All Announcements16 Mar, 2026

v3.21.0: Security, Performance, and Smarter Infrastructure

New Feature

Improvement

Fix

Added

⚡Support Tickets: Native in-app support ticket portal replacing the Crisp chat widget. Create tickets, attach files, and track status directly from your dashboard.

⚡InstaWP CLI: New CLI token type and V2 run-cmd endpoint for programmatic site management from the command line. https://github.com/InstaWP/cli

⚡Domain Mapping Diagnostics: When domain mapping fails, you now see clear, actionable error messages (DNS misconfiguration, hostname conflicts) instead of a silent failure.

⚡Guest OTP Verification: Shared snapshot and template launch pages now require email OTP verification, with a one-site-per-guest limit for abuse prevention.

⚡CDN Static Asset Caching for Logged-In Users: CSS, JS, images, and fonts now stay cached via Bunny CDN even when users are logged into WordPress. Only dynamic PHP pages bypass cache.

⚡MCP & Local Mount Mount Bypass: /insta-mcp and /insta-mount endpoints now bypass Bunny Shield edge rules so Claude Code MCP connections and WebDAV mounts work through Shield.

⚡WaaS Payment History Filter: Filter payment history by individual WaaS site/order.

🔌Hide Account Info — New CONNECT_HIDE_ACCOUNT_INFO constant hides the connected account email and team name from the plugin UI — useful for agencies who don't want clients to see account details.

⚡PHP 8.5 & WordPress 6.9.x Support: Added across the platform.

Improved

⚡Site Upgrade Modal — Unified design between site create and site upgrade modals for a consistent experience.

⚡Free Sites Without Credit Card : New users can now create free-tier sites without adding a payment method first. Credit card is only required on upgrade.

⚡Onboarding Sidebar: Updated layout with dismiss button for the onboarding checklist.

⚡Max Execution Time: PHP max execution time cap raised from 120s to 300s.

Fixed

⚡"View Usage" 404: Fixed payment history "View Usage" returning 404 for specific accounts and PPU users on historical billing periods.

⚡Billing History: Fixed status sync bugs causing empty status values, missing first billing cycle, and incorrect subscription invoice display.

⚡WaaS Orders in Billing: WaaS v3 orders and orders with soft-deleted products now correctly appear in the hosting sales tab.

⚡Payment Failure Handling: Payment failure escalation no longer skips users who have an active subscription. Legacy team flag is now correctly restored when a new Stripe subscription is created.

⚡WaaS Team Visibility: WaaS entries are now visible to all team members and admins, not just the creator.

⚡Webhook CSV Export: Webhook History CSV no longer downloads an empty file.

⚡Bunny CDN SSL: SSL certificates are now always provisioned when adding a custom domain, even when the hostname already exists on the pull zone.

⚡Shield Downgrade: DDoS protection type, WAF settings, and image optimizer are now correctly reset when downgrading Shield plans. Fixed 403 errors on the Shield page after plan downgrade.

⚡Preview Link: Site preview link now updates immediately after successful domain mapping.

⚡Email Fixes: Fixed broken unsubscribe links, onboarding email button rendering, and improved copy for welcome/site-expired/user-deleted templates.

⚡SQLite Heartbeat: Resolved "database locked" errors in connect heartbeat writes.

⚡Logout Error: Fixed 500 error on logout when notifications are enabled.

🔌Curl Error: Fixed "Class Curl not found" error in the InstaWP Connect plugin.

🔌Select2 403: Fixed 403 errors on Select2 remote AJAX fields by auto-embedding security nonce.

⚡Local Mount on Windows: Fixed directory listing not showing contents for Windows WebDAV clients.

⚡SFTP Long User Lists: Raised SFTP Match User line limit from 8,192 to 16,384 characters for servers with many users.

🔌Plugin Access Control (CWE-862) — Fixed broken access control in 4 AJAX handlers where any authenticated WordPress user (Subscriber/Author/Editor) could perform admin-only actions. Centralized all AJAX security checks into a single verify_ajax_request() method replacing 22 scattered nonce/capability blocks.

Hardening of server level security and monitoring across the fleet.

⚡ - InstaWP App | 🔌 - Connect Plugin