Excluded domains now support wildcard entries: *.example.com matches any subdomain of example.com but not the base domain itself. Plain entries (e.g. example.com) match that exact domain only. Add both to exclude a domain and all its subdomains.
Excluded domains are now honoured by the sitewide JavaScript scan, not just PHP content processing. Previously, links excluded in settings could still be flagged as external by the JS scan on navigation menus, footers, and widgets.
All four class settings (Suppress Icon Class, Suppress Icon Wrapper Class, Force External Class, Force External Wrapper Class) now accept comma-separated values, allowing multiple class names per setting.
Bug Fixes
Excluded domains with target=”_blank” in scope=both mode no longer incorrectly show a modal or redirect warning when processed by the JavaScript scanner. ARIA attributes are still applied for screen reader accessibility.
Sitewide link processing: JavaScript now scans the full rendered page on load and applies warnings to links in navigation menus, footers, sidebars, widgets, and any other theme output — not just post content. All four CSS class rules (wzlw-force-external, wzlw-force-external-wrapper, wzlw-no-icon, wzlw-no-icon-wrapper) work everywhere on the page.
Bug Fixes
Links inside wzlw-no-icon-wrapper now correctly receive data-wzlw-* attributes so the redirect/modal warning still fires; only the visual icon is suppressed.
Add wzlw-force-external / wzlw-force-external-wrapper class support to force links to be treated as external regardless of automatic detection. Both class names are configurable under Settings > Advanced.
The wzlw-no-icon and wzlw-no-icon-wrapper class names are now configurable under Settings > Advanced.
Security
Redirect endpoint now requires an HMAC signature on every URL. Unsigned or tampered URLs are rejected, preventing open-redirect abuse.
Bug Fixes
Redirect URLs with HMAC signatures were broken due to double-encoding of the & separator in HTML output.
Redundant URL encoding in get_redirect_url() caused malformed redirect URLs.
Same-host check now normalises hostnames before comparison, so variants like EXAMPLE.COM or example.com. are treated as internal.
Excluded domains now match correctly when entered with a scheme or trailing path.
Add wzlw-no-icon-wrapper class support — add it to any wrapper element to exclude all links inside it from visual indicators.
Improvements
Enhanced modal accessibility: background content is now hidden from screen readers when the modal is open, URL display includes a screen reader label, buttons have fallback accessible names, and the Continue button announces “opens in a new window” for target=”_blank” links.