{"id":322977,"date":"2026-06-08T15:56:50","date_gmt":"2026-06-08T15:56:50","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/reqlock\/"},"modified":"2026-06-08T15:56:26","modified_gmt":"2026-06-08T15:56:26","slug":"reqlock","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/reqlock\/","author":23512047,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"7.0","requires":"5.0","requires_php":"7.2","requires_plugins":null,"header_name":"ReqLock","header_author":"Rackset","header_description":"An outbound (egress) firewall for WordPress: control every external call the site makes \u2014 server-side (WP HTTP API: analytics, wordpress.org, OpenAI\/Gemini, etc.) and browser-side (external scripts, styles, fonts, iframes, analytics). Three uses in one switch \u2014 resilience (keep the site up when the internet is cut or restricted), performance (slow\/dead third-party calls fail instantly instead of stalling front-end and admin page loads), and privacy (strip trackers and phone-home requests).","assets_banners_color":"665fe1","last_updated":"2026-06-08 15:56:26","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/apps.rackset.com\/reqlock\/","header_author_uri":"https:\/\/rackset.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":37,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"rackset","date":"2026-06-08 15:56:26"}},"upgrade_notice":{"1.0.0":"<p>First public release of ReqLock.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3564939,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3564939,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3564939,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3564939,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3564939,"resolution":"1","location":"assets","locale":"","width":1200,"height":2021}},"screenshots":{"1":"The ReqLock settings page \u2014 master switch, per-category toggles, allow-list, and the detected-hosts panel."}},"plugin_section":[],"plugin_tags":[257300,1174,2323,247,396],"plugin_category":[54,59],"plugin_contributors":[266220],"plugin_business_model":[],"class_list":["post-322977","plugin","type-plugin","status-publish","hentry","plugin_tags-external-requests","plugin_tags-firewall","plugin_tags-offline","plugin_tags-performance","plugin_tags-privacy","plugin_category-security-and-spam-protection","plugin_category-utilities-and-tools","plugin_contributors-rackset","plugin_committers-rackset"],"banners":{"banner":"https:\/\/ps.w.org\/reqlock\/assets\/banner-772x250.png?rev=3564939","banner_2x":"https:\/\/ps.w.org\/reqlock\/assets\/banner-1544x500.png?rev=3564939","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/reqlock\/assets\/icon-128x128.png?rev=3564939","icon_2x":"https:\/\/ps.w.org\/reqlock\/assets\/icon-256x256.png?rev=3564939","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/reqlock\/assets\/screenshot-1.png?rev=3564939","caption":"The ReqLock settings page \u2014 master switch, per-category toggles, allow-list, and the detected-hosts panel."}],"raw_content":"<!--section=description-->\n<p><strong>ReqLock<\/strong> \u2014 also written <strong>RequestLock<\/strong> or <strong>Request Lock<\/strong> \u2014 is an outbound (egress)\nfirewall for WordPress. It controls every call your site makes <em>out<\/em> to the internet, on\nboth sides of the request: the <strong>server<\/strong> (PHP \/ WP HTTP API) and the <strong>browser<\/strong> (the HTML\nyour pages render). One master switch puts your site fully in control of its own outbound\ntraffic.<\/p>\n\n<p>Modern WordPress sites are noisy: update checks, license pings, analytics, tag managers,\nexternal fonts, embedded widgets, AI APIs, and assorted \"phone-home\" calls all reach out to\nservers you don't control. When those servers are slow, blocked, or down, your pages and your\ndashboard pay the price \u2014 and every one of them is a place your visitors' data leaks out.\nReqLock lets you shut that traffic off at will, instantly and reversibly, without editing\ntheme files or hunting down plugins.<\/p>\n\n<p><strong>One switch, four jobs:<\/strong><\/p>\n\n<ul>\n<li><strong>Resilience<\/strong> \u2014 keep the site working when the external internet is <strong>cut or restricted<\/strong>\n(outages, regional shutdowns, upstream failures). Pages serve from local assets and\nwp-admin stops hanging on dead requests.<\/li>\n<li><strong>Performance<\/strong> \u2014 slow or unreachable third-party calls <strong>fail instantly<\/strong> instead of\nstalling front-end and back-end page loads on long timeouts.<\/li>\n<li><strong>Privacy<\/strong> \u2014 strip analytics, trackers, external fonts, and phone-home requests so nothing\nabout your visitors leaves the server.<\/li>\n<li><strong>Development<\/strong> \u2014 turn any install into a self-contained, <strong>offline-capable<\/strong> environment:\nno external calls, no tracking from a staging copy, no waiting on remote APIs while you work.<\/li>\n<\/ul>\n\n<h4>Use cases<\/h4>\n\n<ul>\n<li><strong>Outage \/ shutdown resilience.<\/strong> When upstream connectivity is throttled or blocked, a\nnormal WordPress site stalls on every external call. Flip ReqLock on and the site keeps\nserving from local resources \u2014 admin included.<\/li>\n<li><strong>Speeding up a sluggish site.<\/strong> A single slow analytics or font host can add seconds to\nevery page load. ReqLock makes those calls fail fast instead of blocking the render.<\/li>\n<li><strong>Privacy \/ no-tracking deployments.<\/strong> Run a site that provably makes no third-party\nrequests \u2014 useful for privacy-first projects, internal tools, and compliance-sensitive setups.<\/li>\n<li><strong>Local &amp; staging development.<\/strong> Clone production to a laptop or staging box and ReqLock\nkeeps it from phoning home: no analytics fired from a test copy, no license pings, no\nWordPress.org update checks slowing down <code>wp-admin<\/code> while you build. The site behaves the\nsame with the network unplugged \u2014 ideal for offline coding, demos, and air-gapped boxes.<\/li>\n<li><strong>Auditing what a site talks to.<\/strong> The Detected-hosts panel logs every external host the\nsite reaches, so you can see exactly who your themes and plugins contact \u2014 then decide what\nto allow and what to cut.<\/li>\n<\/ul>\n\n<h4>What it blocks<\/h4>\n\n<p><strong>Server-side (PHP \/ WP HTTP API)<\/strong><\/p>\n\n<ul>\n<li>Outbound <code>wp_remote_*<\/code> requests to external hosts: WordPress.org update\/version checks,\nanalytics, AI APIs (OpenAI, Gemini), remote fonts, license\/phone-home pings, etc. They fail\ninstantly instead of timing out.<\/li>\n<\/ul>\n\n<p><strong>Browser-side (rendered HTML)<\/strong><\/p>\n\n<ul>\n<li>External <code>&lt;script src&gt;<\/code> and external <code>&lt;link rel=\"stylesheet\"&gt;<\/code> (e.g. Google Fonts)<\/li>\n<li>Resource hints: <code>preconnect<\/code> \/ <code>dns-prefetch<\/code> \/ <code>preload<\/code> \/ <code>prefetch<\/code><\/li>\n<li>External <code>&lt;iframe&gt;<\/code> (replaced with a clean local placeholder)<\/li>\n<li>Inline analytics snippets: Google Analytics \/ Tag Manager, Microsoft Clarity, Ahrefs,\nMeta Pixel, Hotjar, Yandex, TikTok, Pinterest, LinkedIn, Twitter\/X, Snap, Segment, Plausible<\/li>\n<li>Optional: external <code>&lt;img&gt;<\/code> (transparent placeholder)<\/li>\n<\/ul>\n\n<h4>Key behavior<\/h4>\n\n<ul>\n<li>Your own domain and all its subdomains are <strong>always allowed<\/strong>.<\/li>\n<li><strong>Allow-list<\/strong> for any other hosts that must stay reachable.<\/li>\n<li><strong>Detected-hosts panel<\/strong> logs every external host seen, so you can build the allow-list fast.<\/li>\n<li><strong>Per-category toggles<\/strong> \u2014 turn each blocking layer on\/off independently.<\/li>\n<li><strong>wp-config conflict control<\/strong> \u2014 detects a hard-coded <code>WP_HTTP_BLOCK_EXTERNAL<\/code> constant and\nlets you disarm it (comment it out) or re-arm it (restore it) in one click, so ReqLock is the\nsingle switch for external blocking. Edits are reversible, integrity-checked, and atomic.<\/li>\n<li><strong>Inert when OFF<\/strong> \u2014 with the master switch off, the plugin does nothing, so it is safe to\nkeep installed and flip on only when needed.<\/li>\n<li><strong>Works over full-page caches<\/strong> \u2014 the output filter runs as the outermost buffer, so it\ncovers cached page views too.<\/li>\n<\/ul>\n\n<h3>Credits<\/h3>\n\n<p>Developed and maintained by the Rackset DevOps Team \u2014 https:\/\/rackset.com<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>reqlock<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or install the ZIP from <strong>Plugins \u2192 Add New \u2192 Upload Plugin<\/strong>.<\/li>\n<li>Activate <strong>ReqLock<\/strong> from the <strong>Plugins<\/strong> screen.<\/li>\n<li>Go to <strong>Settings \u2192 ReqLock<\/strong>.<\/li>\n<li>Turn the <strong>master switch ON<\/strong> when you want to block external requests (during an outage, to cut slow\/tracking calls, or to take a dev\/staging copy offline). It is <strong>OFF<\/strong> by default, so activation alone changes nothing.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"will%20activating%20it%20break%20my%20site%3F\"><h3>Will activating it break my site?<\/h3><\/dt>\n<dd><p>No. With the master switch OFF the plugin is completely inert. Even when ON, your own domain and its subdomains are always allowed.<\/p><\/dd>\n<dt id=\"when%20should%20i%20turn%20the%20master%20switch%20on%3F\"><h3>When should I turn the master switch ON?<\/h3><\/dt>\n<dd><p>Any time you want to cut the site off from external services: during an internet outage\/restriction, to stop slow third-party calls from dragging down load times, to strip trackers for privacy, or to take a staging\/local copy fully offline while you develop.<\/p><\/dd>\n<dt id=\"can%20i%20use%20it%20to%20develop%20offline%3F\"><h3>Can I use it to develop offline?<\/h3><\/dt>\n<dd><p>Yes \u2014 that's a core use case. Turn the master switch ON and the install stops reaching out to WordPress.org, analytics, license servers, fonts, and other remote hosts. Your local or staging site then loads and behaves the same with the network unplugged, and never fires tracking or phone-home calls from a non-production copy.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20caching%20plugins%3F\"><h3>Does it work with caching plugins?<\/h3><\/dt>\n<dd><p>Yes. The output filter runs as the outermost output buffer, so it also filters cached page views (tested with full-page cache plugins).<\/p><\/dd>\n<dt id=\"does%20it%20affect%20wp-admin%3F\"><h3>Does it affect wp-admin?<\/h3><\/dt>\n<dd><p>Server-side request blocking applies everywhere (which makes the admin faster when the network is down). Browser-side HTML sanitizing runs on the front-end by default; you can optionally enable it for wp-admin too.<\/p><\/dd>\n<dt id=\"how%20do%20i%20keep%20one%20external%20service%20working%20while%20blocking%20the%20rest%3F\"><h3>How do I keep one external service working while blocking the rest?<\/h3><\/dt>\n<dd><p>Add its host to the Allow-list. The Detected-hosts panel lists everything ReqLock sees, so you can copy hosts from there.<\/p><\/dd>\n<dt id=\"what%20about%20custom%20php%20scripts%20that%20bypass%20wordpress%3F\"><h3>What about custom PHP scripts that bypass WordPress?<\/h3><\/dt>\n<dd><p>Standalone scripts that use raw <code>curl<\/code>\/<code>file_get_contents<\/code> outside WordPress are not interceptable by a plugin and must guard their own external calls.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial public release.<\/li>\n<li>Server-side blocking of outbound WP HTTP API requests to external hosts (with allow-list).<\/li>\n<li>Browser-side sanitization: external scripts, styles, resource hints, iframes, inline analytics, and (optional) images.<\/li>\n<li>wp-config conflict control: detect, disarm, and re-arm a hard-coded <code>WP_HTTP_BLOCK_EXTERNAL<\/code> constant.<\/li>\n<li>Output filter runs as the outermost buffer, so it covers full-page-cache hits.<\/li>\n<li>Per-category toggles, allow-list, detected-hosts log, and an admin-bar active-mode indicator.<\/li>\n<li>Translations: English, \u65e5\u672c\u8a9e (Japanese), \u7b80\u4f53\u4e2d\u6587 (Simplified Chinese), Espa\u00f1ol, Deutsch, Fran\u00e7ais, \u0641\u0627\u0631\u0633\u06cc (Persian).<\/li>\n<\/ul>","raw_excerpt":"Block external &amp; slow third-party requests in WordPress \u2014 for resilience, performance, privacy, and offline development. One master switch.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/322977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=322977"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/rackset"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=322977"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=322977"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=322977"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=322977"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=322977"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=322977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}