This is a secure WordPress site export plugin that creates complete site backups including files and database as downloadable ZIP archives. Designed for WordPress administrators who need reliable, secure site exports for migrations, backups, or development purposes.
- Name: EngineScript Site Exporter
- Version: 2.0.0
- WordPress Compatibility: 6.6+
- PHP Compatibility: 7.4+
- License: GPL-3.0-or-later
- Text Domain: enginescript-site-exporter
The plugin uses a bootstrap + include files architecture:
// enginescript-site-exporter.php — Bootstrap (constants, require_once, init)
// includes/helpers.php — Logging, IP detection, execution time, filesystem init
// includes/security.php — Path validation, traversal checks, extension validation
// includes/admin-page.php — Admin UI rendering, notices, asset enqueueing
// includes/export.php — Export workflow, validation, directory setup, DB export
// includes/archive.php — ZIP operations, file iteration, exclusion logic
// includes/cleanup.php — Deletion handler, scheduling, bulk cleanup
// includes/download.php — Secure download handler, headers, rate limitingThe plugin uses proper WordPress initialization patterns:
function sse_init_plugin() {
// Hook admin menu creation
add_action( 'admin_menu', 'sse_admin_menu' );
// Other initialization code
}
add_action( 'plugins_loaded', 'sse_init_plugin' );enginescript-site-exporter.php- Bootstrap: constants, require_once, plugin initincludes/helpers.php- Logging, IP detection, execution time, filesystem initincludes/security.php- Path validation, traversal checks, extension validationincludes/admin-page.php- Admin UI rendering, notices, asset enqueueingincludes/export.php- Export workflow, validation, directory setup, DB exportincludes/archive.php- ZIP operations, file iteration, exclusion logicincludes/cleanup.php- Deletion handler, scheduling, bulk cleanupincludes/download.php- Secure download handler, headers, rate limitingcss/admin.css- Admin page styles (enqueued on plugin page only)js/admin.js- Admin page scripts (enqueued on plugin page only)languages/- Translation files (.pot file included)CHANGELOG.md- Developer changelogREADME.md- Developer documentationreadme.txt- WordPress.org plugin directory readmeROADMAP.md- Prioritized improvement roadmap.github/workflows/- CI/CD automation
- Functions:
sse_snake_case(WordPress standard with plugin prefix) - Variables:
$snake_case - Constants:
SSE_UPPER_SNAKE_CASE - Text Domain: Always use
'enginescript-site-exporter'
- Always use
esc_html(),esc_attr(),esc_url()for output - Sanitize input with
sanitize_text_field(),wp_unslash(), etc. - Use
current_user_can( 'manage_options' )for capability checks - Implement proper nonce verification for all forms and actions
- Use WordPress Filesystem API for file operations
- Validate all file paths to prevent directory traversal
- Hooks: Proper use of actions and filters
- File Operations: WordPress Filesystem API only
- Database: WP-CLI integration for secure database exports
- Internationalization: All strings use
esc_html__()oresc_html_e() - Admin Interface: Proper admin page integration
- File Export: Complete WordPress installation including themes, plugins, uploads
- Database Export: Secure database dump using WP-CLI when available
- ZIP Creation: All files compressed into downloadable archive
- Automatic Cleanup: Export files auto-deleted after 5 minutes for security
- Path Traversal Protection: Comprehensive file path validation
- File Access Control: Strict file extension allowlist (ZIP, SQL only)
- Authentication: Admin capability checks for all operations
- Rate Limiting: Download throttling (1 request per minute per user)
- Nonce Verification: CSRF protection on all forms and actions
- Export Locking: Transient-based system prevents concurrent exports
- Memory Management: Stream-based file operations for large files
- User-Configurable Limits: File size filtering (100MB, 500MB, 1GB options)
- Resource Management: Proper execution time limits and cleanup
- Export Form: User-friendly interface with file size options
- File Management: Download and delete export files
- Status Feedback: Clear success/error messages
- Security Notices: User guidance on file security
- Directory Validation: All paths validated within WordPress upload directory
- Extension Allowlist: Only ZIP and SQL files allowed for download
- Path Resolution: Multiple validation layers prevent symlink attacks
- Real Path Validation: Prevents path manipulation vulnerabilities
- Large Site Support: Handles multi-GB WordPress installations
- Memory Efficiency: Files processed individually to avoid exhaustion
- Export Scalability: Optimized for various hosting environments
- Cleanup Efficiency: Automatic file removal prevents disk space issues
- Database Export: Efficient database dumps via WP-CLI
- Security Validation: WP-CLI executable verification
- Error Handling: Returns WP_Error when WP-CLI is unavailable (required dependency)
- Root Detection: Conditional --allow-root flag usage
- WP_Error Usage: Consistent error object returns throughout
- Comprehensive Logging: Structured logging with severity levels
- Security Logging: Detailed logs for security events
- User Feedback: Clear error messages without information disclosure
- PHPDoc Compliance: Complete documentation for all functions
- Security Comments: Detailed security justifications
- Code Examples: Clear usage examples in documentation
- Version Control: Comprehensive changelog maintenance
- PHPStan Level 5: Static analysis compliance
- PHPCS WordPress Standards: Full coding standards compliance
- PHPMD Compliance: Code quality and complexity management
- Security Analysis: Regular vulnerability assessments
- File Security Vulnerabilities (path traversal, unauthorized access)
- Export Process Security (file cleanup, access controls)
- Memory Management (large file handling, resource limits)
- WordPress Standard Violations (coding standards, API usage)
- Permission and Capability Issues (admin access, nonce verification)
- File Path Validation: Ensure all paths are properly validated
- Export File Access: Verify download security and cleanup
- Database Export Security: Check WP-CLI command construction
- Upload Directory Security: Validate file operations within allowed areas
- Temporary File Management: Ensure proper cleanup of export files
- Large File Handling: Memory-efficient file operations
- Export Process Optimization: Minimize resource usage
- Concurrent Export Prevention: Export locking mechanisms
- File Size Management: User-configurable limits and filtering
- Cleanup Efficiency: Automatic file removal processes
- Security-First Design: Multiple validation layers
- WordPress API Compliance: Proper use of WordPress functions
- User Experience: Clear interface and feedback
- Performance Optimization: Efficient resource management
- Documentation Quality: Comprehensive code documentation
- WordPress-Specific Solutions: Prefer WordPress APIs over generic PHP
- Security Enhancements: Additional validation and protection layers
- Performance Improvements: Memory and resource optimizations
- User Experience: Interface and workflow improvements
- Documentation Updates: Code and user documentation
Remember: This plugin prioritizes security, file operation safety, and WordPress ecosystem compatibility. All file operations must be thoroughly validated and secure.