at first, I want to thank you for awesome plugin, I use it very often for pulling/pusing sites between local dev and production site.
I have little advice for new feature, which would help me a lot. If you are pushing site to production server, you have to be quite sure about security during whole process. I like, how you prefixing .php and .zip files with secret hash. If host don't print out directory structure, you are quite safe, if somebody visits the site during install.
But what concerns me, that during the install process, installer create database.sql and installer-data.sql files, which are quite easy to guess, and those contain the most sensitive data, the site has.
I kinda have those secured by .htaccess files. In all my .htacces I put rule, to disallow access to .sql, .psd etc. files. Which works well just to the point, where Duplicator create it's own clean .htaccess file.
I can think of several solutions:
1. Prefix database files same way as you do with .php and .zip.
2. Before the install, you could create custom .htaccess with rules to disallow access to those sensitive files, and delete them after install.
3. Don't overwrite user's .htaccess file, so we can secure that on our own. There was a discussion about this overwriting, and I get all your points, why you don't want leave user's .htaccess there. But it would be nice, to have this option, maybe in installer, for advanced users, who know whats goin on.
Thanks a lot for considering those points. I'm looking forward to next versions.