers several real-time features like autosave, post locking (notifying when someone else is editing the same post), and admin notifications. However, frequent Heartbeat requests can increase server load and consume resources, especially on shared hosting or high-traffic sites.

This feature allows you to independently control the Heartbeat API in three different contexts:

1. Admin Heartbeat Controls Heartbeat on the Dashboard and other admin pages (not the post editor). These pages typically don't require frequent updates. Recommended: 60 seconds, medium

2. Frontend Heartbeat Controls Heartbeat on your public-facing website. The Heartbeat API is rarely needed on the frontend unless you have specific plugins that rely on it. Recommended: Disable (not needed on public pages)

3. Post Editor Heartbeat Controls Heartbeat in the post/page editor (Gutenberg and Classic Editor). This is crucial for autosave and post locking features. Recommended: 30-60 seconds WARNING: Disabling the Heartbeat in the editor will also disable autosave and post locking!

Available Options:

• WordPress default: No changes, uses the default interval (typically 15-60 seconds).
• 15 seconds, dense: Very frequent updates, highest server load.
• 30 seconds, frequent: Frequent updates, moderate server load.
• 60 seconds, medium: Balanced updates, recommended for most sites.
• 120 seconds, rare: Less frequent updates, lowest server load.
• Disable: Completely turns off the Heartbeat API in this context.

Example Configuration:

• Admin: 60 seconds, medium (reduces dashboard requests)
• Frontend: Disable (not needed on public pages)
• ost Editor: 30 seconds, frequent (keeps autosave functional)

Performance Impact: Reducing Heartbeat frequency or disabling it on the frontend can significantly reduce server CPU usage, memory consumption, and database queries. This is especially beneficial on shared hosting environments or sites with limited resources.

Security

Disable XML-RPC

XML-RPC is a remote API protocol that allows external applications (mobile apps, desktop clients) and plugins (e.g., Jetpack) to connect to WordPress. Since it can pose a security risk and be a target for brute-force attacks, it's worth disabling if you don't use it. When enabled: all XML-RPC requests receive a 404 Not Found response (making it appear as if the xmlrpc.php file doesn't exist), and the RSD (Really Simple Discovery) tag is automatically removed from the HTML header. This security-through-obscurity approach prevents attackers from knowing that XML-RPC is actively blocked. Don't enable XML-RPC disabling if you use Jetpack synchronization, WordPress mobile app, or other plugins that require XML-RPC!

Disable Trackback/Pingback

The trackback and pingback mechanism is an automatic notification system between WordPress blogs, activated when you link to another WordPress site in a post. Today it's primarily a source of spam and security risk. This feature: closes pings on all existing and new posts (at runtime, without database modification), removes pingback XML-RPC methods (so XML-RPC remains active but pingback features don't), removes the X-Pingback HTTP header and pingback URL () from the source, and rejects direct HTTP trackback requests with a 403.

Disable File Editor

Disables WordPress's built-in plugin and theme editor functionality in the admin area. After activation, the Plugins > Editor and Appearance > Theme Editor menu items disappear from the admin menu and are not accessible via direct URL. This feature works by setting the DISALLOW_FILE_EDIT WordPress constant. This is a recommended security measure as it prevents direct browser-based editing of server files in case of compromised administrator accounts.

Automatic Updates Control

Controls automatic background updates and how often WordPress checks for new versions.

Update types (WordPress default / Enable / Disable):

• Plugins & Themes: Enable all forces automatic updates for every item and overrides per-plugin choices on the Updates screen. Disable all blocks automatic plugin or theme updates.
• Translations: Enable or disable automatic language pack updates.
• Core: Separate controls for minor, major, and development core releases.

Check for updates: Reschedules the wp_version_check, wp_update_plugins, and wp_update_themes cron events. WordPress default is twice daily; you can choose daily or longer intervals (3, 7, or 14 days).

wp-config.php: If AUTOMATIC_UPDATER_DISABLED or WP_AUTO_UPDATE_CORE is defined, those constants take precedence and an admin notice is shown.

Login Error Messages

By default, WordPress provides separate error messages for when the username exists but the password is incorrect, and vice versa. This information can help with brute-force and username enumeration attacks. This feature displays a generic, neutral error message in both cases.

Restrict Admin Access

Determines which WordPress user roles can access the wp-admin area. Users without permission will be redirected to the website homepage when attempting to access admin. The administrator role always has access and cannot be removed from the list. AJAX requests are not affected by this restriction. Important: make sure the administrator role is checked before activating.

REST API Restrictions

Intelligent restriction of certain WordPress REST API endpoints for security reasons. The REST API provides publicly accessible data by default (e.g., usernames, media files), which can pose a security risk in some cases.

How it works:

• Logged-in users: always have access (any role)
• Anonymous requests: receive a 401 Unauthorized error on restricted routes

Access is based on an authenticated WordPress session, not on cookies or HTTP headers that can be spoofed by external clients.

Restrictable endpoints:

• Users endpoint: Restricts the /wp-json/wp/v2/users endpoint, which exposes user data (names, slugs, email addresses). This makes it harder for attackers collecting usernames for brute-force attacks.
• REST index: The /wp-json/ root index requires authentication. This endpoint lists all available REST API routes, which is valuable information for attackers.
• Media endpoint: Restricts the /wp-json/wp/v2/media endpoint, which allows listing and querying uploaded media files.
• Comments endpoint: Restricts the /wp-json/wp/v2/comments endpoint.
• Search endpoint: Restricts the /wp-json/wp/v2/search endpoint, which allows searching within page content.

Important: WooCommerce's own REST API endpoints (/wp-json/wc/v3/, /wp-json/wc-store/v1/) are NOT affected.

Login Limit

Limits failed login attempts based on IP address and username, protecting the website against brute-force attacks.

How it works:

• Counts every failed login attempt both by IP address and by username
• If either reaches the limit, a timed lockout occurs
• Username lockouts are checked before password verification
• Successful login clears the counter

Settings:

• Block "admin" Username Instantly: When enabled, immediately blocks the IP address for 1 hour on the first login attempt with username "admin".
• Maximum attempts: How many failed attempts the system allows (default: 5). Counted separately per IP address and per username.
• Lockout duration: How long login is blocked after reaching the limit in minutes (default: 15 minutes).
• Whitelist IP addresses: IP addresses exempt from the limit (one IP per line).

Storage: Attempt counters use the WordPress Transients API with object-cache support when available.

Note: This feature only works on the wp-login.php page.

Verified Upload

Adds an extra upload security layer when files are sent to the WordPress media library or any flow that uses wp_handle_upload().

Checks performed:

• Filename rules: blocks dangerous extensions, double extensions, and disguised names such as shell.php.jpg
• MIME és magic byte: MIME and magic bytes: compares the declared extension with the detected file type using Fileinfo and file signatures
• Script markers: scans upload content for PHP or script signatures that indicate a disguised executable file

Performance: checks run only during upload, not on normal page views. Typical image uploads add only a few milliseconds of processing time.

Note: this does not replace server-level protection. PHP execution in the uploads directory should still be blocked at the web server level. SVG script sanitization remains handled separately by the SVG Upload module when that feature is enabled.

Visual

Hide Admin Bar

When logged in, WordPress displays an admin bar at the top of the page. This is useful for administrators, but can be distracting for users with other roles (editor, author, subscriber, etc.). The setting allows you to specify exactly which WordPress roles should have the admin bar hidden. The feature only disables the bar for selected role users; when the list is empty, the feature is not active.

Block Visibility (Mobile)

Adds a "Visibility" panel to every Gutenberg block in the block editor (Inspector Controls). You can set whether the block is always visible, appears only on mobile, or only on desktop. The mobile/desktop decision happens server-side using WordPress core's wp_is_mobile() function, so the block's HTML code is completely omitted from the source on the wrong device – not just hidden with CSS. This ensures better performance and cleaner HTML output.

Login Page Customization

Customize the WordPress login page (wp-login.php) logo, background color, primary color, and language switcher visibility. Logo settings: Choose whether to display the WordPress Site Icon (Settings → General → Site Icon) on the login page, or a custom image URL (relative path, e.g., /wp-content/uploads/logo.png). Logo width and height can be specified in pixels (default: 84x84 px). Background color: The login page background color is customizable (default WordPress color: #f0f0f1). Primary color: The "Log In" button background and border color can be modified (default WordPress color: #3858e9). Language Switcher: Option to hide the language selector dropdown from the login screen entirely. Customizations are implemented with CSS injected in the login_head action, safely overriding WordPress default values.

Email

Email Notifications

Individual WordPress system emails can be disabled or redirected to a custom email address:

• Update notifications – emails sent to admin about automatic core/plugin/theme updates; can be redirected to a custom email address instead of disabled.
• New user registration – only disables the admin notification (the newly registered user's welcome email remains).
• Password reset – the notification sent to admin can be disabled (not the password reset link email).
• Comment notifications – all comment moderation and author notifications.
• Privacy (GDPR) notifications – data export, data deletion, consent confirmation emails.
• Critical error email – error notification sent in WordPress recovery mode; can also be redirected to a custom email address.

Email SMTP / Complete Disable

Complete email sending disable: Uses the pre_wp_mail filter to block all wp_mail() calls – no emails are sent from the system. This is useful in development, test, or staging environments. SMTP settings: If complete disable is not enabled and SMTP host is specified, it configures the use of an external SMTP server instead of WordPress's native mail() function via the phpmailer_init action. Configurable options include: SMTP host, port, encryption (SSL/TLS/none), username and password (SMTP Auth), and sender email address and name (setFrom()). The password is stored encrypted with Sodium in the database, with the encryption key derived from a SHA-256 hash of the WordPress AUTH_KEY, SECURE_AUTH_KEY, and NONCE_KEY constants.

Other

Disable Comments

Completely disables the comment system: closes comments on all existing posts at runtime (without database modification), removes comment support from all post types, and blocks submission via both REST API and traditional wp-comments-post.php (403 response). In the admin area, it removes the Comments menu item, the comment icon from the admin bar, the dashboard widget, and the Discussion/Comments metaboxes from the post editor. If WooCommerce is active, checking the "Keep product reviews" option keeps comments (reviews) working on the product post type.

External Links in New Window

Automatically adds target="_blank" and rel="noopener noreferrer" attributes to all links pointing outside your own domain. Internal links (same domain) in posts and widgets are not modified. The rel="noopener noreferrer" is also important for security, preventing the opened page from accessing the original page.

Enable Page Excerpt

By default, WordPress pages (page post type) don't have the excerpt field available in the editor. This feature enables the excerpt field for pages in both Gutenberg and the Classic editor. The excerpt can then be used in templates with the get_the_excerpt() function, as well as in SEO plugins.

Clean Upload Filenames

Automatically cleans image and document filenames during upload. Accented characters are transliterated to ASCII, the name is lowercased, and spaces or special characters such as plus signs are replaced with hyphens.

Example: árvíz tűrő +33!.jpg becomes arviz-turo-33.jpg.

Supported types: common image formats (JPG, PNG, GIF, WebP, AVIF, SVG, and others) and document formats (PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, ODS, ODP, RTF, TXT, CSV). Video, audio, and archive uploads are not renamed.

Performance: runs only during upload and adds negligible processing time.

Note: when Verified Upload is enabled, security checks run first on the original filename before this module renames safe files.

SVG Upload

Allows SVG image files to be uploaded to the media library for selected WordPress roles. Performs security checks before upload: examines whether the SVG contains potentially dangerous code (script, iframe, JavaScript event handlers, etc.). Only users with designated roles can upload SVG; for all other users, SVG remains prohibited.

AVIF Upload

llows AVIF image files to be uploaded to the media library for selected WordPress roles. AVIF is a modern, highly efficient image format that is not supported by default in WordPress versions prior to WP 6.1. The plugin ensures proper MIME type handling on older WP versions as well.

Role Redirects

Set custom redirect URLs per role after login and logout. In the settings, two fields are available for each WordPress role (administrator, editor, author, contributor, subscriber, etc.): Redirect after login – using the login_redirect filter, the user with that role is redirected to the specified path after successful login. Redirect after logout – using the logout_redirect filter, the user with that role is redirected to the specified path after logout. If a user has multiple roles, the first matching role's redirect applies. The website URL is automatically pre-filled, you only need to enter the relative path (e.g., /dashboard/, /my-account/, /). This simplifies configuration and ensures only on-site redirects occur. In case of domain change or staging → production migration, redirects automatically adapt to the new domain.

Tested and working reliably:

• Standard WordPress login/logout (wp-login.php)
• WooCommerce My Account page shortcode-based login/logout
• Admin toolbar logout

Maintenance Mode

Temporarily blocks visitors from accessing the site while allowing authorized users to continue working. Uses the init hook (priority 1) to intercept all requests before any template, REST API, feed, or other WordPress functionality loads. Access Control: Select which WordPress roles can view the site during maintenance (Administrator is always allowed). Logged-in users with permitted roles can access the site normally, while all other visitors receive a 503 Service Unavailable HTTP status with a custom message. Exclusions: The admin area (is_admin()), AJAX requests (wp_doing_ajax()), and cron jobs (wp_doing_cron()) continue to function normally. SEO-Friendly: Returns 503 HTTP status code (not 200) with a Retry-After: 3600 header (1 hour), noindex, nofollow meta tags, ensuring search engines understand this is temporary. Visual Indicators: When active, a red warning notice appears in the admin area showing which roles have access, and the feature card on the dashboard displays with a red border instead of green to indicate a warning state. Custom Message: Optionally specify a custom message for visitors; if left empty, a default maintenance message is shown. The maintenance page displays the site title and message in a clean, centered layout.

Dynamic Year Shortcodes

Provides two shortcodes for displaying dynamic year information anywhere on your site:

1. Current Year: [refi-year] displays the current year (e.g., 2026). Perfect for copyright notices that auto-update: © [refi-year] Company Name

2. Duration Since: [refi-year from="2006"] calculates and displays the years between the specified year and now (e.g., if current year is 2026, displays: 20). Ideal for "Serving clients since 2006 (20 years)" or similar messaging.

Usage Examples:

• © 2006-[refi-year] Company Name → "© 2006-2026 Company Name"
• Proudly serving for [refi-year from="2006"] years → "Proudly serving for 20 years"
• Established [refi-year from="2010"] → "Established 16"

Note: Shortcodes work in posts, pages, text widgets, and most theme areas that support shortcode processing.