EngineScript
diff --git a/‎CHANGELOG.md‎
Lines changed: 19 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 4 deletions b/‎README.md‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎enginescript-site-exporter.php‎
Lines changed: 13 additions & 0 deletions b/‎enginescript-site-exporter.php‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎includes/admin-page.php‎
Lines changed: 37 additions & 20 deletions b/‎includes/admin-page.php‎
Lines changed: 37 additions & 20 deletions
diff --git a/‎includes/archive.php‎
Lines changed: 26 additions & 1 deletion b/‎includes/archive.php‎
Lines changed: 26 additions & 1 deletion
@@ -1,5 +1,24 @@
 # Changelog for EngineScript Site Exporter
 
+## 2.1.1 - Unreleased
+
+### Security
+
+- **Multisite Export Authorization**: Full-site export access now uses a shared permission helper. On multisite, exporter page access, export creation, secure download, and manual delete require a super admin or `manage_network_options`; single-site installs continue to require `manage_options`.
+- **Per-Export Private Storage**: Each export is now staged in a random private child directory under the configured private temp export base. The exporter rejects symlinked or unsafe pre-existing directories and enforces `0700` directory permissions.
+- **Private File Modes**: Sensitive export artifacts now use a private umask during export and explicit `0600` chmod verification after database dumps, compressed database payloads, file archives, manifests, final ZIPs, and protection files are created.
+- **WP-CLI Trust Boundary**: WP-CLI discovery now prefers trusted system paths (`/usr/local/bin/wp`, `/usr/bin/wp`). Alternate executables must be explicitly configured with `SSE_WP_CLI_PATH` or the `sse_wp_cli_path` filter and must pass ownership and writable-mode checks.
+- **Export Action Binding**: Generated download and delete actions include the private export directory identifier in their request data and nonce action so requests are tied to the generated export location.
+
+### Architecture
+
+- **Private Export Cleanup**: Bulk cleanup now scans generated private export directories, scheduled/manual deletion can clean up empty private export directories, and failed exports remove their private staging directory.
+- **Private Storage Helpers**: Added shared helpers for multisite-aware capability checks, private export directory naming, generated directory validation, and private filesystem mode enforcement.
+
+### Documentation
+
+- **Security Requirements**: Updated README.md and readme.txt to describe trusted WP-CLI configuration, multisite authorization expectations, random private export directories, and private filesystem permissions.
+
 ## 2.1.0 - May 14, 2026
 
 ### Security
 
@@ -71,16 +71,17 @@ The downloaded ZIP is named `<site>_enginescript_site_export_<timestamp>.zip`.
 - WordPress 6.8 or higher
 - PHP 8.2 or higher
 - Write access to a private WordPress temporary directory. If your host's temp directory is inside the WordPress web root, configure `WP_TEMP_DIR` to a non-public writable path.
-- WP-CLI installed at `/usr/local/bin/wp`, `/usr/bin/wp`, or as `wp-cli.phar` in the WordPress root for database exports
+- WP-CLI installed at `/usr/local/bin/wp` or `/usr/bin/wp` for database exports. To use another trusted executable, define `SSE_WP_CLI_PATH` or filter `sse_wp_cli_path`; local paths must pass ownership and permission checks.
 
 ## Security Features
 
 EngineScript Site Exporter is built with security as a priority:
 
-- **Export Authentication**: Only authorized administrators can create and download exports
+- **Export Authentication**: Only authorized administrators can create and download exports; multisite exports require a network-capable administrator
 - **Secure Downloads**: All downloads are validated with WordPress nonces
 - **Request Validation**: WordPress nonce validation for all admin actions
 - **Path Traversal Protection**: Comprehensive file path validation
+- **Private Export Storage**: Exports are staged in random private directories with `0700` directories and `0600` files
 - **Automatic Deletion**: Exports are automatically cleaned up after 5 minutes
 - **Security Headers**: Implements proper headers for download operations
 - **Secure File Handling**: Uses WordPress Filesystem API for file operations
@@ -96,15 +97,15 @@ The plugin is designed to work with most WordPress sites, but very large sites (
 Exports are staged in WordPress' temporary directory under:
 `<temp-dir>/enginescript-site-exporter-exports/`
 
-For security, the plugin refuses to export if that directory resolves inside the WordPress web root. Configure `WP_TEMP_DIR` to a private writable path if your host's default temporary directory is public.
+Each export is written inside a random private child directory. For security, the plugin refuses to export if the export directory resolves inside the WordPress web root. Configure `WP_TEMP_DIR` to a private writable path if your host's default temporary directory is public.
 
 ### Why do export files disappear after 5 minutes?
 
 For security and disk space considerations, all exports are automatically deleted after 5 minutes. This ensures sensitive site data isn't left stored indefinitely.
 
 ### Can I create multiple exports?
 
-Yes, you can create as many exports as needed. Each will have a unique filename based on the timestamp of creation.
+Yes, you can create as many exports as needed. Each export is staged in its own random private directory.
 
 ### Does this include my themes and plugins?
 
 
@@ -35,6 +35,19 @@
 	define( 'SSE_EXPORT_DIR_NAME', 'enginescript-site-exporter-exports' );
 }
 
+// Define private export directory naming and filesystem modes.
+if ( ! defined( 'SSE_EXPORT_PRIVATE_DIR_PREFIX' ) ) {
+	define( 'SSE_EXPORT_PRIVATE_DIR_PREFIX', 'export-' );
+}
+
+if ( ! defined( 'SSE_PRIVATE_DIR_MODE' ) ) {
+	define( 'SSE_PRIVATE_DIR_MODE', 0700 );
+}
+
+if ( ! defined( 'SSE_PRIVATE_FILE_MODE' ) ) {
+	define( 'SSE_PRIVATE_FILE_MODE', 0600 );
+}
+
 // Define the filter name for maximum file size override.
 if ( ! defined( 'SSE_FILTER_MAX_FILE_SIZE' ) ) {
 	define( 'SSE_FILTER_MAX_FILE_SIZE', 'sse_max_file_size_for_export' );
 
@@ -19,7 +19,7 @@ function sse_admin_menu(): void {
 	add_management_page(
 		__( 'EngineScript Site Exporter', 'enginescript-site-exporter' ), // Page title (escaped by WordPress core).
 		__( 'Site Exporter', 'enginescript-site-exporter' ),               // Menu title (escaped by WordPress core).
-		'manage_options', // Capability required.
+		sse_get_exporter_menu_capability(), // Capability required.
 		'enginescript-site-exporter',
 		'sse_exporter_page_html'
 	);
@@ -123,39 +123,56 @@ function sse_render_exporter_notices(): void {
  * @return void
  */
 function sse_render_export_success_notice( array $zip_result ): void {
+	$export_dir_name       = basename( dirname( $zip_result['filepath'] ) );
+	$has_private_dir_param = sse_is_export_private_directory_name( $export_dir_name );
+	$download_args         = [
+		'action' => 'sse_secure_download',
+		'file'   => $zip_result['filename'],
+	];
+	$download_nonce_action = 'sse_secure_download_' . $zip_result['filename'];
+
+	if ( $has_private_dir_param ) {
+		$download_args['export_dir'] = $export_dir_name;
+		$download_nonce_action      .= '_' . $export_dir_name;
+	}
+
 	$download_url = wp_nonce_url(
 		add_query_arg(
-			[
-				'action' => 'sse_secure_download',
-				'file'   => $zip_result['filename'],
-			],
+			$download_args,
 			admin_url( 'admin-post.php' )
 		),
-		'sse_secure_download_' . $zip_result['filename']
+		$download_nonce_action
 	);
 
 	$display_zip_path = wp_normalize_path( $zip_result['filepath'] );
 	$delete_confirm   = __( 'Are you sure you want to delete this export file?', 'enginescript-site-exporter' );
+	$delete_nonce     = 'sse_delete_export_' . $zip_result['filename'];
+	if ( $has_private_dir_param ) {
+		$delete_nonce .= '_' . $export_dir_name;
+	}
 	?>
 	<div class="notice notice-success is-dismissible">
 		<div class="sse-notice-actions">
 			<span><?php esc_html_e( 'Site export successfully created!', 'enginescript-site-exporter' ); ?></span>
 			<a href="<?php echo esc_url( $download_url ); ?>" class="button sse-action-button">
 				<?php esc_html_e( 'Download Export File', 'enginescript-site-exporter' ); ?>
 			</a>
-			<form
-				method="post"
-				action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>"
-				class="sse-inline-form sse-confirm-delete"
-				data-sse-confirm-message="<?php echo esc_attr( $delete_confirm ); ?>"
-			>
-				<input type="hidden" name="action" value="sse_delete_export">
-				<input type="hidden" name="file" value="<?php echo esc_attr( $zip_result['filename'] ); ?>">
-				<?php wp_nonce_field( 'sse_delete_export_' . $zip_result['filename'] ); ?>
-				<button type="submit" class="button button-secondary sse-action-button">
-					<?php esc_html_e( 'Delete Export File', 'enginescript-site-exporter' ); ?>
-				</button>
-			</form>
+				<form
+					method="post"
+					action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>"
+					class="sse-inline-form sse-confirm-delete"
+					data-sse-confirm-message="<?php echo esc_attr( $delete_confirm ); ?>"
+				>
+					<input type="hidden" name="action" value="sse_delete_export">
+					<input type="hidden" name="file" value="<?php echo esc_attr( $zip_result['filename'] ); ?>">
+					<?php if ( $has_private_dir_param ) : ?>
+						<input type="hidden" name="export_dir" value="<?php echo esc_attr( $export_dir_name ); ?>">
+					<?php endif; ?>
+					<?php wp_nonce_field( $delete_nonce ); ?>
+					<button type="submit" class="button button-secondary sse-action-button">
+						<?php esc_html_e( 'Delete Export File', 'enginescript-site-exporter' ); ?>
+					</button>
+				</form>
 		</div>
 		<p><small>
 			<?php
@@ -177,7 +194,7 @@ class="sse-inline-form sse-confirm-delete"
  * @return void
  */
 function sse_exporter_page_html(): void {
-	if ( ! current_user_can( 'manage_options' ) ) {
+	if ( ! sse_current_user_can_export_site() ) {
 		sse_wp_die( __( 'You do not have permission to view this page.', 'enginescript-site-exporter' ), 403 );
 	}
 
 
@@ -241,6 +241,11 @@ function sse_create_compressed_database_file( string $source_path, string $targe
 		return new WP_Error( 'db_compress_verify_failed', __( 'Compressed database file was not created successfully.', 'enginescript-site-exporter' ) );
 	}
 
+	if ( ! sse_chmod_private_file( $target_path ) ) {
+		sse_cleanup_files( [ $target_path ] );
+		return new WP_Error( 'db_compress_permissions_failed', __( 'Could not secure compressed database file permissions.', 'enginescript-site-exporter' ) );
+	}
+
 	return true;
 }
 
@@ -262,6 +267,12 @@ function sse_create_wordpress_files_archive( string $files_archive_path, string
 
 	try {
 		$tar_archive = new PharData( $tar_path );
+		if ( ! sse_chmod_private_file( $tar_path ) ) {
+			unset( $tar_archive );
+			sse_cleanup_files( [ $tar_path, $files_archive_path ] );
+			return new WP_Error( 'files_archive_permissions_failed', __( 'Could not secure files archive permissions.', 'enginescript-site-exporter' ) );
+		}
+
 		$file_result = sse_add_wordpress_files_to_tar( $tar_archive, $export_dir );
 		unset( $tar_archive );
 
@@ -290,6 +301,11 @@ function sse_create_wordpress_files_archive( string $files_archive_path, string
 		return new WP_Error( 'files_archive_verify_failed', __( 'WordPress files archive was not created successfully.', 'enginescript-site-exporter' ) );
 	}
 
+	if ( ! sse_chmod_private_file( $files_archive_path ) ) {
+		sse_cleanup_files( [ $files_archive_path ] );
+		return new WP_Error( 'files_archive_permissions_failed', __( 'Could not secure files archive permissions.', 'enginescript-site-exporter' ) );
+	}
+
 	return true;
 }
 
@@ -321,10 +337,14 @@ function sse_write_engine_script_manifest( array $bundle_paths, string $site_ide
 	}
 
 	global $wp_filesystem;
-	if ( ! $wp_filesystem->put_contents( $bundle_paths['manifest_path'], $manifest_content, FS_CHMOD_FILE ) ) {
+	if ( ! $wp_filesystem->put_contents( $bundle_paths['manifest_path'], $manifest_content, SSE_PRIVATE_FILE_MODE ) ) {
 		return new WP_Error( 'manifest_write_failed', __( 'Could not write EngineScript export manifest.', 'enginescript-site-exporter' ) );
 	}
 
+	if ( ! sse_chmod_private_file( $bundle_paths['manifest_path'] ) ) {
+		return new WP_Error( 'manifest_permissions_failed', __( 'Could not secure EngineScript export manifest permissions.', 'enginescript-site-exporter' ) );
+	}
+
 	return true;
 }
 
@@ -379,6 +399,11 @@ function sse_create_combined_engine_script_zip( array $bundle_paths ) {
 		return new WP_Error( 'zip_finalize_failed', __( 'Failed to finalize or save the ZIP archive after processing files.', 'enginescript-site-exporter' ) );
 	}
 
+	if ( ! sse_chmod_private_file( $bundle_paths['combined_zip_path'] ) ) {
+		sse_cleanup_files( [ $bundle_paths['combined_zip_path'] ] );
+		return new WP_Error( 'zip_permissions_failed', __( 'Could not secure ZIP archive permissions.', 'enginescript-site-exporter' ) );
+	}
+
 	return true;
 }