0 Day Analytics

WP Panel Module – User Guide

By sdobreff on · 12 min read · WP Panel · 0-day-analytics, documentation
Table of Contents

The WP Panel module is a centralised control panel for toggling WordPress core features and settings. It lets administrators enable or disable comments, revisions, auto-updates, XML-RPC, the REST API, emojis, embeds, heartbeat behaviour, frontend asset loading, and more — all from a single, organised admin page.

Who is this for?
You need the Administrator role (the manage_options capability) to access the WP Panel module. Other user roles will not see the menu item.

Enable / Disable the Module

The WP Panel module can be enabled or disabled independently of any other Advanced Analytics feature.

  1. Navigate to Error Logs → Settings in the WordPress admin sidebar.
  2. Click the “WP Panel Options” tab (or scroll to the section headed WP Panel options).
  3. Toggle the “Enable WP Panel module” checkbox.
  4. Click Save Changes.
wp-admin/admin.php?page=advan_logs_settings#aadvana-options-tab-wp-panel
Important: Disabling the module removes the WP Panel sub-menu from the admin. All settings you previously configured remain stored in the database but stop being enforced while the module is disabled. Re-enabling the module restores enforcement of the saved settings immediately.

Accessing the WP Panel

When the module is enabled, a new WP Panel sub-menu item appears under the Error Logs menu in the WordPress admin sidebar.

wp-admin/admin.php?page=advan_wp_panel

Click it to open the WP Panel settings page.

Page Layout

The WP Panel page is organised into collapsible sections, each grouping related settings. Every section contains individual toggle cards.

  • Section header — Click any section header to collapse or expand it. The chevron icon indicates the current state.
  • Toggle card — Each setting has a card showing the setting name, a description, and a toggle switch (or input field for numeric/select settings).
  • Save button — A single Save Changes button at the bottom of the page saves all settings at once.

The eight sections are:

Section Settings Count Description
Content & Editing 6 Comments, revisions, autosave, block editor, file editing
Security & API 10 XML-RPC, REST API, application passwords, security headers
Updates 4 Core, plugin, theme auto-updates, update notifications
Front-end & Performance 8 Emojis, embeds, RSS, pingbacks, generator tags
Dequeue Frontend Assets 9 Remove specific scripts/styles from the front-end
Media 1 Attachment page redirects
Admin 1 Admin bar visibility on front-end
Heartbeat Control 5 Heartbeat API mode, frequency, per-location disabling
WP Back-end Extend 2 Last login and registration date columns in Users list

Content & Editing

These settings control WordPress content features such as comments and the post editor.

Disable Comments

Completely disables the WordPress commenting system. When enabled:

  • Closes comments and pings on all posts and pages
  • Returns an empty comments array
  • Removes the Comments admin menu
  • Removes comment support from posts and pages
  • Hides the comments link in the admin bar

Disable Post Revisions

Prevents WordPress from storing any post revisions. Helps reduce database size on content-heavy sites. Sets WP_POST_REVISIONS to false.

Note: If this toggle is OFF, you can still limit revisions using the Revisions Limit field below.

Revisions Limit

When post revisions are not fully disabled, this numeric field sets the maximum number of revisions to keep per post. Accepts values between 1 and 100. Default: 10.

Disable Autosave

Disables the WordPress autosave feature in the post editor by deregistering the autosave script.

Disable Block Editor (Gutenberg)

Reverts to the classic WordPress editor for all post types by returning false from use_block_editor_for_post and use_block_editor_for_post_type.

Disable File Editing

Disables the built-in theme and plugin file editors in the WordPress admin by defining DISALLOW_FILE_EDIT as true.

Security & API

These settings harden your site by controlling API access, removing discovery headers, and adding security headers.

Disable XML-RPC

Disables the XML-RPC interface and removes the X-Pingback header. Recommended unless you use Jetpack or the WordPress mobile app.

Restrict REST API to Logged-in Users

Requires authentication for all REST API requests. Unauthenticated requests receive a 401 error. This does not affect authenticated requests or requests that have already been validated by other plugins.

Caution: Some plugins and themes (especially headless setups, contact forms, or caching plugins) rely on public REST API access. Enabling this may break their functionality.

Disable Application Passwords

Removes the Application Passwords feature introduced in WordPress 5.6.

Removes the REST API discovery <link> tag from the HTML <head> section.

Removes the prev / next relational link tags for adjacent posts from the HTML head.

Disable REST API JSONP

Disables JSONP support in the WordPress REST API.

Removes the Link HTTP header that advertises the REST API URL from front-end responses.

Remove Version Query Strings

Strips the ?ver= query string from enqueued CSS and JS files. This helps with caching and hides version information from the public.

Remove X-Pingback Header

Removes the X-Pingback HTTP header from server responses to prevent pingback URL discovery.

Add Security Headers

Adds the following HTTP security headers to all responses:

  • X-Frame-Options: SAMEORIGIN — prevents clickjacking
  • X-Content-Type-Options: nosniff — prevents MIME type sniffing
  • Referrer-Policy: no-referrer-when-downgrade — controls referrer information

Updates

Control how WordPress handles automatic updates and update notifications.

Disable Core Auto-Updates

Prevents WordPress from automatically updating the core software, including both major and minor releases.

Security Risk: Disabling minor auto-updates means security patches will not be applied automatically. Only disable this if you have a maintenance workflow to apply updates manually.

Disable Plugin Auto-Updates

Prevents all plugins from being automatically updated.

Disable Theme Auto-Updates

Prevents all themes from being automatically updated.

Disable Update Notifications

Hides the “WordPress X.X is available! Please update now.” admin notice from the dashboard.

Front-end & Performance

Remove unnecessary scripts, styles, and meta tags from the front-end to improve page load speed and reduce HTML output.

Disable Emojis

Removes the inline emoji detection script and styles from the front-end, saving an HTTP request. Also removes the emoji DNS prefetch hint and the TinyMCE wpemoji plugin.

Disable oEmbed / Embeds

Disables the WordPress oEmbed provider and consumer. Removes embed-related scripts, discovery links, and the TinyMCE wpembed plugin from the front-end.

Disable RSS Feeds

Returns a 404 response for all RSS, Atom, and RDF feed requests. Also removes feed link tags from the HTML head.

Disable Self-Pingbacks

Prevents WordPress from sending pingback requests to its own URLs when you link to your own posts.

Remove WP Generator Tag

Removes the WordPress version meta tag (<meta name="generator">) from the HTML head. Helps conceal which WordPress version you are running.

Removes the Windows Live Writer manifest link from the HTML head. Only needed if you use Windows Live Writer to publish posts.

Removes the Really Simple Discovery (RSD) link from the HTML head. Only needed if you use external blog clients that rely on RSD.

Removes the shortlink tag from the HTML head and the Link HTTP header.

Dequeue Frontend Assets

Selectively remove WordPress core scripts and styles from the front-end. Useful for performance optimisation on sites that do not use certain features.

Caution: Removing assets that your theme or plugins depend on will break your site’s front-end. Test thoroughly after enabling any of these toggles.
Toggle Asset Handle Type Description
Dequeue wp-embed wp-embed Script Removes the embed script. Disables embedding WordPress posts on other sites.
Dequeue wp-block-library wp-block-library Style Removes Gutenberg block library CSS. Not needed if using only the classic editor.
Dequeue wp-block-library-theme wp-block-library-theme Style Removes the block library theme CSS.
Dequeue wc-block-style wc-block-style Style Removes WooCommerce block styles. Only effective when WooCommerce is active.
Dequeue jQuery jquery, jquery-core Script Removes jQuery entirely. May break plugins and themes that depend on jQuery.
Dequeue jQuery Migrate jquery-migrate Script Removes the jQuery Migrate compatibility script.
Dequeue Global Styles global-styles Style Removes global styles inline CSS generated by the block editor.
Dequeue Classic Theme Styles classic-theme-styles Style Removes classic theme compatibility styles.
Dequeue Core Block Supports core-block-supports Style Removes core block supports inline CSS.

Media

Disable Attachment Pages

Redirects attachment pages to the parent post (or the home page if no parent exists) with a 301 redirect. This prevents thin-content pages from being indexed and helps with SEO.

Admin

Hide Admin Bar on Front-end

Hides the WordPress admin bar when viewing the front-end of the site for all users, including administrators.

Heartbeat Control

The WordPress Heartbeat API sends periodic AJAX requests (every 15–60 seconds) to keep the admin interface responsive. These requests can increase server load, especially on shared hosting.

Heartbeat Mode

Choose how to handle the Heartbeat API:

Option Behaviour
Default (no changes) Leave the Heartbeat API unchanged.
Modify interval Change the heartbeat frequency to a custom interval (see Heartbeat Frequency below).
Disable globally Completely deregister the heartbeat script site-wide.

Heartbeat Frequency

When the mode is set to Modify interval, this field controls the heartbeat interval in seconds. Accepts values between 15 and 300. Default: 60. Lower values increase responsiveness but also increase server load.

Disable By Location

Even when the heartbeat mode is set to Default or Modify interval, you can disable it on specific locations:

Toggle Location Note
Admin Pages All admin pages except the post editor Safe to disable in most cases.
Post Editor The post/page editor only Disabling this also disables auto-save and post-lock warnings.
Front-end The public-facing site Most themes do not need the heartbeat on the front-end.
Note: The per-location toggles are hidden when the heartbeat mode is set to “Disable globally” (since the heartbeat is already fully disabled).

WP Back-end Extend

These settings add useful columns to the WordPress Users list table.

Last Login Column

Adds a sortable Last Login column to the Users list table (wp-admin/users.php). Shows the date and time of each user’s most recent login in the site’s configured date/time format. Displays “Never” for users who have not logged in since the feature was enabled.

Note: Login tracking starts only after this setting is enabled. Historical logins before activation are not retroactively recorded.

Registration Date Column

Adds a sortable Registration Date column to the Users list table showing when each user account was created. Uses WordPress’s built-in user_registered field, so it works for all users immediately.

Saving Settings

  1. Toggle any settings you want to change across all sections.
  2. Scroll to the bottom of the page and click Save Changes.
  3. A green success notice confirms the settings have been saved.

All settings are saved at once. You do not need to save per-section. After saving, settings take effect immediately on the next page load.

Full Settings Reference

Setting Section Type Default
Disable Comments Content & Editing Toggle Off
Disable Post Revisions Content & Editing Toggle Off
Revisions Limit Content & Editing Number (1–100) 10
Disable Autosave Content & Editing Toggle Off
Disable Block Editor Content & Editing Toggle Off
Disable File Editing Content & Editing Toggle Off
Disable XML-RPC Security & API Toggle Off
Restrict REST API Security & API Toggle Off
Disable Application Passwords Security & API Toggle Off
Disable REST Link in Head Security & API Toggle Off
Disable Adjacent Posts Rel Links Security & API Toggle Off
Disable REST JSONP Security & API Toggle Off
Disable REST Link Header Security & API Toggle Off
Remove Version Query Strings Security & API Toggle Off
Remove X-Pingback Header Security & API Toggle Off
Add Security Headers Security & API Toggle Off
Disable Core Auto-Updates Updates Toggle Off
Disable Plugin Auto-Updates Updates Toggle Off
Disable Theme Auto-Updates Updates Toggle Off
Disable Update Notifications Updates Toggle Off
Disable Emojis Front-end & Performance Toggle Off
Disable Embeds Front-end & Performance Toggle Off
Disable RSS Feeds Front-end & Performance Toggle Off
Disable Self-Pingbacks Front-end & Performance Toggle Off
Remove WP Generator Tag Front-end & Performance Toggle Off
Remove WLW Manifest Link Front-end & Performance Toggle Off
Remove RSD Link Front-end & Performance Toggle Off
Remove Shortlink Front-end & Performance Toggle Off
Dequeue wp-embed Dequeue Frontend Assets Toggle Off
Dequeue wp-block-library Dequeue Frontend Assets Toggle Off
Dequeue wp-block-library-theme Dequeue Frontend Assets Toggle Off
Dequeue wc-block-style Dequeue Frontend Assets Toggle Off
Dequeue jQuery Dequeue Frontend Assets Toggle Off
Dequeue jQuery Migrate Dequeue Frontend Assets Toggle Off
Dequeue Global Styles Dequeue Frontend Assets Toggle Off
Dequeue Classic Theme Styles Dequeue Frontend Assets Toggle Off
Dequeue Core Block Supports Dequeue Frontend Assets Toggle Off
Disable Attachment Pages Media Toggle Off
Hide Admin Bar on Front-end Admin Toggle Off
Heartbeat Mode Heartbeat Control Select Default
Heartbeat Frequency Heartbeat Control Number (15–300) 60
Admin Pages Heartbeat Heartbeat Control Toggle Off
Post Editor Heartbeat Heartbeat Control Toggle Off
Front-end Heartbeat Heartbeat Control Toggle Off
Last Login Column WP Back-end Extend Toggle Off
Registration Date Column WP Back-end Extend Toggle Off

Troubleshooting

A plugin or theme stopped working after toggling a setting

Some settings (such as disabling the REST API, jQuery, or the block editor) can break plugins and themes that depend on these features. Go back to the WP Panel, disable the problematic toggle, and click Save Changes.

Settings are not taking effect

  • Ensure the WP Panel module is enabled in Error Logs → Settings → WP Panel Options.
  • Clear any caching plugins or server-level caches after changing settings.
  • Some settings (like WP_POST_REVISIONS and DISALLOW_FILE_EDIT) use PHP constants. If these constants are already defined in wp-config.php, the WP Panel cannot override them.

The “Last Login” column shows “Never” for all users

The module begins tracking logins only after the Last Login Column toggle is enabled. Users who logged in before activation will show “Never” until their next login.

I disabled the heartbeat and now auto-save does not work

The WordPress autosave feature depends on the Heartbeat API. If you disable the heartbeat globally or on the post editor, auto-save will stop working. Consider using the Modify interval mode instead and only disabling the heartbeat on non-editor locations.

Need developer documentation?
See WP Panel Module Developer Documentation for class references, WordPress filters/actions used, settings storage details, and code examples for extending the WP Panel module programmatically.
← 0 Day Analytics – REST API Module Developer Documentation 0 Day Analytics – WP Panel Module Developer Documentation →
Share this page
Back to top