Sitewide link processing: JavaScript now scans the full rendered page on load and applies warnings to links in navigation menus, footers, sidebars, widgets, and any other theme output — not just post content. All four CSS class rules (wzlw-force-external, wzlw-force-external-wrapper, wzlw-no-icon, wzlw-no-icon-wrapper) work everywhere on the page.
Bug Fixes
Links inside wzlw-no-icon-wrapper now correctly receive data-wzlw-* attributes so the redirect/modal warning still fires; only the visual icon is suppressed.
Add wzlw-force-external / wzlw-force-external-wrapper class support to force links to be treated as external regardless of automatic detection. Both class names are configurable under Settings > Advanced.
The wzlw-no-icon and wzlw-no-icon-wrapper class names are now configurable under Settings > Advanced.
Security
Redirect endpoint now requires an HMAC signature on every URL. Unsigned or tampered URLs are rejected, preventing open-redirect abuse.
Bug Fixes
Redirect URLs with HMAC signatures were broken due to double-encoding of the & separator in HTML output.
Redundant URL encoding in get_redirect_url() caused malformed redirect URLs.
Same-host check now normalises hostnames before comparison, so variants like EXAMPLE.COM or example.com. are treated as internal.
Excluded domains now match correctly when entered with a scheme or trailing path.
Add wzlw-no-icon-wrapper class support — add it to any wrapper element to exclude all links inside it from visual indicators.
Improvements
Enhanced modal accessibility: background content is now hidden from screen readers when the modal is open, URL display includes a screen reader label, buttons have fallback accessible names, and the Continue button announces “opens in a new window” for target=”_blank” links.
