[WordPress] 外掛分享: Zamok – Security and Site Tools

首頁外掛目錄 › Zamok – Security and Site Tools
WordPress 外掛 Zamok – Security and Site Tools 的封面圖片
100+
安裝啟用
尚無評分
8 天前
最後更新
問題解決
WordPress 7.0+ PHP 8.4+ v1.0.5 上架:2026-06-23

外掛標籤

開發者團隊

⬇ 下載最新版 (v1.0.5) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「Zamok – Security and Site Tools」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

Zamok replaces a stack of single-purpose plugins — for admin enhancements, security hardening, SMTP email delivery, image optimization, database search-and-replace, database cleanup, and full-site backups — with one maintainable, modular package. Every feature is a toggle. Turn on what you need, leave the rest off.
About the name: Zamok (Замок) is Ukrainian for both castle and lock — strength and security in one word. The name is a small tribute to the people of Ukraine. 🇺🇦
Commitments

100% free and open source. GPL-2.0-or-later, forever. No “pro” version, no paid tier, no upsell, no ads.
No tracking or telemetry. No usage statistics, no analytics, no phone-home, no self-updater. The only network connections it makes are ones you configure: your SMTP server and your off-site SFTP backup server.
Lean by design. Modules load only when enabled; nothing runs that you haven’t turned on.

What it does
Zamok is fully modular. Every feature is a self-contained module you switch on or off from a single admin page, grouped into clear categories.
Core debloat

Dashboard Widgets — removes all dashboard widgets and the welcome panel.
Comments — completely disables the comment system; existing comments preserved.
File & Site Editors — disables the Theme/Plugin File Editors and the Site Editor.
Gravatars — disables Gravatar avatars to stop external requests to gravatar.com.
Toolbar Cleanup — removes the WP logo menu, “+ New” menu, Help tab, and footer text.
Disable REST API — blocks REST access for non-authenticated users.
Disable Feeds — disables all RSS, Atom, and RDF feeds.
Disable Embeds — disables oEmbed auto-discovery and the embed script.
Disable Auto-Updates — turns off automatic core/plugin/theme updates.
Disable Author Archives — returns 404 for author archives; prevents enumeration.
Disable Archive Pages — returns 404 for category, tag, and date archives; filters them from the sitemap.
Disable Smaller Components — removes version disclosure, legacy meta tags, emoji, frontend Dashicons, and jQuery Migrate.
Disable XML-RPC — disables XML-RPC, removes the X-Pingback header, blocks pingbacks.
Heartbeat Control — disables Heartbeat on the frontend and slows it in admin.
Disable AI Features (WP 7.0+) — unhooks the AI Client, Abilities API, and Connectors.
Disable Application Passwords — closes the Application Passwords auth surface.
Limit Post Revisions — caps stored revisions per post (default: last 10).
Strip Comment Author IP (GDPR) — stops WordPress storing commenter IPs.

Enhancements

Email — SMTP delivery, a forced consistent From address, and a full email log with view/resend/auto-clean.
Image Optimization — auto-resizes and converts new uploads to WebP using native WordPress image processing.
Better Link Search — relevance ranking, clearer result labels, and a post-type filter in the link modal.
Content Duplication — one-click duplicate for pages, posts, custom post types, and taxonomy terms. Copies all content, taxonomy assignments, custom fields, and term meta (including ACF fields).
Media Replacement — replace a media file while keeping the same ID, date, and filename.
SVG Upload — allows SVG uploads with automatic sanitization.
Missed Schedule Fix — publishes scheduled posts that missed their time.
Admin Notices Cleanup — hides plugin spam notices, keeps the important ones.
Custom Login URL — changes the login URL from wp-login.php to a custom slug.
Email-Only Login — restricts login to email addresses only.
Site Identity on Login Page — replaces the WP logo/link with your site icon and URL.
User Info Columns — adds Last Login and Registration Date to the Users list.
Disable Gutenberg — restores the Classic Editor; removes block styles.

Security

Two-Factor Authentication — TOTP authenticator app, emailed code, or single-use backup codes; enforced per role; fully self-hosted. Does not affect REST, XML-RPC, application passwords, WP-CLI, or cron.
Brute Force Protection — locks out IPs after repeated failed logins, with escalating duration (1 hour, 6 hours, 24 hours, 1 week).
IP Banning — blocks abusive IPs automatically (escalating, up to 7 days) plus manual bans, an allowlist, and a ban log. No permanent bans — entries expire and self-clean.
System Hardening — server/filesystem hardening via .htaccess (protect system files, disable directory browsing, block PHP execution in writable dirs) and disables the dashboard file editor.
Block User Enumeration — blocks ?author=N and gates the REST users endpoint.
Admin Creation Alert — emails you the moment an administrator is created or a user is promoted to admin.

Tools

Database Tools — operator-run utilities under Zamok → Tools: a serialization-safe Search & Replace and a Database Cleanup for revisions, trash, spam, expired transients, and orphaned meta. Nothing runs on its own — every action is a manual click.

Backups

Backups — full-site backup of files and database as a single encrypted package. Builds in resumable, timeout-safe steps so it works on shared hosting, with optional scheduling and off-site SFTP push. Archives are encrypted at rest with libsodium; both the browser download and the SFTP upload deliver a plain, restore-anywhere zip. Each package includes a standalone restore installer — just upload it, open in a browser, and follow the wizard.

Plugin-specific cleanup

Clean Up Yoast SEO — removes promotional modals, upsell popups, menu bloat, the dashboard widget, admin bar menu, and premium upsell cards.
Clean Up WooCommerce — removes marketplace suggestions, setup wizards, inbox notifications, payment install offers, and extension upsells.

Plugin-specific modules auto-disable when the target plugin is not active.
What it replaces
Zamok can replace the following plugins — gaining all their features while cutting admin page load times by ~20%, database queries by ~60%, and memory usage by ~25% (median results across 125 real before/after benchmarks; sites without WooCommerce typically see larger gains — around 21% faster loads and 62% fewer queries):

WP Mail SMTP / Post SMTP → Email module (SMTP, forced From, delivery log)
Solid Security / Kadence Security / Wordfence → Brute Force, IP Banning, Two-Factor, Login URL, System Hardening, User Enumeration
Two Factor Authentication → Two-Factor module (TOTP, email, backup codes)
Smush / EWWW / ShortPixel → Image Optimization module (WebP conversion)
Safe SVG / SVG Support → SVG Upload module (sanitized SVGs)
Better Search Replace → Database Tools (serialization-safe search & replace)
WP-Optimize → Database Tools (cleanup) + Heartbeat Control + Smaller Components
Disable Comments → Comments module
Duplicate Post / Yoast Duplicate Post → Content Duplication module
Duplicate Taxonomy Terms (ACF) → Content Duplication module (term duplication with full ACF field support)
Duplicator / UpdraftPlus / All-in-One WP Migration → Backups module (encrypted, scheduled, SFTP)
WPS Hide Login → Custom Login URL module
Enable Media Replace → Media Replacement module

延伸相關外掛

文章
Filter
Mastodon