= 5.4.6 - 2026-03-23 =

We heard you — upgrading to 5.4.x broke tracking for many of you. Visitor counts dropped to
zero, IPs were masked without your permission, and a consent banner appeared on sites that
never asked for one. This release fixes all of that. After updating, your site works the way
it did before 5.4.0 — no manual steps required.

If you want to enable GDPR features

• Consent banner: Settings → Tracker → Data Protection → GDPR Compliance Mode = On, then
  Settings → Tracker → Consent Management → choose SlimStat Banner, WP Consent API, or
  Real Cookie Banner
• Anonymize IPs: Settings → Tracker → Data Protection → Anonymize IP Addresses = On
• Hash IPs: Settings → Tracker → Data Protection → Hash IP Addresses = On

Fixed

• Visitor counts dropping to zero after upgrading: a consent banner was silently enabled on
  every site, blocking all anonymous visitors. The banner is now off by default. If you had
  configured opt-in or opt-out privacy features in an earlier version, we detect that and
  keep consent enabled for you automatically.
• IPs being masked or hashed without your permission: v5.4.0 changed IP storage defaults,
  so full IP addresses were replaced with anonymized or hashed values. Your IPs are now
  stored in full again, matching pre-5.4 behavior.
• Tracking broken on sites using WP Rocket, W3TC, or other caching plugins: fresh installs
  defaulted to server-side tracking, which doesn't work with page caching. We've restored
  browser-based (JavaScript) tracking as the default — it works with every caching setup.
• Ad-blocker bypass failing after plugin updates: the bypass URL included the plugin version,
  so cached pages had a stale URL after every update. The bypass URL is now stable across
  versions, and we flush the rewrite rules on activation so caching plugins route it correctly.
• Internal tracking URLs and bypass file URLs appearing as pages in the Access Log. All
  SlimStat-internal URLs are now filtered from both reports and server-side tracking.
• Access Log pagination showing the same rows when clicking the next-page arrow. The second
  page now correctly shows the next set of results.
• Pageviews silently lost when a transport fails: the tracker now tries adblock-bypass, AJAX,
  and REST fallbacks before giving up.
• Stale cached tracker data causing abandoned pageviews: the tracker recovers gracefully.
• "Respect Do Not Track" setting only working when GDPR mode was on: DNT is now honored
  regardless of your GDPR setting. The DNT toggle is now always visible in settings.
• Migration admin notice linking to a non-existent settings page. The link now correctly
  opens Settings → Tracker → Data Protection.

Improved

• Tracker health diagnostics now distinguish between fatal errors and recoverable warnings.
• Session cookies are restored by default — returning visitors are recognized across pages
  again, just like in v5.3.x.
• Cookie info registered with WP Consent API now uses proper plural-aware translations.

Fixed

• Hardened user exclusion logic — fixed consent-upgrade path, capability key matching, and defensive wp_get_current_user() calls (#246)
• GDPR consent cookie domain, cached page banner display, and anonymous nonce handling
• Removed double-escaping in report filters and tightened XSS sanitization (#243, #244)
• Strict fingerprint input sanitization (#244)
• Output escaping in reports default case (#244)
• Store attachment content_type as cpt:attachment (#236)
• Narrowed dashboard nested widget CSS selectors to avoid style conflicts (#247)
• Increased Access Log widget height on WP Dashboard
• Synced stat before ensureVisitId to prevent ID loss on finalization
• Skipped REST nonce for anonymous users on non-consent tracking endpoints, removed dead adblock fallback URL

Security

• Restored nonce verification for all consent endpoints

Improved

• Refactored isUserExcluded() into standalone method with full test coverage
• Inlined get_current_user_id() in nonce guards for clarity

= 5.4.4 - 2026-03-17 =

Fixed

• Chart data not showing due to incorrect bounds check (PR #232)
• Weekly chart not showing today's data and not respecting start_of_week setting (PR #235)

Improved

• Added cpt: prefix guidance to content type exclusion setting

Fixed

• Fixed fatal error on servers without the PHP calendar extension (PR #229)
• Added defensive fallback for corrupted start_of_week option in calendar-related reports

Improved

• Moved day names array to a class constant in DataBuckets for better maintainability

Fixed

• Fixed tracking data not being recorded on some server configurations — REST API and admin-ajax endpoints now return responses correctly (PR #218)
• Fixed visitor locations showing a proxy server IP instead of the real visitor IP on Cloudflare-powered sites (#150)
• Fixed 503 errors that could occur on high-traffic sites due to inefficient visit ID generation (#155)
• Fixed excessive server requests when WP-Cron is disabled, caused by repeated geolocation lookups (#164)
• Fixed a CSS rule that could accidentally disable animations across your entire site, not just on SlimStat pages (#167)
• Fixed outbound link clicks, file downloads, and page-exit events not being recorded — a silent regression in recent versions (#174)
• Fixed consent rejections being ignored — visitors who declined tracking could still be tracked, and unconfigured consent types were incorrectly treated as granted (PR #178)
• Fixed a crash when the WP Consent API plugin is not installed alongside SlimStat (PR #172)
• Fixed a crash during background geolocation database updates (#180)
• Fixed geolocation database updates not retrying after a failed download — previously blocked retries for up to a month (PR #185)
• Fixed admin page styling conflicts with WordPress core styles (PR #175)
• Fixed Email Reports page layout not matching other SlimStat admin pages (PR #177)
• Fixed browser detection failing due to a library compatibility issue (#187)
• Fixed the external page tracking snippet being completely broken — the snippet only set the legacy ajaxurl parameter while the tracker expects transport-specific endpoints (#220)

Improved

• Every fix in this release is backed by ~329 automated tests across 46 test files — covering tracking, geolocation, consent, performance, and upgrade safety
• Restored the server-side tracking API (wp_slimstat::slimtrack()) for themes and plugins that track visits programmatically (#171)
• Unique visitor counts now work correctly even when IP addresses are anonymized or hashed (PR #178)
• 261+ previously untranslated strings are now available for translation in all languages (#173)
• Geolocation now works consistently across all request types, including background tasks
• DB-IP restored as the default geolocation provider for new installations
• Faster admin page loads by removing redundant database queries (PR #189)

Release v5.4.0 — Real-Time, Real Privacy

Full release notes → Slimstat 5.4 – Real-Time, Real Privacy

Breaking

• Legacy internal REST/tracker APIs changed; custom add-ons using old internals must update. See the Migration Guide for details.

New

• View real-time site stats directly from the WordPress admin bar
• Interactive tooltips on real-time chart bars
• Redesigned header and richer real-time visuals
• CMP integration for GDPR compliance (WP Consent API)
• GDPR Compliance Mode toggle
• Consent change listener for automatic tracking resume
• Centralized Consent class for tracking eligibility and PII operations
• GDPR-compliant salted hash IP with daily salt rotation
• IP-based rate limiting for AJAX tracking
• Privacy Policy content registration for GDPR Article 13/14
• Admin migration tools for database index optimization

Enhancements

• Footer script enqueuing for better page load times
• Redesigned date picker with persistent date range
• Improved flag icon rendering and readability
• Refactored geolocation with DB-IP, MaxMind, and Cloudflare support
• Refactored GDPR architecture delegated to external CMPs
• Smart IP handling with consent-based upgrade
• Code modernization with PSR-4, namespaces, and Query builder pattern
• Default 420-day data retention for GDPR compliance

Fixes

• Fixed SlimStat JS API accessibility after esbuild bundling (#121, #109)
• Fixed FingerprintJS v4 compatibility
• Fixed date-range, timezone, and report-filter issues
• Fixed IP processing and geolocation edge cases
• Enhanced query security and database indexing
• Proper consent revocation and cookie cleanup

Security

• Stronger SQL/XSS protections, stricter nonce validation, timing-safe HMAC checks, and improved IP hashing/anonymization

Changelog

• Security: Hardened plugin security

Changelog

• Security: Hardened plugin security

= 5.3.3 - 2025-12-17 =
Maintenance: Stability and compatibility improvements.

Changelog

• Fix: Minor improvements & Hardened plugin security.