Zamok – Security and Site Tools
Zamok replaces a stack of single-purpose plugins — for admin enhancements, security hardening, SMTP email delivery, image optimization, database search-and-replace, database cleanup, and full-site backups — with one maintainable, modular package. Every feature is a toggle. Turn on what you need, leave the rest off.
About the name: Zamok (Замок) is Ukrainian for both castle and lock — strength and security in one word. The name is a small tribute to the people of Ukraine. 🇺🇦
Commitments
- 100% free and open source. GPL-2.0-or-later, forever. No “pro” version, no paid tier, no upsell, no ads.
- No tracking or telemetry. No usage statistics, no analytics, no phone-home, no self-updater. The only network connections it makes are ones you configure: your SMTP server and your off-site SFTP backup server.
- Lean by design. Modules load only when enabled; nothing runs that you haven’t turned on.
What it does
Zamok is fully modular. Every feature is a self-contained module you switch on or off from a single admin page, grouped into clear categories.
Core debloat
- Dashboard Widgets — removes all dashboard widgets and the welcome panel.
- Comments — completely disables the comment system; existing comments preserved.
- File & Site Editors — disables the Theme/Plugin File Editors and the Site Editor.
- Gravatars — disables Gravatar avatars to stop external requests to gravatar.com.
- Toolbar Cleanup — removes the WP logo menu, “+ New” menu, Help tab, and footer text.
- Disable REST API — blocks REST access for non-authenticated users.
- Disable Feeds — disables all RSS, Atom, and RDF feeds.
- Disable Embeds — disables oEmbed auto-discovery and the embed script.
- Disable Auto-Updates — turns off automatic core/plugin/theme updates.
- Disable Author Archives — returns 404 for author archives; prevents enumeration.
- Disable Archive Pages — returns 404 for category, tag, and date archives; filters them from the sitemap.
- Disable Smaller Components — removes version disclosure, legacy meta tags, emoji, frontend Dashicons, and jQuery Migrate.
- Disable XML-RPC — disables XML-RPC, removes the X-Pingback header, blocks pingbacks.
- Heartbeat Control — disables Heartbeat on the frontend and slows it in admin.
- Disable AI Features (WP 7.0+) — unhooks the AI Client, Abilities API, and Connectors.
- Disable Application Passwords — closes the Application Passwords auth surface.
- Limit Post Revisions — caps stored revisions per post (default: last 10).
- Strip Comment Author IP (GDPR) — stops WordPress storing commenter IPs.
Enhancements
- Email — SMTP delivery, a forced consistent From address, and a full email log with view/resend/auto-clean.
- Image Optimization — auto-resizes and converts new uploads to WebP using native WordPress image processing.
- Better Link Search — relevance ranking, clearer result labels, and a post-type filter in the link modal.
- Content Duplication — one-click duplicate for pages, posts, custom post types, and taxonomy terms. Copies all content, taxonomy assignments, custom fields, and term meta (including ACF fields).
- Media Replacement — replace a media file while keeping the same ID, date, and filename.
- SVG Upload — allows SVG uploads with automatic sanitization.
- Missed Schedule Fix — publishes scheduled posts that missed their time.
- Admin Notices Cleanup — hides plugin spam notices, keeps the important ones.
- Custom Login URL — changes the login URL from wp-login.php to a custom slug.
- Email-Only Login — restricts login to email addresses only.
- Site Identity on Login Page — replaces the WP logo/link with your site icon and URL.
- User Info Columns — adds Last Login and Registration Date to the Users list.
- Disable Gutenberg — restores the Classic Editor; removes block styles.
Security
- Two-Factor Authentication — TOTP authenticator app, emailed code, or single-use backup codes; enforced per role; fully self-hosted. Does not affect REST, XML-RPC, application passwords, WP-CLI, or cron.
- Brute Force Protection — locks out IPs after repeated failed logins, with escalating duration (1 hour, 6 hours, 24 hours, 1 week).
- IP Banning — blocks abusive IPs automatically (escalating, up to 7 days) plus manual bans, an allowlist, and a ban log. No permanent bans — entries expire and self-clean.
- System Hardening — server/filesystem hardening via .htaccess (protect system files, disable directory browsing, block PHP execution in writable dirs) and disables the dashboard file editor.
- Block User Enumeration — blocks ?author=N and gates the REST users endpoint.
- Admin Creation Alert — emails you the moment an administrator is created or a user is promoted to admin.
Tools
- Database Tools — operator-run utilities under Zamok → Tools: a serialization-safe Search & Replace and a Database Cleanup for revisions, trash, spam, expired transients, and orphaned meta. Nothing runs on its own — every action is a manual click.
Backups
- Backups — full-site backup of files and database as a single encrypted package. Builds in resumable, timeout-safe steps so it works on shared hosting, with optional scheduling and off-site SFTP push. Archives are encrypted at rest with libsodium; both the browser download and the SFTP upload deliver a plain, restore-anywhere zip. Each package includes a standalone restore installer — just upload it, open it in a browser, and follow the wizard.
Plugin-specific cleanup
- Clean Up Yoast SEO — removes promotional modals, upsell popups, menu bloat, the dashboard widget, admin bar menu, and premium upsell cards.
- Clean Up WooCommerce — removes marketplace suggestions, setup wizards, inbox notifications, payment install offers, and extension upsells.
Plugin-specific modules auto-disable when the target plugin is not active.
What it replaces
Zamok can replace the following plugins, providing all their features while cutting admin page load times by 40–50%, database queries by 65–80%, and memory usage by 35–50% (based on automated benchmarks across 5 WordPress configurations):
- WP Mail SMTP / Post SMTP → Email module (SMTP, forced From, delivery log)
- Solid Security / Kadence Security / Wordfence → Brute Force, IP Banning, Two-Factor, Login URL, System Hardening, User Enumeration
- Two Factor Authentication → Two-Factor module (TOTP, email, backup codes)
- Smush / EWWW / ShortPixel → Image Optimization module (WebP conversion)
- Safe SVG / SVG Support → SVG Upload module (sanitized SVGs)
- Better Search Replace → Database Tools (serialization-safe search & replace)
- WP-Optimize → Database Tools (cleanup) + Heartbeat Control + Smaller Components
- Disable Comments → Comments module
- Duplicate Post / Yoast Duplicate Post → Content Duplication module
- Duplicate Taxonomy Terms (ACF) → Content Duplication module (term duplication with full ACF field support)
- Duplicator / UpdraftPlus / All-in-One WP Migration → Backups module (encrypted, scheduled, SFTP)
- WPS Hide Login → Custom Login URL module
- Enable Media Replace → Media Replacement module
