Product Update v3.21.0: Security, Performance, and Smarter Infrastructure

v3.21.0 is one of our most security-focused releases to date. From distributed attack detection and webshell scanning to nginx rate limiting and page builder performance improvements, this release hardens your WordPress infrastructure at every layer; without you needing to touch a thing.

What’s New

#1 – Native Support Ticket Portal

From 12th March onwards, our users can now create, view, and track support tickets directly from the dashboard. The new support pages, Create, List, and Show, give customers a dedicated place to submit issues and follow up on them, without leaving the platform. A cleaner help experience for users, and less friction between a problem and its resolution.

#2 – InstaWP CLI

A new CLI token type and V2 run-cmd endpoint enable programmatic site management from the command line.

Full details at GitHub – InstaWP/cli: InstaWP CLI – Create and manage WordPress sites from the terminal · GitHub

#3 – Domain Mapping Diagnostics

Domain mapping failures now surface clear, actionable error messages; DNS misconfiguration, hostname conflicts, and more — instead of failing silently.

#4 – Guest OTP Verification

Shared snapshot and template launch pages now require email OTP verification. A one-site-per-guest limit is enforced to prevent abuse.

#5 – CDN Static Asset Caching for Logged-In Users

CSS, JS, images, and fonts now stay cached via Bunny CDN even when a user is logged into WordPress. Only dynamic PHP pages bypass the cache.

#6 – Granular Bot Detection Settings

Shield now lets you configure per-detector sensitivity and aggression levels; request integrity, IP address, and browser fingerprint; directly from the settings panel.

#7 – MCP & Local Mount Bypass

The /insta-mcp and /insta-mount endpoints now bypass Bunny Shield edge rules, so Claude Code MCP connections and WebDAV mounts work correctly through Shield.

#8 – WaaS Payment History Filter

Payment history can now be filtered by individual WaaS site or order.

#9 – Promotional Banner Admin

Promotional banners are now managed from the Backpack admin panel instead of .env variables.

#10 – Hide Account Info (Plugin)

A new CONNECT_HIDE_ACCOUNT_INFO constant hides the connected account email and team name from the plugin UI — useful for agencies who don’t want clients to see their account details.

#11 – PHP 8.5 & WordPress 6.9.x Support

Both are now supported across the platform.

Improvements

1. Site Upgrade Modal — The site create and site upgrade modals now share a unified design for a consistent experience.
2. Free Sites Without Credit Card — New users can create free-tier sites without adding a payment method. A card is only required when upgrading.
3. Onboarding Sidebar — Updated layout with a dismiss button for the onboarding checklist.
4. Max Execution Time — PHP max execution time cap raised from 120s to 300s.

Fixes

1. “View Usage” 404 — Fixed the payment history “View Usage” link returning 404 for specific accounts and PPU users on historical billing periods.
2. Billing History — Resolved status sync bugs causing empty status values, a missing first billing cycle, and incorrect subscription invoice display.
3. WaaS Orders in Billing — WaaS v3 orders and orders with soft-deleted products now correctly appear in the hosting sales tab.
4. Payment Failure Handling — Failure escalation no longer skips users with an active subscription. Legacy team flag is correctly restored when a new Stripe subscription is created.
5. WaaS Team Visibility — WaaS entries are now visible to all team members and admins, not just the creator.
6. Webhook CSV Export — Webhook History CSV exports no longer download as empty files.
7. Bunny CDN SSL — SSL certificates are now always provisioned when adding a custom domain, even when the hostname already exists on the pull zone.
8. Shield Downgrade — DDoS protection type, WAF settings, and image optimizer are correctly reset when downgrading Shield plans. Fixed 403 errors on the Shield page after a plan downgrade.
9. Preview Link — Site preview link now updates immediately after successful domain mapping.
10. Email Fixes — Fixed broken unsubscribe links, onboarding email button rendering, and improved copy across welcome, site-expired, and user-deleted email templates.
11. SQLite Heartbeat — Resolved “database locked” errors in connect heartbeat writes.
12. Logout Error — Fixed a 500 error on logout when notifications are enabled.
13. Plugin: Curl Error — Fixed “Class Curl not found” error in the InstaWP Connect plugin.
14. Plugin: Select2 403 — Fixed 403 errors on Select2 remote AJAX fields by auto-embedding a security nonce.
15. Local Mount on Windows — Fixed directory listing not showing contents for Windows WebDAV clients.
16. SFTP Long User Lists — Raised the SFTP Match User line limit from 8,192 to 16,384 characters for servers with large user counts.
17. Plugin Access Control (CWE-862) — Fixed broken access control in 4 AJAX handlers where any authenticated WordPress user could perform admin-only actions. All AJAX security checks are now centralized into a single verify_ajax_request() method, replacing 22 scattered nonce/capability blocks.
18. Server Security — Hardened server-level security and monitoring across the fleet.

Enterprise

1. Whitelabel Domain Mapping Alerts — Slack notifications when a whitelabel customer’s domain mapping fails, including actionable error details.
2. Fleet IP Management — Centralized IP whitelist and unblock API to prevent re-blocking of legitimate enterprise customer IPs across the server fleet.
3. Backup Alerts — Slack alerts for stuck backup jobs, orphan cleanup, heartbeat failures, and zombie worker detection, with per-alert-type toggles.
4. Push-Only Migration — A new migration mode that pushes directly to the destination without requiring the Connect plugin. Particularly useful when migrating demo sites.
5. Migration Funnel — Redesigned migration page, import site modal, and site creation modal with an improved overall UX.

Conclusion

This release is the broadest InstaWP update in recent memory — touching nearly every layer of the platform. Support is now native and trackable. The CLI opens the door to serious automation workflows. Security gets smarter with granular bot detection and a hardened access control model in the plugin. CDN caching finally works the way logged-in users expect it to. And a long list of billing, email, and WaaS fixes means fewer of those quiet, frustrating edge cases making it to your clients.

For agencies, the Hide Account Info constant and WaaS team visibility fixes alone are worth the upgrade. For developers, the CLI and MCP/Local Mount bypass change how you interact with the platform at a fundamental level. For everyone managing sites at scale, the enterprise alerts and fleet IP management close gaps that previously required manual intervention.

Try the new features now →