WCAG 2.1 Level AA Compliant

AI-Powered Alt Text for WordPress

Automatically generate accessible, SEO-friendly alt text for your images using OpenAI Vision API. Batch processing, human review workflow, and full page builder support.

Download Plugin Learn More
  • Secure API Key Storage
  • Human Review Workflow
  • 15+ Page Builders
Features

Everything You Need for Accessible Images

From AI generation to human review, WP AltoPilot provides a complete workflow for managing image accessibility at scale.

  • WCAG 2.1 Level AA

    AI-generated alt text follows accessibility guidelines with optimal 60-80 character descriptions that focus on meaning and function.

  • OpenAI Vision API

    Powered by GPT-4o-mini for cost-effective, high-quality image analysis. Uses base64 encoding for local/staging environments.

  • Batch Processing

    Process up to 10,000 images in background queues. Parallel processing for 3x faster results. Persists across browser sessions.

  • Human Review Workflow

    AI suggestions stored separately until you approve. Edit, regenerate, or dismiss. Bulk actions for efficient review.

  • 15+ Page Builders

    Full support for Elementor, Divi, WPBakery, Beaver Builder, Gutenberg, ACF, Oxygen, Brizy, Thrive, and more.

  • Quality Scoring

    Local WCAG-based quality scoring (0-100) for all alt text. Color-coded badges, detailed breakdowns, and dashboard stats.

  • Comprehensive Logging

    Custom logging system with user tracking, context filtering, CSV export, and automatic retention policies.

  • CDN Support

    Automatic URL resolution for Cloudflare, BunnyCDN, KeyCDN, CloudFront, Jetpack, and generic CDN subdomains.

Supported Page Builders & Plugins

  • Gutenberg
  • Elementor
  • WPBakery
  • Divi
  • Beaver Builder
  • Avada/Fusion
  • Oxygen
  • Brizy
  • Thrive
  • SeedProd
  • ACF
  • Kadence
  • Stackable
  • GenerateBlocks
  • CoBlocks

Download WP AltoPilot

Enter your email to receive the download link for the latest version.

We'll never share your email with anyone else.

Installation Steps

  1. Download the plugin zip file
  2. Go to Plugins > Add New > Upload
  3. Select the zip and install
  4. Activate & add your OpenAI key
Changelog

Version History

Track all updates, new features, and improvements to WP AltoPilot.

v2.7.3 Astra Theme Support
NEW FEATURE
  • Added Astra theme and Starter Templates image detection support
  • Scans Astra-specific meta keys: ast-*, astra-*, _astra_sites_*
  • Covers Astra Pro features: custom layouts, header/footer builder, advanced headers
  • Supports all Astra storage formats: JSON, serialized arrays, numeric IDs, URLs
Astra Meta Keys Detected
  • ast-dynamic-content, ast-featured-img, ast-advanced-headers-design
  • astra-site-meta-settings, astra-advanced-hook-header/footer/content
  • theme-transparent-header-meta, adv-header-id-meta, stick-header-meta
  • All ast-* and astra-* prefixed meta fields
v2.7.2 API Key Migration Fix
BUG FIX
  • Fixed API key not being detected after upgrading from versions prior to v2.2.0
  • Legacy encrypted API keys are now automatically detected and migrated to plain text
  • If auto-migration fails, users will see an admin notice to re-enter their API key
  • Improved API key format validation (supports sk- and sk-proj- prefixes)
Technical Details
  • get_api_key() now validates key format before returning
  • Encrypted keys from v1.1.0-v2.1.x are automatically decrypted and re-saved as plain text
  • Invalid or unrecoverable keys trigger migration notice for user action
v2.7.1 Security & Cleanup Improvements
SECURITY IMPROVEMENTS
  • Uninstall queries now use $wpdb->prepare() for WordPress coding standards compliance
  • Added backticks around table name in DROP TABLE query for safer SQL execution
DATA CLEANUP
  • Added _altopilot_page_instructions to uninstall cleanup (was previously orphaned)
  • All plugin data is now properly removed on uninstall
v2.7.0 Page Builder Compatibility Fixes
SECURITY FIX
  • Fixed unserialize vulnerability with allowed_classes security hardening
  • Prevents arbitrary object instantiation from malicious serialized data
BUG FIXES
  • Fixed silent JSON parsing failures - now logs warnings when page builder data is corrupted
  • Fixed Divi false positives - _et_pb_module_id, _et_pb_post_id no longer treated as image IDs
  • Fixed overly greedy regex patterns matching non-image IDs (max-image, image-width, image-count, etc.)
  • Fixed CDN URLs not resolving to attachment IDs
PAGE BUILDER ENHANCEMENTS
  • Elementor Pro: Added _elementor_page_settings, _elementor_controls_usage, _elementor_css meta keys
  • Oxygen Builder: Added ct_other_template, _ct_connection, oxy_settings meta keys
  • Beaver Builder: Added draft data scanning (_fl_builder_draft, _fl_builder_draft_settings)
  • Brizy: Added specific handling for brizy_post_assets (images array), brizy_project, brizy-post
  • Thrive Architect: Added tve_landing_page, tve_save_post, tve_globals, tve_custom_css meta keys
  • SeedProd: Added _seedprod_page, _seedprod_page_settings, _seedprod_page_css detection
  • WPBakery/Visual Composer: Added CSS background image extraction from _wpb_shortcodes_custom_css
GUTENBERG BLOCK ENHANCEMENTS
  • Added wp:group, wp:columns, wp:column background image detection
  • Added wp:post-featured-image block support
  • Added wp:video, wp:audio, wp:file blocks (cover/poster images)
  • Added Kadence Blocks support (kadence/image, kadence/advancedgallery with ids array)
  • Added Stackable blocks support (stk/image, stk/image-box with imageId)
  • Added GenerateBlocks support (generateblocks/image with mediaId)
  • Added Spectra/UAG blocks support (uagb/image, uagb/image-gallery)
  • Added CoBlocks support (coblocks/gallery-masonry, coblocks/gallery-carousel with ids array)
CDN & URL RESOLUTION
  • Added CDN URL fallback resolution for:
    - Cloudflare Polish/Resizing
    - BunnyCDN
    - KeyCDN
    - AWS CloudFront
    - StackPath/MaxCDN
    - Jetpack CDN (i0.wp.com, i1.wp.com, i2.wp.com)
    - Generic CDN subdomains (cdn.*, assets.*, static.*, media.*, images.*)
  • Added WebP/AVIF to original format conversion fallback (tries .jpg, .jpeg, .png, .gif)
  • Added filename-based database search as last resort
  • Added lazy-loading attribute detection (data-lazy-src, data-original, srcset)
  • Added CSS background-image URL extraction
ACF ENHANCEMENTS
  • Added ACF field suffix detection: _image, _photo, _logo, _icon, _thumbnail, _background, _banner, _avatar, _picture, _gallery, _images, _photos, _media
  • Added ACF flexible content pattern detection (field_xxx_0_image style keys)
  • Added ACF gallery field array handling (array of numeric IDs)
  • Improved nested repeater scanning with 30-level depth limit
TECHNICAL IMPROVEMENTS
  • New safe_json_decode() helper with warning logging on parse failures
  • New safe_unserialize() helper with allowed_classes:false security
  • New resolve_url_to_attachment_enhanced() with CDN fallback chain
  • All builder extraction methods now use safe parsing helpers
  • Better regex specificity to reduce false positives
v2.6.0 Comprehensive Update
SECURITY & BUG FIXES
  • CRITICAL: Fixed XSS vulnerability in Review page
  • CRITICAL: Added missing capability checks to batch operations (pause/resume/cancel/get_progress)
  • CRITICAL: Fixed race condition in batch lock logic
  • Fixed JavaScript error handling for network failures with retry mechanism
  • Fixed wrong sanitization function for textarea fields (now uses sanitize_textarea_field)
  • Fixed stats cache not being invalidated on dismiss/delete operations
  • Fixed unbounded recursion safety in image scanner
  • Added batch size validation (max 10000 images)
  • Added proper cleanup on plugin deactivation
  • Fixed duplicate CSS declarations
  • Fixed console.log removed from production code
  • Added timeout handling for all AJAX requests
NEW FEATURES
  • Added minimum 10 images batch option for smaller processing jobs
  • Added image filename search in Review Alt Text page
  • Added bulk "Generate Alt Text" action to Review page
  • Implemented parallel processing (3x faster batch processing)
  • Background queue persists across browser sessions and page reloads
  • Improved error messages with specific failure reasons
CHANGES
  • Model changed to gpt-4o-mini only (cost-efficient, fixed)
  • Removed model selection dropdown from settings
  • Default batch size changed from 100 to 50 images
v2.5.6 Universal Page Builder Detection Fix
Changes
  • Fixed images not being detected in Elementor and other page builders
  • Fixed processed images not appearing on Review Alt Text page
  • Fixed Generate button being enabled without API key on All Pages
  • Added stats cache invalidation after generating from All Pages
  • Added direct link to Review page after successful generation
  • New unified image scanner (scan_for_image_ids) for all page builders
  • Universal image key patterns covering all supported builders
  • Improved URL-to-attachment resolution with size suffix handling
  • Simplified builder-specific handlers using unified scanner
  • Better debug logging for image detection troubleshooting
  • Gutenberg, Elementor, WPBakery, Divi, Beaver Builder
  • Avada/Fusion, Oxygen, Brizy, Thrive, SeedProd
  • ACF fields, galleries, repeaters
v2.5.5 Dashboard Modernization
Changes
  • New row-based layout combining related sections side-by-side
  • Collapsible Quick Start Guide using
    element
  • Reduced spacing from 20px to 12-15px for compact design
  • More compact stat cards and quality scores
  • Quality Scores section only shown when data exists
  • Consistent 8px border-radius across all cards
  • Unified shadow depth and border styling
  • Shorter text labels for better space efficiency
  • Improved responsive breakpoints at 1024px and 782px
  • Recent Activity moves to Row 1 when no Quality data exists
v2.5.4 Dashboard Page Builder Info
Changes
  • New "Supported Page Builders" section on dashboard
  • Visual grid showing all 15 supported builders/plugins
  • Three categories: Page Builders, More Builders, Custom Fields
  • Green checkmarks for easy visual scanning
  • Info note linking to All Pages view
v2.5.3 Extended Page Builder Support
Changes
  • Avada/Fusion Builder (fusion_imageframe, fusion_gallery shortcodes)
  • Oxygen Builder (ct_builder_shortcodes, ct_builder_json for v3 and v4)
  • Brizy (JSON data with imageSrc, mediaId patterns)
  • Thrive Architect (tve_ and tcb_ meta keys)
  • SeedProd (img_id, background patterns)
  • Gutenberg blocks (wp:image, wp:gallery, wp:cover, wp:media-text)
  • Fusion Builder shortcodes [fusion_imageframe image_id="123"]
  • Oxygen shortcodes [ct_image] and JSON structures
  • Generic patterns: hero_image_id, slider_id, carousel_id, banner_id
  • Brizy imageSrc JSON patterns
  • extract_oxygen_images() - Handles both shortcode and JSON formats
  • extract_brizy_images() with search_brizy_recursive()
  • extract_beaver_builder_images() with search_beaver_recursive()
  • Enhanced meta scanning for Divi (_et_pb_*) and Thrive (tve_*, tcb_*)
v2.5.2 Universal Page Builder Support
Changes
  • Elementor (including nested widgets, galleries, background images)
  • WPBakery/Visual Composer (shortcodes, galleries)
  • Divi Builder
  • Beaver Builder
  • Gutenberg blocks
  • ACF (all field types: image, gallery, repeater, flexible content)
  • Any builder using standard WordPress patterns
  • Post content patterns (wp-image-{ID}, shortcodes, data attributes)
  • JSON structures in content (Elementor, Gutenberg)
  • Post meta scanning (serialized, JSON, numeric IDs, URLs)
  • Image URL resolution to attachment IDs
  • Recursive search through nested data structures
  • New extract_image_ids_from_content() for shortcode/attribute patterns
  • New extract_image_urls_from_content() for URL-to-ID resolution
  • New extract_elementor_images() with recursive widget search
  • Enhanced get_images_from_meta() scans ALL post meta
  • Validates all IDs are actual image attachments
v2.5.1 ACF Field Support
Changes
  • Added ACF field scanning for image detection
  • Supports ACF image fields (ID, URL, array formats)
  • Supports ACF gallery and repeater fields
  • Supports serialized and JSON meta values
  • "Used In" column now detects ACF field usage
  • All Pages image counts now include ACF images
v2.5.0 All Pages & Used In Feature
Changes
  • Added "All Pages" admin page listing all public post types (pages, posts, CPTs)
  • Custom instructions per page - append page-specific context to global settings
  • Generate alt text for all images on a specific page with one click
  • Added "Used In" column to Review Alt Text showing where images are used
  • On-demand fetch button for performance - loads usage data only when clicked
  • Click-through filtering - view only images used on a specific page
  • Updated thumbnail size to 100x100 pixels for better visibility
  • Lists all public post types with image counts
  • Shows count of images missing alt text per page
  • Custom instructions textarea saved per page
  • Instructions are appended to global settings when generating
  • Filter by post type (page, post, or custom post types)
  • Fetch button to load pages/posts where image is used
  • Detects images in post content (wp-image-{ID} pattern)
  • Detects featured images (_thumbnail_id meta)
  • Click page name to filter Review Alt Text by that page
  • New WP_AltoPilot_Pages_Table class extending WP_List_Table
  • AJAX handlers with license checks and nonce verification
  • Page instructions stored in _altopilot_page_instructions post meta
  • post_id query parameter for Review table filtering
  • On-demand loading prevents performance issues
v2.4.2 Revert Website Alt Health Feature
Changes
  • Removed "All Alt Text" overview page (parked for future release)
  • Removed "Website Alt Health" dashboard widget (parked for future release)
  • Reverted thumbnail size in Review Alt Text table back to 60x60 pixels
  • Simplified dashboard Quick Start Guide
v2.4.1 Security Enhancement
Changes
  • Added license checks to ALL AJAX handlers
  • Batch processing now requires authorized email domain
  • Review table actions require authorized email domain
  • API key validation requires authorized email domain
  • Unauthorized users are blocked at every endpoint
  • Enhanced security logging for unauthorized attempts
  • altopilot_start_batch
  • altopilot_process_chunk
  • altopilot_get_progress
  • altopilot_pause_batch
  • altopilot_resume_batch
  • altopilot_cancel_batch
  • altopilot_approve_image
  • altopilot_dismiss_image
  • altopilot_regenerate_image
  • altopilot_save_suggestion
  • altopilot_approve_all_pending
  • altopilot_bulk_action
  • altopilot_validate_api_key
v2.4.0 Quality Scoring System
Changes
  • Added quality scoring (0-100) for all alt text using local algorithms
  • Score calculation based on WCAG 2.1 Level AA, length, descriptiveness, SEO
  • New Quality column in Review Alt Text table with color-coded badges
  • Hover tooltips show detailed score breakdown by category
  • Dashboard statistics showing average score and quality distribution
  • Live score updates when editing or regenerating alt text
  • Automatic scoring on new image processing
  • Length (30pts): Optimal 60-80 characters
  • Descriptiveness (25pts): Word count and punctuation
  • WCAG Compliance (25pts): Avoids redundant phrases, meaningful content
  • SEO & Context (20pts): Capitalization and contextual words
  • 90-100: Excellent (Green)
  • 75-89: Good (Light green)
  • 60-74: Fair (Yellow)
  • 45-59: Poor (Orange)
  • 0-44: Critical (Red)
  • No API calls - completely local calculation
  • Stored in _ai_alt_quality_score post meta
  • Cached dashboard statistics (5 min)
  • Full cleanup on plugin uninstall
v2.3.0 Bulk Actions Feature
Changes
  • Added bulk approve - approve multiple images at once
  • Added bulk regenerate - regenerate alt text for multiple images
  • Added bulk dismiss - dismiss multiple suggestions at once
  • Added bulk delete - permanently remove AI data for dismissed/failed items (admin only)
  • Enhanced select-all functionality for checkboxes
  • Contextual bulk actions - delete only shown on dismissed/failed tabs
  • Confirmation prompts for all bulk actions
  • Processing indicators during bulk operations
  • Success/failure counts displayed after completion
  • Comprehensive error handling and user feedback
  • Audit logging for all bulk operations
  • CSRF protection and permission checks
v2.2.1 Email Licensing Re-enabled
Changes
  • Re-enabled email domain licensing (only @firstpage.com.au users can use the plugin)
  • Added safety checks to prevent crashes during license validation
  • License check is permissive in AJAX/cron contexts to avoid breaking site
  • Returns access if user context cannot be determined (defensive approach)
  • Maintains stability improvements from v2.2.0
v2.2.0 Simplified & Stable Release
Changes
  • Removed encryption for API key storage (stored securely in WordPress options)
  • Disabled email-based licensing restrictions (can be re-enabled later)
  • Simplified all authentication checks
  • Removed server-specific compatibility issues
  • No more 502 errors when saving settings
  • Complex encryption was causing fatal errors on certain server configurations
  • Cloudways/Vultr servers had issues with sodium/openssl functions
  • WordPress options table is already secure (better to keep it simple)
  • Licensing can be added back later when needed
  • Plugin now works reliably on all server types
  • Settings save without crashing
  • Much simpler, more maintainable code
v2.1.3 Stability & Reliability Update
Changes
  • Added validation for all API response structures
  • Fixed potential crashes from invalid JSON responses
  • Added file size limits (10MB) to prevent memory exhaustion
  • Validated batch queue data structure before processing
  • Added automatic table recreation if database insert fails
  • Protected file_get_contents with error suppression
  • Added memory cleanup after base64 encoding large files
  • Validated classification JSON parsing with fallback
  • Added type checking for all array accesses
  • Better error logging for debugging
  • Graceful degradation when features fail
  • More informative error messages
  • Reduced risk of fatal errors across all operations
v2.1.2 Critical Hotfix
Changes
  • Fixed fatal error in encryption/decryption methods causing 502 gateway errors
  • Added comprehensive try-catch blocks to prevent crashes
  • Added validation for encryption function results
  • Improved error logging for encryption failures
  • Added class existence checks before logging to prevent errors
  • Fixed base64_decode validation
If you experienced 502 errors, please update immediately
v2.1.1 Email-Based Licensing
Changes
  • Licensing now based on user email domain instead of site domain
  • Only users with @firstpage.com.au email can use the plugin
  • Works on any client domain if user has authorized email
  • Updated license error messages to reflect email requirement
  • Enhanced audit logging with email domain tracking
v2.1.0 Domain Licensing System
Changes
  • Added domain-based licensing system
  • Only authorized domains can use the plugin
  • Automatic license validation on plugin load
  • Professional license error page with contact information
  • Security audit logging for unauthorized access attempts
  • Hardcoded domain whitelist in class-license-manager.php
  • Plugin features disabled on unauthorized domains
  • Admin notices for license status
  • Easy domain management for authorized resellers
  • Add client domains to $authorized_domains array in class-license-manager.php
  • Supports domain with/without www prefix
  • Localhost and 127.0.0.1 included for development
v2.0.0 Production Ready Release
Changes
  • Fixed SQL injection vulnerabilities with prepared statements
  • Replaced weak encryption with libsodium/OpenSSL for API keys
  • Added CSRF protection to all sensitive actions
  • Implemented file path validation to prevent traversal attacks
  • Standardized capability checks across all endpoints
  • Added race condition protection with transient locking
  • Sanitized all external API error messages
  • Implemented rate limiting (100 API calls/hour)
  • Complete dashboard redesign with optimized layout and spacing
  • Improved space utilization - compact, professional interface
  • Added automatic API key migration detection with admin notices
  • Enhanced uninstall routine - complete data cleanup
  • Optimized database queries for better performance
  • Added comprehensive security audit logging
  • Improved error handling and user messaging
  • Proper uninstall cleanup for batch processing data
  • Migration-aware API key encryption system
  • Responsive grid layouts with better breakpoints
  • Streamlined activity feed with improved readability
  • WordPress coding standards compliance
v1.1.0 Security Hardening Release
Changes
  • CRITICAL: Fixed SQL injection vulnerabilities in class-logger.php with proper prepared statements
  • CRITICAL: Replaced weak XOR encryption with libsodium (PHP 7.2+) or OpenSSL fallback for API keys
  • CRITICAL: Added CSRF protection to CSV export functionality
  • CRITICAL: Implemented comprehensive file path validation to prevent path traversal attacks
  • HIGH: Standardized capability checks across all AJAX endpoints (manage_options for admin ops, edit_posts for review)
  • HIGH: Added transient-based locking to prevent race conditions in batch processing
  • HIGH: Sanitized all external API error messages before logging/display
  • MEDIUM: Implemented rate limiting (100 API calls per hour per user)
  • MEDIUM: Optimized dashboard statistics queries from O(n) to O(1) using direct SQL
  • MEDIUM: Added input validation with whitelists for all settings
  • Added comprehensive security audit logging for unauthorized access attempts
  • Moved all database queries from templates to class methods
  • Added proper error handling for encryption/decryption failures
  • Improved error messages with clear, actionable information
  • Added security context logging for all sensitive operations
  • API keys now encrypted with libsodium (preferred) or OpenSSL (fallback)
  • All AJAX handlers now include security audit logging
  • Batch processing uses lock mechanism to prevent concurrent execution
  • Direct SQL queries replace WP_Query for performance in statistics
  • All user inputs validated against whitelists
  • Enhancement: Dashboard layout improved with introduction and usage instructions.
  • Enhancement: Recent activity moved to sidebar for better layout.
  • Enhancement: Tags in review table are now shorter with max-width and ellipsis.
  • Enhancement: Alt text prompt updated to WCAG 2.1 Level AA standards (60-80 chars, focus on meaning/function).
  • Enhancement: Actions column in review table reorganized with flexbox for better UX.
  • Enhancement: User tracking added to all log entries.
  • Feature: CSV export functionality added to logs page.
  • Feature: User filter added to logs page.
  • Enhancement: Settings page completely redesigned for better UX and clarity.
  • Enhancement: Settings form sections now properly organized with improved descriptions.
  • Enhancement: Removed batch size setting (now configured per-batch on dashboard).
  • Enhancement: Tags reduced from 5-10 to 3-5 for better relevance.
  • Fix: AJAX handler initialization moved outside is_admin() check to prevent 400 errors.
  • Fix: Infinite dashboard refresh loop after batch processing completes.
  • Fix: Batch queue now properly cleared on completion to prevent reload loops.
  • Fix: "Approve" button logic to ensure alt text is saved correctly.
  • Fix: UI alignment for action buttons in Review Table.
  • Fix: Initialization error (400 Bad Request) for AJAX actions.
  • Added: Advanced Filtering and Bulk Approval features.
  • Initial release.
Feedback

Report a Bug or Request a Feature

Help us improve WP AltoPilot by sharing your feedback. We read every submission.

Bug Reports

Include steps to reproduce and your environment details.

Feature Requests

Describe the problem you're trying to solve.