Title: Zamok – Security and Site Tools
Author: Naiche
Published: June 24, 2026
Last modified: June 30, 2026

---

# Zamok – Security and Site Tools

 By [Naiche](https://profiles.wordpress.org/naiches/)

[Download](https://downloads.wordpress.org/plugin/zamok.1.0.2.zip)

## Description

Zamok replaces a stack of single-purpose plugins — for admin enhancements, security
hardening, SMTP email delivery, image optimization, database search-and-replace,
database cleanup, and full-site backups — with one maintainable, modular package.
Every feature is a toggle. Turn on what you need, leave the rest off.

**About the name:** _Zamok_ (Замок) is Ukrainian for both _castle_ and _lock_ — 
strength and security in one word. The name is a small tribute to the people of 
Ukraine. 🇺🇦

#### Commitments

 * **100% free and open source.** GPL-2.0-or-later, forever. No “pro” version, no
   paid tier, no upsell, no ads.
 * **No tracking or telemetry.** No usage statistics, no analytics, no phone-home,
   no self-updater. The only network connections it makes are ones you configure:
   your SMTP server and your off-site SFTP backup server.
 * **Lean by design.** Modules load only when enabled; nothing runs that you haven’t
   turned on.

#### What it does

Zamok is fully modular. Every feature is a self-contained module you switch on or
off from a single admin page, grouped into clear categories.

**Core debloat**

 * Dashboard Widgets — removes all dashboard widgets and the welcome panel.
 * Comments — completely disables the comment system; existing comments preserved.
 * File & Site Editors — disables the Theme/Plugin File Editors and the Site Editor.
 * Gravatars — disables Gravatar avatars to stop external requests to gravatar.com.
 * Toolbar Cleanup — removes the WP logo menu, “+ New” menu, Help tab, and footer
   text.
 * Disable REST API — blocks REST access for non-authenticated users.
 * Disable Feeds — disables all RSS, Atom, and RDF feeds.
 * Disable Embeds — disables oEmbed auto-discovery and the embed script.
 * Disable Auto-Updates — turns off automatic core/plugin/theme updates.
 * Disable Author Archives — returns 404 for author archives; prevents enumeration.
 * Disable Archive Pages — returns 404 for category, tag, and date archives; filters
   them from the sitemap.
 * Disable Smaller Components — removes version disclosure, legacy meta tags, emoji,
   frontend Dashicons, and jQuery Migrate.
 * Disable XML-RPC — disables XML-RPC, removes the X-Pingback header, blocks pingbacks.
 * Heartbeat Control — disables Heartbeat on the frontend and slows it in admin.
 * Disable AI Features (WP 7.0+) — unhooks the AI Client, Abilities API, and Connectors.
 * Disable Application Passwords — closes the Application Passwords auth surface.
 * Limit Post Revisions — caps stored revisions per post (default: last 10).
 * Strip Comment Author IP (GDPR) — stops WordPress storing commenter IPs.

**Enhancements**

 * Email — SMTP delivery, a forced consistent From address, and a full email log
   with view/resend/auto-clean.
 * Image Optimization — auto-resizes and converts new uploads to WebP using native
   WordPress image processing.
 * Better Link Search — relevance ranking, clearer result labels, and a post-type
   filter in the link modal.
 * Content Duplication — one-click duplicate for pages, posts, custom post types,
   and taxonomy terms. Copies all content, taxonomy assignments, custom fields, 
   and term meta (including ACF fields).
 * Media Replacement — replace a media file while keeping the same ID, date, and
   filename.
 * SVG Upload — allows SVG uploads with automatic sanitization.
 * Missed Schedule Fix — publishes scheduled posts that missed their time.
 * Admin Notices Cleanup — hides plugin spam notices, keeps the important ones.
 * Custom Login URL — changes the login URL from wp-login.php to a custom slug.
 * Email-Only Login — restricts login to email addresses only.
 * Site Identity on Login Page — replaces the WP logo/link with your site icon and
   URL.
 * User Info Columns — adds Last Login and Registration Date to the Users list.
 * Disable Gutenberg — restores the Classic Editor; removes block styles.

**Security**

 * Two-Factor Authentication — TOTP authenticator app, emailed code, or single-use
   backup codes; enforced per role; fully self-hosted. Does not affect REST, XML-RPC,
   application passwords, WP-CLI, or cron.
 * Brute Force Protection — locks out IPs after repeated failed logins, with escalating
   duration (1 hour, 6 hours, 24 hours, 1 week).
 * IP Banning — blocks abusive IPs automatically (escalating, up to 7 days) plus
   manual bans, an allowlist, and a ban log. No permanent bans — entries expire 
   and self-clean.
 * System Hardening — server/filesystem hardening via .htaccess (protect system 
   files, disable directory browsing, block PHP execution in writable dirs) and 
   disables the dashboard file editor.
 * Block User Enumeration — blocks ?author=N and gates the REST users endpoint.
 * Admin Creation Alert — emails you the moment an administrator is created or a
   user is promoted to admin.

**Tools**

 * Database Tools — operator-run utilities under Zamok → Tools: a serialization-safe
   Search & Replace and a Database Cleanup for revisions, trash, spam, expired transients,
   and orphaned meta. Nothing runs on its own — every action is a manual click.

**Backups**

 * Backups — full-site backup of files and database as a single encrypted package.
   Builds in resumable, timeout-safe steps so it works on shared hosting, with optional
   scheduling and off-site SFTP push. Archives are encrypted at rest with libsodium;
   both the browser download and the SFTP upload deliver a plain, restore-anywhere
   zip. Each package includes a standalone restore installer — just upload it, open
   in a browser, and follow the wizard.

**Plugin-specific cleanup**

 * Clean Up Yoast SEO — removes promotional modals, upsell popups, menu bloat, the
   dashboard widget, admin bar menu, and premium upsell cards.
 * Clean Up WooCommerce — removes marketplace suggestions, setup wizards, inbox 
   notifications, payment install offers, and extension upsells.

Plugin-specific modules auto-disable when the target plugin is not active.

#### What it replaces

Zamok can replace the following plugins — gaining all their features while cutting
admin page load times by 40–50%, database queries by 65–80%, and memory usage by
35–50% (based on automated benchmarks across 5 WordPress configurations):

 * **WP Mail SMTP / Post SMTP** → Email module (SMTP, forced From, delivery log)
 * **Solid Security / Kadence Security / Wordfence** → Brute Force, IP Banning,
   Two-Factor, Login URL, System Hardening, User Enumeration
 * **Two Factor Authentication** → Two-Factor module (TOTP, email, backup codes)
 * **Smush / EWWW / ShortPixel** → Image Optimization module (WebP conversion)
 * **Safe SVG / SVG Support** → SVG Upload module (sanitized SVGs)
 * **Better Search Replace** → Database Tools (serialization-safe search & replace)
 * **WP-Optimize** → Database Tools (cleanup) + Heartbeat Control + Smaller Components
 * **Disable Comments** → Comments module
 * **Duplicate Post / Yoast Duplicate Post** → Content Duplication module
 * **Duplicate Taxonomy Terms (ACF)** → Content Duplication module (term duplication
   with full ACF field support)
 * **Duplicator / UpdraftPlus / All-in-One WP Migration** → Backups module (encrypted,
   scheduled, SFTP)
 * **WPS Hide Login** → Custom Login URL module
 * **Enable Media Replace** → Media Replacement module

## Screenshots

The Zamok modules page — toggle cards grouped by category.

The Email module: SMTP settings and the email log.

IP Banning: active bans and the ban log.

Two-Factor Authentication: per-role enforcement and the user setup wizard.

Database Tools: serialization-safe Search & Replace and Database Cleanup.

Backups: build a package, schedule, and push off-site over SFTP.

## Installation

 1. Upload the `zamok` folder to `/wp-content/plugins/`, or install the zip via Plugins
    → Add New → Upload Plugin.
 2. Activate the plugin through the Plugins menu in WordPress.
 3. Open the new **Zamok** menu in the admin sidebar.
 4. Toggle on the modules you want.

Requires PHP 8.4 or higher and WordPress 7.0 or higher.

## FAQ

### Is it really free?

Yes. GPL-2.0-or-later, forever. There is no pro tier, no upsell, no feature locked
behind a payment. We built this to replace plugins whose business model is upselling
you — adding our own would defeat the point.

### Does it collect any data or phone home?

No. There is no usage tracking, analytics, telemetry, or licensing call-home. Everything
runs on your own server. The only outbound connections are ones you configure and
opt into: your SMTP server (Email module) and your SFTP server (Backups module).
The backup worker makes a local loopback request to your site’s own admin-ajax.php
to advance background jobs, and the standalone restore installer optionally fetches
fresh salts from wordpress.org (with a local fallback).

### Will it lock me out if I enable Two-Factor Authentication?

Two-Factor is opt-in and defaults off. Backup codes are mandatory at setup, an administrator
can reset any user’s 2FA from the user-edit screen, and the `ZAMOK_2FA_DISABLE` 
constant in wp-config.php is an emergency escape hatch.

### Can I store secrets outside the database?

Yes. The SMTP password, the SFTP password or key, and the backup encryption key can
be pinned in wp-config.php via `ZAMOK_SMTP_PASSWORD`, `ZAMOK_SFTP_PASSWORD` / `ZAMOK_SFTP_KEY`,
and `ZAMOK_BACKUP_KEY`. Secrets stored in the database are encrypted with libsodium.

### Does it work on Nginx?

Every module works on any server. The System Hardening module writes .htaccess rules,
which apply on Apache/LiteSpeed; on Nginx those rules are inert and the documented
Nginx snippets should be used instead.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Zamok – Security and Site Tools” is open source software. The following people 
have contributed to this plugin.

Contributors

 * [Naiche](https://profiles.wordpress.org/naiches/)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/zamok/), check out 
the [SVN repository](https://plugins.svn.wordpress.org/zamok/), or subscribe to 
the [development log](https://plugins.trac.wordpress.org/log/zamok/) by [RSS](https://plugins.trac.wordpress.org/log/zamok/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.2

 * New: Backup retention is now tiered (GFS) — keep the N most recent plus daily /
   weekly / monthly / yearly backups, applied to both local and off-site copies.
   The newest backup is always kept.
 * New: Backup storage modes — Local only, Mirror (local + off-site), or Off-site
   only (the local copy is removed after a verified upload, and downloads stream
   straight from your SFTP server). Off-site backups are stored as plain,
   directly-usable archives.
 * Change: replaces the previous keep-last-N retention. Defaults retain at least
   as much as before, so existing sites are not pruned more aggressively on update.
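
To preview what a tiered (GFS) policy like the one described in this changelog retains, the following is an added Python model, not Zamok's own code. The tier sizes, the period definitions (calendar day, ISO week, calendar month, year) and the rule that the newest backup in each period is the one kept are assumptions; the page does not state them.

```python
from datetime import datetime, timedelta

def gfs_keep(backups, recent=3, daily=7, weekly=4, monthly=6, yearly=2):
    """Return the backup timestamps a tiered (GFS) policy would retain.

    Tier sizes are hypothetical, not Zamok's defaults. Each tier keeps the
    newest backup in each of its N most recent periods that hold a backup.
    """
    ordered = sorted(set(backups), reverse=True)        # newest first
    if not ordered:
        return set()
    keep = {ordered[0]}                                 # newest is always kept
    keep.update(ordered[:recent])                       # the N most recent
    tiers = (
        (daily,   lambda t: t.date()),
        (weekly,  lambda t: t.isocalendar()[:2]),       # (ISO year, ISO week)
        (monthly, lambda t: (t.year, t.month)),
        (yearly,  lambda t: t.year),
    )
    for limit, bucket_of in tiers:
        seen = set()
        for ts in ordered:
            bucket = bucket_of(ts)
            if bucket in seen:
                continue        # a newer backup already represents this period
            if len(seen) == limit:
                break           # tier is full; older periods are not retained
            seen.add(bucket)
            keep.add(ts)
    return keep

def gfs_prune(backups, **tiers):
    """Return the timestamps that would be deleted, oldest first."""
    return sorted(set(backups) - gfs_keep(backups, **tiers))

def sample_backups():
    """Constructed data: 400 nightly backups plus one manual run."""
    end = datetime(2026, 6, 30, 2, 0)
    nightly = [end - timedelta(days=d) for d in range(400)]
    return nightly + [datetime(2026, 6, 30, 14, 0)]

if __name__ == "__main__":
    backups = sample_backups()
    for ts in sorted(gfs_keep(backups), reverse=True):
        print("keep", ts.isoformat(sep=" ", timespec="minutes"))
    print(len(gfs_prune(backups)), "of", len(backups), "would be pruned")
```

With these assumed tiers the nightly backup from eight days before the newest one is already gone, so restore points older than a week exist only at weekly or coarser granularity; size the tiers against how long a compromise could go unnoticed.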

#### 1.0.1

 * New: Database Tools → Tables. Lists every database table with its size and the
   core feature or plugin it belongs to, and lets you delete leftover tables from
   inactive or removed plugins. Core and active-plugin tables are protected and 
   cannot be deleted. Deletion is confirmation-gated and irreversible — back up 
   first.

#### 1.0.0

 * Initial release — 41 toggleable modules across Core Debloat, Enhancements, Security,
   Tools, and Backups.
 * GPL-2.0-or-later. No tracking, no telemetry, no paid tier.

## Meta

 * Version **1.0.2**
 * Last updated **19 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **7.0 or higher**
 * Tested up to **7.0**
 * PHP version **8.4 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/zamok/)
 * Tags: [backup](https://arg.wordpress.org/plugins/tags/backup/), [debloat](https://arg.wordpress.org/plugins/tags/debloat/),
   [performance](https://arg.wordpress.org/plugins/tags/performance/), [security](https://arg.wordpress.org/plugins/tags/security/),
   [smtp](https://arg.wordpress.org/plugins/tags/smtp/)
