Cleans up export files older than three days old.


The export files are stored in wp-content/uploads, and are therefore publicly accessible. A CSPRN is appended to the filename to mitigate the risk of an unauthorized person downloading the file, but it is still possible. Deleting the file after the data subject has had a chance to delete it adds an additional layer of protection.


File: wp-includes/functions.php

function wp_privacy_delete_old_export_files() {
	require_once( ABSPATH . 'wp-admin/includes/file.php' );

	$exports_dir  = wp_privacy_exports_dir();
	$export_files = list_files( $exports_dir, 100, array( 'index.html' ) );

	 * Filters the lifetime, in seconds, of a personal data export file.
	 * By default, the lifetime is 3 days. Once the file reaches that age, it will automatically
	 * be deleted by a cron job.
	 * @since WP-4.9.6
	 * @param int $expiration The expiration age of the export, in seconds.
	$expiration = apply_filters( 'wp_privacy_export_expiration', 3 * DAY_IN_SECONDS );

	foreach ( (array) $export_files as $export_file ) {
		$file_age_in_seconds = time() - filemtime( $export_file );

		if ( $expiration < $file_age_in_seconds ) {
			unlink( $export_file );


Version Description
WP-4.9.6 Introduced.