TalkDock — Floating Chat Button

TalkDock is a lightweight WordPress plugin that displays a floating chat button on your site. When a visitor clicks the button, it opens a WhatsApp conversation using a standard wa.me link that you configure. The plugin is built around a single settings panel, has no third-party tracking, and ships with a .pot translation template. What this plugin does

• Outputs a floating circular chat button in your site footer.
• Links the button to a WhatsApp number using a wa.me URL that you provide.
• Lets you set gradient colors using the native WordPress color picker.
• Positions the button on the left or right, with adjustable pixel distance from the edges.
• Optionally prefills a starting message so visitors don't have to type one.
• Offers four animation styles: bounce, pulse, shake, or none.
• Includes visibility rules: show to all visitors, only to logged-in users, or only to logged-out visitors.
• Includes a "hide on mobile" toggle for screens narrower than 782px.
• Lets you set a custom accessibility label that screen readers announce.
• Provides the shortcode [talkdock_button] for placing inline buttons inside content.
• Shows a live preview inside the settings panel.
• Deletes its options on uninstall, unless you opt to preserve data.

Note on WhatsApp This plugin is not affiliated with, endorsed by, or connected to WhatsApp LLC, Meta Platforms, Inc., or any of their subsidiaries. "WhatsApp" is a trademark of WhatsApp LLC and is used here only to describe the type of link the button opens (the public wa.me click-to-chat URL format published by WhatsApp). How it connects to WhatsApp TalkDock does not communicate with WhatsApp servers from your site. It simply renders an <a> link pointing to a wa.me URL that you enter in the settings. The conversation opens in the WhatsApp app or WhatsApp Web on the visitor's device, exactly as it would if you placed a regular wa.me link in your content. No data is sent to WhatsApp by the plugin itself, and no external API is called. Pro version A paid TalkDock Pro add-on is sold separately from this free plugin and is not hosted on WordPress.org. The free plugin is fully functional on its own — nothing in the feature list above requires Pro. The "Pro Features" tab inside the plugin describes what the paid add-on offers and links to it. You can ignore the Pro tab entirely; the free plugin will continue to work without it. Developers Hooks available for extensions:

• talkdock_loaded — fires after all components boot.
• talkdock_default_settings — filter to register additional default keys.
• talkdock_sanitize_settings — filter to sanitize additional keys.
• talkdock_should_render_widget — gate the frontend render.
• talkdock_widget_href — final-stage URL filter.
• talkdock_widget_css — modify the generated widget stylesheet. The legacy talkdock_inline_css filter is still called for backward compatibility, but CSS is written through the generated stylesheet path.
• talkdock_register_admin_submenu — register additional submenus under the parent slug.
• talkdock_admin_tab_content — inject content into additional tabs.

1.1.5

• Resolved the Plugin Check nonce-verification warning in settings checkbox payload handling.
• Reconfirmed AJAX no-refresh settings saving, persisted-value verification, and POST fallback.
• Maintained save status feedback and live-preview refresh after successful saves.

1.1.2

• Added the TalkDock Pro integration hooks while keeping all free features fully functional without the add-on.
• Hardened settings saves, feedback uploads, frontend asset enqueues, and generated CSS output for WordPress.org review.
• Refined the admin UI, responsive tab layout, and shadow-free design system.
• Preserved the existing privacy posture: no background telemetry and no visitor data sent by the free plugin.

1.0.9

• Fixed WordPress.org review blockers: all JavaScript is enqueued through WordPress, the text domain is consistently talkdock across plugin headers, gettext calls, and the POT template, external service disclosure is explicit, Report-a-Bug uploads are sanitized and validated at the boundary, and frontend design CSS is generated from validated values instead of printed as raw inline CSS.
• Removed the remote Google Fonts admin dependency and uses the system font stack instead.
• Cleaned admin/front-end markup output and tightened late escaping for dynamic values.
• Normalized Markas Studio public links under https://studio.markashosting.com/plugins/talkdock/, including docs, support, TalkDock Pro, Terms of Use, and Privacy Policy permalinks.
• Removed the optional author homepage header because the plugin-specific URL is intentionally used as the Plugin URI; this avoids duplicate URL validation errors during WordPress.org submission.

1.0.8

• FIX (Report-a-Bug delivery): the modal showed "Thanks — your report has been recorded" even when the cross-site bug-report receiver returned HTTP 413 (payload too large). Two underlying issues: (a) the dispatcher treated any non-WP_Error response from wp_remote_post as success, so a 413 / 429 / 500 from the receiver slipped through as ok = true; (b) the receiver's body cap was 1 MB while the plugin permits up to 3 × 5 MB images, so a typical multi-screenshot bug report exceeded the cap. The dispatcher now requires an actual 2xx status before reporting success; on non-2xx the modal shows an honest "Saved locally — receiver was unreachable" warning and leaves itself open so the user can resend. The receiver-side cap (in the Markas Studio dashboard's plugin-bug intake) has been raised to 12 MB to match the plugin's spec'd wire budget with comfortable headroom.
• FIX (response parsing — receiver entry_id): the cross-site receiver responds with { success: true, id: <post_id>, message: '...' } on a successful intake, where id is the reference number of the recorded report on the receiver side. The previous dispatcher discarded the body entirely on 2xx and returned only { ok, status } upstream, so the receiver's reference number was lost between layers. The dispatcher now decodes the response body, extracts the id field (accepting entry_id as a forward-compat alias), and propagates it as remote_entry_id through the dispatch result → local log row → AJAX response → modal history pill. The user-facing success message now includes the receiver-assigned reference ("Thanks — your report has been recorded (ref #847)."), and the Previous Reports panel renders sent rows as "Sent · #847" so the user has a number to cite in any follow-up. Pre-1.0.8 log entries that lack the field render as "Sent" with no reference, gracefully — no data migration required.
• NEW (Smart auto-resize): screenshots are now optimized client-side before submission. Images larger than the per-image target are scaled to a 1920px longest edge and re-encoded as JPEG with progressive quality steps (0.85 → 0.72 → 0.6) until they fit. A typical 5 MB retina screenshot lands at ~400–600 KB without visible quality loss, and the 413 budget becomes practically unreachable from the UI.
• NEW (Paste-from-clipboard): you can now paste a screenshot directly into the open modal with Cmd / Ctrl + V. Captured images run through the same auto-resize pipeline. A timestamped filename is synthesized so multiple pastes don't collide. Text pastes into the subject / message inputs are left untouched.
• NEW (Previous reports panel): an opt-in "Show previous reports" disclosure inside the modal lists the most recent submissions from this site with their delivery status (Sent / Local only / Not delivered). Reads from the existing bounded local log; no new options are created. Lazy-loaded on first expand.
• FIX (wp_options bloat): the local tlkd_feedback_log option no longer stores the base64-encoded attachment binary. With 50 entries × up to 15 MB raw attachments, the option row could theoretically reach ~750 MB and slow every admin page load. The log now stores per-attachment metadata only (name, MIME, byte count); the audit trail is preserved, the bloat hazard is gone.
• FIX (privacy / wire format): the dispatcher's outbound User-Agent no longer includes home_url(). The readme privacy section already promised the plugin never auto-attaches your site URL, but the previous header TalkDock/1.0.7; <home_url> shipped it on every dispatch. The receiver-side dashboard derives the source host from the Origin / Referer header (unchanged), so the User-Agent is now plain TalkDock/1.0.8.
• HARDENING (PHPCS hygiene): the $_FILES superglobal is read in three places inside process_attachments() (existence check, raw-array capture, per-file loop). The previous build used an inline phpcs:ignore that only covered one line and left the other two flagged. Replaced with a method-scoped phpcs:disable / phpcs:enable pair stacking both WordPress.Security.NonceVerification.Missing and WordPress.Security.ValidatedSanitizedInput.InputNotSanitized. Each suppression carries a one-line justification naming the mitigation. No behavioural change.
• HARDENING (link-rel sweep): every target="_blank" link in the plugin's admin views now uses rel="noopener noreferrer" (was rel="noopener"). noopener neutralizes reverse-tabnabbing; noreferrer additionally suppresses the Referer header so the destination site does not learn which wp-admin/admin.php?page=… page the click came from.
• No change to the AJAX action names, the nonce, the option keys, the validation rules, the JSON payload schema, the diagnostic block, or what is opt-in vs opt-out. The 5 MB per-image cap and 3-image cap are unchanged. The set of fields transmitted is unchanged — except that the outbound User-Agent header no longer contains home_url(), per the readme's privacy guarantee.

1.0.7

• Polished the Report-a-Bug modal. The submit button now shows an inline spinner during dispatch and a brief checkmark on success instead of swapping its text; the form is disabled while the request is in flight so the loading state is clearly bounded.
• Fixed a desktop layout regression where the modal could overflow the viewport once the "Sending…" status banner appeared, clipping the footer off the bottom of the screen. The dialog → wrapping form → body now form a proper flex column, so the body scrolls internally instead of pushing the dialog past its max-height cap. The status banner is also auto-scrolled into view when it appears. The dialog now also offsets for the WordPress admin bar (32px / 46px) so it never sits beneath it on desktop.
• Replaced the fragile backdrop-filter: blur(8px) scrim with a solid dim (rgba(15, 16, 20, 0.62)) that renders deterministically regardless of WP admin chrome stacking contexts. The previous blur approach caused "ghost" rendering where tabs and buttons bled through the backdrop. Removed the associated defensive isolation: isolate and z-index: 0 hacks that were only propping up the broken filter.
• Switched the admin CSS and JS enqueue from a static plugin-version cache key to a filemtime()-based version. Any byte-level change to admin/css/admin.css or admin/js/admin.js now forces an immediate browser refetch even when the plugin version has not been bumped (the recurring iteration-on-a-single-tag cache problem). The headline plugin version stays visible in ?ver=… because the new format is TLKD_VERSION.MTIME with a graceful fallback to plain TLKD_VERSION if the file cannot be stat'd.
• Refined the modal visuals toward a minimalist, system-style aesthetic: clean solid-dim backdrop, tighter typography, larger corner radius on desktop, and a primary-indigo Send action that matches the rest of the admin brand instead of the accent terracotta.
• Mobile rendering hardened: switched the full-screen breakpoint to 100dvh (fixes iOS Safari toolbar overlap), added safe-area-inset padding for notched devices, and reduced the body padding so all fields stay reachable on narrow screens.
• Accessibility: animations honor prefers-reduced-motion; the spinner is hidden from assistive tech; the live status region continues to announce send/success/error.
• No change to the AJAX endpoint, validation rules, payload shape, dispatcher behavior, or privacy posture.
• No change to the modal, the validation rules, the payload shape, or what is transmitted. The opt-out diagnostics block, the privacy notice, and the under-the-hood filters (talkdock_feedback_payload, talkdock_feedback_dispatch) all remain identical.

1.0.5

• Suppressed five false-positive Plugin Check warnings in TLKD_Feedback. Three WordPress.Security.NonceVerification.Missing warnings inside process_attachments() — the method accesses $_FILES['attachments'] to read uploaded screenshots; the request nonce is verified by the caller handle_ajax() via check_ajax_referer( 'tlkd_feedback', 'nonce' ) before process_attachments() is ever invoked. PHPCS cannot follow the call chain, so the suppression is confined to the body of process_attachments() via a targeted phpcs:disable/phpcs:enable pair with a one-line justification. Two WordPress.DB.DirectDatabaseQuery warnings inside get_mysql_version() — the method runs SELECT VERSION() as a one-shot server-version probe; there is no cache to invalidate and no plugin or user data being queried. Suppressed locally with a one-line justification. No behavioural change.

1.0.4

• Added an optional "Report a Bug" button on the settings page sidebar. Opens a modal that accepts a subject, message, optional reply-to email, and up to three image attachments.
• The feedback flow is transparent: nothing is transmitted until the administrator clicks Send. Diagnostic environment info is opt-out and the full payload is shown to the user before submission.
• Submissions are recorded locally in a bounded log (tlkd_feedback_log, 50 most recent entries, removed on uninstall unless data is preserved).
• New talkdock_feedback_payload and talkdock_feedback_dispatch filters let extensions modify the payload or replace the default dispatcher.
• Added a == Privacy == section to this readme describing exactly what the Report-a-Bug flow transmits.

1.0.3

• Renamed plugin to "TalkDock — Floating Chat Button" to comply with WordPress.org Plugin Check trademark rules (the previous name contained a restricted brand term in the Plugin Name field).
• Updated admin hero subtitle to match the new name.
• No functional changes. The plugin still creates a wa.me click-to-chat link, which is documented throughout the description, FAQ, and admin UI.

1.0.2

• Rebranded from the previous internal name to "TalkDock".
• Reworked description and admin copy to be factual rather than promotional.
• Removed the red upgrade link from the plugins list row — upgrade information now lives only inside the plugin settings page.
• Added an explicit non-affiliation notice regarding WhatsApp.
• Shortcode renamed to [talkdock_button].

1.0.0

• First release.
• Floating chat button with color, position, and animation controls.
• Prefilled message support.
• Visibility rules (login state, hide on mobile).
• Accessibility-first markup.
• Inline shortcode for placing buttons inside content.
• Auto-migration from the legacy custom_wa_* standalone snippet.