SmallPict

by c0redump

Description

SmallPict is the simplest way to speed up your WordPress site. We automatically compress and convert your images to modern formats (WebP & AVIF), making your pages load instantly without sacrificing visual quality.

Everything you need for a super fast WordPress website:

  • Simply Magical: Install, activate, and done. No confusing server configuration or complicated API keys.
  • Zero Server Load: Compression happens in our cloud, so your hosting server stays light and fast. Works with all hosting types.
  • Premium Quality: Smart AI technology ensures the smallest possible file size without sacrificing visual quality.
  • Your Images Stay Safe: We never store your images. After optimization, files go directly back to your WordPress — no copies kept on our servers.
  • Modern Formats: Automatically serves next-gen formats like WebP and AVIF (Pro) for superior speed.

Why SmallPict?

  • Faster WordPress website
  • Sharp images
  • No complex settings
  • Your images stay private

External services

This plugin connects to our 3rd-party external API to compress and optimize your uploaded images without impacting your local server performance.

  • Data sent: The plugin sends the raw uploaded image file along with your compression preferences (e.g., target format and quality level). This data is sent automatically in real-time every time you upload a new media file to the WordPress Media Library.
  • Service Details: The API receives the data, converts images to modern formats like WebP or AVIF based on your settings, and immediately returns the optimized image to your WordPress site. We do not permanently store or retain your images.
  • Terms of Service: https://smallpict.tuxnoob.com/en/terms
  • Privacy Policy: https://smallpict.tuxnoob.com/en/privacy

Installation

  1. Upload the plugin files to the /wp-content/plugins/smallpict directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress.
  3. Follow the opt-in wizard to connect your Freemius account.
  4. Configure your compression settings in Settings -> SmallPict.

Screenshots

  1. Dashboard: Monitor your usage and quota.

Does this plugin require an account?

Yes, it requires a free SmallPict account (managed via Freemius) to securely access the cloud processing API.

What happens if I reach my quota?

Your images will stop being optimized until your quota resets next month or you upgrade your plan.

1.1.7

  • Enhancement: Added minimalist plugin banner and high-res icon for WordPress.org repository.

1.1.6

  • Fix: Corrected GitHub Actions deploy workflow — moved SLUG and BUILD_DIR to env vars (were incorrectly passed as with: inputs to 10up/action-wordpress-plugin-deploy).
  • Fix: Replaced deprecated buttonizer/freemius-deploy GitHub Action with a direct Freemius API Python script, eliminating the set-output deprecation warning.
  • Fix: Corrected Freemius API HMAC-SHA256 signing to match PHP SDK — uses RFC 2822 date, hex HMAC digest, and URL-safe base64 without padding.

1.1.5

  • Security: Server-side quota enforcement — monthly usage now tracked in DynamoDB and enforced before each job starts.
  • Security: File size limit per plan is now validated server-side before processing begins (prevents oversized uploads bypassing plan limits).
  • Security: Removed hardcoded JWT fallback secret — API now returns 500 if JWT_SECRET env var is missing.
  • Security: is_sandbox mode is now determined by a server-side environment variable (ALLOW_SANDBOX), not a client-supplied flag (prevents quota bypass).
  • Security: S3 object key is now validated to belong to the authenticated tenant (prevents path traversal attacks).
  • Security: Replaced file_get_contents() S3 upload with streaming cURL (CURLOPT_INFILE) to prevent PHP OOM errors on large files.
  • Security: Admin JS now receives a nonce via wp_localize_script for future AJAX request verification.
  • Performance: Upload polling now uses exponential backoff (2s to 5s, max 20 attempts) replacing a flat 60-second blocking loop.
  • Performance: Bulk imports via WP-CLI and REST API now skip synchronous blocking optimization to prevent timeouts.
  • Performance: Lambda /tmp directory is now fully cleaned after each job (input + output files) to prevent storage leaks across warm invocations.
  • Performance: Presigned S3 download URLs extended from 15 minutes to 1 hour to support longer async processing jobs.
  • Fix: get_usage API endpoint now returns real usage data from DynamoDB instead of a hardcoded placeholder.
  • Fix: image/gif added to allowed upload content types for animated image support on paid plans.
  • Fix: Free-tier engine now respects the user-configured quality setting instead of hardcoding 80.
  • Fix: JWT session token expiry reduced from 7 days to 24 hours for improved security posture.
  • Compliance: All output variables pass WordPress.Security.EscapeOutput PHPCS/WPCS sniffs (confirmed zero violations).
  • Compliance: cURL streaming usage justified with phpcs:disable blocks and documented rationale.

1.1.4

  • Fix: Addressed WordPress.org review feedback regarding strict late escaping for all output data.
  • Fix: Replaced raw json_encode with wp_json_encode to comply with WordPress Coding Standards.
  • Remove: Stripped Pro UI capabilities and Freemius gating from WordPress.org build.

1.1.3

  • Fix: Freemius library conflict check.
  • Fix: Escaping inline CSS outputs.
  • Update: Added c0redump to Contributors list.
  • Update: Detailed External Services endpoint in readme.

1.1.2

  • Fix: Replaced rename() function with WP_Filesystem::move() to comply with WordPress standards.
  • Fix: Added smallpict.pot template file to satisfy Domain Path requirement.

1.1.1

  • Security: Improved output escaping and sanitization across settings and admin pages.
  • Security: Added direct file access protection to all remaining PHP files.
  • Fix: Removed development logging functions for cleaner production operation.
  • Fix: Standardized timezone handling to use gmdate().
  • Fix: Replaced unlink with wp_delete_file for better filesystem compatibility.

1.1.0

  • New: Fully managed SaaS architecture (Serverless).
  • New: Freemius integration for plans, billing, and quota management.
  • New: Strict backend validation for plan capabilities.
  • New: Added “Hard Reset” trigger for debugging localhost states (?sp_reset_license=1).
  • Improvement: Enhanced file handling with fallback strategies for Docker/NAS.
  • Improvement: Adaptive SSL verification for better compatibility.
  • Fix: Comprehensive cleanup of data during uninstallation.
  • Fix: Resolved “headers already sent” issues during activation.
  • Fix: UI synchronization for “Keep Original” format restrictions.

1.0.0

  • Initial Release.
  • Serverless Image Optimization via AWS Lambda.
  • Freemius Integration for Licensing.
  • WebP Support.