=== Yedekalma — Cloud Backup & Restore ===
Contributors: kamkactemha, yedekalma
Tags: backup, restore, cloud backup, kvkk, encryption
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.10.2
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Local one-click WordPress backup & restore (files + database). Optionally connect the free Yedekalma cloud service for off-site, multi-cloud storage.

== Description ==

**Yedekalma** creates one-click backups of your WordPress site — files and database — and restores them again from your WordPress admin. It works **fully standalone with no account**: backups are stored locally in your uploads directory and can be downloaded or restored at any time, directly from the dashboard.

Optionally, you can connect the **Yedekalma cloud service** (an external service, see the *External services* section) to push backups off-site to your own cloud storage (Google Drive, Amazon S3, your own FTP/SFTP, and more), mirror to multiple providers, schedule automatic backups, and run weekly restore drills. The cloud service is optional — every built-in feature of this plugin works without it.

### 📦 What Does This Plugin Do? (no account needed)

Straight from your WordPress admin, with **no account and no external service**:

* Create **full backups** (files + database), **files only**, or **database only**.
* Backups are stored locally under `wp-content/uploads/yedekalma-backups/`.
* **One-click restore** (full, files-only, or database-only) from the admin.
* **Download** any backup as a ZIP.
* List your recent backups (status, size, checksum).

### ☁️ Optional: Yedekalma Cloud Service

If you want off-site protection, you can optionally connect the **Yedekalma cloud service** (external service — see *External services*). This is **not required** and the plugin is fully functional without it. It adds:

* Push backups directly to your own cloud (Google Drive, Amazon S3, Backblaze B2, Wasabi, OneDrive, Dropbox, Yandex Disk, your own FTP/SFTP, …).
* Multi-cloud mirroring (same backup to several providers).
* Scheduled automatic backups + weekly restore drills.
* Client-side AES-256 (BYOK) encryption with your own passphrase.

The cloud service has a free tier (no credit card; 1 GB / 1 month) and usage-based billing afterwards. You can also try it **without registering** — see the in-plugin option.

### 🔒 Security

* The optional cloud API token is stored on your site encrypted with **AES-256-CBC** (based on your AUTH_KEY).
* All requests to the optional cloud service use HTTPS with a Bearer token.
* When the cloud service is used, backup files are streamed directly to your own cloud storage and are not retained on the Yedekalma servers (only metadata).

== External services ==

This plugin can optionally connect to the Yedekalma cloud service (an external SaaS) to perform off-site backup and restore operations, package backups for delivery to your own cloud storage, check subscription state, and monitor backup quota. This connection only happens if you choose to use the cloud service (by entering an API token or using the in-plugin "try without registering" option); the plugin's local backup/restore features work without any external connection.

* **Service URL:** https://yedekalma.com
* **Terms of Service:** https://yedekalma.com/legal
* **Privacy Policy:** https://yedekalma.com/legal#privacy
* **Data Transmission:** When connected, the plugin sends requests to the Yedekalma API containing your Site URL, active plugin features, backup metadata (such as file lists, sizes, and checksums), and your API token (or anonymous install id) to perform secure backup and restore tasks.

== Installation ==

1. Go to your WordPress admin panel: **Plugins → Add New**.
2. Search for "Yedekalma — Cloud Backup & Restore".
3. Click **Install Now** and then **Activate**.
4. A new **Yedekalma** tab will appear in the left sidebar menu.
5. **That's it — you can start backing up right away, with no account.** Choose "Start without an account" to take and restore local backups.

**Optional — connect the Yedekalma cloud service for off-site storage:**

6. Create a free account on [yedekalma.com](https://yedekalma.com) (optional).
7. In your Yedekalma panel, go to **Profile → API Tokens** and create a token (scope: `plugin:wordpress`).
8. In WordPress, go to **Yedekalma → Settings**, paste the token, and click "Connect Site".

== Frequently Asked Questions ==

= Is this plugin free? =

Yes — the plugin is completely free and fully functional on its own. You can create, download and restore local backups without any account or external service. The **optional** Yedekalma cloud service (for off-site/multi-cloud storage and scheduling) has its own free tier (1 GB / 1 month, no credit card) with usage-based billing afterwards, but you are not required to use it.

= Do I need an account? =

No. Local backup, download and restore work without an account or any external connection. An account is only needed if you choose to use the optional Yedekalma cloud service for off-site storage.

= Where are my backups stored? =

By default, local backups are stored on your own site under `wp-content/uploads/yedekalma-backups/`. If you connect the optional cloud service, backups are packaged on your own server and uploaded directly to your chosen storage (Google Drive, S3, your own FTP/SFTP, etc.) — never stored on the Yedekalma servers; only backup metadata (date, size, status) is kept in our data center located in Turkey (turkticaret.net infrastructure); data is not transferred abroad (KVKK compliant).

= Are my keys and tokens secure? =

Yes. The optional cloud API token you enter in WordPress is encrypted locally using AES-256-CBC with your site's unique AUTH_KEY. With BYOK, backups are encrypted with AES-256 on your own server before upload, and your encryption passphrase is stored **only on your own site** (encrypted with your AUTH_KEY) — it is never sent to or stored on the Yedekalma servers, so nobody but you can open the archives.

= How does restore work? =

Restore runs directly inside your WordPress admin. Open **Yedekalma → Backups**, click **Restore** on a backup, choose full / files-only / database-only, and confirm — the plugin downloads (or reads the local file) and applies it on your own server. This works for local backups with no account. If you use the optional cloud service, the same in-admin restore applies backups pulled from your own cloud storage.

= What happens to my backups if I uninstall the plugin? =

Local backups stored under `wp-content/uploads/yedekalma-backups/` stay on your site unless you delete them. If you used the optional cloud service, those backups remain in your own connected cloud storage. Deleting the plugin does not delete your backup files or any optional cloud account.

= Is Multisite (WP Multi-site) supported? =

Full support is not available in V1 — it requires a separate plugin instance per site. This is on our V2 roadmap.

= Which backup types are supported? =

* **Full Backup**: WordPress files (themes, plugins, uploads) + database.
* **Files Only**: Site files.
* **Database Only**: MySQL dump.

= Is it KVKK/GDPR compliant? =

Yes. When you use the optional cloud service, explicit consent is obtained during registration for data transfers (KVKK Article 9).

== Screenshots ==

1. Get started without an account — local backup call-to-action
2. Dashboard — manual backup + status
3. Settings — optional cloud connection
4. Backups list with one-click restore
5. Backup in progress — real-time progress bar

== Changelog ==

= 1.10.2 — 2026-07-15 =
* NEW: Cleaned settings page to focus on custom language preferences and system info.
* NEW: Made Settings (Ayarlar) page visible in the WordPress left sidebar menu.

= 1.10.1 — 2026-07-15 =
* NEW: Internationalization added with translations for English, German, Russian, Arabic, and Turkish.
* NEW: Added new SVG brand logo and official asset icons.
* FIX: Resolved permission issue with hidden settings page access.

= 1.10.0 — 2026-07-13 =
* SECURITY: The chunked-backup progress state is stored in a transient with a plugin-specific key prefix (yedekalma_chk_) so it can never collide with another plugin's transients.
* SECURITY: The backup encryption passphrase is now encrypted (with the site's AUTH_KEY) before it is written into that transient — it is never persisted in plaintext.
* PERFORMANCE: Bulky per-file backup state arrays (file list, manifest, reference file list) are kept in private system temp files instead of the transient, keeping the option/transient store small.

= 1.9.0 — 2026-07-08 =
* NEW: Multi-channel source size measurement for the cloud "Kontrol Et" (check) flow.

= 1.8.19 — 2026-07-04 =
* COMPLIANCE: PHP `memory_limit`/`set_time_limit` are now raised only inside the specific backup/restore endpoints that need them (via a helper), never as a global default on init.
* COMPLIANCE: Replaced all raw cURL calls with the WordPress HTTP API (`wp_remote_*`); large streaming uploads use the `http_api_curl` hook as recommended.
* COMPLIANCE: Restore-time `wp-config.php` update now uses the WordPress Filesystem API (`WP_Filesystem`) with strict value sanitization; no `.bak` copy is left in the site.
* COMPLIANCE: Renamed the internal notify-card guard constant to use the full `YEDEKALMA_` prefix.

= 1.8.18 — 2026-07-03 =
* FEATURE: Keyset pagination for database dumping to optimize performance on large sites.
* FEATURE: Native .sql.gz compression support for streaming database backups.
* FEATURE: Chunked execution flow for database and file backups.

= 1.8.16 — 2026-07-02 =
* UX: Removed the "Bulut Hesabına Bağlan" (Connect to Cloud Account) link from the admin submenu. The connect page stays accessible from the in-page CTA; only the sidebar menu item is hidden (via remove_submenu_page) to keep the menu clean.

= 1.8.15 — 2026-07-01 =
* COMPLIANCE (Guideline 5): No built-in feature is locked behind an account any more. When no Yedekalma account is connected, the plugin now runs fully in local mode by default — one-click backup (files + database), local/FTP/SFTP targets, download and restore all work with no account. The optional cloud connection only changes where backups are delivered.
* PRIVACY (Guideline 6 / no phone-home): Removed automatic anonymous registration and anonymous heartbeat. The plugin now makes NO external connection unless you deliberately connect the optional Yedekalma cloud service (enter an API token). This matches the "External services" section exactly.
* SECURITY: Hardened the local backup directory (wp-content/uploads/yedekalma-backups) — Apache 2.2 & 2.4 deny rules + index.php/index.html + directory-listing off, and backup archive filenames now include an unguessable random token so the file cannot be reached by direct URL (important on Nginx where .htaccess is ignored). Raw SQL dumps are written only to the private system temp dir and removed after archiving.

= 1.8.14 — 2026-06-30 =
* FIX: Recent/local backup list showed the wrong date & time. Timestamps are stored in the site's local timezone, but the list rendered them through get_date_from_gmt(), which re-applied the UTC offset. Now displayed with mysql2date() (no double conversion) on both the dashboard and the backups list.

= 1.8.13 — 2026-06-30 =
* FIX: Local backup could fail at finalization with "archive could not be opened" when the file list resolved to zero entries (e.g. database-only, or an empty temporary archive). libzip does not write an empty archive to disk, so re-opening it failed. The intermediate and finalize steps now open the archive with the CREATE flag, making the chunked backup resilient.

= 1.8.12 — 2026-06-30 =
* UX: Local backup now runs in time-sliced chunks, so the progress bar advances smoothly file-by-file (it no longer appears stuck at 50% on large sites). Added a "Show details" log panel that shows, in real time, which file is currently being added (n/total).

= 1.8.11 — 2026-06-30 =
* PRIVACY: True client-side BYOK. The backup encryption passphrase is now entered and stored only on your own site (Yedekalma → Connect Cloud → Backup Encryption), encrypted with your AUTH_KEY. It is never sent to or stored on the Yedekalma servers — the key stays entirely with you. Backup/restore/verify read the passphrase locally.

= 1.8.10 — 2026-06-30 =
* FIX: Local backup produced an empty archive ("Yedek arşivi boş üretildi") on sites with many files. ZipArchive keeps a file handle open per added file until close(), so large sites hit the OS open-files limit and close() failed silently. The builder now adds files in batches (close/reopen every 400 files) and verifies close() succeeded. The local backups folder is also excluded from the archive (prevents bloat and self-inclusion).

= 1.8.9 — 2026-06-30 =
* FIX: Local backup could appear stuck at 50%. The archive build now runs without the default time/memory limits (and continues server-side even if the connection drops), a lock prevents duplicate concurrent builds, and the admin progress poller now handles request timeouts/errors (retries, and surfaces the real error instead of freezing).
* HARDENING: Additional output escaping (esc_attr/esc_html) on schedule selects and the notification field; wp_unslash on the restore mode input.

= 1.8.8 — 2026-06-30 =
* COMPLIANCE: Clarified that the plugin is fully functional standalone — local one-click backup, download and restore work with no account and no external service; the Yedekalma cloud service is clearly documented as optional (Guidelines 5 & 6). Updated readme/description and FAQ accordingly.
* FIX: Removed the diagnostic log file written under wp-content/uploads; diagnostic steps now go to PHP error_log() only when WP_DEBUG is on (no predictable, web-accessible log file).
* SECURITY: The temporary wp-config.php safety copy made during a config-restore is now written to the system temp directory (outside the web root) instead of next to wp-config.php, so database credentials are never left in a downloadable file.

= 1.8.7 — 2026-06-30 =
* NEW: Use the plugin without a Yedekalma account. On activation the site is registered anonymously (technical info only — domain & versions, no personal data) so it can back up and restore right away.
* NEW: "Where should backup notifications go?" email field with double opt-in verification and an optional product-updates consent. Entering an email turns the install into a lead; signing up on yedekalma.com later with the same address automatically links this site to your account (no duplicate accounts).
* PRIVACY: Marketing consent is stored separately from transactional notifications; commercial messaging is gated behind explicit opt-in.

= 1.8.6 — 2026-06-30 =
* SECURITY: Real client-side AES-256 backup encryption (BYOK). When a passphrase is set, the archive is encrypted with AES-256 (CBC + HMAC) on your own server before upload and can only be opened with your passphrase. Each encrypted backup is self-verified (decrypt + checksum) before upload, so an unrecoverable archive is never sent. Restore and integrity-check transparently decrypt.

= 1.8.5 — 2026-06-29 =
* INFRA: Panel servers migrated to Turkey (turkticaret infrastructure); data is not transferred abroad (KVKK). Removed unverified certification wording.

= 1.8.4 — 2026-06-29 =
* RELIABILITY: Added a read-only backup integrity verification endpoint (downloads + checks SHA-256, archive and completion marker; never restores), so backups taken via the plugin can be auto-verified.

= 1.8.3 — 2026-06-29 =
* RELIABILITY: Incremental backups now compare real file mtime (not just size), so files whose content changes without a size change are correctly captured.

= 1.8.2 — 2026-06-29 =
* SECURITY: SSRF protection on restore download URLs (https + public-IP only). DATA INTEGRITY: DB dumps now write and verify a completion marker on the plain .sql path too (partial dumps are refused on restore).

= 1.8.1 — 2026-06-29 =
* CLARITY: When the selected storage target is not configured (e.g. "My Own Storage / FTP-SFTP" chosen but no credentials entered), the backup now fails with a clear, actionable message instead of a cryptic "no direct upload" error.

= 1.8.0 — 2026-06-29 =
* CLARITY: Renamed the "Bandwidth" quota to "Backup Quota" (Yedekleme Kotası) with a one-line explanation, so customers understand the monthly quota measures the data our engine packages and sends to your cloud — not the central server's bandwidth.

= 1.7.9 — 2026-06-29 =
* RELIABILITY: Full & files-only backups can now complete on restricted hosts (exec disabled) via chunked, time-sliced processing. Restore transparently handles the gzipped SQL stored inside the chunked archive.

= 1.7.8 — 2026-06-29 =
* RELIABILITY: Chunked database restore now verifies a completion marker and aborts loudly on a truncated/corrupt archive instead of silently applying a partial restore (data-loss protection).

= 1.7.5 — 2026-06-29 =
* COMPLIANCE: Removed all trial-expired premium locking screens and replaced them with non-blocking warning notices, fully complying with WordPress.org Guideline 5 (Trial/Expired Software).

= 1.7.4 — 2026-06-29 =
* SECURITY: Enforced strict Zero-Server-Storage architecture. Restores and backups are now processed strictly client-side or streamed direct-to-cloud; no temporary backup files or SQL dumps are ever cached/stored on the central backup servers.
* COMPLIANCE: Removed the custom updater class to fully comply with official WordPress.org Plugin Guidelines (Section 3: "Plugins may not bypass the update system").
* COMPATIBILITY: Compatibility enhancements and optimization for PHP 8.x and latest WordPress versions.

= 1.5.6 — 2026-06-27 =
* FIX: Restore button is now a progressive-enhanced link — it opens the secure panel login even if admin JavaScript is unavailable, and shows an in-admin confirmation modal when JS is loaded.

= 1.5.5 — 2026-06-27 =
* RENAME: Plugin display name and slug updated to "Yedekalma — Cloud Backup & Restore" (slug: yedekalma), now that domain ownership is verified.
* DOCS: Clarified the Restore Drill description to match the actual weekly integrity verification.

= 1.5.4 — 2026-06-27 =
* UX: "Restore" button now opens an in-admin confirmation modal.

= 1.5.3 — 2026-06-27 =
* NEW: In-admin "Restore" button on dashboard.
* FIX: Escaped translation strings and resolved REST API route permission callbacks.
* RENAME: Renamed plugin display name and slug to avoid WP brand confusion.
* REMOVE: Removed custom updater to comply with WordPress.org guidelines.

= 1.5.2 — 2026-06-25 =
* RESTORE: Added new `/restore-wpconfig` endpoint to update DB details in `wp-config.php` during database restores to a different host.
* RESILIENCE: Bridge URLs migrated to `?rest_route=` format for compatibility with plain permalink sites.

= 1.5.1 — 2026-06-25 =
* INFO: Added notes to Backup Frequency page explaining synchronization with the optional cloud service.

= 1.4.0 — 2026-06-24 =
* SPEED: Added chunked file transfer support via `/zip-batch` (POST) to speed up backups.

= 1.3.0 — 2026-06-24 =
* Support for large sites: added manifest-based file transfer to avoid execution time limits.

= 1.2.1 — 2026-06-24 =
* Folder exclusions and shared hosting permission handling improvements in file bridge.

= 1.2.0 — 2026-06-24 =
* PLUG-AND-PLAY: FTP/SFTP or MySQL credentials are no longer required to take backups.

= 1.1.4 — 2026-06-24 =
* Bandwidth usage indicator widgets added to admin bar and side dashboard panel.

= 1.1.3 — 2026-06-18 =
* New billing model: 1 GB free bandwidth for new accounts.

= 1.0.0 — 2026-06-17 =
* Initial release.

== Upgrade Notice ==

= 1.8.8 =
Compliance and security improvements; clarifies that local backup & restore are fully functional with no account.

= 1.0.0 =
First stable version.
