tporret

tporret API Data Importer · v1.2.5

External APIs.
WordPress content.
Zero drama.

tporret API Data Importer is an API-first ETL pipeline for WordPress: authenticated REST ingestion, staged queue processing, Twig-based transforms, featured image sideloading, and an operations dashboard built for real production workloads.

Get the Plugin → See what it does
EAPI · catalog-sync · running
01
Extractapi.vendor.com/v2/products
02
Filter & Stagedata.items[] · 847 records staged
03
Twig Transformmapping.twig · rendering batch 4/9
04
Upsert → product CPTqueue · 376 remaining
Title Template
{{ record.brand }}{{ record.name|title }} {% if record.sku %}[{{ record.sku }}]{% endif %}
Requirements
WP 6.3+
PHP 8.1+
Auth 4 modes
React Workspace UI
WP-Cron Scheduling
GPLv2
ETL
Full pipeline
4
Auth modes
9
Live metrics
5
Security layers
Import jobs
Data Flow

Six-stage ETL pipeline.

Every import follows a clean, staged, idempotent flow that separates extraction, filtering, staging, transformation, loading, and finalization for safer long-running jobs.

Extract
Fetch API payload · validate JSON · resolve array_path
Filter
AND-logic rules applied before staging
Stage
Written to wp_custom_import_temp · decoupled from load
Transform
Twig renders content + title · unique key resolved
Load
Upsert by external key + import ID · selected post type
Finalize
Staging cleared · orphan handling · run logged
Core Features

Built for imports that actually ship.

API-first auth, staged ETL, Twig mapping, featured image assignment, multisite awareness, and reporting built for teams that need more than a file importer.

{ }

Twig Templating Engine

Full Twig logic for mapping and title templates, with loops, conditionals, nested object access, and strict validation instead of ad hoc inline PHP.

React Import Job Workspace

Tabbed workflow for Source/Auth, Data Rules, Mapping, and Automation with sticky save actions, dry-run preview, and connection testing.

Operations Dashboard

Nine live metrics across environment health, security, and performance with charts, status indicators, and audit activity feed.

API-First Auth

Dedicated UI for none, bearer, api_key_custom, and basic_auth. Authenticated REST endpoints are first-class, not bolt-on edge cases.

JSON Traversal + Staging

Resolve nested array paths, filter before load, stage into queue-backed temp tables, and keep extraction isolated from transformation and load.

Flexible Recurrence

Off, hourly, twice daily, daily, or custom minute-based schedules per job with manual runs and trigger context tracking.

Dry-Run & API Preview

Test endpoints, preview sample payloads, and dry-run Twig output directly from the workspace before any production write happens.

Per-Import Controls

Target post type, default post settings, custom meta mappings, and optional read-only locking are scoped per import job.

Featured Image Sideloading

Map an image URL path, sideload to the Media Library, deduplicate by source URL, and optionally assign the imported asset as the post thumbnail.

Competitive Edge

Where it pulls ahead of WPAI for API-heavy work.

An honest strategic view: this plugin is strongest when the job is authenticated API ingestion, secure transformation, and long-running ETL rather than simple file imports.

API-first

Dedicated authentication workflow

For API-driven imports, WPAI often depends on extra PHP customization around request handling. Here, bearer tokens, custom API-key headers, basic auth, and unauthenticated endpoints are already part of the import UI.

Security

Sandboxed transforms and auditability

Instead of encouraging arbitrary inline PHP, this plugin uses a constrained Twig environment, template validation limits, SHA256-based template audit logging, SSRF allowlists, and encrypted credential storage with masked REST responses.

Architecture

Real staged ETL, not one long request

Extraction, filtering, staging, transformation, and load are separated on purpose. That queue-backed pipeline reduces the blast radius of slow endpoints and makes recurring imports safer under real-world load.

DX

Cleaner mapping experience

Users can write inline Twig conditionals and loops, set title templates, configure featured image source paths, and choose target post behavior from one workspace instead of bouncing between UI fields and helper PHP snippets.

React Import Job Workspace

Configure imports.
Tab by tab.

The tabbed workspace keeps complex jobs understandable: connect first, shape the data, define templates, then control automation and load behavior.

  • Source & Auth tab — endpoint URL, 4 auth methods, saved credential indicators, test button
  • Data Rules tab — array path, filters, unique ID path
  • Mapping tab — Twig templates, title template, featured image source path, edit lock
  • Automation tab — recurrence schedule, target post type, default post behavior
  • Sticky footer — save, run now, sync existing content actions
  • Optional templates — save the connection now, add mappings later
Source & Auth
Data Rules
Mapping
Automation
Endpoint URL
https://api.vendor.com/v2/products
Auth Method
⚿ bearer
Bearer Token
••••••••••••••••••
Import Name
Catalog Sync — Products
Connection Test
200 OK · 847 records found
none

No Auth

Public endpoints

bearer

Bearer Token

Authorization header

api_key

Custom Header

Any key name

basic

Basic Auth

Username + password

Operations Dashboard

Nine metrics.
Three pillars. One screen.

A Tableau-style React command center with live KPIs, sparklines, charts, and audit activity for environment health, security posture, and API performance.

All Systems OperationalLast refreshed: 00:42 ago · force-refresh ↺
⬡ Environment Health
Cron HeartbeatActive
Queue Depth12 rows
Daily Success Rate98.5%
⚿ Security & Compliance
SSRF HardeningEnabled
Audit Integrity (7d)14 entries
Protocol Enforcement100% HTTPS
100%
HTTPS compliance
0 HTTP endpoints
⚡ Connectivity & Performance
API Latency (avg)142ms
Active Connections6 endpoints
Hourly Throughput1,240 rows
tporret updated mapping template · catalog-sync · SHA256 a3f8… cron batch complete · 200 records · 0 errors tporret SSRF allowlist updated · api.vendor.com added tporret manual run triggered · events-feed cron daily-sync complete · 1,240 rows · 98.5% success tporret updated mapping template · catalog-sync · SHA256 a3f8… cron batch complete · 200 records · 0 errors tporret SSRF allowlist updated · api.vendor.com added tporret manual run triggered · events-feed cron daily-sync complete · 1,240 rows · 98.5% success
Twig Templating Engine

Map anything.
Express everything.

When drag-and-drop mapping hits its ceiling, Twig takes over with real template logic and safer constraints.

  • Context aliases: record, item, data all work
  • Custom filters: format_us_currency · format_date_mdy
  • Strict mode: undefined variables surface clearly instead of failing silently
  • Guardrails: template size, expression count, and nesting depth limits
  • Dry-run preview from inside the Mapping tab
mapping.twig
title-template.twig
loop-example.twig
1{% for item in data.products %}
2
3  {{ item.title|title }}
4  {{ item.price|format_us_currency }}
5  {{ item.launch_date|format_date_mdy }}
6
7  {% if item.price is numeric %}
8    “on_sale”: true
9  {% endif %}
10
11  {% for tag in item.tags %}
12    {{ tag.name|lower }}{% if not loop.last %}, {% endif %}
13  {% endfor %}
14
15{% endfor %}
5-Layer Security Hardening

Production-hardened
from day one.

SSRF controls, template constraints, audit trails, credential protection, and per-import access rules are built into the product instead of being left to custom snippets.

SSRF Prevention

Network Allowlisting

Hostname and CIDR allowlists with DNS resolution. Private and loopback targets are blocked by default, with HTTPS enforced unless you deliberately loosen it.

Template Security

Twig Validator

Blocked tags, syntax checks, size limits, expression limits, and nesting depth limits keep transforms powerful without turning imports into arbitrary code execution.

Audit Logging

Template Change Trail

Template edits are logged with before/after SHA256 hashes, actor identity, and timestamps so teams can review exactly what changed and when.

Credential Protection

Encrypted at Rest

Auth tokens and passwords are encrypted at rest, masked in REST responses, and preserved safely on update without re-exposing secrets to operators.

Data Integrity

Sanitized Load Pipeline

Rendered content and custom meta pass through sanitization before persistence, helping keep transformed output safe as it moves into WordPress storage.

Edit Lock Control

Per-Import Read-Only Mode

Imported posts can be locked against edit, delete, and quick-edit based on import configuration instead of relying on one global post type rule.

EAPI → Audit Log · catalog-sync
TimestampEventActor
14:32:08Mapping template updated · SHA256 a3f8c1… → b92d4e…tporret
14:28:41Batch complete · 200 records · 0 errorscron
14:20:00Import job started · trigger: run_nowtporret
13:55:12Endpoint validated · HTTPS · allowlist matchtporret

Stop hacking.
Start importing.

API-first, open source, and built for repeatable ETL in WordPress without license locks or template-PHP workarounds.

View on GitHub
tporret API Data Importer · v1.2.5 · WordPress 6.3+ · PHP 8.1+ · Tested to 6.9 · Multisite-aware