{"id":321043,"date":"2026-06-24T06:32:21","date_gmt":"2026-06-24T06:32:21","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/zamok-debloat-security-smtp-backups-image-optimization\/"},"modified":"2026-06-24T06:31:59","modified_gmt":"2026-06-24T06:31:59","slug":"zamok","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/zamok\/","author":18529643,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"7.0","requires":"7.0","requires_php":"8.4","requires_plugins":null,"header_name":"Zamok - Security and Site Tools","header_author":"Naiche","header_description":"One lean plugin to debloat, harden, optimize, and back up WordPress \u2014 feature debloat, security (2FA, IP banning, brute-force protection, hardening), SMTP email with a delivery log, encrypted backups, image optimization to WebP, database search-replace & cleanup, and a smarter link search.","assets_banners_color":"1a2f40","last_updated":"2026-06-24 06:31:59","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/zamok\/","header_author_uri":"https:\/\/profiles.wordpress.org\/naiches\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":26,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"naiches","date":"2026-06-24 06:31:59"}},"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3584081,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3584081,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":3584081,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":3584081,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3584081,"resolution":"1","location":"assets","locale":"","width":1280,"height":800},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3584081,"resolution":"2","location":"assets","locale":"","width":1280,"height":800},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3584081,"resolution":"3","location":"assets","locale":"","width":1280,"height":800},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3584081,"resolution":"4","location":"assets","locale":"","width":1280,"height":800},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3584081,"resolution":"5","location":"assets","locale":"","width":1280,"height":800},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3584081,"resolution":"6","location":"assets","locale":"","width":1280,"height":800}},"screenshots":{"1":"The Zamok modules page \u2014 toggle cards grouped by category.","2":"The Email module: SMTP settings and the email log.","3":"IP Banning: active bans and the ban log.","4":"Two-Factor Authentication: per-role enforcement and the user setup wizard.","5":"Database Tools: serialization-safe Search & Replace and Database Cleanup.","6":"Backups: build a package, schedule, and push off-site over SFTP."}},"plugin_section":[],"plugin_tags":[151,263747,247,600,6696],"plugin_category":[41,54,59],"plugin_contributors":[195720],"plugin_business_model":[],"class_list":["post-321043","plugin","type-plugin","status-publish","hentry","plugin_tags-backup","plugin_tags-debloat","plugin_tags-performance","plugin_tags-security","plugin_tags-smtp","plugin_category-communication","plugin_category-security-and-spam-protection","plugin_category-utilities-and-tools","plugin_contributors-naiches","plugin_committers-naiches"],"banners":{"banner":"https:\/\/ps.w.org\/zamok\/assets\/banner-772x250.jpg?rev=3584081","banner_2x":"https:\/\/ps.w.org\/zamok\/assets\/banner-1544x500.jpg?rev=3584081","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/zamok\/assets\/icon-128x128.png?rev=3584081","icon_2x":"https:\/\/ps.w.org\/zamok\/assets\/icon-256x256.png?rev=3584081","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-1.png?rev=3584081","caption":"The Zamok modules page \u2014 toggle cards grouped by category."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-2.png?rev=3584081","caption":"The Email module: SMTP settings and the email log."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-3.png?rev=3584081","caption":"IP Banning: active bans and the ban log."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-4.png?rev=3584081","caption":"Two-Factor Authentication: per-role enforcement and the user setup wizard."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-5.png?rev=3584081","caption":"Database Tools: serialization-safe Search & Replace and Database Cleanup."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-6.png?rev=3584081","caption":"Backups: build a package, schedule, and push off-site over SFTP."}],"raw_content":"\n

Zamok replaces a stack of single-purpose plugins \u2014 for admin enhancements, security hardening, SMTP email delivery, image optimization, database search-and-replace, database cleanup, and full-site backups \u2014 with one maintainable, modular package. Every feature is a toggle. Turn on what you need, leave the rest off.<\/p>\n\n

About the name:<\/strong> Zamok<\/em> (\u0417\u0430\u043c\u043e\u043a) is Ukrainian for both castle<\/em> and lock<\/em> \u2014 strength and security in one word. The name is a small tribute to the people of Ukraine. \ud83c\uddfa\ud83c\udde6<\/p>\n\n

Commitments<\/h4>\n\n
    \n
  • 100% free and open source.<\/strong> GPL-2.0-or-later, forever. No \"pro\" version, no paid tier, no upsell, no ads.<\/li>\n
  • No tracking or telemetry.<\/strong> No usage statistics, no analytics, no phone-home, no self-updater. The only network connections it makes are ones you configure: your SMTP server and your off-site SFTP backup server.<\/li>\n
  • Lean by design.<\/strong> Modules load only when enabled; nothing runs that you haven't turned on.<\/li>\n<\/ul>\n\n

    What it does<\/h4>\n\n

    Zamok is fully modular. Every feature is a self-contained module you switch on or off from a single admin page, grouped into clear categories.<\/p>\n\n

    Core debloat<\/strong><\/p>\n\n

      \n
    • Dashboard Widgets \u2014 removes all dashboard widgets and the welcome panel.<\/li>\n
    • Comments \u2014 completely disables the comment system; existing comments preserved.<\/li>\n
    • File & Site Editors \u2014 disables the Theme\/Plugin File Editors and the Site Editor.<\/li>\n
    • Gravatars \u2014 disables Gravatar avatars to stop external requests to gravatar.com.<\/li>\n
    • Toolbar Cleanup \u2014 removes the WP logo menu, \"+ New\" menu, Help tab, and footer text.<\/li>\n
    • Disable REST API \u2014 blocks REST access for non-authenticated users.<\/li>\n
    • Disable Feeds \u2014 disables all RSS, Atom, and RDF feeds.<\/li>\n
    • Disable Embeds \u2014 disables oEmbed auto-discovery and the embed script.<\/li>\n
    • Disable Auto-Updates \u2014 turns off automatic core\/plugin\/theme updates.<\/li>\n
    • Disable Author Archives \u2014 returns 404 for author archives; prevents enumeration.<\/li>\n
    • Disable Archive Pages \u2014 returns 404 for category, tag, and date archives; filters them from the sitemap.<\/li>\n
    • Disable Smaller Components \u2014 removes version disclosure, legacy meta tags, emoji, frontend Dashicons, and jQuery Migrate.<\/li>\n
    • Disable XML-RPC \u2014 disables XML-RPC, removes the X-Pingback header, blocks pingbacks.<\/li>\n
    • Heartbeat Control \u2014 disables Heartbeat on the frontend and slows it in admin.<\/li>\n
    • Disable AI Features (WP 7.0+) \u2014 unhooks the AI Client, Abilities API, and Connectors.<\/li>\n
    • Disable Application Passwords \u2014 closes the Application Passwords auth surface.<\/li>\n
    • Limit Post Revisions \u2014 caps stored revisions per post (default: last 10).<\/li>\n
    • Strip Comment Author IP (GDPR) \u2014 stops WordPress storing commenter IPs.<\/li>\n<\/ul>\n\n

      Enhancements<\/strong><\/p>\n\n

        \n
      • Email \u2014 SMTP delivery, a forced consistent From address, and a full email log with view\/resend\/auto-clean.<\/li>\n
      • Image Optimization \u2014 auto-resizes and converts new uploads to WebP using native WordPress image processing.<\/li>\n
      • Better Link Search \u2014 relevance ranking, clearer result labels, and a post-type filter in the link modal.<\/li>\n
      • Content Duplication \u2014 one-click duplicate for pages, posts, custom post types, and taxonomy terms. Copies all content, taxonomy assignments, custom fields, and term meta (including ACF fields).<\/li>\n
      • Media Replacement \u2014 replace a media file while keeping the same ID, date, and filename.<\/li>\n
      • SVG Upload \u2014 allows SVG uploads with automatic sanitization.<\/li>\n
      • Missed Schedule Fix \u2014 publishes scheduled posts that missed their time.<\/li>\n
      • Admin Notices Cleanup \u2014 hides plugin spam notices, keeps the important ones.<\/li>\n
      • Custom Login URL \u2014 changes the login URL from wp-login.php to a custom slug.<\/li>\n
      • Email-Only Login \u2014 restricts login to email addresses only.<\/li>\n
      • Site Identity on Login Page \u2014 replaces the WP logo\/link with your site icon and URL.<\/li>\n
      • User Info Columns \u2014 adds Last Login and Registration Date to the Users list.<\/li>\n
      • Disable Gutenberg \u2014 restores the Classic Editor; removes block styles.<\/li>\n<\/ul>\n\n

        Security<\/strong><\/p>\n\n

          \n
        • Two-Factor Authentication \u2014 TOTP authenticator app, emailed code, or single-use backup codes; enforced per role; fully self-hosted. Does not affect REST, XML-RPC, application passwords, WP-CLI, or cron.<\/li>\n
        • Brute Force Protection \u2014 locks out IPs after repeated failed logins, with escalating duration (1 hour, 6 hours, 24 hours, 1 week).<\/li>\n
        • IP Banning \u2014 blocks abusive IPs automatically (escalating, up to 7 days) plus manual bans, an allowlist, and a ban log. No permanent bans \u2014 entries expire and self-clean.<\/li>\n
        • System Hardening \u2014 server\/filesystem hardening via .htaccess (protect system files, disable directory browsing, block PHP execution in writable dirs) and disables the dashboard file editor.<\/li>\n
        • Block User Enumeration \u2014 blocks ?author=N and gates the REST users endpoint.<\/li>\n
        • Admin Creation Alert \u2014 emails you the moment an administrator is created or a user is promoted to admin.<\/li>\n<\/ul>\n\n

          Tools<\/strong><\/p>\n\n

            \n
          • Database Tools \u2014 operator-run utilities under Zamok \u2192 Tools: a serialization-safe Search & Replace and a Database Cleanup for revisions, trash, spam, expired transients, and orphaned meta. Nothing runs on its own \u2014 every action is a manual click.<\/li>\n<\/ul>\n\n

            Backups<\/strong><\/p>\n\n

              \n
            • Backups \u2014 full-site backup of files and database as a single encrypted package. Builds in resumable, timeout-safe steps so it works on shared hosting, with optional scheduling and off-site SFTP push. Archives are encrypted at rest with libsodium; both the browser download and the SFTP upload deliver a plain, restore-anywhere zip. Each package includes a standalone restore installer \u2014 just upload it, open in a browser, and follow the wizard.<\/li>\n<\/ul>\n\n

              Plugin-specific cleanup<\/strong><\/p>\n\n

                \n
              • Clean Up Yoast SEO \u2014 removes promotional modals, upsell popups, menu bloat, the dashboard widget, admin bar menu, and premium upsell cards.<\/li>\n
              • Clean Up WooCommerce \u2014 removes marketplace suggestions, setup wizards, inbox notifications, payment install offers, and extension upsells.<\/li>\n<\/ul>\n\n

                Plugin-specific modules auto-disable when the target plugin is not active.<\/p>\n\n

                What it replaces<\/h4>\n\n

                Zamok can replace the following plugins \u2014 gaining all their features while cutting admin page load times by 40\u201350%, database queries by 65\u201380%, and memory usage by 35\u201350% (based on automated benchmarks across 5 WordPress configurations):<\/p>\n\n

                  \n
                • WP Mail SMTP \/ Post SMTP<\/strong> \u2192 Email module (SMTP, forced From, delivery log)<\/li>\n
                • Solid Security \/ Kadence Security \/ Wordfence<\/strong> \u2192 Brute Force, IP Banning, Two-Factor, Login URL, System Hardening, User Enumeration<\/li>\n
                • Two Factor Authentication<\/strong> \u2192 Two-Factor module (TOTP, email, backup codes)<\/li>\n
                • Smush \/ EWWW \/ ShortPixel<\/strong> \u2192 Image Optimization module (WebP conversion)<\/li>\n
                • Safe SVG \/ SVG Support<\/strong> \u2192 SVG Upload module (sanitized SVGs)<\/li>\n
                • Better Search Replace<\/strong> \u2192 Database Tools (serialization-safe search & replace)<\/li>\n
                • WP-Optimize<\/strong> \u2192 Database Tools (cleanup) + Heartbeat Control + Smaller Components<\/li>\n
                • Disable Comments<\/strong> \u2192 Comments module<\/li>\n
                • Duplicate Post \/ Yoast Duplicate Post<\/strong> \u2192 Content Duplication module<\/li>\n
                • Duplicate Taxonomy Terms (ACF)<\/strong> \u2192 Content Duplication module (term duplication with full ACF field support)<\/li>\n
                • Duplicator \/ UpdraftPlus \/ All-in-One WP Migration<\/strong> \u2192 Backups module (encrypted, scheduled, SFTP)<\/li>\n
                • WPS Hide Login<\/strong> \u2192 Custom Login URL module<\/li>\n
                • Enable Media Replace<\/strong> \u2192 Media Replacement module<\/li>\n<\/ul>\n\n\n
                    \n
                  1. Upload the zamok<\/code> folder to \/wp-content\/plugins\/<\/code>, or install the zip via Plugins \u2192 Add New \u2192 Upload Plugin.<\/li>\n
                  2. Activate the plugin through the Plugins menu in WordPress.<\/li>\n
                  3. Open the new Zamok<\/strong> menu in the admin sidebar.<\/li>\n
                  4. Toggle on the modules you want.<\/li>\n<\/ol>\n\n

                    Requires PHP 8.4 or higher and WordPress 7.0 or higher.<\/p>\n\n\n

                    \n

                    Is it really free?<\/h3><\/dt>\n

                    Yes. GPL-2.0-or-later, forever. There is no pro tier, no upsell, no feature locked behind a payment. We built this to replace plugins whose business model is upselling you \u2014 adding our own would defeat the point.<\/p><\/dd>\n

                    Does it collect any data or phone home?<\/h3><\/dt>\n

                    No. There is no usage tracking, analytics, telemetry, or licensing call-home. Everything runs on your own server. The only outbound connections are ones you configure and opt into: your SMTP server (Email module) and your SFTP server (Backups module). The backup worker makes a local loopback request to your site's own admin-ajax.php to advance background jobs, and the standalone restore installer optionally fetches fresh salts from wordpress.org (with a local fallback).<\/p><\/dd>\n

                    Will it lock me out if I enable Two-Factor Authentication?<\/h3><\/dt>\n

                    Two-Factor is opt-in and defaults off. Backup codes are mandatory at setup, an administrator can reset any user's 2FA from the user-edit screen, and the ZAMOK_2FA_DISABLE<\/code> constant in wp-config.php is an emergency escape hatch.<\/p><\/dd>\n

                    Can I store secrets outside the database?<\/h3><\/dt>\n

                    Yes. SMTP, SFTP, and the backup encryption key can be pinned in wp-config.php via ZAMOK_SMTP_PASSWORD<\/code>, ZAMOK_SFTP_PASSWORD<\/code> \/ ZAMOK_SFTP_KEY<\/code>, and ZAMOK_BACKUP_KEY<\/code>. Secrets stored in the database are encrypted with libsodium.<\/p><\/dd>\n

                    Does it work on Nginx?<\/h3><\/dt>\n

                    Every module works on any server. The System Hardening module writes .htaccess rules, which apply on Apache\/LiteSpeed; on Nginx those rules are inert and the documented Nginx snippets should be used instead.<\/p><\/dd>\n\n<\/dl>\n\n\n

                    1.0.0<\/h4>\n\n
                      \n
                    • Initial release \u2014 41 toggleable modules across Core Debloat, Enhancements, Security, Tools, and Backups.<\/li>\n
                    • GPL-2.0-or-later. No tracking, no telemetry, no paid tier.<\/li>\n<\/ul>","raw_excerpt":"Debloat, harden, optimize, and back up WordPress \u2014 one lean, free, open-source plugin. No tracking, no telemetry, no paid tier.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/321043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=321043"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/naiches"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=321043"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=321043"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=321043"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=321043"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=321043"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=321043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}