PatchOn Agent

PatchOn is a solution for safely updating the plugins, themes, and core of your WordPress site. Before applying an update to production, it reproduces your site's configuration in a staging environment, applies the update there, and runs a screenshot comparison (Visual Regression Test) to check for any problems. This plugin acts as the connector between your WordPress site and PatchOn. This plugin requires the PatchOn service (patchon.jp) and does not function on its own. No account is required to get started. Immediately after activation it performs no external communication, and a consent screen is shown in the admin area. Outbound communication with PatchOn begins only after the user explicitly clicks the "Agree and Start" button on that consent screen, which registers the site anonymously. A PatchOn account is needed only to view detailed inspection results in the dashboard or to upgrade to a paid plan. Main Features

• Pre-inspection that simulates updates in a staging environment, with results displayed in your dashboard
• Backup of site files and database before applying updates
• Production rollout of updates that have passed inspection

This plugin (the free distribution on WordPress.org) does not write to your site files (wp-content, mu-plugins, theme directories, etc.), even when it detects a problem. AI auto-repair, which writes patched code to mu-plugins or the active child theme, is provided by the separately distributed PatchOn Agent Pro extension plugin (available to PatchOn Standard / Business plan subscribers). Data Sent After the user has consented on the consent screen, when they run a "Pre-inspection" or "Apply update" operation, the plugin sends the following data to PatchOn and related external services. See the Privacy Policy for details.

• Site URL / WordPress version / PHP version / DB version
• List and versions of installed plugins, themes, and MU plugins
• Site files prior to update application (child theme / mu-plugins / wp-config.php, used for backup)
• Contents of WordPress debug.log (used to detect issues)
• Lightweight database dump (only at pre-inspection time; tables and columns containing personal information are excluded)

1.1.4

• Pre-update restore points now capture the database incrementally. Instead of re-uploading the entire database on every update, the restore point reuses the unchanged parts of the most recent pre-inspection snapshot and sends only the rows that changed, dramatically reducing the backup phase on large sites. A built-in self-verification step falls back to a full dump whenever anything looks inconsistent, so a restore point is never shipped in a partial state.
• Dramatically faster backup archiving before pre-inspections and updates. The previous implementation rewrote the entire archive for every file added, causing quadratic I/O; archives are now built in a single pass, reducing the backup phase from minutes to seconds on sites with thousands of plugin and theme files.
• Clearer guidance during the pre-update backup on the update screen. The screen now indicates whether a fast incremental backup (reusing the latest snapshot) or a full backup is in progress, and asks you to keep the tab open until it finishes. This replaces the previous message that incorrectly implied the resumable backup always continued after closing the tab.
• Fixed a bug where inspection target URLs with non-ASCII slugs (such as Japanese permalinks) were corrupted on save: percent-encoded characters were stripped during input sanitization, leaving only the ASCII portion of the path. URL input is now sanitized with esc_url_raw(), which preserves percent-encoding.
• Canceling a pre-inspection now also stops it on the backend (the staging worker), so you can re-run immediately instead of being blocked by an "a pre-inspection is already running" error. The cancel button is no longer shown during the production update step itself, where the update cannot be safely interrupted.
• Large pre-update backups now continue on the server even if you close the browser tab. Previously the resumable backup of a large database was driven by the open admin tab and paused when you navigated away; it now self-drives via background loopback requests, with a scheduled health-check that restarts a stalled run on sites that receive traffic.
• Fixed a bug where a plugin that was active before an update could be left deactivated after the update finished. Plugins that were active beforehand are now reactivated once their update completes.
• Updates that require a newer PHP or WordPress version than your live site actually runs are now detected on your site and excluded from the update run, instead of being applied and silently breaking the site. The pre-inspection also reports your site's PHP version and key limits so results better match your real environment.
• Updates that could not be inspected (for example, when no inspection result is available) are no longer applied to your production site. Only updates that were actually inspected and verified are included in the update run.
• Corrected the consent screen to accurately describe the data sent during a pre-inspection: it now states that your site's files and database are sent, replacing wording that implied parts containing personal information were excluded.

1.1.3

• Updates on every plan now create a restore point (site files and a full database dump) before applying changes, stored in PatchOn cloud storage with a plan-based retention period and downloadable from the update screen for self-service recovery. The consent screen and privacy policy have been updated to cover this storage.
• Fixed multiple bugs where a failed update could be misreported as successful, including copy failures during the upgrade, concurrent update runs leaving maintenance mode stuck, stale update caches, and a locale-dependent misclassification on Japanese sites.
• The Pro extension required for applying AI repairs can now be installed and activated with one click from the update screen, with clearer guidance when a license is missing or expired.

1.1.2

• Removed direct require_once of WordPress core loading files (wp-includes/functions.php, wp-admin/includes/theme.php, wp-admin/includes/misc.php) in response to plugin review feedback.
• Disabled autoload for frequently updated options (patchon_update_state, patchon_update_flash, patchon_site_uuid) to reduce per-request overhead.
• Escaped all remaining dynamic output (a ternary expression and update/log counts) with esc_html() to comply with the late-escaping convention.
• Updated "Tested up to" to WordPress 7.0.

1.1.1

• Replaced direct cURL calls in the backup upload path with the WordPress HTTP API (wp_remote_request()), using the official http_api_curl hook to enable streaming uploads of large backup archives without buffering in memory.

1.1.0

• Removed file write capabilities (no longer writes to wp-content, mu-plugins, or theme directories). Such writes were moved to the separately distributed PatchOn Agent Pro extension plugin.
• Added an explicit consent screen shown on first activation. The plugin now registers your site anonymously after consent, and no account is required to get started.
• Added CSRF nonce verification on the connection flow to prevent site hijack via crafted redirect URLs.
• Updated plan tiers (Free / Standard / Business) and removed the legacy Enterprise tier from the catalog.

1.0.0

• Initial release on the WordPress.org official directory.