WP Debug Toolkit 1.2.0 Beta 1 expands the wp dbtk CLI introduced in 1.1.0 so any coding agent can become a WP Debug Toolkit agent without taking you out of your editor, makes query recording safer for production, improves compatibility with proxied environments and restrictive hosting platforms, and adds a handful of workflow polish items on the Overview page.

Highlights

• CLI expansion — 29 commands across 6 groups, REST API discovery, endpoint profiling, session-based query recording, filtered log reading, and a published agent skill (npx skills add WP-Debug-Toolkit/wpdt-cli) so your coding agent uses the same commands you do.
• On-demand query recording — Click Record, set a duration (up to 1 hour), and recording stops automatically. Generate shareable, token-secured URLs so support techs or clients can trigger a recording without admin access.
• API discovery with persistent annotations — wp dbtk api discover captures route structure; wp dbtk api edit adds durable per-method annotations (safety, auth, return shape, notes) that survive rediscovery. Export/import packs and bootstrap Markdown briefs make the knowledge portable across sites and agent sessions.
• Log entry grouping — New Group toggle (press G) collapses duplicate entries with count badges and timestamp ranges.
• Proxy and CDN compatibility — New "Disable IP Binding" toggle, plus IP detection for Cloudflare (CF-Connecting-IP), Akamai (True-Client-IP), and standard forwarded headers, validated against trusted proxies.
• Flywheel hosting support — Detects Flywheel's infrastructure-level wp-config.php lock and routes viewer installation to /www/ correctly; debug constants are managed through the Flywheel dashboard.
• wp-config.php writability diagnostics — New Site Health check with safe temporary permission elevation so you know up front whether the plugin can manage debug constants on your host.
• Security hardening — Input validation, API response sanitization, CSRF binding, data exposure prevention, and cleaner deactivation/uninstall lifecycle.

Full Changelog

Added

• Time-limited query recording with shareable URLs and automatic stop — record queries on demand instead of leaving capture always on
• Group duplicate log entries toggle with count badges in the viewer
• Performance warnings on Overview page when debug mode or query logging is enabled
• Proxy and CDN support — disable IP binding toggle for proxied environments, with Cloudflare and Akamai header detection
• Manage session IP binding from the WordPress admin Viewer Settings tab
• View and clear rate-limited IPs from the WordPress admin Viewer Settings tab
• Flywheel hosting compatibility
• wp-config.php writability diagnostics in Site Health with safe temporary permission elevation
• wp dbtk api command group — discover, list, show, search, call, edit, export, import, and bootstrap REST API endpoints from the terminal
• Semantic annotation layer for wp dbtk api edit — method-level descriptions, safety classification, auth notes, return-shape notes, tags, and verification markers; persisted across discovery rescans
• wp dbtk api export / import for portable annotation packs with merge and replace-source modes
• wp dbtk api bootstrap — generate a Markdown brief of a plugin's endpoints for fresh agent sessions
• wp dbtk query-log start/stop/status/read commands for recording control and query analysis from the terminal
• wp dbtk log read command for filtered debug log reading from the terminal
• --summary and --memory flags for wp dbtk query-log read — view per-page performance overview and memory usage from recordings
• --profile flag on wp dbtk api call with full, queries, and summary modes
• CLI documentation suite — setup guide, usage guide, command reference, AI assistant guide, REST endpoint profiling guide
• Q keyboard shortcut to open the query recording dialog, with a shortcut badge on the Record button
• Reinstall Viewer action on the Overview page — regenerates viewer files without re-prompting for password; bound to the I shortcut when the viewer is installed
• "Always Logging" warning pill with tooltip on the Database Queries card when SAVEQUERIES or enhanced logging is persistently enabled

Changed

• Lazy-load services — deferred to point-of-use instead of eager init on every request
• Cache health check results for 5 minutes with auto-invalidation on settings change
• Faster admin page loads — cache license API responses and pass initial settings inline to eliminate redundant API calls
• Settings now work on hosts with restrictive file permissions via automatic permission elevation and restore
• Actionable error messages for admin users when settings fail to save
• Replace SAVEQUERIES with filter-based query capture for safer API endpoint profiling

Security

• Harden standalone viewer — add execution guard, expand blocked files list, and add directory listing protection
• Tighten wp-config backup file permissions to 0600
• Strengthen encryption key generation in viewer manager
• Improve HTTPS detection on local domains (.local, Docker)
• Comprehensive security hardening: input validation and sanitization, API response hardening, session and CSRF improvements, data exposure prevention, and cleaner deactivation/uninstall lifecycle

Fixed

• PHP 8.4 deprecation warning for E_STRICT constant in notifications mu-plugin
• Session IP binding failures behind load balancers and CDNs
• Viewer install no longer blocked by read-only wp-config.php
• Graceful degradation when wp-config.php is not writable
• Settings page showing the wrong status for debug, query logging, and other toggles
• File path detection showing empty in Settings when initial page data is used
• Viewer session authentication failing on local HTTP environments
• Viewer password status showing the wrong value on the Settings page
• Viewer settings modal not closing after a successful save
• Viewer theme out of sync between the sidebar toggle and the Settings modal
• Viewer sidebar "Keyboard Shortcuts" button now opens the shortcuts reference
• License activation state not syncing across admin sections without a page reload
• wp dbtk query-log stop no longer disables global query logging when ending a recording session; stats labels clarified to distinguish session totals from log totals

WP Debug Toolkit's version 1.1.0 Beta 1 is our biggest update yet, bringing a full Query Logger, a new email notification system, and a major round of security hardening for the standalone viewer. 

Highlights

• Query Logger — Real-time database query monitoring with slow query detection, N+1 identification, per-component performance breakdowns, and encrypted logs at rest.
• WP-CLI commands — Manage debug settings, the standalone viewer, license activation, and log files entirely from the terminal (wp dbtk).
• Automatic log cleanup — Configurable delete, archive, or truncate strategies with size limits and age-based rotation.
• Security hardened viewer — Mandatory password protection, SQLite-backed rate limiting with progressive lockout, session timeouts with IP binding, and expanded path traversal prevention.

New From Beta: 

• New: WP-CLI commands for license activation, debug toggling, viewer setup, and log management (wp dbtk)
• Improved: Production and performance warnings in setup wizard for debug mode and query logging
• Improved: "Install without tools" option to set up the viewer without enabling debugging tools
• Security: Query logs encrypted at rest
• Security: Restricted wp-config backup file permissions
• Security: Hardened viewer config and auth files against direct access
• Security: Expanded viewer blocked files list with additional sensitive file patterns
• Security: Added directory listing protection for query log storage
• Improved: Setup wizard defaults tools to disabled — users opt in consciously
• Fix: Query Viewer tail reader no longer returns 0 entries on huge final log line

Full Changelog

• New: Query Logger with real-time database query monitoring and slow query detection
• New: Query Statistics Dashboard with visual performance breakdowns
• New: N+1 query detection with aggregate statistics
• New: Database query error logging with filtering
• New: Query export to CSV, JSON, and TSV formats
• New: Dynamic query statistics that recalculate based on active filters
• New: WP-CLI commands for debug, license, viewer, log, and query-log management (wp dbtk)
• New: Automatic log cleanup with delete/archive/truncate strategies and age-based rotation
• New: PHP memory limit management in Settings
• New: Upload limit controls via WordPress filters
• New: Viewer permissions health check with repair button in Site Health
• New: Email notification system for error alerts with customizable templates
• New: Modular licensing system with grandfathered benefits
• New: Viewer settings for query dashboard limit, tail scan MB, max entry MB
• New: Partner discounts page
• Added: Custom file paths configuration (DBTK_CONFIG_PATH, DBTK_LOG_PATH)
• Added: Error level selection (Debug, Info, Warning, Error)
• Added: Cache busting in Admin and Viewer apps
• Added: WordPress i18n support
• Added: Psalm static analysis with type hints
• Security: Query logs encrypted at rest
• Security: Mandatory password protection for viewer (8-character minimum)
• Security: SQLite-based rate limiting with progressive brute-force protection
• Security: Enhanced session security with 30-minute timeout and IP binding
• Security: Strengthened path traversal prevention with expanded blocklist
• Security: Replaced exec() with token_get_all() for PHP syntax validation
• Security: Fixed wp-config.php case-sensitivity bypass in viewer
• Security: Added protection for secure-debug.php (GridPane)
• Security: Scoped CORS headers to plugin endpoints only
• Security: Restricted wp-config backup file permissions
• Security: Hardened viewer config and auth files against direct access
• Security: Expanded viewer blocked files list with additional sensitive file patterns
• Security: Added directory listing protection for query log storage
• Improved: Settings UI redesign with tabbed interface
• Improved: Redesigned crash recovery with granular plugin/theme controls
• Improved: Viewer installer wizard with step-by-step guidance
• Improved: Setup wizard defaults tools to disabled — users opt in consciously
• Improved: Production and performance warnings in setup wizard for debug mode and query logging
• Improved: "Install without tools" option to set up the viewer without enabling debugging tools
• Improved: License management moved to Settings page
• Improved: Enhanced output buffer management
• Improved: Targeted cache clearing (plugin transients only)
• Improved: Better type safety and code quality across PHP and React
• Fix: Query Viewer tail reader no longer returns 0 entries on huge final log line
• Fix: Viewer auth rate limiter fallback when PDO SQLite is unavailable
• Fix: Directory permission issues on restrictive servers (umask handling)
• Fix: Viewer installation on hosts with WordPress in subfolders
• Fix: Path validation supports relative paths securely
• Fix: Health check properly loads WordPress admin functions
• Fix: Admin CSS isolation prevents conflicts with other plugins
• Fix: Compatibility with UiPress Lite and WP Dark Mode
• Fix: wp-config.php duplicate constants when reinstalling viewer

WP Debug Toolkit's version 1.1.0 Beta 1 is our biggest update yet, bringing a full Query Logger, a new email notification system, and a major round of security hardening for the standalone viewer.

• New: Viewer permissions health check with repair button in Site Health
• Fix: Directory permission issues on restrictive servers (umask handling)
• New: Query Logger - Real-time database query monitoring with slow query detection and performance metrics
• New: Database query error logging with detailed error messages and filtering
• New: N+1 Query Detection - Automatically identifies and highlights repeated queries with aggregate statistics
• New: Query export to CSV, JSON, and TSV formats with accurate component attribution
• New: Dynamic query statistics that recalculate based on active filters
• New: PHP memory limit management (writes to wp-config.php)
• New: Upload limit controls via WordPress filters
• New: Automatic log cleanup with delete/archive/truncate methods, size limits, and age-based rotation
• New: Settings UI redesign
• Security: Password protection now mandatory for viewer
• Security: SQLite-based rate limiting with progressive brute-force protection (5s > 30s > 5min > 30min > 1hr > 24hr lockout)
• Security: Enhanced session security with 30-minute timeout and IP binding
• Security: Strengthened path traversal prevention with expanded blocklist
• Security: Replaced exec() command with token_get_all() for PHP syntax validation
• Security: Fixed wp-config.php case-sensitivity bypass vulnerability in viewer
• Security: Added protection for secure-debug.php (GridPane compatibility)
• Improved: Redesigned crash recovery system with cleaner UI and granular plugin/theme controls
• Improved: License management moved to Settings page
• Improved: Enhanced output buffer management
• Added: Custom file paths configuration
• Added: Error level selection in Settings
• Added: Cache busting mechanisms in Admin and Viewer App
• Added: WordPress internationalization (wp-i18n) support
• Added: Partner discounts page
• Added: Psalm static analysis with type hints throughout the codebase
• Improved: Better type safety and code quality across PHP and React code
• Fixed: Viewer installation on hosts where WordPress files are in subfolders
• Fixed: Path validation now supports relative paths securely
• Fixed: Health check now properly loads WordPress admin functions
• Fixed: Admin CSS isolation prevents conflicts with other plugins
• Fixed: Compatibility with UiPress Lite and WP Dark Mode
• New: Email notification system for error alerts with customizable templates
• New: Modular licensing system with grandfathered benefits for early adopters
• Improved: Viewer installer wizard with step-by-step guidance
• Improved: Targeted cache clearing (only clears plugin-specific transients instead of full cache flush)
• Security: Scoped CORS headers to plugin endpoints only
• Fixed: wp-config.php duplicate constants when reinstalling viewer