=== InstaMigrate ===
Contributors: instawp
Tags: migration, transfer, backup, clone, database
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.7.3
License: MIT
License URI: https://opensource.org/licenses/MIT

Secure REST API endpoints for WordPress site migration — database export/import, file transfer, and search-replace.

== Description ==

InstaMigrate provides authenticated REST API endpoints that enable full WordPress site migrations between servers. It handles database export/import with binary-safe hex encoding, file archiving and transfer, and serialization-aware search-replace for domain changes.

**Features:**

* Database export with binary-safe hex encoding (preserves serialized PHP data)
* Database import with streaming line-by-line parsing (handles large dumps)
* File upload, download, archiving (tar.gz/zip), and extraction
* Serialization-aware search-replace for domain migrations
* Dual authentication: API key header or WordPress Application Passwords
* WP-CLI detection (informational, reported in status endpoint)
* Admin UI showing API key and endpoint documentation

**Important:** This plugin grants full database and filesystem access via its REST API. Deactivate and delete it immediately after your migration is complete.

== Installation ==

1. Upload the `insta-migrate` folder to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Go to Tools > InstaMigrate to find your API key
4. Use the API key in the `X-Insta-Key` header for all REST API requests
5. **Remove the plugin after migration is complete**

== Frequently Asked Questions ==

= Where do I find my API key? =

Go to Tools > InstaMigrate in your WordPress admin. The API key is displayed there and can be regenerated if needed.

= Is this plugin safe to leave active? =

No. This plugin exposes powerful migration endpoints. Always deactivate and delete it after your migration is complete.

= Does it handle serialized data during search-replace? =

Yes. The search-replace engine correctly unserializes PHP data, performs replacements recursively, then re-serializes with updated byte counts.

= What authentication methods are supported? =

Two methods: (1) `X-Insta-Key` header with the plugin API key, or (2) WordPress Application Passwords via HTTP Basic Auth (requires admin privileges).

== Changelog ==

= 1.7.3 =
* New: Bridge auto-discover. Plugin polls the tracker every 5 minutes (and on every visit to the InstaMigrate admin page) to see if a bridge migration has been assigned to this site, and starts itself automatically. Removes the need for site owners to copy/paste tracker URL, migration ID, and shared secret. Discover URL is pinned (HTTPS, cert verification on); 60-second outbound rate limit with a manual "Check now" button to bypass.

= 1.7.2 =
* New: `push_file` bridge action. Source plugin can now multipart-POST a local file directly to a remote URL — typically the destination plugin's `/files/upload` or `/db/import` endpoint. Enables source-bridge inversion for sites where the source is firewalled (Imunify360 IP bans, custom WAFs) but the destination is reachable normally. The source plugin polls outbound, dest receives via its existing endpoints, no tracker upload sink required.

= 1.7.1 =
* Fix: Bridge self-trigger curl timeout raised from 500ms to 5s. On slow PHP-FPM hosts the original 500ms budget could abort before TCP connect + TLS handshake completed, breaking the bridge tick chain. WP-Cron is the safety net but can't fire on dead/CF-blocked sites.

= 1.7.0 =
* New: Bridge Mode. Plugin can run as an outbound-polling agent for sites where inbound REST is filtered (Cloudflare JS challenge, WAF blocking `/wp-json/`). The plugin POSTs to the tracker for the next command, dispatches it via the existing internal handlers, posts the result back, and self-triggers the next tick using `CURLOPT_RESOLVE` to the origin IP for CF bypass. WP-Cron `bridge_safety_tick` resumes the chain on the next admin pageview if a tick dies mid-flight.
* Admin UI: "Bridge Mode" card in Settings → InstaMigrate with Start / Stop / status fields.

= 1.6.0 =
* Performance: DB export now uses multi-row INSERT statements (10-50x faster imports)
* Performance: DB import streams gzip directly (no decompress-to-disk step)
* Performance: DB import uses transaction batching for legacy single-row dumps
* Performance: Added MySQL tuning flags (autocommit=0, unique_checks=0) during import/export
* Backward compatible: v1 single-row dumps still import correctly with auto-batched transactions

= 1.5.0 =
* Internal version alignment (header and constant now both report 1.5.0)
* No functional changes from 1.4.0

= 1.4.0 =
* Security: Permission callbacks now require `manage_network` (super admin) on multisite, instead of `manage_options` which subsite admins may have
* Security: File concat (`/files/concat`) output restricted to plugin temp directory only
* Security: File search-replace (`/files/search-replace`) restricted to uploads directory only
* Security: File upload (`/files/upload`) destination restricted to uploads directory only
* Security: File search-replace now uses WP_Filesystem for reads and writes instead of direct PHP file functions
* Change: Temp directory moved from `wp-content/insta-migrate-tmp/` to `wp-content/uploads/insta-migrate-tmp/` per wp.org guidelines

= 1.3.0 =
* Removed all exec()/shell_exec() calls per wp.org plugin guidelines
* Removed `/wp-cli` REST endpoint (required exec)
* Archive creation and extraction now use PharData/ZipArchive exclusively
* Binary detection (has_wp_cli) now uses hardcoded path checks only

= 1.2.0 =
* New: `/db/fix-prefix` endpoint — fixes usermeta meta_key and options option_name values after a migration where the table prefix changed. Prevents users losing roles/capabilities when the sed prefix-rewrite missed single-quoted values.

= 1.1.0 =
* New: `/files/concat` endpoint — concatenate chunked file uploads on the server (for large archives exceeding PHP upload limit)
* New: `/files/search-replace` endpoint — search-replace strings within static files on disk (CSS/JS/JSON), used for Elementor CSS domain replacement after DB search-replace
* Fix: Numeric columns (INT, BIGINT, DECIMAL, etc.) now exported as plain numbers, not hex-encoded. Prevents MySQL from misinterpreting hex literals as integers.

= 1.0.0 =
* Initial release
* Database export/import with hex encoding
* File upload, download, archive, extract
* Serialization-aware search-replace
* Dual authentication (API key + Application Passwords)
* WP-CLI detection in status endpoint
* Admin UI with API key management
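
The FAQ entry on serialized data describes unserializing, replacing recursively, and re-serializing with updated byte counts. The following is an added example of that technique, not InstaMigrate's own code; the `example_replace_deep` function name and the sample domains are hypothetical. It decodes with `allowed_classes` set to `false` so that stored data can never instantiate a class during the rewrite.

```php
<?php
// Added illustration; not taken from the plugin. Names are hypothetical.

/** Replace $search with $replace in $value, recursing into arrays and
 *  into strings that hold serialized PHP data. */
function example_replace_deep($value, string $search, string $replace)
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {   // array keys are left unchanged
            $value[$key] = example_replace_deep($item, $search, $replace);
        }
        return $value;
    }
    if (!is_string($value)) {
        return $value;   // numbers, bools, null and objects pass through
    }
    // allowed_classes => false: never instantiate classes named in stored
    // data. Objects decode to __PHP_Incomplete_Class and re-serialize
    // under their original class name with their contents untouched.
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded !== false || $value === 'b:0;') {
        // serialize() recomputes every s:<bytes> length prefix.
        return serialize(example_replace_deep($decoded, $search, $replace));
    }
    return str_replace($search, $replace, $value);   // plain string
}

// Constructed sample: an option value in the form WordPress stores it.
$old    = 'http://old.example';
$new    = 'https://new-site.example';
$stored = serialize(['home' => $old . '/shop', 'widgets' => ['count' => 3]]);

// Plain str_replace changes the bytes but keeps the old s:<bytes> prefix,
// so the result no longer unserializes.
$naive = str_replace($old, $new, $stored);
var_dump(@unserialize($naive, ['allowed_classes' => false]));

// The structure-aware version stays decodable after the domain change.
$fixed = example_replace_deep($stored, $old, $new);
echo $fixed, PHP_EOL;
var_dump(unserialize($fixed, ['allowed_classes' => false]));
```

Strings nested inside serialized objects are deliberately not rewritten here, since decoding them safely would require loading their classes.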