Fixed: token revocation now persists correctly. The sanitize_settings callback used truthiness checks to distinguish programmatic writes from form submissions; when revoke_token() set token_hash to an empty string the sanitizer treated it as absent and silently restored the old hash. Switched to array_key_exists() so an explicitly-set empty value is persisted.
Fixed: bundled translations under languages/ are now loaded explicitly via load_plugin_textdomain() on init. WordPress’ just-in-time loader only checks the global wp-content/languages/plugins/ directory, so without this call the bundled .mo files were never picked up.
Fixed: PO file Project-Id-Version headers updated from 1.5.3 to 1.5.4; typographic quote escaping corrected in de_DE, da_DK, and nl_NL translations.
Added: Quick Setup guide on the settings page when no token is configured, with numbered steps and a direct link to the Integrations page.
Added: “Get OutscoreAgent Pro” and “Support” action links on the Plugins page alongside the existing “Settings” link.
Fixed: IndexNow key route now works on Multisite subdirectory installs by stripping the site’s base path from REQUEST_URI before regex matching.
Fixed: autoload set to false on publish log and IndexNow route health options to prevent alloptions cache invalidation storms on sites with persistent object caching (Redis/Memcached).
Fixed: AIOSEO v4 Models API call wrapped in try/catch so a missing table no longer blocks article publishing.
Added: X-Forwarded-Proto detection in HTTPS enforcement for Cloudflare Flexible SSL and other reverse-proxy TLS termination setups.
Added: WP-Cron status detection on the Diagnostics tab with a warning when DISABLE_WP_CRON is true.
Changed: callback_url and callback_token fields are now editable after initial setup (previously required DB intervention to change).
Changed: replaced network admin settings page with an informational notice directing super-admins to per-site configuration.
Improved: readme description, tags, and FAQ optimized for discoverability (AI content generation, SEO decay, content refresh keywords).
1.5.3
Hardened: the the_content filter callback that prepends the featured-image credit now passes its returned HTML through wp_kses_post() before concatenation. The credit block was already built from escaped fragments (esc_html / esc_url / esc_attr around the photographer name, URL, and source label), but the wordpress.org review process requires the escape to be visible at the filter callback’s return site, not only inside the helpers that assemble the string.
1.5.2
Fixed: plugin text domain renamed from outscoreagent-publisher to outscoreagent to match the WordPress.org plugin slug. All translation strings, the language template (languages/outscoreagent.pot), and the distribution zip’s top-level folder are updated. Internal storage keys (outscoreagent_settings, outscoreagent_publish_log) are unchanged, so existing installs preserve their token and configuration.
Hardened: register_setting() sanitize callback now runs sanitize_text_field() on the programmatically-written site_id and token_hash values before persisting them.
Hardened: the public GET /status REST endpoint now returns only { success, plugin_version } to unauthenticated callers. WordPress/PHP versions, site name, post types, categories, and token state are returned only when the request carries a valid API token. The endpoint remains public so the OutscoreAgent platform can detect the plugin before a token is configured.
1.5.1
Fixed: removed the Plugin URI: header from the main plugin file. It pointed to the same URL as Author URI:, which the WordPress.org reviewer flagged. Author URI: is retained so users can find the plugin author; a dedicated plugin page can be added back later via Plugin URI: once one exists.
1.5.0
Renamed: the plugin text domain and distribution folder are now outscoreagent-publisher to match the WordPress.org slug. Internal storage keys (settings, publish log) and the brand prefix on functions/classes are unchanged, so existing installs keep their token and configuration after upgrading.
Renamed: the admin settings page slug is now ?page=outscoreagent-publisher (was ?page=outscoreagent). The “Settings” link on the Plugins page is updated automatically; refresh any direct bookmarks.
1.4.0
Added: IndexNow route self-test on the Diagnostics tab. Click “Run probe now” to hit the plugin’s own /<key>.txt URL from inside WordPress and classify the result (ok, not_found, forbidden, wrong_body, redirected, server_error, loopback_failed). Each status comes with a one-line remediation hint so a customer can tell whether a route failure is local (cache, WAF, hijacked hook) or external (CDN, DNS, reverse proxy).
Added: non-blocking advisories on the Settings tab for active plugins that frequently interfere with the IndexNow route without owning IndexNow themselves — page caches (WP Super Cache, W3 Total Cache, WP Rocket, LiteSpeed, Cache Enabler) and security/WAF plugins (Wordfence, iThemes Security, Sucuri, NinjaFirewall).
Added: detection of other plugins/themes hooked on template_redirect at priority <= 1, which could short-circuit the request before the IndexNow handler runs. Surfaced only when the loopback probe is failing, to keep the page calm in the happy path.
Added: route-health signal. If flush_rewrite_rules() cannot install our rule (.htaccess unwritable, mod_rewrite disabled, nginx misconfigured), a clear notice now appears on the Settings tab instead of failing silently.
Hardened: stored IndexNow key value is validated on read; a corrupted option no longer produces a confusing “another key is being served” symptom in the loopback probe.
1.3.1
Fixed: the “Text only — no clickable links” and “Disabled” image-credit modes now also rewrite the credit in the stored post content, not only at front-end render time. Previously the linked credit remained visible in the block editor, REST API, and any theme/feed that bypasses the_content filter. Articles whose figure-level marker class survived a Gutenberg edit are transformed at save time on the next publish/update.
Note: with this change, switching from “Text only” or “Disabled” to “Active links” or “Active links (nofollow)” no longer takes effect retroactively — anchors stripped at save time cannot be restored by the render-time filter. Re-publish the article from the dashboard to restore links under the new mode.
1.3.0
Authenticated REST endpoints now accept a namespaced X-OutscoreAgent-Token header in addition to Authorization: Bearer. The custom header sidesteps third-party JWT auth plugins (e.g. “JWT Authentication for WP-API”) which intercept any Authorization: Bearer … value and reject our osk_ tokens with jwt_auth_invalid_token / “Wrong number of segments” before our route handler can run. The OutscoreAgent platform now sends the new header by default; the Bearer fallback is retained for backwards compatibility.
1.2.1
Compatibility release tracking server-side fixes. Multi-organization users editing site integrations and IndexNow keys are now correctly authorized via any of their org memberships (previously could see “Site not found or access denied” when their first listed org did not own the site). Plugin behaviour is unchanged — the fix lives entirely on the OutscoreAgent platform — but the version bump is published in lockstep so plugin and platform stay aligned in support diagnostics.
Bumped Tested up to header to track the latest stable WordPress release.
1.2.0
Featured images are now downloaded into the WordPress media library by default and set as the post’s native featured image. Themes and the block editor pick them up automatically — no theme changes required.
Added a “Download featured image to media library” toggle in the settings page. When disabled, the previous behaviour (remote URL stored in _thumbnail_ext_url post meta) is retained.
Repeat syncs of the same article reuse the existing media library attachment instead of re-downloading.
Sideload failures fall back to the external-URL path so posts never end up without an image reference.
Added External services disclosure and privacy details to readme (WordPress.org submission compliance).
Raised minimum PHP version to 8.1.
1.1.0
Added HTTPS enforcement for outbound callback URLs (defense-in-depth).
Added per-token rate limiting (30 requests/minute) on all authenticated REST endpoints.
Added “Settings” link on the Plugins page for quick access.
Added Plugin URI and Author URI linking to outscoreagent.com.
