In WordPress, we found various query endpoints that can be malformed to create broken pages. Backlinks to these pages can harm your site’s ranking. In this update, we added advanced query protection, which you can enable via the robots meta settings.

The “Connected Social Pages” input fields will now disappear when you empty them. They have never proven to work, and Google has deprecated them. We also removed the transient caching for JSON-LD scripts, as it wasn’t helping anyone.

On the other hand, we added a new feed indexing option, Discord sharing options (oEmbed, theme color), and the aforementioned advanced query protection option. Support for EDD and Polylang has been expanded, and we reintroduced the hyphen option for titles (which is the new default).

In this update, we bring a few other quality-of-life changes, as well. We added a dozen new filters, touched up the interface, streamlined the query handler, and fixed known corner-case issues and bugs.

Detailed log

> View code changes.
> View closed issues.

For everyone

• Added:
  • Advanced query protection.
    • This protection helps mitigate against a new form of WordPress query exploitation we discovered. This can be invoked either intentionally or accidentally, causing Google to crawl and index thousands of pages that shouldn’t exist.
    • The option for this is enabled automatically for sites that install The SEO Framework for the first time. Otherwise, you’ll have to tick a box.
    • When invoked, the meta tag <meta name="tsf:aqp" value="1" /> will be outputted to indicate it’s in effect, after the noindex,nofollow attribute is set for robots. This tag will help us spot false positives.
    • Found under “Robots Meta Settings > General”.
  • You can now choose to enable or disable oEmbed.
    • This won’t remove the generation of the script endpoints, you can still call them. The pages simply won’t point to them anymore, which is enough.
    • If you want to disable oEmbed entirely, use the Disable Embeds plugin.
    • Found under “Social Meta Settings > General”.
  • You can now specify the theme color.
    • Found under “Social Meta Settings > General”.
  • You can now remove the author name (and author URL) from embeds. This removal is prominently desirable for Discord, but it also affects other sharing services.
    • Found under “Social Meta Settings > oEmbed”.
  • You can specify feed indexing options. This is useful for sites publishing podcasts.
    • Found under “Feed Settings”.
  • You can now register your Baidu Search Resource Platform Code (webmasters verification code).
    • Found under “Webmaster Meta Settings”.
  • With Polylang, now all sitemaps are flushed whenever you publish or update a post or page.
  • Open Graph support for Easy Digital Downloads (EDD v2.9+) “downloads” attribute for og:type.
  • We reintroduced the hyphen, it is now safe from incorrect texturization!
    • Your titles and descriptions will now have the hyphen preserved as entered, making the pixel counter more accurate.
    • However, when more than one sequential hyphen is entered, it will still be texturized by WordPress.
  • Title and description related SEO Bar tests for unsupported transformative syntax. Mainly detecting syntax from Yoast SEO and SEOPress, making your migration to the better plugin more manageable.
    • The test runs after your filters do. So, if you’ve added transformative syntax filters to the right hook, you shouldn’t receive any SEO Bar related errors.
• Improved:
  • Subdirectory issue tests for the robots.txt output is no longer cached and is now more accurate.
  • Implemented WordPress 5.4/Gutenberg 9.4 styling guidelines for the post-SEO box editor.
    • Also improved the painting performance by removing a redundant flexbox wrap.
    • N.B. Advanced Custom Fields overrides the meta box handler styling globally. So, that’s a thing.
  • Thanks to cleaning up leftover IE11 support, the Post SEO Settings header-navigation items can now have their text collapse vertically, as was initially intended.
    • The collapsing now happens 4px before the text touches the icon (instead of 0px). Much neater.
  • Before fetching images from the content, various tags are stripped. This prevents sharing tracking images from donation forms, for example.
  • .apng, .bmp, .ico, .cur, .svg, .tif, and .tiff images are no longer taken from the page content for social sharing.
  • Now, at most 5 images are taken from the content for social sharing.
  • Sanitizing content for description generation is now more accurate and 10 to 1040 times faster. Yip yip yip.
    • But parsing the images more accurately is slower. So that evened it out…
  • Added a warning to the General Post Types settings, since the meaning of these settings wasn’t clear enough.
  • Added a notification to the robots Post Type directive settings when a post type is disabled. The corresponding checkbox is also disabled, to strengthen the significance of the conflict.
• Changed:
  • The default sitemap colors are no longer dark/green, but WordPress colored (darker/blue), instead.
  • The “maximum image preview size” copyright directive bug has been fixed by Google. Therefore, the restrictions and warnings have been lifted.
  • The robots.txt output is now default when the blog is not public. This follows the behavior in WordPress 5.3.
  • The default title separator is now a hyphen -, instead of a pipe |.
  • When you upgrade from TSF v3.2.4 or below, you’ll now maintain the dash (now called hyphen) title-separator option.
• Deprecated:
  • The social profile links fields are deprecated. They will be removed from sight when you leave them empty. Learn more.
• Removed:
  • Caching of the JSON-LD scripts and all related options, it wasn’t helping anyone, and it’ll be redundant when we’ll introduce HTML breadcrumbs.
• Other:
  • We’re maintaining the UTC timestamp workaround brought in version 4.0.4, because it works as intended all around.
• Fixed:
  • The author title is now displayed on author archives without posts. Note that your theme may still not display the name.
  • On non-English websites, the correct “Untitled” title is now used in the “No title found”-SEO Bar warning (when no prior translation was supplied).
  • Global robots settings for post types no longer affect their respective singular-archives (blog, shop).
    • For example, global noindex for post no longer sets noindex for the blog page erroneously.
    • Another example: Global noindex for product no longer sets it for the shop page erroneously.
  • Empty singular-archives (blog, shop) are no longer perceived as unsupported queries.
  • Empty singular-archives (blog, shop) are no longer marked for noindex automatically.
    • We’d rather have this marked as noindex, but the SEO Bar, Sitemap, and other APIs are not consistent with this data.
    • We advise you to mark empty blog pages with noindex, or otherwise redirect them.
  • The “remove blog name” option now has its state reflected in the example output again.
  • Also thanks to cleaning up leftover IE11 support, the Post SEO Settings can now fill the meta box on tablet-sized screens.
  • Feed content and og:image:alt can no longer have its last HTML entity transformed incorrectly.
  • On WordPress Multisite, when a sub-sites is first accessed after an upgrade via FTP, they should now run the proper environmental testing procedure.
  • The correct required PHP version is now stated when the plugin activation fails.
• Patched:
  • Added a workaround to WP Core Trac ticket 49543, where our new theme-color setting’s clear button was misaligned.
    • According to the ticket, this can be removed once WP v5.5 launches.
• Temporary:
  • For the block editor, we added extra padding around the SEO settings. Although this looks as intended on WordPress 5.0 through 5.4-beta, it might turn out to be undesired when WordPress 5.4 or 5.4.1 lands. It surely doesn’t look as we planned it to when using Gutenberg 7.6.0–and we still don’t know why that plugin isn’t marked as a beta-tester plugin. Tracking changes is impossible due to the discrepancy (and lack) of reporting standards between Gutenberg and WP Block Editor. Digression aside, the layout functions as intended (look ≠ function), and we’re awaiting non-transitory improvements to the block-editor from which we can benefit.
• Not fixed:
  • For the block editor using WordPress 5.4-beta or Gutenberg 7.6.0, the sidebar layout is overflowing (see Gutenberg issue 20206 and Core ticket 46964), and that is not for us to fix. Our proposed fix (that’d be 1 line), wasn’t considered. A proper resolution might not land early enough for it to go unnoticed to our users.

For translators

• Added:
  • New translations are now available.
• Updated:
  • The POT translation file.

For developers

• General changes:
  • It is now easier to add and customize columns for quick-and bulk edit.
  • You can now override the post and term metadata dynamically with filters.
  • Added the tsf-is-block-editor class to the postbox class, specifying we’re dealing with Gutenberg/Block-Editor.
  • The wp-util script is now requested when required, instead of us expecting it to be loaded.
• Option notes:
  • Under THE_SEO_FRAMEWORK_SITE_OPTIONS:
    • Added:
      • advanced_query_protection, either 1 or 0.
      • index_the_feed, either 1 or 0.
      • baidu_verification, string.
      • theme_color, string, color hex.
      • oembed_scripts, either 1 or 0.
      • oembed_remove_author, either 1 or 0.
    • Changed:
      • title_separator default value is changed from pipe to hyphen.
    • Removed:
      • cache_meta_schema, this used to enable transient caching for Schema.org output.
• Filter notes:
  • Added:
    • the_seo_framework_image_details
    • the_seo_framework_robots_txt
    • the_seo_framework_enable_noindex_comment_pagination
    • the_seo_framework_use_archive_prefix
    • the_seo_framework_is_singular_archive
    • the_seo_framework_is_product
    • the_seo_framework_is_product_admin
    • the_seo_framework_set_noindex_header
    • the_seo_framework_baidusite_output
    • the_seo_framework_list_table_data
    • the_seo_framework_term_meta, this replaces the old, unstable, and since deprecated the_seo_framework_current_term_meta filter.
    • the_seo_framework_post_meta
• Action notes:
  • Added:
    • the_seo_framework_before_bulk_edit
    • the_seo_framework_after_bulk_edit
    • the_seo_framework_before_quick_edit
    • the_seo_framework_after_quick_edit
• Function notes:
  • the_seo_framework_pre_boot_test() (private) no longer assumes the main blog (WP Multisite) has been tested, although that’s very likely when updated via the interface.
• Method notes:
  • For object the_seo_framework():
    • Added:
      • is_query_exploited()
      • theme_color()
      • get_html_output()
      • get_post_type_real_ID()
      • is_shop()
      • is_product()
      • is_product_admin()
      • s_hyphen()
      • has_yoast_syntax()
      • baidu_site_output()
    • Changed:
      • s_title_raw() now normalizes hyphen entities.
      • s_description_raw() now normalizes hyphen entities.
      • get_separator():
        1. Now utilizes the predefined separator list, instead of guessing the output.
        2. The default fallback value is now a hyphen.
      • robots_txt() is now marked as private (internal use only). You should not call it.
      • get_generated_archive_title():
        1. Now no longer uses get_the_author() to fetch the author’s display name, but uses the provided term object instead.
        2. The first parameter now accepts \WP_User objects.
      • use_generated_archive_prefix():
        1. Added first parameter $term.
        2. Added filter the_seo_framework_use_archive_prefix.
      • robots_meta():
        1. Removed copyright directive bug workaround.
        2. Now sets noindex and nofollow when queries are exploited (requires option enabled).
      • get_robots_meta_by_query() now bypasses singular-archives for no-posts-query-noindex tests.
      • is_singular_archive():
        1. The output is now filterable.
        2. Added caching.
        3. Now has a first parameter $post.
      • is_wc_shop() now has a first parameter $post.
      • check_the_real_ID() no longer tries for WooCommerce shop and AnsPress question IDs.
        • WooCommerce’s check has been moved to a filter via the compatibility file.
        • AnsPress now handles it via the same WordPress Core methods we use.
      • For these methods, the $post_type fallback now uses a real query ID, instead of $GLOBALS['post']; mitigating issues with singular-archives (blog, shop).
        • is_post_type_supported()
        • post_type_supports_taxonomies()
        • is_post_type_disabled()
        • get_hierarchical_taxonomies_as()
        • get_robots_meta_by_query()
        • is_post_type_robots_set()
      • strip_tags_cs():
        1. Added the strip argument index to the second parameter for clearing leftover tags.
        2. Now also clears iframe tags by default.
        3. Now no longer (for example) accidentally takes link tags when only li tags are set for stripping.
        4. Now performs a separate query for void elements; to prevent regex recursion.
      • get_image_details(), its output is now filterable.
      • s_image_details() now faults images with filename extensions APNG, BMP, ICO, TIFF, or SVG.
      • is_blog_public() can now test for non-sanitized ‘blog_public’ option states. (probably a fault from WP<3.0)
      • make_checkbox_array() you can now supply an extra class for the checkbox.
      • trim_excerpt() now decodes the excerpt input, improving accuracy, and so that HTML entities at the end won’t be transformed into gibberish.
    • Removed:
      • Tip: When you call a removed method in the_seo_framework() object, it’ll return null.
      • get_ld_json_transient_name()
      • delete_ld_json_transient()
    • Deprecated:
      • Soft deprecation; no warnings are shown. This will change in an upcoming major update. Reason: Expanding e-commerce tool support.
        • is_wc_shop(), use is_shop() instead.
        • is_wc_product(), use is_product() instead.
        • is_wc_product_admin(), use is_product_admin() instead.
  • For object \The_SEO_Framework\Builders\Images:
    • Changed:
      • get_content_image_details():
        1. Now strips tags before looking for images.
        2. Now only yields at most 5 images.
  • For object \The_SEO_Framework\Bridges\ListTable:
    • Added:
      • get_ajax_dispatch_updated_event(), add (term) or echo (post) this at the end of your AJAX column content to allow binding to the document.addEventListener( 'tsfLeUpdated', cb ); event in JS.
• JS notes:
  • Action tsfLeUpdated is now dispatched on our list edit events, even when no SEO Bar is showing. When expanding on our list edit API, use the new get_ajax_dispatch_updated_event() method to ensure consistency.
• Other:
  • Cleaned up code, like removing more legacy browser syntax.
  • Extended copyright year to 2020.