{
    "name": "R2 Media Offload (Multi-Cloud)",
    "slug": "r2-offload",
    "version": "1.0.1",
    "requires": "6.0",
    "tested": "6.6",
    "requires_php": "8.0",
    "author": "<a href='https://rise2.studio'>RISE2 Studio</a>",
    "author_profile": "https://rise2.studio",
    "homepage": "https://rise2.studio",
    "last_updated": "2026-06-18",
    "download_url": "https://plugins.rise2.studio/r2-offload/r2-offload-1.0.1.zip",
    "sections": {
        "description": "<p>Offload the WordPress media library to a remote object store and serve it via CDN, with safe resumable migration for large libraries. Byte-preserving — no re-encoding; sidecar WebP/AVIF variants are offloaded too.</p><h4>Supported providers</h4><ul><li>Amazon S3</li><li>Cloudflare R2 (zero egress)</li><li>Backblaze B2</li><li>Wasabi (no egress fees)</li><li>DigitalOcean Spaces</li><li>Bunny.net Edge Storage + CDN</li><li>Google Cloud Storage</li></ul><p>S3-compatible providers and Bunny.net use the built-in WordPress HTTP transport with native AWS Signature V4 / Bunny auth — no SDK or <code>composer install</code> required. Google Cloud Storage uses the official SDK (bundled).</p><h4>Features</h4><ul><li>Provider-aware settings: bucket, keys, region, object prefix, CDN domain.</li><li>Offload on new upload (async via Action Scheduler or WP-Cron).</li><li>URL rewriting for attachments, image <code>src</code> and <code>srcset</code>.</li><li>Resumable bulk migration: scan, dry-run, queue, verify, prune, restore.</li><li>Providers &amp; Pricing page: per-provider setup guides, pros/cons and a live cost estimate (storage + egress + ops + hidden costs) based on your library size.</li><li>WP-CLI commands and a logs viewer.</li></ul>",
        "changelog": "<h4>1.0.1</h4><ul><li><strong>Security hardening.</strong> The file-log directory (<code>wp-content/plugins/r2-offload/logs/</code>) now ships an <code>.htaccess</code> deny rule + <code>index.php</code> on creation, so the offload log can\u2019t be fetched directly on hosts that don\u2019t already block plugin paths (it holds server paths / object keys / error detail \u2014 never credentials). The log also no longer records absolute server file paths (basename only). An adversarial SQL-injection / SSRF / secret-disclosure / CSRF / file-path audit (each finding independently verified) found no other issues \u2014 all DB access is prepared, outbound HTTP + the SigV4 signer are sound and admin-only, and credentials are never logged or echoed.</li></ul><h4>1.0.0</h4><ul><li>First release on the RISE2 self-hosted update server. Multi-cloud media offload (S3, Cloudflare R2, Backblaze B2, Wasabi, DigitalOcean Spaces, Bunny.net, Google Cloud Storage), CDN URL rewriting, and resumable bulk migration with verify/prune/restore. Added self-hosted update support: the plugin checks <code>plugins.rise2.studio</code> for updates, integrates with WordPress core (Dashboard &rarr; Updates) and adds a <strong>Check for updates</strong> link on the Plugins page; downloads are restricted to the trusted host and manual checks are nonce- and capability-gated.</li></ul>"
    }
}