Get Pro

Features

Every feature in OvKit

39 WordPress admin tools in one plugin. 20 free, 19 Pro. Each feature has a risk label so you know exactly what is safe for your site. No guessing, no breaking things silently.

Performance — 8 features

WordPress loads scripts, styles, and meta tags that most sites never use. These features remove the dead weight. Together they typically save 6–12 HTTP requests and 80–200KB per page load.

Remove emoji scripts (Free)

WordPress loads ~10KB of emoji detection JavaScript on every page, even if you never use emojis. This script was added in 2015 for browsers like IE 10 that could not render emojis natively. Every modern browser handles emojis without help. Removing it saves one HTTP request and 10KB on every page load. Safe on all sites.

Disable oEmbed scripts (Free)

WordPress loads JavaScript to support automatic embedding of YouTube, Twitter, and other media via oEmbed. If you embed media manually or do not use embeds at all, this script is unnecessary overhead. Disabling it saves one HTTP request per page.

Clean wp_head output (Free)

WordPress adds several meta tags to your page source that serve no purpose for most sites: RSD (Really Simple Discovery) links for blog editors from 2005, WLW (Windows Live Writer) manifest links, shortlink tags, and adjacent post relation links. OvKit removes all of them in one toggle. Saves 4–6 unnecessary tags from every page.

Remove query strings from static resources (Free)

WordPress appends version query strings like ?ver=6.5 to CSS and JavaScript URLs. Many CDNs and caching proxies refuse to cache URLs with query strings. Removing them improves cache hit rates and speeds up repeat visits.

Disable self-pingbacks (Free)

When you link to your own posts, WordPress sends itself a pingback — generating a database write and a notification for no reason. Disabling self-pingbacks reduces unnecessary database load and keeps your comment moderation clean.

Limit post revisions (Free)

WordPress stores every save as a revision, indefinitely. A post edited 50 times has 50 revisions in the database. OvKit lets you set a sensible limit (5, 10, or 15 revisions). Older revisions are not deleted — the limit only applies going forward. Reduces database bloat over time.

Control WordPress Heartbeat API (Free)

The Heartbeat API sends AJAX requests every 15–60 seconds to keep sessions alive and enable real-time features like autosave. On the post editor this is essential. On the dashboard and front-end it is unnecessary load. OvKit lets you disable Heartbeat on pages where it is not needed, or reduce its frequency to save server resources.

Defer JavaScript loading (Pro)

Adds defer attribute to non-critical JavaScript files so they load without blocking page rendering. Improves Time to Interactive and reduces Total Blocking Time — two key Core Web Vitals metrics. OvKit automatically excludes scripts that break when deferred (like jQuery on older themes).

Security — 10 features

WordPress has well-known attack vectors that most sites leave open by default. These features close them without breaking functionality. No firewall, no WAF, no complex rules — just sensible defaults that should have been built in.

Hide login error hints (Free)

By default, WordPress login tells attackers whether the username or password was wrong: “Unknown username” vs “Incorrect password.” This confirms valid usernames for brute force attacks. OvKit replaces both messages with a generic error. Safe on every site, no exceptions.

Disable XML-RPC (Free)

XML-RPC is a legacy remote access protocol from before the REST API existed. It allows brute force amplification attacks (testing hundreds of passwords in a single request) and DDoS pingback abuse. If you do not use the WordPress mobile app, Jetpack, or third-party posting tools that rely on XML-RPC, disabling it closes a major attack surface.

Block author enumeration (Free)

Visiting /?author=1 on most WordPress sites reveals the admin username by redirecting to /author/admin-name/. Automated scanners use this to build username lists for brute force attacks. OvKit blocks this endpoint entirely. Safe on all sites.

Remove WordPress version number (Free)

WordPress exposes its version in a meta tag, RSS feeds, and script query strings. Automated scanners use this to target sites running outdated versions with known vulnerabilities. Removing it adds obscurity at zero cost. It does not make you secure alone, but it removes a signal that attackers use to prioritise targets.

Disable application passwords (Free)

WordPress 5.6 added application passwords for REST API authentication. They are powerful but most sites never use them. Each unused authentication method is attack surface. If you do not connect external apps to WordPress via REST API, disable them.

Disable file editor (Free)

WordPress includes a built-in code editor at Appearance and Plugins that lets anyone with admin access modify PHP files directly from the browser. If an attacker gains admin access, this editor gives them immediate code execution. Disabling it is standard security practice. Use FTP or your host file manager instead.

Restrict REST API to authenticated users (Free)

The WordPress REST API exposes user data, post content, and site structure to unauthenticated requests by default. This is necessary for headless setups and some plugins (like WooCommerce and Contact Form 7) but unnecessary on most standard sites. OvKit restricts REST API access to logged-in users only. Check the compatibility note if you use forms or e-commerce.

Add security headers (Pro)

Adds HTTP security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. These prevent MIME-type sniffing, clickjacking, referrer leaking, and unnecessary browser API access. Standard hardening that enterprise sites require but most WordPress sites lack.

Disable directory browsing (Pro)

If directory indexes are enabled on your server, anyone can browse your uploads folder, plugin directories, and theme files. OvKit adds the necessary rules to prevent directory listing. Most good hosts disable this already, but many do not.

Force logout on idle sessions (Pro)

WordPress sessions can stay active for days. On shared computers, public networks, or client sites, this is a security risk. OvKit lets you set an idle timeout (30 minutes, 1 hour, 4 hours) after which inactive users are automatically logged out.

Cleanup — 12 features

The WordPress admin panel accumulates clutter: nag screens, unused widgets, unnecessary menus, spam comments. These features clean it all up so your admin (and your clients admin) looks professional.

Remove dashboard widgets (Free)

The WordPress dashboard shows widgets for Quick Draft, WordPress Events, At a Glance, and Activity — plus whatever plugins add. Most of these go unread. OvKit removes them so the dashboard is clean and fast-loading. You choose which to keep.

Disable admin email verification nag (Free)

Every six months WordPress asks the admin to verify their email address with a modal that blocks access to the dashboard. It is well-intentioned but disruptive on client sites. OvKit removes it.

Clean admin bar (Free)

Removes unnecessary items from the WordPress admin bar: WordPress logo menu, comments link (if unused), and other default items that add visual noise without value.

Remove Welcome panel (Free)

The Welcome to WordPress panel appears on the dashboard until manually dismissed. On client sites, it looks unprofessional. OvKit removes it permanently.

Disable comments site-wide (Free)

Many business sites, portfolios, and landing pages do not need comments. Instead of disabling them per-post, OvKit disables comments across the entire site in one toggle: removes the menu item, closes existing comment forms, hides comment counts, and removes the Recent Comments widget.

Remove shortlink tags (Free)

WordPress generates ?p=123 shortlinks in your page source. These are redundant if you use pretty permalinks (which you should). Removing them cleans up your HTML head.

Disable RSS feeds (Free)

If nobody reads your RSS feed, it still generates on every request. For brochure sites, portfolios, and landing pages, RSS is unnecessary. OvKit can disable it and redirect feed URLs to the homepage.

Remove RSD and WLW links (Free)

RSD (Really Simple Discovery) and WLW (Windows Live Writer) manifest links are legacy meta tags for desktop blog editors that no longer exist. Every WordPress site outputs them, no WordPress site needs them.

Remove adjacent post links (Free)

WordPress adds rel="prev" and rel="next" link tags in the head for single posts. These were once used by browsers for prefetching but are now ignored. Removing them cleans up page source.

Clean plugin action links (Pro)

Many plugins add promotional links (“Go Pro!”, “Rate us!”) to the plugin list page. OvKit strips these non-essential action links so the Plugins page stays clean and professional — especially important on client sites.

Simplify image filenames on upload (Pro)

Renames uploaded files to clean, URL-friendly slugs: removes accents, special characters, and unnecessary words. A file named “Héröbild (copy) FINAL_v2.jpeg” becomes “herobild-copy-final-v2.jpeg”. Improves image SEO and prevents URL encoding issues.

Auto-trash spam comments (Pro)

Automatically moves spam comments to trash after a configurable number of days (7, 14, or 30). Prevents spam from accumulating in your database. Works alongside Akismet or any other spam filter.

Admin UI — 9 features

Make the WordPress admin look like yours. Branding, layout, role-based visibility — the tools agencies need to deliver a polished backend without building custom admin themes.

Custom admin footer text (Pro)

Replace the default “Thank you for creating with WordPress” footer with your agency name, client name, or support contact. Small detail, big professional impression.

Custom login page styling (Pro)

Replace the WordPress logo on the login page with your own. Change background colour, form styling, and button colours. No separate login page plugin needed — OvKit handles it with a simple settings panel.

Role-based admin menu visibility (Pro)

Hide admin menu items based on user role. Show editors only what they need. Hide the Tools menu from authors. Remove the Settings page for shop managers. Simplifies the admin experience for non-technical users without changing their WordPress capabilities.

Role-based admin notice filtering (Pro)

WordPress admin is full of notices: update reminders, plugin promotions, security alerts. Most are irrelevant to most roles. OvKit lets you filter which notices each role sees. Admins see everything. Editors see only what matters to them.

Admin colour scheme override (Pro)

Force a specific admin colour scheme for all users. Prevents clients from accidentally switching to a different scheme and thinking something broke. Useful for brand consistency across client sites.

Reorder admin menu items (Pro)

Drag and drop admin menu items into a custom order. Put the most-used items at the top. Group related items together. The order applies to all users of the same role.

Rename admin menu labels (Pro)

Rename any admin menu item. Change “Posts” to “Articles” or “Blog.” Change “WooCommerce” to “Shop.” Change “Appearance” to “Design.” Makes the admin speak your clients language, not WordPress jargon.

Add custom CSS to admin (Pro)

Inject custom CSS into the WordPress admin. Hide specific elements, adjust spacing, change fonts, or apply brand colours to admin components. Full control without editing theme files.

White-label admin branding (Agency)

Replace all OvKit branding in the admin with your own: your logo in the dashboard, your name in the plugin list, your colours in the settings panel. Clients never see “OvKit” — they see your brand. Available exclusively on the Agency plan.

Pro-only management tools

Activity log with rollback

Every change you make in OvKit is logged with a timestamp, the user who made it, and the before/after state. If something breaks or a client flips the wrong switch, open the Activity Log and revert in one click. No database edits, no FTP, no downtime.

Smart admin notices centre

Collects all WordPress admin notices into a dedicated panel instead of scattering them across the top of every page. Filter by type (error, warning, info, success), dismiss permanently, and control which roles see which notices.

Site-type presets

One-click configurations optimised for common site types: Blog, WooCommerce Store, Agency Client Site, Membership Site, Portfolio. Each preset enables 15–20 compatible features tested for that specific setup. Customize after applying.

Export and import settings

Export your entire OvKit configuration as a JSON file. Import on any other site. Perfect for agencies deploying the same baseline across 10, 20, or 50 client sites. Configure once, deploy everywhere.

Scheduled scans

OvKit runs a weekly automated compatibility scan and updates risk labels based on any changes to your plugins, theme, or WordPress version. Get notified if a previously safe feature becomes risky after an update.

20 features are free forever — no account, no limits. See pricing for Pro plans starting at €29/year. All plans include a 14-day money-back guarantee.