=== SmallPict – Image Optimization | Compress Images | Convert WebP | Convert AVIF === Contributors: c0redump, kukumber19 Tags: image optimizer, compress images, image optimization, webp, avif Requires at least: 5.8 Tested up to: 6.9 Requires PHP: 7.4 Stable tag: 1.1.8 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html Author: Tuxnoob Team Author URI: https://smallpict.tuxnoob.com/ Documentation: https://smallpict.tuxnoob.com/docs/v1/intro Optimize images in 1-click: compress images, convert to WebP & AVIF, and boost your site speed with the simplest WordPress image optimization plugin! == Description == = 🏆 The Simplest Image Optimization Plugin For WordPress = SmallPict is the easiest and most effective way to optimize images and speed up your WordPress site. We automatically compress and convert your images to modern formats (WebP & AVIF), making your pages load instantly without sacrificing visual quality. Image optimization should be simple. With SmallPict, there are no confusing server configurations or complex settings. Install, activate, and you're done! Our cloud-based image compression works smoothly without overloading your own server. ✨ Optimize Images – SmallPict Key Features: * **Smart Compression**: Smart AI technology ensures the smallest possible file size with premium quality. * **Automatic WebP & AVIF**: Serve next-gen formats like WebP and AVIF for superior speed. * **Zero Server Load**: Compression happens safely in our cloud. Your hosting server stays fast. * **Privacy First**: We never store your images. Files go directly back to your WordPress. * **Easy Setup**: Simply magical. No API keys or coding required. = 📸 Compress Images & Reduce Size Without Losing Quality = Is your slow WordPress website scaring away visitors? Large image sizes are usually the culprit. SmallPict acts as your automated image compressor, reducing image weight seamlessly. You’ll get your images automatically optimized at the best compression level and quality. Faster WordPress websites improve user experience and Core Web Vitals, resulting in better SEO rankings. = 🔄 Convert to WebP and AVIF = Take your image optimization a step further by serving next-gen image formats. SmallPict can seamlessly convert images to WebP and AVIF (Pro), replacing heavier formats like JPEG and PNG. By converting to WebP and AVIF, you guarantee lightning-fast load times for your visitors. = 💰 Is SmallPict Free? = Yes! SmallPict offers a generous free tier so you can start compressing and optimizing your images immediately managed via your Freemius account. Need to compress more images or use Pro features like AVIF? Check out our plans via the plugin dashboard! = ✉️ Get In Touch & Documentation = * Documentation & Guides: [https://smallpict.tuxnoob.com/docs/v1/intro](https://smallpict.tuxnoob.com/docs/v1/intro) * Plugin Website: [https://smallpict.tuxnoob.com/](https://smallpict.tuxnoob.com/) == Installation == = 1. WordPress Admin Search (Easiest) = 1. Go to your WordPress administration area and navigate to `Plugins > Add New`. 2. Search for `SmallPict` in the search bar. 3. Click "Install Now" and then "Activate" the plugin. 4. Follow the opt-in wizard to connect your free Freemius account. 5. Configure your compression settings in `Settings > SmallPict`. = 2. Manual Upload (via Zip) = 1. Download the free SmallPict plugin zip file from our website: [https://smallpict.tuxnoob.com](https://smallpict.tuxnoob.com). 2. Go to your WordPress administration area and navigate to `Plugins > Add New`. 3. Click on the "Upload Plugin" button at the top. 4. Choose the zip file you just downloaded and click "Install Now". 5. Click "Activate" immediately after installation finishes. = 3. FTP Method = 1. Download the free SmallPict plugin zip file and extract it on your computer. 2. Upload the extracted `smallpict` folder to your WordPress server into the `/wp-content/plugins/` directory via FTP. 3. Activate the plugin through the 'Plugins' menu in WordPress. 4. Set up your compression preferences in `Settings > SmallPict`. == Frequently Asked Questions == = Does this plugin require an account? = Yes! SmallPict requires a free account (managed securely via Freemius) to access our cloud processing API. This ensures your server isn't bogged down during the compression process. = What makes SmallPict better than other image optimizer tools? = SmallPict is designed to be the most "magical" image optimizer. No complicated server configurations, no API key copy-pasting required. We use smart AI compression to reduce your image weight without sacrificing visual quality, and all processing is handled safely in our cloud. = What happens if I reach my quota? = Your images will simply stop being optimized until your quota resets the next month. You can also upgrade your plan directly in your dashboard to continue optimizing right away. = Will the compression affect my original image quality? = Not at all. Our Smart Compression technology is specifically designed to balance maximum file size reduction with premium visual quality. Your website visitors won't notice a difference in quality, but they WILL notice the faster loading speed. = How does the WebP and AVIF feature work? = SmallPict automatically creates Next-Gen formats (WebP and AVIF) of your uploaded images and serves them conditionally. If a visitor's browser doesn't support WebP or AVIF, they will smoothly receive the original optimized format (like JPEG or PNG) instead. = Are my images stored on your servers? = Absolutely not. We care about your privacy. The image optimization process is performed in real-time in our cloud, and the optimized image is immediately returned to your WordPress website. We do not permanently store or retain copies of your images. = Do you offer support if I run into issues? = Yes! Our dedicated support is ready to help you fix any issue with your image optimizing process. You can reach out directly from your SmallPict settings area. == Screenshots == 1. **SmallPict Settings Panel** — Configure compression mode (Lossy/Lossless), output format (WebP, AVIF, PNG, JPG), image quality, and target file size. The sidebar shows your live monthly quota usage at a glance. 2. **Media Library — Optimized Result (WebP)** — After uploading, SmallPict automatically converts and compresses the image. This shows the Attachment Details of a successfully optimized file: a 2 MB JPEG converted to a 834 KB WebP, a 59% reduction without visible quality loss. 3. **Without SmallPict — Original Heavy File** — Without the plugin, WordPress stores the raw uploaded JPEG as-is: 2 MB at 1719×2560px with no compression or format conversion. Compare this with screenshot 2 to see the difference SmallPict makes automatically. == External services == This plugin connects to our 3rd-party external API to compress and optimize your uploaded images without impacting your local server performance. - **Data sent**: The plugin sends the raw uploaded image file along with your compression preferences (e.g., target format and quality level). This data is sent automatically in real-time every time you upload a new media file to the WordPress Media Library. - **Service Details**: The API receives the data, converting images to modern formats like WebP or AVIF based on your settings, and immediately returns the optimized image to your WordPress site. We do not permanently store or retain your images. - **Terms of Service**: https://smallpict.tuxnoob.com/en/terms - **Privacy Policy**: https://smallpict.tuxnoob.com/en/privacy == Changelog == = 1.1.8 = * New: Lazy Monthly Quota Reset — usage is now tracked per-month using dynamic DynamoDB fields (`usage_YYYY_MM`), so quotas reset automatically at the start of each billing cycle with zero infrastructure cost (no cron job needed). * New: Smart Plan Lifecycle Management — upgrade detection (e.g. Starter → Pro) now updates the billing anchor day and raises the quota limit without resetting current usage. * New: 3-Day Grace Period — if a subscription expires or is not renewed (monthly or annual), the plugin maintains the previous plan tier for 3 days before automatically downgrading to Free. * New: Plugin now works without Freemius SDK (WordPress.org Free installation) — a persistent local install ID is generated from the site URL, allowing Free tier users to authenticate and use the optimization service. * New: Complete onboarding flow overhaul — email-based OTP verification with persistent state across page refreshes, expiry/resend countdown timers, and 429 OTP_REQUESTED_RECENTLY handling. * New: API Key authentication system — replaces legacy session tokens with secure Bearer API key auth for all backend communication. * New: Account management page in WordPress admin — view connection status, copy masked API key, disconnect account, and rotate API keys directly from the dashboard. * New: Automatic activation redirect — redirects to SmallPict settings immediately after plugin activation. * New: Three-state license UI — free users see no license form; pending-activation users see the license key form; active-license users see a "License Active" card with plan details. * New: License state management — `get_license_state()` returns `none`, `pending_activation`, or `active`; `should_show_license_form()` drives conditional UI rendering. * New: `GET /v1/plugin/connection` now returns `has_pending_license` and `license_status` fields for authoritative license state without a separate quota call. * New: Account page now shows a License row with color-coded status badge (Free, Active, Pending Activation) and direct link to activate when pending. * Improvement: Settings page is now stateful — dynamically shows onboarding flow for new users and optimization dashboard for connected users. * Improvement: Structured error handling for OTP operations with clear user-facing messages for invalid, expired, rate-limited, and max-attempts codes. * Improvement: Periodic background sync of connection status and quota (throttled to once per hour) to keep plan and usage data up to date. * Improvement: Comprehensive uninstall cleanup — removes all plugin options, connection data, onboarding state, account limits, and cached capabilities on uninstall. * Fix: Usage & Quota bar was always showing 0% due to incorrect `function_exists('SmallPict')` check — corrected to `class_exists('SmallPict')` with proper `SmallPict::get_instance()` singleton access. * Fix: Fatal PHP error on fresh installs — removed calls to non-existent legacy `SmallPict_Quota_Manager::init_tracking()` and `get_tracking_data()` methods. * Fix: Fatal PHP error — removed duplicate `$is_sandbox` check block that referenced undefined `$fs` and `$site` variables in the WP.org build. * Fix: Plan change detection now correctly uses `if ($old !== $new)` condition instead of a mismatched brace that caused syntax errors. * Fix: `auth_exchange` backend now reads existing tenant data before writing, using `update_item` with partial field updates to preserve `usage_YYYY_MM` fields across re-installs. * Fix: Quota check in `create_upload` and `get_usage` endpoints now reads from the correct monthly field instead of the deprecated `current_usage_mb` field. * Fix: `get_usage` API response now includes `anchor_day`, `next_reset_date`, and `grace_expires_at` fields for accurate UI display. * Fix: DynamoDB reserved keyword `error` now correctly aliased as `#err` in `UpdateExpression` to prevent `ValidationException`. * Fix: `install_id` schema validation now accepts both `int` and `str` for forward compatibility. * Improvement: Quota transient cache reduced from 15 minutes to 5 minutes for faster UI feedback after uploads. * Improvement: Build script (`build-wporg.sh`) no longer creates a `.zip` archive in the build directory, preventing accidental inclusion of the zip file in SVN/WordPress.org deployments. = 1.1.7 = * Enhancement: Added minimalist plugin banner and high-res icon for WordPress.org repository. = 1.1.6 = * Fix: Corrected GitHub Actions deploy workflow — moved `SLUG` and `BUILD_DIR` to env vars (were incorrectly passed as `with:` inputs to `10up/action-wordpress-plugin-deploy`). * Fix: Replaced deprecated `buttonizer/freemius-deploy` GitHub Action with a direct Freemius API Python script, eliminating the `set-output` deprecation warning. * Fix: Corrected Freemius API HMAC-SHA256 signing to match PHP SDK — uses RFC 2822 date, hex HMAC digest, and URL-safe base64 without padding. = 1.1.5 = * Security: Server-side quota enforcement — monthly usage now tracked in DynamoDB and enforced before each job starts. * Security: File size limit per plan is now validated server-side before processing begins (prevents oversized uploads bypassing plan limits). * Security: Removed hardcoded JWT fallback secret — API now returns 500 if `JWT_SECRET` env var is missing. * Security: `is_sandbox` mode is now determined by a server-side environment variable (`ALLOW_SANDBOX`), not a client-supplied flag (prevents quota bypass). * Security: S3 object key is now validated to belong to the authenticated tenant (prevents path traversal attacks). * Security: Replaced `file_get_contents()` S3 upload with streaming cURL (`CURLOPT_INFILE`) to prevent PHP OOM errors on large files. * Security: Admin JS now receives a nonce via `wp_localize_script` for future AJAX request verification. * Performance: Upload polling now uses exponential backoff (2s→5s, max 20 attempts) replacing a flat 60-second blocking loop. * Performance: Bulk imports via WP-CLI and REST API now skip synchronous blocking optimization to prevent timeouts. * Performance: Lambda `/tmp` directory is now fully cleaned after each job (input + output files) to prevent storage leaks across warm invocations. * Performance: Presigned S3 download URLs extended from 15 minutes to 1 hour to support longer async processing jobs. * Fix: `get_usage` API endpoint now returns real usage data from DynamoDB instead of a hardcoded placeholder. * Fix: `image/gif` added to allowed upload content types for animated image support on paid plans. * Fix: Free-tier engine now respects the user-configured quality setting instead of hardcoding 80. * Fix: JWT session token expiry reduced from 7 days to 24 hours for improved security posture. * Compliance: All output variables pass `WordPress.Security.EscapeOutput` PHPCS/WPCS sniffs (confirmed zero violations). * Compliance: cURL streaming usage justified with `phpcs:disable` blocks and documented rationale. = 1.1.4 = * Fix: Addressed WordPress.org review feedback regarding strict late escaping for all output data. * Fix: Replaced raw `json_encode` with `wp_json_encode` to comply with WordPress Coding Standards. * Remove: Stripped Pro UI capabilities and Freemius gating from WordPress.org build. = 1.1.3 = * Fix: Freemius library conflict check. * Fix: Escaping inline CSS outputs. * Update: Added c0redump to Contributors list. * Update: Detailed External Services endpoint in readme. = 1.1.2 = * Fix: Replaced `rename()` function with `WP_Filesystem::move()` to comply with WordPress standards. * Fix: Added `smallpict.pot` template file to satisfy Domain Path requirement. = 1.1.1 = * Security: Improved output escaping and sanitization across settings and admin pages. * Security: Added direct file access protection to all remaining PHP files. * Fix: Removed development logging functions for cleaner production operation. * Fix: Standardized timezone handling to use `gmdate()`. * Fix: Replaced `unlink` with `wp_delete_file` for better filesystem compatibility. = 1.1.0 = * New: Fully managed SaaS architecture (Serverless). * New: Freemius integration for plans, billing, and quota management. * New: Strict backend validation for plan capabilities. * New: Added "Hard Reset" trigger for debugging localhost states (`?sp_reset_license=1`). * Improvement: Enhanced file handling with fallback strategies for Docker/NAS. * Improvement: Adaptive SSL verification for better compatibility. * Fix: Comprehensive cleanup of data during uninstallation. * Fix: Resolved "headers already sent" issues during activation. * Fix: UI synchronization for "Keep Original" format restrictions. = 1.0.0 = * Initial Release. * Serverless Image Optimization via AWS Lambda. * Freemius Integration for Licensing. * WebP Support.