This release makes backups far more reliable on tricky hosting setups. Duplicator now automatically detects when a server can’t connect to itself (a common cause of backups stuck at 5%) and switches to a browser-driven build, records exactly why in the activity log, and proactively detects HTTP basic-auth credentials before a build stalls. Backup settings were simplified — several hard-to-tune options now configure themselves — while the Encrypt Settings toggle stays available for servers where encryption causes trouble.Pro users get more dependable scheduled backups — failures no longer retry forever, are recorded with a clear reason, and trigger failure emails. The storage page now shows each provider’s connection status individually instead of blurring the whole page, and unlicensed providers appear as upgrade prompts rather than hiding available storage.Migrations are safer: Manual Archive Extraction no longer deletes files you placed yourself, cross-variant restores (Lite backup → Pro site) work correctly, post-migration cache purging covers many more plugins/themes/hosts, and cloud-import failures now guide you to a working alternative. The installer no longer shows hardcoded “Duplicator Pro” branding, the WordPress Customizer works on staging sites, and dozens of typos were corrected throughout.
BASE [LITE]
[NEW] Backups: Loopback connectivity failures are now recorded in the activity log with structured diagnostics (tested URL, HTTP status, WP error code, and a response-body excerpt) surfaced directly in the event detail view, so admins can troubleshoot stuck backups without digging through build logs.
[NEW] Base: Added proactive HTTP basic-auth detection on the Settings page — detected credentials are pre-filled with a notice (and a warning if saved credentials differ) instead of only surfacing after a build stalls at 5%; detection now also covers CGI/FastCGI servers
[NEW] Base: Added a branded plugin footer on all Duplicator admin pages, with variant-specific links.
[NEW] Recovery: Recovery Points can now be created and used from backups stored on Duplicator Cloud, extending one-click recovery to cloud-side storage.
[NEW] Storage: Renaming a local storage folder path now cleans up the old folder on disk when safe, detaches stale package references, and shows a confirmation dialog before any storage folder rename.
[NEW] Migration: Expanded automatic post-migration cache purging to cover more plugins, themes, and hosts, with targeted installer-cleanup notices for caching tools that must be cleared manually; the “Generate New Auth Keys/Salts” option is now available in all installer variants. (Installer)
[UPD] Base: Simplified the Settings screens by auto-detecting hard-to-tune options (max worker time, lock mode, max storage retries) so there’s less to misconfigure; the removed manual AJAX protocol / custom AJAX URL options are now resolved automatically by WordPress.
[UPD] Base: Restored the Encrypt Settings toggle so users can disable settings encryption when it causes data-saving problems; stored credentials and license data are safely re-encrypted or decrypted when the toggle changes.
[UPD] Base: Settings import/export, database table-prefix editing, and authentication-key regeneration are now available on all license tiers instead of being gated behind higher plans
[UPD] Backups: Backup activity-log details now capture environment context (PHP time/memory limits, lock mode, client-side kickoff) and the Duplicator version, making failures easier to diagnose.
[UPD] Backups: Improved the backup list flags column with per-icon tooltips, showed storages that already hold a backup as visible-but-disabled in the transfer dialog, and reduced unnecessary remote-storage checks on page load.
[UPD] Storage: The storage list now shows a dedicated Location column and a per-row connection-status icon (linked / disconnected with tooltip), replacing the generic page-level “some locations are invalid” warning; the Cloud Dashboard button is always available
[UPD] Migration: Cloud-import failures (e.g. OneDrive after Microsoft’s SharePoint change) now guide users to download the file locally and use the Upload File option.
[FIX] Backups: Backups now automatically detect when the server can’t make loopback requests to itself and switch to client-side (browser-driven) kickoff per backup, eliminating builds stuck at 5% on servers with firewall, DNS, or SSL restrictions; the manual setting was removed since detection is automatic.
[FIX] Backups: Fixed a false-positive loopback detection where the server’s own connectivity test triggered a recursive request cascade and timed out; loopback test requests now exit early before plugin init and the timeout was raised to 10 seconds.
[FIX] Backups: Fixed a race condition where multiple WP-Cron workers could run backups concurrently due to a silent fallback from file locking to SQL locking; lock-type detection now happens once at backup start.
[FIX] Backups: Fixed false scan errors on hosts with unlimited PHP execution time (max_execution_time = 0) and a false-positive open_basedir failure in the build requirements report
[FIX] Backups: Fixed JavaScript errors on the package-creation screen (“is not a function”) and a global admin-page error reading Handlebars from a stale vendor bundle.
[FIX] Backups: Fixed the root directory being written as a bogus entry inside ZIP and DupArchive backups due to a trailing-slash mismatch.
[FIX] Backups: Cancelling or timing out a remote transfer of an already-completed local backup no longer demotes it to cancelled; the local archive stays Complete and accessible.
[FIX] Backups: A backup whose remote transfer fails is now marked storage-failed only when no storage holds a usable copy — backups with at least one good copy stay Complete, visible, and downloadable.
[FIX] Backups: Scan and backup failures now show the failure reason (recommended quick fixes captured at failure time) and an Error Context block with the last log lines in the activity-log Details panel.
[FIX] Storage: Fixed silent backup-file corruption on resumed Duplicator Cloud multipart uploads by deriving part numbers deterministically from the byte offset.
[FIX] Storage: Fixed the Duplicator Cloud backups link pointing to a malformed URL when no website UUID is configured (now points to the manage-websites page), and fixed the storage type name shown in the activity log and OAuth success page.
[FIX] Storage: Fixed a regression where creating a new storage always triggered an unwanted folder-change confirmation dialog
[FIX] Storage: After saving or copying a storage, the page now redirects to the canonical edit URL so reload/bookmark keeps the correct context; hardened save/copy against fatal errors on missing storage.
[FIX] Storage: Renaming a local storage folder no longer deletes the most recent backup’s archive and installer files, and removed the spurious “Leave site?” browser prompt after confirming a path change.
[FIX] Base: Fixed PHP 8.5 and 32-bit integer compatibility in the bundled cryptographic libraries (plus SSH2 RFC 4254 and certificate-decoding fixes), preventing errors on newer PHP versions.
[FIX] Base: Patched bundled-dependency security vulnerabilities — handlebars (critical template injection) and phpseclib (AES-CBC padding oracle), plus transitive npm packages. (Installer)
[FIX] Base: Hardened admin surfaces — brand logo sanitized with wp_kses_post against stored XSS, capability check added to the scan-validator AJAX handler, and a nonce/CSRF check added to the PHP log-clear form.
[FIX] Base: Fixed a 500 error breaking settings export and trace-log downloads, encryption-setting bugs (hooks firing before save completes, Blowfish-availability guard, disabled checkbox when unavailable), and a fatal error / key-mismatch path when writing the encryption key on fresh installs and upgrades.
[FIX] Base: Fixed an infinite recursion that could hang the plugin when an encrypted entity couldn’t be decrypted (e.g. after a server migration rotates WordPress auth keys).
[FIX] Base: Uninstalling one Duplicator variant no longer wipes shared tables and options when another variant is still installed side-by-side. (Installer)
[FIX] Base: Fixed a WordPress-core button styling conflict that depended on stylesheet load order, and aligned the activity-log Filter/Reset button heights.
[FIX] Base: Corrected dozens of typos, grammar mistakes, and product-name misspellings in user-facing messages, tooltips, and settings across the plugin and installer. (Installer)
[UPD] Base: The installer no longer shows a hardcoded “Duplicator Pro” name — it now displays the product name embedded in the archive (falling back to “Duplicator”). (Installer
[FIX] Schedules: Fixed duplicate failure notices when a scheduled backup failed — a single schedule-aware notice now appears across admin pages with a direct link to the Schedules page
[FIX] Migration: Fixed Manual Archive Extraction wiping files the user had pre-extracted; the installer no longer runs its pre-extraction file-removal step when the Manual engine is selected. (Installer
[FIX] Migration: Fixed incorrect plugin activation when restoring Core or modern Lite (v2+) backups — exactly one Duplicator variant now ends up active via a variant-agnostic force-activate list frozen into the archive. (Installer)
[FIX] Migration: Fixed installer help text pointing to the wrong backups directory. (Installer)
PRO
[NEW] Storage: Added SCP-mode transfer support to the FTP/SSH storage layer.
[NEW] Migration: A Pro site can now correctly restore a backup created by the Lite version — the deployer injects the addon code the Pro installer needs, so cross-variant imports, restores, staging, and recovery run reliably. (Installer)
[NEW] Staging: Added installer-side staging-site detection during restore, warning users before overwriting or migrating onto a staging environment, with staging page and admin-bar UI refinements. (Installer)
[UPD] Storage: Instead of blurring the entire storage page when a cloud provider isn’t licensed, each unlicensed storage type (S3, Dropbox, Google Drive, OneDrive, FTP/SFTP) now appears individually as disabled with its own upgrade link, so available storages stay usable.
[FIX] Schedules: Fixed scheduled backups silently retrying forever when they failed before a package could be created (e.g. a missing template) — the schedule now advances, records the failure, and emails the user; also fixed storage-transfer failures not triggering notifications.
[FIX] Schedules: Fixed the schedule “Run Now” action hanging instead of redirecting to the packages page.
[FIX] Schedules: Schedule failures now record an error-severity activity-log entry (so the “Failed Backups Detected” notice links to a populated list), and fixed a fatal crash saving the log entry when a schedule referenced a deleted template.
[FIX] Schedules: Fixed a nonce-action collision in the schedule storage-links endpoint.
[FIX] Storage: Fixed a fatal error in OneDrive uploads where the response body was accessed with array syntax on a response object during failure logging.
[FIX] Storage: Fixed a PHP error rendering the SFTP storage global-options section (a reference to an upload chunk size the SFTP storage never provides).
[FIX] Staging: Fixed the WordPress Customizer preview on staging sites staying blank with links marked unpreviewable (WordPress core rejects URLs containing /wp-content/), while keeping core’s URL-safety checks for other URLs.
[FIX] Staging: Fixed staging sites never being auto-detected as complete (top bar stuck on “Creating…”), and restored consistent staging admin-notice spacing.
[FIX] Staging: Fixed a fatal parse error on PHP 7.4 caused by a mixed type hint in StagingPackage.
[FIX] Multisite: Fixed the package-setup Security tab on multisite showing “You can’t exclude all sites” instead of the security settings.
[FIX] Base: Fixed license-tier selection during cross-license imports so PRO and ELITE correctly outrank BUSINESS and GOLD. (Installer)
[FIX] Base: Fixed a fatal error during upgrade when migrating legacy trace-log options stored as strings (could crash installs upgrading from before 4.5.23-beta1).
