
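Description
Lock My Site is a lightweight plugin that lets users manage WordPress sites remotely through a secure REST API. It is well suited to agencies, freelancers, and anyone managing multiple WordPress sites.
[Main features]
• Complete health check: monitor site status, PHP version, and memory usage
• Update management: manage plugin, theme, and core updates remotely
• Plugin management: activate, deactivate, and get detailed plugin information
• Theme management: switch themes and manage theme updates
• Database optimization: clean up and optimize database tables
• Security audit: basic security checks and recommendations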
Original plugin description
Lock My Site is a lightweight plugin that enables remote management of your WordPress site through a secure REST API. Perfect for agencies, freelancers, and anyone managing multiple WordPress sites.
Features
* Complete Health Check – Monitor site status, PHP version, memory usage, and more
* Update Management – Manage plugins, themes, core, and translations updates remotely
* Plugin Management – Activate, deactivate, and get detailed plugin information
* Theme Management – Switch themes and manage theme updates
* Database Optimization – Clean up and optimize database tables
* Security Audit – Basic security checks and recommendations
* Error Logs – Access PHP error logs remotely
* User Management – List users and roles
Security
* API Key authentication
* Optional HMAC signature verification
* Optional IP whitelist
* Rate limiting protection
* Automatic lockout after failed attempts
* API key expiration (90 days)
* Email alerts for suspicious activity
* Activity logging
Available Endpoints
Status & Health
* GET /ping – Connection check
* GET /health – Complete site health status
Updates
* GET /updates – Available updates (plugins, themes, core, translations)
* POST /update/plugin – Update a specific plugin
* POST /update/theme – Update a specific theme
* POST /update/core – Update WordPress core
* POST /update/all-plugins – Update all plugins
* POST /update/all-themes – Update all themes
* POST /update/translations – Update all translations
Plugins
* GET /plugins – List all plugins
* GET /plugins/{plugin} – Get plugin details
* POST /plugins/activate – Activate a plugin
* POST /plugins/deactivate – Deactivate a plugin
* GET /plugins/ignored – List ignored plugins
* POST /plugins/ignore – Ignore a plugin from bulk updates
* POST /plugins/unignore – Remove plugin from ignored list
Themes
* GET /themes – List all themes
* POST /themes/activate – Activate a theme
Database
* GET /database/stats – Database statistics
* POST /database/cleanup – Clean database (revisions, drafts, spam, etc.)
* POST /database/optimize – Optimize database tables
Logs
* GET /logs/php – PHP error log
* GET /logs/activity – Plugin activity log
Users
* GET /users – List WordPress users
External services
This plugin connects to the following external services:
1. WordPress.org Checksums API
Service URL: https://api.wordpress.org/core/checksums/1.0/
What it does: Retrieves the official MD5 checksums for all WordPress core files so the plugin can verify that no core file has been modified or tampered with.
When data is sent: Only when a core integrity check is explicitly triggered by the site administrator via the authenticated REST API endpoint /security/core-integrity.
What data is sent: The installed WordPress version number and the site locale (e.g. en_US). No personal data is sent.
Service provider: WordPress.org (Automattic Inc.)
Terms of use: WordPress.org Terms of Service
Privacy policy: WordPress.org Privacy Policy
2. WordPress.org Translations API
Service URL: https://api.wordpress.org/translations/plugins/1.0/, https://api.wordpress.org/translations/themes/1.0/, and https://api.wordpress.org/translations/core/1.0/
What it does: Returns the latest available translation package versions for plugins, themes, and WordPress core in the site’s locale, so the plugin can determine which translations need updating.
When data is sent: When translation updates are checked, either on demand or as part of a full updates check, explicitly triggered by the site administrator via the authenticated REST API.
What data is sent: Plugin/theme slugs, their version numbers, and the site locale. No personal data is sent.
Service provider: WordPress.org (Automattic Inc.)
Terms of use: WordPress.org Terms of Service
Privacy policy: WordPress.org Privacy Policy
These are the only two external services this plugin connects to. No other HTTP requests are made to any third-party service.
Important note about domain name references in the source code
The plugin’s security scanner contains a hardcoded list of well-known, legitimate third-party domain names used as a local string-matching whitelist only. This list includes domains such as:
google-analytics.com, googletagmanager.com, googleapis.com
maps.google.com, maps.googleapis.com
tawk.to, crisp.chat, intercom.io, zendesk.com
cdn.jsdelivr.net, cdnjs.cloudflare.com, code.jquery.com, unpkg.com
recaptcha.net, gstatic.com
These domains are NOT contacted, called, or connected to in any way by this plugin. No HTTP requests, API calls, or other network communication of any kind are made to any of these domains.
The domain names appear as plain string constants in a PHP array. When the security scanner analyzes post and page content for potentially malicious script injections (e.g.
