Documentation Version 1.0.0

SafeCore PRO
Documentation

Complete guide to install, configure, and master SafeCore PRO.

Updated March 13, 2026
View Pricing
On this page
Getting Started How It Works Snapshots Settings Recovery & Rollback History Notifications Troubleshooting Changelog

Getting Started

What is SafeCore PRO?

SafeCore PRO is a WordPress plugin that protects your site from catastrophic updates. Before every plugin or theme update, SafeCore automatically creates a full snapshot (ZIP archive of the directory + WordPress options export). If the update causes a crash or fatal error, SafeCore detects the problem and performs an automatic rollback — with no action required from you.

Requirements

  • WordPress 5.6 or higher
  • PHP 7.4 or higher
  • PHP ZipArchive extension enabled
  • Write access to wp-content/plugins/safecore/data/
  • cURL enabled (for Slack notifications) Optional

Installation

  1. 1Download the safecore.zip file from your client dashboard.
  2. 2In your WordPress back-office, go to Plugins → Add Plugin.
  3. 3Click Upload Plugin, select the ZIP file, and install.
  4. 4Activate the plugin. SafeCore also automatically installs itself as a MU-Plugin to guarantee priority loading.

Tip

SafeCore deploys itself as an MU-plugin (wp-content/mu-plugins/safecore-boot.php) to ensure it loads before all other plugins — even when WordPress is partially broken.

License Activation

  1. 1Once activated, go to SafeCore → Settings in the admin menu.
  2. 2Paste your license key (available in your client dashboard) into the License Key field.
  3. 3Click Activate. SafeCore contacts the license server and confirms activation.

Note

Your license is tied to your domain. To migrate SafeCore to another site, deactivate the license from Settings first.

How It Works

The Update Pipeline

When you click "Update" on a plugin or theme, SafeCore intercepts the action before WordPress executes the native update. Here are the 4 steps:

Step 1

Snapshot — SafeCore compresses the plugin/theme folder into a ZIP file and exports the relevant WordPress options.

Step 2

Update — WordPress performs the update normally via its native system.

Step 3

Health Check — SafeCore requests a health URL (your homepage by default) and verifies the site responds correctly (HTTP 200).

Step 4

Rollback or Success — If the health check fails, SafeCore automatically restores the snapshot. Otherwise, the update is validated.

JavaScript Interception

SafeCore injects a JavaScript script on the admin plugins and themes pages. This script captures all clicks on update buttons. When a click is detected, SafeCore displays its Sentinel modal, prevents WordPress from executing the update directly, and launches its own AJAX pipeline.

Native Bulk Updates

For bulk updates triggered from the WordPress dashboard (bypassing the SafeCore modal), the plugin hooks into the native upgrader_pre_install and upgrader_process_complete hooks to create snapshots and perform verifications.

Snapshots

What is in a Snapshot

A SafeCore snapshot contains two elements:

  • ZIP Archive of the full plugin or theme directory being updated.
  • JSON export of the WordPress options (wp_options) related to the plugin.

Snapshots are stored in plugins/safecore/data/, protected by an .htaccess file that blocks all direct HTTP access.

Limit & Rotation

SafeCore keeps a maximum of 5 snapshots. Beyond that, the oldest is automatically deleted to free up space. Snapshot size depends on the plugin or theme being saved.

Downloading a Snapshot

From the History tab in the SafeCore dashboard, each snapshot entry shows a download button. The ZIP file is served via a secure AJAX handler (nonce + admin capability check).

Manual Snapshot

You can create a manual snapshot at any time from the History tab, without triggering an update.

Settings

Access settings from SafeCore → Settings in the WordPress menu.

Recovery Mode

Defines the automatic action SafeCore takes when an update causes a crash.

  • Rollback — SafeCore automatically restores the previous version of the plugin or theme from the snapshot. This is the recommended mode.
  • Isolation — SafeCore disables the failing component by temporarily renaming it, without touching the database. Last-resort mechanism when no snapshot is available.

Health Check URL

URL that SafeCore requests after each update to verify the site is working. Default: the site's homepage. You can define a custom URL (e.g., a dedicated test page returning HTTP 200).

Email Notifications

When a crash is detected, SafeCore sends an alert email to the WordPress admin address. The email contains: the plugin/theme name, the error message, and the recovery action taken (rollback or isolation).

Slack Webhook

Paste your Slack Incoming Webhook URL to receive instant alerts. SafeCore sends a Slack Block Kit formatted JSON payload including the site, plugin, error, and recovery status.

White-label

Agency Plan

Available on the Agency plan. Allows you to customize the name and icon of the SafeCore menu in the WordPress admin — useful for agencies reselling the service to their clients.

Recovery & Rollback

Automatic Rollback

When an update causes a failed health check (non-200 HTTP, timeout, or PHP fatal error), SafeCore immediately triggers snapshot restoration. The failing update is overwritten by the saved archive. The operation is near-instant.

Manual Rollback

From the History tab, each snapshot has a Restore button. This button performs the same rollback process as the automatic one, but triggered manually at any time.

Plugin Isolation

When SafeCore detects a failing plugin but cannot perform a clean rollback (e.g., the plugin is new, not yet in a snapshot), it can isolate the plugin by temporarily renaming it to deactivate it without touching the database — a last-resort mechanism that works even when WordPress won't boot.

Standalone Recovery Script

SafeCore deploys an autonomous PHP script at wp-content/safecore/recovery-{hash}.php. This script works without WordPress — it can restore a snapshot even if your site is completely broken and showing a white screen. The exact URL is shown in your SafeCore dashboard.

wp-content/safecore/recovery-{hash}.php

Warning

Keep the recovery script URL in a safe place. It is your last line of defense in case of total crash.

Fatal Error Handler

SafeCore installs a custom PHP fatal error handler (wp-content/fatal-error-handler.php) that intercepts fatal errors before WordPress processes them. This allows SafeCore to trigger a rollback even if PHP crashes before WordPress finishes loading.

wp-content/fatal-error-handler.php

History & Audit Log

The History tab in the SafeCore dashboard shows a complete log of all operations performed.

Log Entry Contents

  • Plugin / Theme — Name and slug of the updated element.
  • Action — Operation type: snapshot, update, rollback, isolation.
  • StatusSuccess, Rolled back, or Isolated.
  • Date & Time — Precise timestamp of the operation.
  • Size — Snapshot size in MB.

Storage

The history is stored as JSON in plugins/safecore/data/history.json. It is not written to the database to avoid conflicts with restoration operations.

plugins/safecore/data/history.json

Notifications

Email Alerts

An email is automatically sent to the WordPress administrator when a crash is detected. The content includes:

  • Site name and URL
  • Name and version of the failing plugin/theme
  • Error message or HTTP response code
  • Action taken (automatic rollback, isolation)
  • Timestamp

Slack / Webhook

SafeCore sends a Slack Block Kit formatted JSON payload to the configured webhook URL. Designed for Slack. Any service accepting HTTP POST JSON will receive the notification via the text field, but rich formatting (blocks, fields) is native to Slack only.

Example Slack payload:

{
  "site": "https://yoursite.com",
  "plugin": "woocommerce/woocommerce.php",
  "version_new": "8.4.0",
  "version_old": "8.3.0",
  "status": "rollback",
  "error": "HTTP 500 — Fatal error in class-wc-cart.php",
  "timestamp": "2026-03-13T14:22:05Z"
}

Troubleshooting

500 Error During Update

Check your server's PHP error log. The most common causes are: ZipArchive extension not installed, insufficient write permissions on plugins/safecore/data/, or PHP timeout too short. Increase max_execution_time to at least 120 seconds.

Snapshot Not Being Created

Make sure the plugins/safecore/data/ folder is writable by the PHP process (permissions 755 or 775). If the folder doesn't exist, SafeCore will attempt to create it automatically.

SafeCore Not Intercepting Clicks

Verify the MU-Plugin is present at wp-content/mu-plugins/safecore-boot.php. If the file is missing, deactivate and reactivate SafeCore to redeploy it. Also check that no other plugin is blocking SafeCore's JavaScript.

Resetting SafeCore State

If SafeCore is stuck in a recovery state or shows inconsistent data, you can reset by deleting plugins/safecore/data/state.json. Note: this clears the current state but not the history or snapshots.

Contacting Support

If the problem persists, open a ticket from the Support tab in your SafeCore dashboard. Include your PHP log content and the state.json file for a fast diagnosis.

Changelog

Version 1.0.0 — Initial Release New

March 13, 2026

  • Snapshot engine: ZIP compression + wp_options export
  • Sentinel modal with real-time AJAX pipeline
  • Post-update health check with automatic rollback
  • Plugin isolation mode (last-resort mechanism)
  • Standalone recovery script (works without WordPress)
  • PHP fatal error handler dropin
  • Email and Slack notifications
  • JSON history log with snapshot download
  • Multi-language support: English, French, Arabic
  • White-label branding for agencies (Agency plan)
  • Native WordPress bulk update protection
Back to top