Releases: EngineScript/enginescript-site-exporter
Release v2.0.0
Critical Bug Fixes
- Scheduled Deletion Fix: Fixed critical bug where automatic export file cleanup via WordPress cron was completely broken. The referer validation in sse_validate_basic_export_file() was blocking all cron-triggered deletions since scheduled tasks have no HTTP referer. Referer checks are now correctly applied only to user-facing download and deletion handlers.
- Deletion Notice Fix: Fixed bug where success/failure notices after manually deleting an export file were lost due to add_action('admin_notices') being registered before wp_safe_redirect() + exit. Notices are now passed via query parameter and displayed on the redirected page.
Security & Escaping Fixes
- Double Escaping Prevention: Fixed 9 instances of double-escaped WP_Error messages where esc_html__() was used in error construction but messages were escaped again with esc_html() at output time. Changed to __() in WP_Error constructors since escaping belongs at the output boundary.
- Admin Menu Escaping: Removed redundant esc_html__() in sse_admin_menu(); WordPress core already escapes page and menu titles internally.
- Submit Button Escaping: Removed redundant esc_html__() in submit_button() call; the function internally applies esc_attr() to button text.
- Database Export Error: Removed pre-escaping of WP-CLI error output in sse_export_database() WP_Error to prevent double escaping when displayed via sse_show_error_notice().
- Symlink Compatibility: Removed overly strict realpath() equality check in sse_validate_download_file_access() that could block valid downloads on servers with symlinked upload directories. Directory containment validation already provides equivalent security.
Performance Improvements
- File Size Filter Caching: Cached the sse_max_file_size_for_export filter result using a static variable in sse_should_exclude_file() to avoid redundant get_transient(), get_current_user_id(), and apply_filters() calls for every file during export.
- Error Log Autoload: Added false autoload parameter to update_option() in sse_store_log_in_database() to prevent debug logs from being loaded into memory on every WordPress page request.
Code Quality
- Dead Code Removal: Removed unused sse_get_scheduled_deletions() debugging function that was never called from any code path.
- Shell Safety: Added function_exists('shell_exec') check in sse_get_safe_wp_cli_path() before attempting PATH lookup, preventing PHP warnings when shell_exec is disabled.
- POT File Cleanup: Removed 6 stale translation entries referencing functions that no longer exist. Added missing translatable strings for file size options, error messages, and WP-CLI status messages.
- GEMINI.md: Updated version reference from 1.8.4 to 1.9.1.
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.9.2
Critical Bug Fixes
- Scheduled Deletion Fix: Fixed critical bug where automatic export file cleanup via WordPress cron was completely broken. The referer validation in sse_validate_basic_export_file() was blocking all cron-triggered deletions since scheduled tasks have no HTTP referer. Referer checks are now correctly applied only to user-facing download and deletion handlers.
- Deletion Notice Fix: Fixed bug where success/failure notices after manually deleting an export file were lost due to add_action('admin_notices') being registered before wp_safe_redirect() + exit. Notices are now passed via query parameter and displayed on the redirected page.
Security & Escaping Fixes
- Double Escaping Prevention: Fixed 9 instances of double-escaped WP_Error messages where esc_html__() was used in error construction but messages were escaped again with esc_html() at output time. Changed to __() in WP_Error constructors since escaping belongs at the output boundary.
- Admin Menu Escaping: Removed redundant esc_html__() in sse_admin_menu(); WordPress core already escapes page and menu titles internally.
- Submit Button Escaping: Removed redundant esc_html__() in submit_button() call; the function internally applies esc_attr() to button text.
- Database Export Error: Removed pre-escaping of WP-CLI error output in sse_export_database() WP_Error to prevent double escaping when displayed via sse_show_error_notice().
- Symlink Compatibility: Removed overly strict realpath() equality check in sse_validate_download_file_access() that could block valid downloads on servers with symlinked upload directories. Directory containment validation already provides equivalent security.
Performance Improvements
- File Size Filter Caching: Cached the sse_max_file_size_for_export filter result using a static variable in sse_should_exclude_file() to avoid redundant get_transient(), get_current_user_id(), and apply_filters() calls for every file during export.
- Error Log Autoload: Added false autoload parameter to update_option() in sse_store_log_in_database() to prevent debug logs from being loaded into memory on every WordPress page request.
Code Quality
- Dead Code Removal: Removed unused sse_get_scheduled_deletions() debugging function that was never called from any code path.
- Shell Safety: Added function_exists('shell_exec') check in sse_get_safe_wp_cli_path() before attempting PATH lookup, preventing PHP warnings when shell_exec is disabled.
- POT File Cleanup: Removed 6 stale translation entries referencing functions that no longer exist. Added missing translatable strings for file size options, error messages, and WP-CLI status messages.
- GEMINI.md: Updated version reference from 1.8.4 to 1.9.1.
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.9.1
Scheduled Deletion System Enhancements
- Enhanced Debugging: Added comprehensive debugging system with error_log() output for WordPress cron troubleshooting when standard debug logging is disabled
- Dual Cleanup System: Implemented redundant scheduled deletion with both individual file cleanup (5 minutes) and bulk directory cleanup (10 minutes) as safety net
- Bulk Cleanup Handler: Added sse_bulk_cleanup_exports_handler() to scan and clean all export files older than 5 minutes from the entire export directory
- Improved Scheduling: Enhanced sse_schedule_export_cleanup() with detailed logging, DISABLE_WP_CRON detection, and WordPress cron array status monitoring
- Test Framework: Added sse_test_cron_scheduling() function to verify WordPress cron functionality before attempting real scheduling
- Cron Diagnostics: Implemented sse_get_scheduled_deletions() for debugging scheduled events and cron system status
- Verification System: Added post-scheduling verification to confirm events are properly added to WordPress cron schedule
Code Quality Improvements
- WordPress VIP Compliance: Replaced direct PHP filesystem function is_writable() with WordPress Filesystem API (WP_Filesystem) for VIP coding standards compliance
- Filesystem API Integration: Added proper WordPress filesystem initialization with error handling in export preparation function
- Code Style: Fixed variable alignment inconsistencies in sse_test_cron_scheduling() function to maintain consistent spacing standards
Bug Fixes
- Scheduled Deletion: Resolved issue where export files were not being automatically deleted due to WordPress cron scheduling failures
- Fallback System: Removed unnecessary fallback methods as requested, streamlining the system to use only WordPress cron
- Error Logging: Improved error visibility by adding direct error_log() output for cron debugging when WordPress debug settings are disabled
- Export Directory Consistency: Centralized export directory naming via SSE_EXPORT_DIR_NAME constant to eliminate mismatched cleanup paths and ensure all subsystems reference the same location
- Filesystem Validation: Added explicit directory creation and writability checks with helpful error messaging when the exports folder can't be prepared
- CI Database Service: Replaced the GitHub Actions MySQL 5.7 test container with MariaDB 10.6 to avoid Docker Hub authentication failures while maintaining WordPress compatibility coverage
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.9.0
Performance Enhancements
- Export Locking: Implemented a lock using transients (sse_export_lock) to prevent concurrent export processes and reduce server load.
- User-Configurable File Size Limits: Added a user-friendly dropdown in the export form to exclude files larger than selected sizes (100MB, 500MB, 1GB, or no limit).
Code Quality Improvements
- Centralized Configuration: Created SSE_ALLOWED_EXTENSIONS constant to eliminate code duplication for file extension validation.
- Unified Validation: Consolidated file extension validation logic into a single reusable function.
User Experience Improvements
- Enhanced Export Form: Added intuitive file size limit selection directly in the export interface, eliminating the need for developers to write custom filter code.
Security Hardening
- WP-CLI Verification: Added executable/existence verification for PATH-discovered WP-CLI binary
- Error Output Sanitization: Sanitized WP-CLI failure output (path masking, line limiting) to prevent filesystem disclosure
- Graceful Scheduled Deletion: Treats missing file during scheduled cleanup as info (likely already removed) instead of error
- Conditional Root Flag: Added conditional inclusion of --allow-root only when actually running as root
- Strict Download Validation: Hardened download file data validation (type checks, required keys, numeric size enforcement)
- Secure File Data Handling: Added stronger sanitization and non-positive size rejection before serving downloads
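A sketch of the path masking and line limiting described under Error Output Sanitization, as an added example that is not the plugin's own code. The function name, the limits and the sample output are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Function name, limits and the
// sample output are assumptions made for illustration.

function example_sanitize_cli_error( string $raw, int $max_lines = 3, int $max_len = 160 ): string {
    // Strip ANSI colour sequences, then remaining control bytes (keep \n and \t).
    $text = preg_replace( '/\x1B\[[0-9;]*[A-Za-z]/', '', $raw );
    $text = preg_replace( '/[\x00-\x08\x0B-\x1F\x7F]/', '', (string) $text );

    // Mask the directory part of absolute paths and keep only the last segment.
    // URLs are left alone: a slash preceded by ":" or "/" never starts a match.
    $text = preg_replace_callback(
        '~(?<![\w.:/])(?:/[\w.\-]+){2,}/?~',
        static function ( array $m ): string {
            return '[path]/' . basename( $m[0] );
        },
        (string) $text
    );

    // Keep only the first non-empty lines, each capped in length.
    $lines = array_values( array_filter( array_map( 'trim', explode( "\n", (string) $text ) ), 'strlen' ) );
    $kept  = array_map(
        static function ( string $line ) use ( $max_len ): string {
            return strlen( $line ) > $max_len ? substr( $line, 0, $max_len ) . '...' : $line;
        },
        array_slice( $lines, 0, $max_lines )
    );
    $omitted = count( $lines ) - count( $kept );
    if ( $omitted > 0 ) {
        $kept[] = sprintf( '[%d more line(s) omitted]', $omitted );
    }
    return implode( "\n", $kept );
}

// Constructed sample resembling the output of a failed database export.
$sample = "\x1B[31mError:\x1B[0m Could not open /home/deploy/sites/example.test/wp-config.php\n"
    . "mysqldump: Got error 1045 while writing /var/www/example/wp-content/uploads/exports/db.sql\n"
    . "See https://example.test/docs/export for details\n"
    . "#0 /usr/local/bin/wp(4): include()\n";

echo example_sanitize_cli_error( $sample ), "\n";
```

The returned string is still untrusted text and needs escaping when it is rendered in an admin notice.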
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.8.4
Code Quality Improvements
- WordPress Coding Standards: Comprehensive PHPCS compliance fixes across all functions
- Fixed function documentation block spacing and alignment
- Standardized parameter formatting with proper spacing (e.g., function( $param ))
- Corrected Yoda conditions for all boolean comparisons (e.g., false === $variable)
- Aligned array formatting with consistent spacing (e.g., 'key' => 'value')
- Fixed multi-line function call formatting and indentation
- Resolved all remaining WordPress coding standards violations
- Code Consistency: Enhanced code readability and maintainability through standardized formatting
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.8.3
WordPress Plugin Directory Compliance
- Text Domain Fix: Updated text domain from 'Simple-WP-Site-Exporter' to 'simple-wp-site-exporter' (lowercase) to comply with WordPress.org plugin directory requirements
- Load Textdomain Removal: Removed discouraged load_plugin_textdomain() function call as WordPress automatically handles translations for plugins hosted on WordPress.org since version 4.6
- Plugin Header Update: Fixed "Text Domain" header to use only lowercase letters, numbers, and hyphens as required by WordPress standards
Security Fix
- Critical Security Fix: Resolved a fatal error caused by a missing sse_get_safe_wp_cli_path() function. This function is essential for securely locating the WP-CLI executable, and its absence prevented the database export process from running. The new function ensures that the plugin can reliably find WP-CLI in common locations, allowing the export to proceed as intended.
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.8.2
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.8.1
Documentation Workflow Updates
- Version Control: Removed changelog.txt file to streamline documentation; maintaining only readme.txt (WordPress.org) and CHANGELOG.md (for developers).
Code Standards Compliance
- Indentation: Fixed tab indentation violations in sse_handle_secure_download() and sse_handle_export_deletion() functions to use spaces as required by WordPress coding standards.
1.8.1 - June 26, 2025
WordPress Standards Compliance Enhancement
- WordPress Baseline: Updated minimum WordPress version requirement from 6.0 to 6.5+ for better compatibility
- Internationalization: Added complete i18n support with load_plugin_textdomain() and .pot file generation
- Language Files: Created languages/simple-wp-site-exporter.pot with all translatable strings
- Documentation Consistency: Updated README.md, readme.txt, and phpcs.xml to reflect WordPress 6.5+ baseline
- Workflow Updates: Modified compatibility testing to use WordPress 6.5+ as minimum test version
- Standards Alignment: Ensured all code, workflows, and documentation strictly follow WordPress coding standards
Critical Security Fix
- SECURITY: Resolved Server-Side Request Forgery (SSRF) vulnerability in sse_resolve_parent_directory() function
- Filesystem Security: Removed is_dir() and is_readable() filesystem checks on user-controlled input
- Attack Prevention: Eliminated potential filesystem structure probing and information disclosure
- Path Validation: Refactored to use safe string-based path validation while maintaining security
- Codacy Compliance: Addressed "File name based on user input risks server-side request forgery" detection
- Defense in Depth: Maintained multiple layers of path validation without filesystem probing
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.8.0
WordPress Standards Compliance Enhancement
- WordPress Baseline: Updated minimum WordPress version requirement from 6.0 to 6.5+ for better compatibility
- Internationalization: Added complete i18n support with load_plugin_textdomain() and .pot file generation
- Language Files: Created languages/simple-wp-site-exporter.pot with all translatable strings
- Version Control: Added changelog.txt file as specified in copilot instructions for complete version documentation
- Documentation Consistency: Updated README.md, readme.txt, and phpcs.xml to reflect WordPress 6.5+ baseline
- Workflow Updates: Modified compatibility testing to use WordPress 6.5+ as minimum test version
- Standards Alignment: Ensured all code, workflows, and documentation strictly follow WordPress coding standards
Critical Security Fix
- SECURITY: Resolved Server-Side Request Forgery (SSRF) vulnerability in sse_resolve_parent_directory() function
- Filesystem Security: Removed is_dir() and is_readable() filesystem checks on user-controlled input
- Attack Prevention: Eliminated potential filesystem structure probing and information disclosure
- Path Validation: Refactored to use safe string-based path validation while maintaining security
- Codacy Compliance: Addressed "File name based on user input risks server-side request forgery" detection
- Defense in Depth: Maintained multiple layers of path validation without filesystem probing
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin
Release v1.7.0
Critical Security Fix
- SECURITY: Resolved Server-Side Request Forgery (SSRF) vulnerability in sse_resolve_parent_directory() function
- Filesystem Security: Removed is_dir() and is_readable() filesystem checks on user-controlled input
- Attack Prevention: Eliminated potential filesystem structure probing and information disclosure
- Path Validation: Refactored to use safe string-based path validation while maintaining security
- Codacy Compliance: Addressed "File name based on user input risks server-side request forgery" detection
- Defense in Depth: Maintained multiple layers of path validation without filesystem probing
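One way to do string-based path validation without filesystem probing, as an added example that is not the plugin's own code. It assumes POSIX-style absolute paths; the function names and the base directory are hypothetical.

```php
<?php
// Added example, not the plugin's code: containment decided from the string
// alone, with no is_dir(), is_readable() or realpath() call on the input.
// Function names and the base directory below are hypothetical.

/** Collapse ".", ".." and repeated slashes without touching the disk. */
function example_normalize_path( string $path ): ?string {
    if ( '' === $path || false !== strpos( $path, "\0" ) ) {
        return null; // Empty input or embedded NUL byte.
    }
    $path = str_replace( '\\', '/', $path );
    if ( '/' !== $path[0] ) {
        return null; // Relative paths are rejected outright.
    }
    $stack = array();
    foreach ( explode( '/', $path ) as $segment ) {
        if ( '' === $segment || '.' === $segment ) {
            continue;
        }
        if ( '..' === $segment ) {
            if ( empty( $stack ) ) {
                return null; // Tried to climb above the root.
            }
            array_pop( $stack );
            continue;
        }
        $stack[] = $segment;
    }
    return '/' . implode( '/', $stack );
}

/** True only when $candidate normalizes to a path below $base. */
function example_is_within( string $candidate, string $base ): bool {
    $candidate = example_normalize_path( $candidate );
    $base      = example_normalize_path( $base );
    if ( null === $candidate || null === $base ) {
        return false;
    }
    // The trailing slash stops "/exports-old" from matching "/exports".
    return 0 === strpos( $candidate, rtrim( $base, '/' ) . '/' );
}

// Constructed inputs: a valid file, a traversal, a sibling-prefix directory.
$base = '/var/www/html/wp-content/uploads/example-exports';
foreach ( array( '/site.zip', '/../../wp-config.php', '-old/site.zip', '/./a//b.zip' ) as $suffix ) {
    printf( "%-24s %s\n", $suffix, var_export( example_is_within( $base . $suffix, $base ), true ) );
}
```

Because nothing is resolved on disk, this check does not follow symlinks and gives the same answer whether or not the path exists.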
Installation
- Download the zip file
- Upload to your WordPress site through the Plugins > Add New > Upload menu
- Activate the plugin