tporret

v1.2.0 · Now with React Workspace + Reporting

External APIs.
WordPress content.
Zero drama.

A full ETL pipeline for WordPress — pull any JSON API, transform it with Twig, land structured content at scale, and monitor everything from a Tableau-style dashboard.

Get the Plugin → See what’s new
EAPI · catalog-sync · running
01
Extractapi.vendor.com/v2/products
02
Filter & Stagedata.items[] · 847 records staged
03
Twig Transformmapping.twig · rendering batch 4/9
04
Upsert → product CPTqueue · 376 remaining
Title Template
{{ record.brand }}{{ record.name|title }} {% if record.sku %}[{{ record.sku }}]{% endif %}
Requirements
WP 6.3+
PHP 8.1+
Twig via Composer
React @wordpress/element
WP-Cron Scheduling
GPLv2
ETL
Full pipeline
4
Auth modes
9
Live metrics
5
Security layers
Import jobs
Data Flow

Six-stage ETL pipeline.

Every import follows a clean, staged, idempotent pipeline — decoupled extraction from transformation from load.

Extract
Fetch API payload · validate JSON · resolve array_path
Filter
AND-logic rules applied before staging
Stage
Written to wp_custom_import_temp · decoupled from load
Transform
Twig renders content + title · unique key resolved
Load
Upsert by external key + import ID · selected post type
Finalize
Staging cleared · orphan handling · run logged
Core Features

Built for imports that actually ship.

No drag-and-drop toys. A real pipeline with filtering, templating, batching, and the security controls your clients expect.

{ }

Twig Templating Engine

Full Twig logic — loops, conditionals, filters, nested objects. Custom extensions: format_us_currency, format_date_mdy, numeric test.

React Import Job Workspace

New in v1.1 — tabbed workspace replaces the legacy form. Source/Auth · Data Rules · Mapping · Automation tabs with sticky save footer.

Tableau-Style Dashboard

Real-time operations command center with 9 KPI metrics across Health, Security, and Performance pillars. Recharts sparklines + donut charts.

Multi-Connection Job Manager

Unlimited independent API import jobs — each with its own endpoint, auth, filters, templates, schedule, and post type target.

JSON Array Traversal

Dot-path resolution for deeply nested payloads. Pre-stage AND-logic filtering strips noise before any records hit the database.

Flexible Recurrence Schedules

Off · hourly · twice daily · daily · or custom N-minute intervals per job. Trigger context tracked: manual, run_now, recurring.

Dry-Run & API Preview

Test endpoints, preview sample payloads, and dry-run Twig templates — all from inside the import workspace before going live.

Per-Import Edit Lock

Toggle read-only mode per job. When locked, imported posts block edit/delete/quick-edit in wp-admin via map_meta_cap.

Media Sideload Helper

Idempotent sideload foundation with source URL deduplication via _eapi_source_url. Optional featured image assignment built in.

React Import Job Workspace · New in v1.1

Configure imports.
Tab by tab.

The legacy single-form workflow is gone. The new tabbed React workspace lets you build complex jobs in stages — connect first, map later.

  • Source & Auth tab — endpoint URL, 4 auth methods, test button
  • Data Rules tab — array path, filters, unique ID path
  • Mapping tab — Twig templates, title template, dry-run, edit lock
  • Automation tab — recurrence schedule, target post type
  • Sticky footer — save, run now, sync existing content actions
  • Optional templates — save connection now, add Twig mappings later
Source & Auth
Data Rules
Mapping
Automation
Endpoint URL
https://api.vendor.com/v2/products
Auth Method
⚿ bearer
Bearer Token
••••••••••••••••••
Import Name
Catalog Sync — Products
Connection Test
200 OK · 847 records found
none

No Auth

Public endpoints

bearer

Bearer Token

Authorization header

api_key

Custom Header

Any key name

basic

Basic Auth

Username + password

Enterprise Reporting Dashboard · New in v1.1

Nine metrics.
Three pillars. One screen.

A Tableau-style React operations command center with live KPIs, sparklines, donut charts, and a rolling audit marquee.

All Systems OperationalLast refreshed: 00:42 ago · force-refresh ↺
⬡ Environment Health
Cron HeartbeatActive
Queue Depth12 rows
Daily Success Rate98.5%
⚿ Security & Compliance
SSRF HardeningEnabled
Audit Integrity (7d)14 entries
Protocol Enforcement100% HTTPS
100%
HTTPS compliance
0 HTTP endpoints
⚡ Connectivity & Performance
API Latency (avg)142ms
Active Connections6 endpoints
Hourly Throughput1,240 rows
tporret updated mapping template · catalog-sync · SHA256 a3f8… cron batch complete · 200 records · 0 errors tporret SSRF allowlist updated · api.vendor.com added tporret manual run triggered · events-feed cron daily-sync complete · 1,240 rows · 98.5% success tporret updated mapping template · catalog-sync · SHA256 a3f8… cron batch complete · 200 records · 0 errors tporret SSRF allowlist updated · api.vendor.com added tporret manual run triggered · events-feed cron daily-sync complete · 1,240 rows · 98.5% success
Twig Templating Engine

Map anything.
Express everything.

When drag-and-drop field mappers hit their ceiling, Twig takes over. Full template logic — including custom WordPress-aware filters.

  • Context aliases: record, item, data all work
  • Custom filters: format_us_currency · format_date_mdy
  • Strict mode: undefined variables caught, not silently blank
  • Size limits: 50KB mapping · 2KB title · 250 expressions · depth 12
  • Dry-run preview from inside the Mapping tab
mapping.twig
title-template.twig
loop-example.twig
1{% for item in data.products %}
2
3  {{ item.title|title }}
4  {{ item.price|format_us_currency }}
5  {{ item.launch_date|format_date_mdy }}
6
7  {% if item.price is numeric %}
8    “on_sale”: true
9  {% endif %}
10
11  {% for tag in item.tags %}
12    {{ tag.name|lower }}{% if not loop.last %}, {% endif %}
13  {% endfor %}
14
15{% endfor %}
5-Layer Security Hardening

Production-hardened
from day one.

Every attack surface addressed — SSRF, template injection, access control, audit trails, and data integrity. Ship to enterprise clients without apology.

SSRF Prevention

Network Allowlisting

Hostname + CIDR allowlists with DNS resolution. RFC1918 blocked by default. HTTPS enforced (filterable). Exact and wildcard subdomain patterns supported.

Template Security

Twig Sandbox Validator

Blocked: include, source, import, embed, extends, use, macro. 50KB mapping / 2KB title size limits. 250 expression + 12 nesting depth limits. All filterable via WordPress hooks.

Audit Logging

Template Change Trail

Every edit logged to wp_custom_import_logs with before/after SHA256 hashes, actor login, role, display name, and precise timestamps. Viewable per job in wp-admin.

Access Control

Capability System

Dedicated eai_manage_templates capability. Permission check: eai_manage_templates OR manage_options OR is_super_admin(). Multisite-aware.

Data Integrity

Input/Output Hardening

Sanitization before all DB persistence. Output escaping in admin views. Nonce checks on admin-post actions and REST endpoints. Queue-first architecture isolates workloads.

Edit Lock Control

Per-Import Read-Only Mode

lock_editing toggle per job. When enabled, imported posts block edit/delete/quick-edit via map_meta_cap for all post types — not just a single CPT.

EAPI → Audit Log · catalog-sync
TimestampEventActor
14:32:08Mapping template updated · SHA256 a3f8c1… → b92d4e…tporret
14:28:41Batch complete · 200 records · 0 errorscron
14:20:00Import job started · trigger: run_nowtporret
13:55:12Endpoint validated · HTTPS · allowlist matchtporret

Stop hacking.
Start importing.

Free, open source, and production-ready. No license keys. No import limits. No lock-in.

View on GitHub
GPLv2 · WordPress 6.3+ · PHP 8.1+ · Requires: composer require twig/twig · Tested to 6.9