=== InstaMigrate === Contributors: instawp Tags: migration, transfer, backup, clone, database Requires at least: 5.0 Tested up to: 6.9 Requires PHP: 7.4 Stable tag: 1.5.0 License: MIT License URI: https://opensource.org/licenses/MIT Secure REST API endpoints for WordPress site migration — database export/import, file transfer, and search-replace. == Description == InstaMigrate provides authenticated REST API endpoints that enable full WordPress site migrations between servers. It handles database export/import with binary-safe hex encoding, file archiving and transfer, and serialization-aware search-replace for domain changes. **Features:** * Database export with binary-safe hex encoding (preserves serialized PHP data) * Database import with streaming line-by-line parsing (handles large dumps) * File upload, download, archiving (tar.gz/zip), and extraction * Serialization-aware search-replace for domain migrations * Dual authentication: API key header or WordPress Application Passwords * WP-CLI detection (informational, reported in status endpoint) * Admin UI showing API key and endpoint documentation **Important:** This plugin grants full database and filesystem access via its REST API. Deactivate and delete it immediately after your migration is complete. == Installation == 1. Upload the `insta-migrate` folder to `/wp-content/plugins/` 2. Activate the plugin through the 'Plugins' menu in WordPress 3. Go to Tools > InstaMigrate to find your API key 4. Use the API key in the `X-Insta-Key` header for all REST API requests 5. **Remove the plugin after migration is complete** == Frequently Asked Questions == = Where do I find my API key? = Go to Tools > InstaMigrate in your WordPress admin. The API key is displayed there and can be regenerated if needed. = Is this plugin safe to leave active? = No. This plugin exposes powerful migration endpoints. Always deactivate and delete it after your migration is complete. = Does it handle serialized data during search-replace? = Yes. The search-replace engine correctly unserializes PHP data, performs replacements recursively, then re-serializes with updated byte counts. = What authentication methods are supported? = Two methods: (1) `X-Insta-Key` header with the plugin API key, or (2) WordPress Application Passwords via HTTP Basic Auth (requires admin privileges). == Changelog == = 1.5.0 = * Internal version alignment (header and constant now both report 1.5.0) * No functional changes from 1.4.0 = 1.4.0 = * Security: Permission callbacks now require `manage_network` (super admin) on multisite, instead of `manage_options` which subsite admins may have * Security: File concat (`/files/concat`) output restricted to plugin temp directory only * Security: File search-replace (`/files/search-replace`) restricted to uploads directory only * Security: File upload (`/files/upload`) destination restricted to uploads directory only * Security: File search-replace now uses WP_Filesystem for reads and writes instead of direct PHP file functions * Change: Temp directory moved from `wp-content/insta-migrate-tmp/` to `wp-content/uploads/insta-migrate-tmp/` per wp.org guidelines = 1.3.0 = * Removed all exec()/shell_exec() calls per wp.org plugin guidelines * Removed `/wp-cli` REST endpoint (required exec) * Archive creation and extraction now use PharData/ZipArchive exclusively * Binary detection (has_wp_cli) now uses hardcoded path checks only = 1.2.0 = * New: `/db/fix-prefix` endpoint — fixes usermeta meta_key and options option_name values after a migration where the table prefix changed. Prevents users losing roles/capabilities when the sed prefix-rewrite missed single-quoted values. = 1.1.0 = * New: `/files/concat` endpoint — concatenate chunked file uploads on the server (for large archives exceeding PHP upload limit) * New: `/files/search-replace` endpoint — search-replace strings within static files on disk (CSS/JS/JSON), used for Elementor CSS domain replacement after DB search-replace * Fix: Numeric columns (INT, BIGINT, DECIMAL, etc.) now exported as plain numbers, not hex-encoded. Prevents MySQL from misinterpreting hex literals as integers. = 1.0.0 = * Initial release * Database export/import with hex encoding * File upload, download, archive, extract * Serialization-aware search-replace * Dual authentication (API key + Application Passwords) * WP-CLI detection in status endpoint * Admin UI with API key management