Title: Zamok – Security and Site Tools
Author: Naiche
Published: June 24, 2026
Last modified: June 24, 2026

---

![](https://ps.w.org/zamok/assets/banner-772x250.jpg?rev=3584081)

![](https://ps.w.org/zamok/assets/icon-256x256.png?rev=3584081)

# Zamok – Security and Site Tools

 By [Naiche](https://profiles.wordpress.org/naiches/)

[Download](https://downloads.wordpress.org/plugin/zamok.1.0.0.zip)

## Description

Zamok replaces a stack of single-purpose plugins — for admin enhancements, security
hardening, SMTP email delivery, image optimization, database search-and-replace,
database cleanup, and full-site backups — with one maintainable, modular package.
Every feature is a toggle. Turn on what you need, leave the rest off.

**About the name:** _Zamok_ (Замок) is Ukrainian for both _castle_ and _lock_ — 
strength and security in one word. The name is a small tribute to the people of 
Ukraine. 🇺🇦

#### Commitments

 * **100% free and open source.** GPL-2.0-or-later, forever. No “pro” version, no
   paid tier, no upsell, no ads.
 * **No tracking or telemetry.** No usage statistics, no analytics, no phone-home,
   no self-updater. The only network connections it makes are ones you configure:
   your SMTP server and your off-site SFTP backup server.
 * **Lean by design.** Modules load only when enabled; nothing runs that you haven’t
   turned on.

#### What it does

Zamok is fully modular. Every feature is a self-contained module you switch on or
off from a single admin page, grouped into clear categories.

**Core debloat**

 * Dashboard Widgets — removes all dashboard widgets and the welcome panel.
 * Comments — completely disables the comment system; existing comments preserved.
 * File & Site Editors — disables the Theme/Plugin File Editors and the Site Editor.
 * Gravatars — disables Gravatar avatars to stop external requests to gravatar.com.
 * Toolbar Cleanup — removes the WP logo menu, “+ New” menu, Help tab, and footer
   text.
 * Disable REST API — blocks REST access for non-authenticated users.
 * Disable Feeds — disables all RSS, Atom, and RDF feeds.
 * Disable Embeds — disables oEmbed auto-discovery and the embed script.
 * Disable Auto-Updates — turns off automatic core/plugin/theme updates.
 * Disable Author Archives — returns 404 for author archives; prevents enumeration.
 * Disable Archive Pages — returns 404 for category, tag, and date archives; filters
   them from the sitemap.
 * Disable Smaller Components — removes version disclosure, legacy meta tags, emoji,
   frontend Dashicons, and jQuery Migrate.
 * Disable XML-RPC — disables XML-RPC, removes the X-Pingback header, blocks pingbacks.
 * Heartbeat Control — disables Heartbeat on the frontend and slows it in admin.
 * Disable AI Features (WP 7.0+) — unhooks the AI Client, Abilities API, and Connectors.
 * Disable Application Passwords — closes the Application Passwords auth surface.
 * Limit Post Revisions — caps stored revisions per post (default: last 10).
 * Strip Comment Author IP (GDPR) — stops WordPress storing commenter IPs.

**Enhancements**

 * Email — SMTP delivery, a forced consistent From address, and a full email log
   with view/resend/auto-clean.
 * Image Optimization — auto-resizes and converts new uploads to WebP using native
   WordPress image processing.
 * Better Link Search — relevance ranking, clearer result labels, and a post-type
   filter in the link modal.
 * Content Duplication — one-click duplicate for pages, posts, custom post types,
   and taxonomy terms. Copies all content, taxonomy assignments, custom fields, 
   and term meta (including ACF fields).
 * Media Replacement — replace a media file while keeping the same ID, date, and
   filename.
 * SVG Upload — allows SVG uploads with automatic sanitization.
 * Missed Schedule Fix — publishes scheduled posts that missed their time.
 * Admin Notices Cleanup — hides plugin spam notices, keeps the important ones.
 * Custom Login URL — changes the login URL from wp-login.php to a custom slug.
 * Email-Only Login — restricts login to email addresses only.
 * Site Identity on Login Page — replaces the WP logo/link with your site icon and
   URL.
 * User Info Columns — adds Last Login and Registration Date to the Users list.
 * Disable Gutenberg — restores the Classic Editor; removes block styles.

**Security**

 * Two-Factor Authentication — TOTP authenticator app, emailed code, or single-use
   backup codes; enforced per role; fully self-hosted. Does not affect REST,
   XML-RPC, application passwords, WP-CLI, or cron.
 * Brute Force Protection — locks out IPs after repeated failed logins, with escalating
   duration (1 hour, 6 hours, 24 hours, 1 week).
 * IP Banning — blocks abusive IPs automatically (escalating, up to 7 days) plus
   manual bans, an allowlist, and a ban log. No permanent bans — entries expire 
   and self-clean.
 * System Hardening — server/filesystem hardening via .htaccess (protect system 
   files, disable directory browsing, block PHP execution in writable dirs) and 
   disables the dashboard file editor.
 * Block User Enumeration — blocks ?author=N and gates the REST users endpoint.
 * Admin Creation Alert — emails you the moment an administrator is created or a
   user is promoted to admin.

**Tools**

 * Database Tools — operator-run utilities under Zamok → Tools: a serialization-safe
   Search & Replace and a Database Cleanup for revisions, trash, spam, expired transients,
   and orphaned meta. Nothing runs on its own — every action is a manual click.

**Backups**

 * Backups — full-site backup of files and database as a single encrypted package.
   Builds in resumable, timeout-safe steps so it works on shared hosting, with optional
   scheduling and off-site SFTP push. Archives are encrypted at rest with libsodium;
   both the browser download and the SFTP upload deliver a plain, restore-anywhere
   zip. Each package includes a standalone restore installer — just upload it, open
   in a browser, and follow the wizard.

**Plugin-specific cleanup**

 * Clean Up Yoast SEO — removes promotional modals, upsell popups, menu bloat, the
   dashboard widget, admin bar menu, and premium upsell cards.
 * Clean Up WooCommerce — removes marketplace suggestions, setup wizards, inbox 
   notifications, payment install offers, and extension upsells.

Plugin-specific modules auto-disable when the target plugin is not active.

#### What it replaces

Zamok can replace the following plugins — gaining all their features while cutting
admin page load times by 40–50%, database queries by 65–80%, and memory usage by
35–50% (based on automated benchmarks across 5 WordPress configurations):

 * **WP Mail SMTP / Post SMTP** → Email module (SMTP, forced From, delivery log)
 * **Solid Security / Kadence Security / Wordfence** → Brute Force, IP Banning,
   Two-Factor, Login URL, System Hardening, User Enumeration
 * **Two Factor Authentication** → Two-Factor module (TOTP, email, backup codes)
 * **Smush / EWWW / ShortPixel** → Image Optimization module (WebP conversion)
 * **Safe SVG / SVG Support** → SVG Upload module (sanitized SVGs)
 * **Better Search Replace** → Database Tools (serialization-safe search & replace)
 * **WP-Optimize** → Database Tools (cleanup) + Heartbeat Control + Smaller Components
 * **Disable Comments** → Comments module
 * **Duplicate Post / Yoast Duplicate Post** → Content Duplication module
 * **Duplicate Taxonomy Terms (ACF)** → Content Duplication module (term duplication
   with full ACF field support)
 * **Duplicator / UpdraftPlus / All-in-One WP Migration** → Backups module (encrypted,
   scheduled, SFTP)
 * **WPS Hide Login** → Custom Login URL module
 * **Enable Media Replace** → Media Replacement module

## Screenshots

The Zamok modules page — toggle cards grouped by category.

The Email module: SMTP settings and the email log.

IP Banning: active bans and the ban log.

Two-Factor Authentication: per-role enforcement and the user setup wizard.

Database Tools: serialization-safe Search & Replace and Database Cleanup.

Backups: build a package, schedule, and push off-site over SFTP.

## Installation

 1. Upload the `zamok` folder to `/wp-content/plugins/`, or install the zip via
    Plugins → Add New → Upload Plugin.
 2. Activate the plugin through the Plugins menu in WordPress.
 3. Open the new **Zamok** menu in the admin sidebar.
 4. Toggle on the modules you want.

Requires PHP 8.4 or higher and WordPress 7.0 or higher.

## FAQ

### Is it really free?

Yes. GPL-2.0-or-later, forever. There is no pro tier, no upsell, no feature locked
behind a payment. We built this to replace plugins whose business model is upselling
you — adding our own would defeat the point.

### Does it collect any data or phone home?

No. There is no usage tracking, analytics, telemetry, or licensing call-home. Everything
runs on your own server. The only outbound connections are ones you configure and
opt into: your SMTP server (Email module) and your SFTP server (Backups module).
The backup worker makes a local loopback request to your site’s own admin-ajax.php
to advance background jobs, and the standalone restore installer optionally fetches
fresh salts from wordpress.org (with a local fallback).

### Will it lock me out if I enable Two-Factor Authentication?

Two-Factor is opt-in and defaults off. Backup codes are mandatory at setup, an administrator
can reset any user’s 2FA from the user-edit screen, and the `ZAMOK_2FA_DISABLE` 
constant in wp-config.php is an emergency escape hatch.

### Can I store secrets outside the database?

Yes. SMTP, SFTP, and the backup encryption key can be pinned in wp-config.php via
`ZAMOK_SMTP_PASSWORD`, `ZAMOK_SFTP_PASSWORD` / `ZAMOK_SFTP_KEY`, and `ZAMOK_BACKUP_KEY`.
Secrets stored in the database are encrypted with libsodium.

### Does it work on Nginx?

Every module works on any server. The System Hardening module writes .htaccess rules,
which apply on Apache/LiteSpeed; on Nginx those rules are inert and the documented
Nginx snippets should be used instead.
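
An Nginx counterpart to the three behaviours the System Hardening module lists (protect system files, disable directory browsing, block PHP execution in writable directories), added here as an example. It is not the plugin's documented snippet set, and the file names and the `/wp-content/uploads/` path assume a default WordPress layout.

```nginx
# Added example: place inside the server { } block of the WordPress vhost.
# File names and paths below assume a default WordPress layout (assumption).

# Disable directory browsing. "off" is the Nginx default; stating it
# explicitly guards against an inherited "autoindex on".
autoindex off;

# Protect system files: deny dotfiles (.htaccess, .git, .env, ...) but keep
# /.well-known/ reachable, since ACME certificate challenges are served there.
location ~ /\.(?!well-known/) {
    deny all;
}

# Protect system files: configuration and version-revealing files in the
# web root.
location ~* ^/(wp-config\.php|readme\.html|license\.txt)$ {
    deny all;
}

# Block PHP execution in writable directories: a .php file that lands in
# uploads is refused with 403 instead of being passed to the PHP handler.
# Add one block per additional writable directory the site uses.
location ~* ^/wp-content/uploads/.*\.php$ {
    deny all;
}
```

Nginx tries regex locations in the order they appear and stops at the first match, so these blocks must come before the site's generic `location ~ \.php$` handler.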

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Zamok – Security and Site Tools” is open source software. The following people 
have contributed to this plugin.

Contributors

 * [Naiche](https://profiles.wordpress.org/naiches/)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/zamok/), check out 
the [SVN repository](https://plugins.svn.wordpress.org/zamok/), or subscribe to 
the [development log](https://plugins.trac.wordpress.org/log/zamok/) by [RSS](https://plugins.trac.wordpress.org/log/zamok/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial release — 41 toggleable modules across Core Debloat, Enhancements, Security,
   Tools, and Backups.
 * GPL-2.0-or-later. No tracking, no telemetry, no paid tier.

## Meta

 * Version **1.0.0**
 * Last updated **1 day ago**
 * Active installations **Fewer than 10**
 * WordPress version **7.0 or higher**
 * Tested up to **7.0**
 * PHP version **8.4 or higher**
 * Tags: [backup](https://wordpress.org/plugins/tags/backup/), [debloat](https://wordpress.org/plugins/tags/debloat/),
   [performance](https://wordpress.org/plugins/tags/performance/), [security](https://wordpress.org/plugins/tags/security/),
   [smtp](https://wordpress.org/plugins/tags/smtp/)
 * [Advanced View](https://wordpress.org/plugins/zamok/advanced/)
