Take control of WordPress with smart performance tweaks, security enhancements, and usability improvements.
RefiTune is an all-in-one toolkit that helps optimize, secure, and refine WordPress websites without touching code. Every feature can be enabled or disabled independently through a clean and intuitive admin interface.
WordPress sites often accumulate unnecessary features, legacy functionality, and third-party plugins over time. This can lead to slower loading times, increased maintenance overhead, and a larger attack surface.
RefiTune was built to solve these problems through a single, lightweight toolkit that gives site owners and developers precise control over how WordPress behaves.
Instead of installing separate plugins for:
- XML-RPC disabling
- Login protection
- Maintenance mode
- SMTP configuration
- Admin bar control
- SVG uploads
- Comment disabling
- Redirect management
- Performance tweaks
RefiTune brings everything together in one centralized dashboard.
Every feature is completely optional.
Enable only the modules you need and leave the rest inactive. No unnecessary code runs when a feature is disabled.
Many modules are designed specifically to reduce WordPress overhead by:
- Removing unnecessary frontend and backend assets
- Limiting database growth
- Optimizing background processes
- Reducing external requests
RefiTune includes practical security improvements that can be enabled with a single click, helping protect sites against common attack vectors without requiring advanced server knowledge.
Whether you're managing:
- A personal blog
- A business website
- A WooCommerce store
- A client portfolio
- Multiple WordPress installations
RefiTune helps keep your sites lean, secure, and easier to maintain.
RefiTune follows the WordPress philosophy of flexibility and transparency. Features are organized into independent modules, making it easy to understand exactly what is active on a site.
No hidden optimizations. No mysterious settings. Just clear controls for the features you choose to use.
- Header Cleanup - Remove unnecessary
wp_headoutput. - Feed Management - Control RSS and Atom feeds.
- Disable Emoji - Remove WordPress emoji scripts and styles.
- Disable jQuery Migrate - Eliminate legacy jQuery compatibility layer.
- Disable oEmbed - Stop automatic embedding of YouTube, Vimeo, Twitter/X, and other external URLs.
- Remove Asset Version Query Strings - Strip
?ver=from frontend CSS and JS URLs. - Post Revisions Limit - Reduce database bloat.
- Auto-save Interval - Customize WordPress autosave frequency.
- Trash Auto-Delete - Automatically remove old trash items.
- Heartbeat API Control - Configure or disable Heartbeat API.
- Disable XML-RPC - Completely disable XML-RPC access.
- Disable Trackback/Pingback - Prevent spam and abuse.
- Disable File Editor - Hide built-in theme and plugin editors.
- Automatic Updates Control - Tri-state control for plugin, theme, translation, and core updates; custom update check intervals. Respects
AUTOMATIC_UPDATER_DISABLEDandWP_AUTO_UPDATE_COREinwp-config.phpwhen defined. - Login Error Messages - Use generic login errors.
- Restrict Admin Access - Control access to
wp-admin. - REST API Restrictions - Protect sensitive REST endpoints.
- Login Limit - Limit failed login attempts and reduce brute-force attacks.
- Verified Upload - Block disguised uploads (double extensions, MIME mismatches, script markers).
- Hide Admin Bar - Hide the toolbar for selected user roles.
- Block Visibility (Mobile) - Show or hide Gutenberg blocks by device type (WordPress 7.0+ has native support).
- Login Page Customization - Customize logo, colors, and branding.
- Email Notifications - Disable or fine-tune WordPress system emails.
- Email Sending - Configure SMTP or disable email delivery entirely.
- Disable Comments - Disable comments globally with WooCommerce review support.
- External Links in New Window - Automatically open external links in new tabs.
- Enable Page Excerpt - Add excerpt support to pages.
- Clean Upload Filenames - Sanitize filenames on upload (accents, spaces, special characters).
- SVG Upload - Upload SVG files with security filtering.
- AVIF Upload - Enable AVIF image uploads.
- Role Redirects - Redirect users after login or logout based on role.
- Maintenance Mode - Put the site into maintenance mode.
- Dynamic Year Shortcodes - Display the current year via
[refi-year]or duration via[refi-year from="2006"].
Overview of all available modules and their status.
Configure each feature individually.
Detailed documentation and usage instructions.
| Requirement | Version |
|---|---|
| WordPress | 5.9+ |
| Tested up to | 7.0 |
| PHP | 7.4+ |
- Go to Plugins → Add New.
- Upload the plugin ZIP file.
- Activate the plugin.
- Upload the plugin folder to:
/wp-content/plugins/refitune/
- Activate the plugin from the WordPress admin panel.
- Navigate to:
Tools → RefiTune - Site Refiner Toolkit
- Enable the modules you want to use.
Currently available languages:
- English (default)
- Hungarian (Magyar)
The plugin is translation-ready. Language files live in /languages/. Compile .po to .mo for WordPress to load translations.
Text domain: refitune
No. Most modules are designed to improve performance by removing unnecessary WordPress functionality and reducing resource usage.
Only if your theme and plugins are compatible with modern jQuery versions. Test thoroughly before enabling this option on production sites.
Some third-party services, mobile applications, and legacy integrations may stop working.
Yes. Failed attempts are tracked for both usernames and email addresses.
No. Administrators always retain access.
Yes. The plugin returns an HTTP 503 status code while maintenance mode is active.
Yes, for background updates. AUTOMATIC_UPDATER_DISABLED disables all automatic background updates site-wide. WP_AUTO_UPDATE_CORE overrides RefiTune core update settings. Update check frequency is still controlled by RefiTune cron scheduling. An admin notice appears when conflicting constants are detected.
It forces automatic updates for every plugin or theme and overrides per-item toggles on the Updates screen. Use with care on production sites.
- Automatic Updates Control
- Verified Upload
- Clean Upload Filenames
- Disable oEmbed
- Remove Asset Version Query Strings
- Plugin Check compatibility
- Media Library and SVG sanitization function conflict
- Improved redirect validation
- Enhanced SVG sanitization
- Strengthened REST API restrictions
- Improved SMTP credential handling
- Modular settings sanitization
- Initial public release
- WordPress 7.0 compatibility verification
- PHP 8.5 compatibility verification
Adds new modules (automatic updates, verified upload, clean filenames, oEmbed disable). Fixes Media Library conflict with SVG sanitization. Existing sites keep plugin auto-update preferences via legacy setting key migration.
Recommended security update including redirect hardening, SVG sanitization improvements, REST API restrictions, and SMTP credential handling improvements.
Initial release.
- Plugin page: rotistudio.com/plugins/refitune
- Author plugins: rotistudio.com
- GitHub: github.com/rotisoft/refitune
- Hungarian documentation: rotistudio.hu
- Author website: rottenbacher.hu
Licensed under the GNU General Public License v2.0 or later.