BaseCloud Boost

1.1.9

Dashboard: honest cache status when a reverse proxy is in front

• The dashboard now explains the hit rate when a reverse proxy (Varnish) is active. On stacks like Cloudways, a reverse proxy caches Boost’s optimized pages and serves most visits without ever reaching PHP — so Boost’s hit counter (which only sees PHP requests) reads 0% even though every page is cached and served fast. When Varnish purging is enabled (or a proxy is detected), the dashboard now shows a short note clarifying that pages are cached at the proxy and the hit rate reflects only direct PHP requests, so the 0% is no longer mistaken for a caching failure.

1.1.8

Combine CSS now also folds stylesheets printed in the <body> (Elementor/Astra/Gravity Forms)

• Page-builder stylesheets printed late in the <body> are now combined too. Combine CSS only folded stylesheets in the <head>, but Elementor, Astra and Gravity Forms print widget/form CSS in the body, where it stayed as many separate render-blocking requests — adding network latency and, because that CSS styles above-the-fold elements (the nav menu, a contact form), causing layout shifts when it loaded after the content had already painted. Boost now folds those same-origin body stylesheets into a single bundle placed ahead of the content they style. It is intentionally kept render-blocking (not async, unlike the head bundle) precisely because it styles above-the-fold elements — so the menu and form are styled before first paint instead of flashing/reflowing. Fewer requests and steadier layout (CLS) on page-builder sites.

1.1.7

Cloudways (managed Varnish) support + reverse-proxy bypass cookie

• New Varnish “Reverse Proxy Type” setting. The existing Varnish integration assumed a self-managed Varnish whose VCL you control (PURGE for a URL, BAN for the whole site). Managed hosts like Cloudways don’t let you edit the VCL and use a different purge protocol, so those purges silently failed and the reverse proxy kept serving stale HTML. Choose Cloudways under Advanced → Purge Varnish and Boost now purges the way Cloudways expects: URLPURGE for a single URL and a PURGE to /?purgeall for the whole zone, sent to the proxy front-end (defaults to 127.0.0.1:8080). Purge requests to internal proxy ports are correctly sent over HTTP.
• New bcboost-nocache bypass cookie. Boost now sets this cookie for visitors who must always get a fresh page (logged in, or with an active WooCommerce cart) and clears it once they’re anonymous again — emitting the cookie only on that transition so normal anonymous pages stay cacheable. Add bcboost-nocache to your reverse proxy’s excluded-cookies list (on Cloudways: Application → Varnish Settings → Excluded Cookies) so the proxy bypasses its cache for those visitors. Boost’s own page cache honours the same cookie.

1.1.6

Fixed: Delay/Defer JS broke Elementor menus & widgets even after scripts loaded (no more excluding the whole Elementor stack)

• The order-safe loader now holds jQuery’s ready until every delayed script has run. Libraries like Elementor self-initialise on jQuery ready the instant their script executes. Because the loader runs delayed scripts one at a time, Elementor would initialise before later scripts (Elementor Pro’s element handlers, SmartMenus, etc.) had registered — so dropdown menus and some widgets never bound their behaviour and appeared dead, even once everything had loaded. Boost now pauses jQuery ready the moment jQuery is defined and releases it only after the whole queue drains, so all components initialise together exactly as on a normal page load. This removes the need to exclude jQuery/Elementor from Delay JS to keep menus working — keeping the full Total-Blocking-Time benefit on Elementor sites.

1.1.5

Fixed: Delay JS made the first click on menus/buttons do nothing (dropdowns appeared broken)

• The first click after a page loads now works with Delay JS enabled. Delay JS holds scripts until the first user interaction, but that very interaction — usually a click on a navigation dropdown, accordion or button — was being “spent” loading the scripts and never reached the handler that had just loaded, so the element looked dead until you clicked a second time (most visibly: Elementor/SmartMenus dropdown menus wouldn’t open). The loader now captures that first click, suppresses its default action so nothing navigates prematurely, and replays it on the original element once the scripts have loaded and bound their handlers — so a single click behaves exactly as it would without Delay JS. Normal links still navigate as expected.

1.1.4

Fixed: Critical CSS was corrupted on save (broke hero/background images)

• Saving settings no longer escapes quotes in your Critical CSS. WordPress adds slashes to submitted form data, and the settings handler stored the Critical CSS without removing them, so background-image: url(“…”) was saved as url(“…”). That is invalid CSS, so any rule relying on a quoted value — most visibly above-the-fold section/hero background images — silently failed to render once Critical CSS was enabled. Boost now unslashes the submitted settings before saving (the standard WordPress behaviour), preserving quotes and valid CSS escape sequences. If you enabled Critical CSS on 1.1.3 and a background went missing, re-save your settings on 1.1.4 and clear the cache.

1.1.3

Faster LCP on page-builder sites: CSS background images now go through WebP + CDN, and the hero image is preloaded

• CSS background-image files are now served as WebP/AVIF and from your CDN. Boost already rewrote <img> tags to modern formats and to the CDN host, but section/hero backgrounds set in CSS (the bulk of Elementor, Divi, Bricks, etc. layouts) were missed — they stayed as full-size origin JPG/PNGs baked into the combined stylesheet. Boost now rewrites those url() targets to the WebP/AVIF copy when one exists and to your CDN hostname, exactly as it does for images in the markup. On hero-heavy pages this can cut hundreds of KB off the single most important image. (Requires Combine CSS; clear the Boost cache after updating so the bundle is rebuilt.)
• The hero / LCP background image is now preloaded with fetchpriority=”high”. A section background lives inside the CSS, so the browser cannot discover it until the stylesheet has downloaded and parsed — a major Largest-Contentful-Paint delay on page-builder sites. Boost now detects the first full-width section that carries a background image and adds a high-priority <link rel=”preload” as=”image”> for it in the <head>, so it loads in parallel with the CSS instead of after it. Fully automatic, falls back to no preload when no hero is found, and can be turned off with the Preload LCP image option.

1.1.2

Font display + safer Critical CSS

• font-display: swap is now applied to fonts inside your stylesheets. Boost already added swap to Google Fonts links and inline @font-face blocks, but icon-font packs (Themify, Linearicons, ElementsKit, Font Awesome, …) declare their @font-face inside external stylesheets, where it was untouched. Boost now injects font-display: swap into those @font-face rules while minifying/combining CSS, so text and icons stay visible during font load (the “Font display” PageSpeed item). Governed by the existing Optimize Google Fonts toggle.
• Critical CSS is no longer corrupted on save. The Critical CSS field was sanitised with a text filter that strips every %xx URL-encoded sequence, which silently broke url() values (such as inline SVG data URIs) in pasted critical CSS. It now uses CSS-safe sanitisation that removes HTML tags but preserves valid CSS.

1.1.1

Combine CSS & Async CSS now work when a CDN is enabled (major mobile fix)

• Fixed: Combine CSS and Async CSS did nothing when BunnyCDN URL rewriting was on. The CDN rewriter swaps every asset URL to your pull-zone hostname (e.g. yourzone.b-cdn.net) before Boost folds the page’s stylesheets. Boost only recognised origin URLs, so it treated every CDN-hosted stylesheet as “external” and skipped it — leaving the whole page’s CSS render-blocking even with Combine CSS + Async CSS (or the Optimize for PageSpeed preset) enabled. On a CSS-heavy Elementor site that left dozens of stylesheets blocking first paint and capped the mobile PageSpeed score. Boost now maps CDN asset URLs back to their local files, so all same-origin stylesheets are combined into one bundle and that bundle is delivered asynchronously — and the bundle itself is served from the CDN. This is the single biggest mobile First-Contentful-Paint / Largest-Contentful-Paint fix for sites running BunnyCDN. After updating, clear the Boost cache (and purge your BunnyCDN pull zone) so pages are rebuilt.

WooCommerce: fixed “ghost products” added to the cart + safer real-time cart on cached pages

• Fixed: products silently appearing in the cart (“ghost products”). Boost’s link prefetch (on hover/tap) and the Speculation Rules engine were speculatively loading WooCommerce “Add to cart” links — which are ordinary ?add-to-cart=ID URLs marked rel=”nofollow”. Loading one actually runs the action, so simply hovering or tapping near a product button could add it to the cart. Both engines now skip every rel=”nofollow” link and any URL carrying a cart/AJAX/nonce action parameter (add-to-cart, remove_item, undo_item, wc-ajax, add_to_wishlist, _wpnonce), as well as the cart/checkout/my-account pages. Add-to-cart, remove and quantity changes now only happen when the shopper actually clicks.
• Real-time cart keeps working with Delay JS. The cart-fragments / add-to-cart scripts were already kept out of Defer/Delay so the mini-cart updates on cached pages, but jQuery — which they depend on — was still being delayed, so on a WooCommerce store those scripts could run before jQuery was ready. When WooCommerce is active Boost now also keeps jQuery running immediately, so the mini-cart, add-to-cart and quantity updates stay live. (On non-WooCommerce sites jQuery is still delayed for the Total-Blocking-Time win.)

1.1.0

Order-safe JavaScript engine — fixes broken sliders/menus and unlocks a big PageSpeed gain

• Defer & Delay JS no longer break themes (major fix). Previously Boost only added defer (or the delay marker) to enqueued script files, but left the inline initializers a theme or page-builder hard-codes in the page running during parsing — before the libraries they call had loaded. On sliders, popups and many WPBakery/ThemeForest themes that meant … is not a function errors and broken layouts. Boost now treats inline and external scripts as one ordered unit: every eligible script is run through a single loader that executes them strictly in their original order, waiting for each external file to finish before the next. Inline initializers (RevSlider, WPBakery, theme setup) and a script’s localized config keep working exactly as the theme intended.
• Delay JS is now safe and on by default. Because order is preserved, holding all JavaScript (including jQuery) until the first interaction — with a 5-second fallback for passive visitors — no longer breaks pages. This is the single biggest Total-Blocking-Time / PageSpeed lever and is now part of the recommended setup. After the delayed scripts run, Boost re-fires the page’s DOMContentLoaded and load events so everything still initializes. Use Delay JS Exclusions to keep specific scripts (analytics, chat, etc.) running immediately, or add data-no-delay / data-cfasync=”false” to a tag to opt it out.
• “Optimize for PageSpeed” now includes Async CSS. The one-click preset (Tools → Optimize for PageSpeed) now also enables Async CSS alongside Combine CSS so the combined stylesheet stops blocking first paint. Test your homepage after applying — themes that don’t inline their above-the-fold CSS may briefly flash unstyled.
• Async CSS now covers single-stylesheet sites too. When Combine CSS has only one local stylesheet to work with, that sheet is now loaded asynchronously (with a <noscript> fallback) instead of staying render-blocking.

1.0.9

Asynchronous CSS delivery — the mobile First Contentful Paint fix

• Combine CSS can now load asynchronously. Combining stylesheets reduces the number of requests, but the single bundle was still render-blocking — on a CSS-heavy page-builder site that one large file can hold up first paint on a slow mobile connection. With Async CSS (Lazy CSS) enabled alongside Combine CSS, the combined bundle now loads without blocking the first paint (media=”print” + onload swap, with a <noscript> fallback). The theme’s inline above-the-fold CSS paints immediately and the bundle applies as soon as it arrives — and because the stylesheet is no longer hogging the connection, the LCP image can start downloading sooner too. This is the single biggest lever for mobile First Contentful Paint / Largest Contentful Paint on heavy Elementor/Divi sites. Enable both under File Optimization. (When Combine CSS is off, Async CSS continues to load each stylesheet asynchronously as before.)

1.0.8

Faster Largest Contentful Paint + one-click PageSpeed setup

• Your hero image no longer waits for JavaScript (big LCP win). Many themes and plugins ship their own JavaScript “lazy loader” that replaces every image — including your above-the-fold hero — with a tiny placeholder and only loads the real picture once scripts run. On a slow mobile connection that can push your Largest Contentful Paint many seconds later, and the browser’s fetchpriority=”high” hint is wasted on the placeholder. Boost now detects the LCP/above-the-fold image, restores its real source immediately (from the usual data-src / data-orig-src / data-srcset attributes), removes the lazy-load hooks so it can’t be hidden again, and preloads it — using the responsive imagesrcset/imagesizes set when one is present so the browser fetches the exact size it will display. The hero starts downloading right away instead of after the page’s JavaScript has executed.
• Combine CSS now catches page-builder stylesheets (major fix). Combine CSS previously merged files at the point WordPress builds the page, which runs before Elementor, Divi and similar builders register most of their stylesheets — so on those sites it folded only a handful of files and left dozens of render-blocking requests behind (and, worse, served the rest un-minified). Combine now runs on the finished HTML, so it reliably collapses every eligible same-origin stylesheet — including the late builder/plugin ones — into a single minified bundle, preserving cascade order. External stylesheets (Google Fonts, CDNs) and print/media-query sheets are left alone. This is the difference between “combine did almost nothing” and “70 requests become 1” on a typical Elementor site.
• “Optimize for PageSpeed” one-click setup (new). Tools → Optimize for PageSpeed applies our recommended high-impact configuration in a single click — page cache, CSS & JS minify and combine, JavaScript defer plus delay-until-interaction, image lazy-load and WebP, GZIP and browser caching — then clears the cache so pages rebuild optimised. It’s the fastest way to get a strong Core Web Vitals baseline without learning every individual toggle. Your CDN, Cloudflare, webhook and other credentials are left untouched, and you can fine-tune anything afterwards.

1.0.7

Two features that silently didn’t work now do

• Cache preloading now actually runs. The preloader queued URLs and showed progress, but its background worker was never registered, so the crawl never started and progress sat at 0%. The batch-processing cron and its schedule are now booted on every request (including WP-Cron), so “Preload Cache” properly warms the site in the background.
• Multisite: deleting a network site now clears its cache. Cache is stored by URL, but deletion looked for a non-existent per-blog-ID folder, so a removed site’s cached pages were left behind. Deletion now purges the cached pages for the site’s actual domain and path.

1.0.6

Critical CSS fix + automatic database cleanup

• Critical CSS toggle now works. Pasting CSS into the Critical CSS box had no effect unless you also knew it was applied regardless of the on/off switch, while a second (per-URL) code path read a store that was never populated and did nothing. Now the Enable Critical CSS toggle properly controls whether your above-the-fold CSS is inlined, and the dead per-URL path has been removed.
• Scheduled database cleanup (new). Database → Automatic Cleanup can now run a safe, unattended cleanup on a daily or weekly schedule — post revisions, auto-drafts, spam comments, expired transients and orphaned post meta. Destructive/heavy operations (emptying trash, OPTIMIZE TABLE) are deliberately left to the manual buttons. Off by default.

1.0.5

PageSpeed / Core Web Vitals improvements

• Self-host Google Fonts (new). Boost can now download the Google Fonts stylesheet and its woff2 files to your server once and inline the localised @font-face CSS directly in the page. This removes the render-blocking request to fonts.googleapis.com and the extra DNS/TLS handshake to fonts.gstatic.com — both common PageSpeed Insights flags — and serves fonts from your own origin with font-display: swap. The download happens on a single cache-priming request and is reused for every visitor; the now-redundant Google Fonts preconnect hints are dropped automatically. Enable under Media → Google Fonts → Self-Host Google Fonts.
• LCP image control (new). A new “Never Lazy-Load These Images” list (Media → LCP / Above-the-Fold Images) lets you protect your hero/banner from lazy loading by URL fragment or CSS class, for the cases the automatic detection can’t infer.
• Safer Delay JavaScript. Delayed scripts now honour the data-no-delay attribute and the widely-used data-cfasync=”false” opt-out, so scripts that must run immediately keep working.

1.0.4

Geolocation / currency pricing now survives caching, plus WooCommerce and stability fixes

• Per-country & per-cookie cache variants. The page cache used to store one frozen HTML file per URL, so a geolocation/currency switcher would “stick” on whichever currency the first visitor saw — e.g. a South African visitor being shown USD. Boost now stores a separate cached copy per visitor country and per currency cookie, so geo pricing keeps working while pages are still served from cache. Enable Page Cache → Geolocation & Currency → Separate Cache per Country; common currency-switcher cookies (Aelia, WOOCS, WPML, etc.) are handled automatically, and a new BCBOOST_resolve_country filter lets a theme supply the country when there’s no GeoIP header. Variant responses are marked private so a CDN can’t collapse them back into one.
• WooCommerce cache exclusions now actually apply. The BCBOOST_cache_reject_uri / BCBOOST_cache_reject_cookies / BCBOOST_do_generate_cache developer filters were documented but never executed, so WooCommerce’s own cart/checkout/account exclusions silently did nothing. They are now enforced on the cache-write path.
• WooCommerce mini-cart fix. Cart-fragments and add-to-cart scripts are no longer deferred/delayed, so the mini-cart and cart count keep updating on cached pages.
• Mobile cache actually works now. The separate-mobile-cache option served mobile visitors but never wrote a mobile cache file, so mobile pages were re-rendered on every request. Mobile variants are now written and served correctly. Because most themes are responsive (identical HTML for both), separate mobile cache now defaults to off on new installs for a higher cache hit rate — turn it on only if you run a separate mobile theme or AMP. Existing sites keep their current setting.
• Targeted purges now clear every variant. Purging a URL removes all of its cached variants (desktop/mobile/country/cookie, plus their GZIP/Brotli copies) instead of a fixed handful of filenames.
• HTML minifier can no longer blank a page. On very large pages a single regex hitting PHP’s pcre.backtrack_limit could return null and wipe the whole document. Every step now falls back to the original HTML, so a failed optimisation simply skips itself instead of breaking the page.
• LCP fix — stop lazy-loading the hero image. The lazy loader treated the first <img> in the DOM (usually the header logo) as the LCP, gave it fetchpriority=”high”, and then lazy-loaded the real hero image even when the theme had already marked it fetchpriority=”high” and preloaded it. It now respects an existing priority/eager image as the LCP, never lazy-loads it, doesn’t steal priority for the logo, and won’t emit a duplicate preload. Also fixed malformed <img … / fetchpriority> output from appending attributes after a self-closing slash.
• Google Fonts hints no longer corrupted. The optimizer was appending ?display=swap to preconnect/dns-prefetch hints (e.g. href=”https://fonts.googleapis.com?display=swap”). It now only rewrites the actual font stylesheet link.
• Corrected nginx serving rules. The recommended nginx snippet omitted the scheme directory (so it never matched the real cache files) and mishandled pre-compressed files (raw Brotli/GZIP served without Content-Encoding). The new snippet is variant-aware (mobile, currency/geo cookies, per-country), skips the cache safely for logged-in/cart/query-string requests, and uses gzip_static/brotli_static for correct compressed serving.

Server cache & object cache compatibility (no clashes)

• Varnish / reverse-proxy support. When enabled (Advanced → Server Cache & Compatibility), every BaseCloud Boost purge now also clears Varnish over HTTP — a PURGE for single URLs and a BAN for site-wide clears — so the proxy never serves stale HTML. Supports separate Varnish server addresses (preserving the site host in the Host header) and ships a ready-to-paste, ACL-restricted VCL snippet.
• Object Cache Pro / Redis / Memcached: guaranteed coexistence. BaseCloud Boost is a page cache and runs alongside a persistent object cache. It never installs a competing object-cache.php drop-in and never calls wp_cache_flush() (which would wipe the object cache on every page purge), and it registers its own group as non-persistent. The Advanced screen now detects and reports the active object cache backend.
• Hosting auto-detection now actually runs. The host detector (WP Engine, Kinsta, SiteGround, LiteSpeed, Cloudways, Pantheon, and more) was defined but never booted, so its host-specific tweaks did nothing. It now runs: on hosts that provide their own full-page cache (WP Engine, Kinsta, Pagely, Pantheon, WP.com VIP) BaseCloud Boost’s file cache disables itself to avoid double-caching, and host/LiteSpeed/SiteGround caches are purged alongside ours.

1.0.3

Combine CSS is now safe — big win for Elementor and other builder sites

• Combining CSS now rewrites relative url() and @import paths to absolute URLs. Previously, combining stylesheets into a single bundle could break web fonts (e.g. Font Awesome icons turning into boxes) and CSS background images, because their relative paths resolved against the bundle’s location. This made Combine CSS unsafe on page-builder sites with many stylesheets — exactly where it helps most. It now works correctly, letting heavy Elementor/ElementsKit pages collapse dozens of render-blocking CSS requests into a handful.
• Per-file CSS minification also rewrites relative paths now, so individually minified stylesheets never lose their fonts or images either.
• Combining no longer folds media=”print” (or other non-screen) stylesheets into the main bundle, so print styles can’t leak onto the screen.

1.0.2

Critical Bug Fix

• Fixed a JavaScript minification bug that could break a site’s scripts — most visibly leaving a theme “preloader”/loading screen spinning forever so the page never appeared. The minifier preserved quoted strings before stripping comments, so an apostrophe inside a code comment (e.g. “don’t”, “we’re”) was mistaken for the start of a string and swallowed real code, producing invalid JavaScript. The minifier is now a proper single-pass lexer that correctly understands strings, template literals, regular expressions, and comments, and never breaks Automatic Semicolon Insertion. Minify JavaScript is safe to leave enabled again.

1.0.1

Performance

• Major front-end speed improvements: cached the modern-image (WebP/AVIF) format lookups so pages no longer hit the disk for every image on every request.
• Removed a redundant full-page processing pass in the lazy loader — less PHP work per uncached request and faster Time to First Byte.

Bug Fixes

• Fixed “I cleared the cache but still see the old page.” HTML pages were being sent to browsers with a long cache lifetime, so browsers (and shared caches) kept serving their own copy for hours and a server-side purge could not reach them. HTML is now always revalidated by the browser (a cheap 304 when unchanged), while static assets keep their long-term caching — so content edits appear immediately after a purge. Logged-in admins/editors now always see live, uncached content.
• The drop-in and .htaccess rules now self-heal on update: updating the plugin no longer leaves a stale advanced-cache.php behind, so fixes take effect without a manual deactivate/reactivate.
• Fixed lazy loading hiding images, iframes, and videos. The previous JavaScript placeholder approach could leave media permanently invisible if a script failed to run. Lazy loading now uses the browser’s reliable native loading=”lazy” and never hides content.
• The “Boost Cache” button in the admin toolbar no longer reloads you back to the dashboard. It now clears the cache instantly via AJAX with a rocket animation and keeps you on the current page.

New Features

• Image compression: BaseCloud Boost now generates high-quality WebP copies of JPEG/PNG uploads automatically. A new Bulk Compress tool on the Media screen compresses your entire existing media library in the background, with live progress. Originals are kept untouched, so quality and your media library are never broken.

Security

• API keys and secrets (Cloudflare API token, BunnyCDN API key, webhook secrets, PageSpeed Insights API key) are now encrypted at rest in the database using authenticated encryption.
• Secret fields are now masked in the admin UI and are never printed into page source.
• PageSpeed Insights audits now run through a secure server-side proxy, so your API key is no longer exposed to the browser.

1.0.0

• Initial public release.
• Full-page HTML caching with GZIP and Brotli compression variants.
• HTML, CSS, and JavaScript minification and combining.
• JavaScript defer and delay strategies.
• Critical CSS extraction and inline injection.
• Native lazy loading for images, iframes, and videos.
• WebP and AVIF next-gen image serving.
• YouTube and Vimeo video facade (click-to-play thumbnails).
• Sitemap-based cache preloader with real-time progress tracking.
• Cloudflare API cache purge integration.
• BunnyCDN API cache purge integration and URL rewriting.
• Generic CDN hostname rewriting.
• Database optimizer (revisions, transients, orphaned postmeta).
• Security headers module (HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy).
• Heartbeat API throttle to reduce admin-area server load.
• Performance metrics webhook for external monitoring.
• WP-CLI commands for cache management.
• WordPress Multisite support.
• WooCommerce cart and checkout cache exclusion.
• Google Fonts optimization with font-display=swap.