{"id":321043,"date":"2026-06-24T06:32:21","date_gmt":"2026-06-24T06:32:21","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/zamok-debloat-security-smtp-backups-image-optimization\/"},"modified":"2026-06-30T12:02:09","modified_gmt":"2026-06-30T12:02:09","slug":"zamok","status":"publish","type":"plugin","link":"https:\/\/mfe.wordpress.org\/plugins\/zamok\/","author":18529643,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.2","stable_tag":"1.0.2","tested":"7.0","requires":"7.0","requires_php":"8.4","requires_plugins":null,"header_name":"Zamok - Security and Site Tools","header_author":"Naiche","header_description":"One lean plugin to debloat, harden, optimize, and back up WordPress \u2014 feature debloat, security (2FA, IP banning, brute-force protection, hardening), SMTP email with a delivery log, encrypted backups, image optimization to WebP, database search-replace & cleanup, and a smarter link search.","assets_banners_color":"1a2f40","last_updated":"2026-06-30 12:02:09","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/zamok\/","header_author_uri":"https:\/\/profiles.wordpress.org\/naiches\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":121,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"naiches","date":"2026-06-24 06:31:59"},"1.0.1":{"tag":"1.0.1","author":"naiches","date":"2026-06-29 19:33:58"},"1.0.2":{"tag":"1.0.2","author":"naiches","date":"2026-06-30 12:02:09"}},"upgrade_notice":{"1.0.2":"<p>Backups gain tiered (GFS) retention and storage modes: keep local, mirror off-site, or off-site only.<\/p>","1.0.1":"<p>Adds a Database Tables tool to find and safely remove orphan tables left behind by old 
plugins.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3584081,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3584081,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":3584081,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":3584081,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.0.1","1.0.2"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3584081,"resolution":"1","location":"assets","locale":"","width":1280,"height":800},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3584081,"resolution":"2","location":"assets","locale":"","width":1280,"height":800},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3584081,"resolution":"3","location":"assets","locale":"","width":1280,"height":800},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3584081,"resolution":"4","location":"assets","locale":"","width":1280,"height":800},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3584081,"resolution":"5","location":"assets","locale":"","width":1280,"height":800},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3584081,"resolution":"6","location":"assets","locale":"","width":1280,"height":800}},"screenshots":{"1":"The Zamok modules page \u2014 toggle cards grouped by category.","2":"The Email module: SMTP settings and the email log.","3":"IP Banning: active bans and the ban log.","4":"Two-Factor Authentication: per-role enforcement and the user setup wizard.","5":"Database Tools: serialization-safe Search &amp; 
Replace and Database Cleanup.","6":"Backups: build a package, schedule, and push off-site over SFTP."}},"plugin_section":[],"plugin_tags":[151,263747,247,600,6696],"plugin_category":[41,54,59],"plugin_contributors":[195720],"plugin_business_model":[],"class_list":["post-321043","plugin","type-plugin","status-publish","hentry","plugin_tags-backup","plugin_tags-debloat","plugin_tags-performance","plugin_tags-security","plugin_tags-smtp","plugin_category-communication","plugin_category-security-and-spam-protection","plugin_category-utilities-and-tools","plugin_contributors-naiches","plugin_committers-naiches"],"banners":{"banner":"https:\/\/ps.w.org\/zamok\/assets\/banner-772x250.jpg?rev=3584081","banner_2x":"https:\/\/ps.w.org\/zamok\/assets\/banner-1544x500.jpg?rev=3584081","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/zamok\/assets\/icon-128x128.png?rev=3584081","icon_2x":"https:\/\/ps.w.org\/zamok\/assets\/icon-256x256.png?rev=3584081","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-1.png?rev=3584081","caption":"The Zamok modules page \u2014 toggle cards grouped by category."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-2.png?rev=3584081","caption":"The Email module: SMTP settings and the email log."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-3.png?rev=3584081","caption":"IP Banning: active bans and the ban log."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-4.png?rev=3584081","caption":"Two-Factor Authentication: per-role enforcement and the user setup wizard."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-5.png?rev=3584081","caption":"Database Tools: serialization-safe Search &amp; Replace and Database Cleanup."},{"src":"https:\/\/ps.w.org\/zamok\/assets\/screenshot-6.png?rev=3584081","caption":"Backups: build a package, schedule, and push off-site over SFTP."}],"raw_content":"<!--section=description-->\n<p>Zamok replaces a stack of 
single-purpose plugins \u2014 for admin enhancements, security hardening, SMTP email delivery, image optimization, database search-and-replace, database cleanup, and full-site backups \u2014 with one maintainable, modular package. Every feature is a toggle. Turn on what you need, leave the rest off.<\/p>\n\n<p><strong>About the name:<\/strong> <em>Zamok<\/em> (\u0417\u0430\u043c\u043e\u043a) is Ukrainian for both <em>castle<\/em> and <em>lock<\/em> \u2014 strength and security in one word. The name is a small tribute to the people of Ukraine. \ud83c\uddfa\ud83c\udde6<\/p>\n\n<h4>Commitments<\/h4>\n\n<ul>\n<li><strong>100% free and open source.<\/strong> GPL-2.0-or-later, forever. No \"pro\" version, no paid tier, no upsell, no ads.<\/li>\n<li><strong>No tracking or telemetry.<\/strong> No usage statistics, no analytics, no phone-home, no self-updater. The only network connections it makes are ones you configure: your SMTP server and your off-site SFTP backup server.<\/li>\n<li><strong>Lean by design.<\/strong> Modules load only when enabled; nothing runs that you haven't turned on.<\/li>\n<\/ul>\n\n<h4>What it does<\/h4>\n\n<p>Zamok is fully modular. 
Every feature is a self-contained module you switch on or off from a single admin page, grouped into clear categories.<\/p>\n\n<p><strong>Core debloat<\/strong><\/p>\n\n<ul>\n<li>Dashboard Widgets \u2014 removes all dashboard widgets and the welcome panel.<\/li>\n<li>Comments \u2014 completely disables the comment system; existing comments preserved.<\/li>\n<li>File &amp; Site Editors \u2014 disables the Theme\/Plugin File Editors and the Site Editor.<\/li>\n<li>Gravatars \u2014 disables Gravatar avatars to stop external requests to gravatar.com.<\/li>\n<li>Toolbar Cleanup \u2014 removes the WP logo menu, \"+ New\" menu, Help tab, and footer text.<\/li>\n<li>Disable REST API \u2014 blocks REST access for non-authenticated users.<\/li>\n<li>Disable Feeds \u2014 disables all RSS, Atom, and RDF feeds.<\/li>\n<li>Disable Embeds \u2014 disables oEmbed auto-discovery and the embed script.<\/li>\n<li>Disable Auto-Updates \u2014 turns off automatic core\/plugin\/theme updates.<\/li>\n<li>Disable Author Archives \u2014 returns 404 for author archives; prevents enumeration.<\/li>\n<li>Disable Archive Pages \u2014 returns 404 for category, tag, and date archives; filters them from the sitemap.<\/li>\n<li>Disable Smaller Components \u2014 removes version disclosure, legacy meta tags, emoji, frontend Dashicons, and jQuery Migrate.<\/li>\n<li>Disable XML-RPC \u2014 disables XML-RPC, removes the X-Pingback header, blocks pingbacks.<\/li>\n<li>Heartbeat Control \u2014 disables Heartbeat on the frontend and slows it in admin.<\/li>\n<li>Disable AI Features (WP 7.0+) \u2014 unhooks the AI Client, Abilities API, and Connectors.<\/li>\n<li>Disable Application Passwords \u2014 closes the Application Passwords auth surface.<\/li>\n<li>Limit Post Revisions \u2014 caps stored revisions per post (default: last 10).<\/li>\n<li>Strip Comment Author IP (GDPR) \u2014 stops WordPress storing commenter IPs.<\/li>\n<\/ul>\n\n<p><strong>Enhancements<\/strong><\/p>\n\n<ul>\n<li>Email \u2014 SMTP 
delivery, a forced consistent From address, and a full email log with view\/resend\/auto-clean.<\/li>\n<li>Image Optimization \u2014 auto-resizes and converts new uploads to WebP using native WordPress image processing.<\/li>\n<li>Better Link Search \u2014 relevance ranking, clearer result labels, and a post-type filter in the link modal.<\/li>\n<li>Content Duplication \u2014 one-click duplicate for pages, posts, custom post types, and taxonomy terms. Copies all content, taxonomy assignments, custom fields, and term meta (including ACF fields).<\/li>\n<li>Media Replacement \u2014 replace a media file while keeping the same ID, date, and filename.<\/li>\n<li>SVG Upload \u2014 allows SVG uploads with automatic sanitization.<\/li>\n<li>Missed Schedule Fix \u2014 publishes scheduled posts that missed their time.<\/li>\n<li>Admin Notices Cleanup \u2014 hides plugin spam notices, keeps the important ones.<\/li>\n<li>Custom Login URL \u2014 changes the login URL from wp-login.php to a custom slug.<\/li>\n<li>Email-Only Login \u2014 restricts login to email addresses only.<\/li>\n<li>Site Identity on Login Page \u2014 replaces the WP logo\/link with your site icon and URL.<\/li>\n<li>User Info Columns \u2014 adds Last Login and Registration Date to the Users list.<\/li>\n<li>Disable Gutenberg \u2014 restores the Classic Editor; removes block styles.<\/li>\n<\/ul>\n\n<p><strong>Security<\/strong><\/p>\n\n<ul>\n<li>Two-Factor Authentication \u2014 TOTP authenticator app, emailed code, or single-use backup codes; enforced per role; fully self-hosted. Does not affect REST, XML-RPC, application passwords, WP-CLI, or cron.<\/li>\n<li>Brute Force Protection \u2014 locks out IPs after repeated failed logins, with escalating duration (1 hour, 6 hours, 24 hours, 1 week).<\/li>\n<li>IP Banning \u2014 blocks abusive IPs automatically (escalating, up to 7 days) plus manual bans, an allowlist, and a ban log. 
No permanent bans \u2014 entries expire and self-clean.<\/li>\n<li>System Hardening \u2014 server\/filesystem hardening via .htaccess (protect system files, disable directory browsing, block PHP execution in writable dirs) and disables the dashboard file editor.<\/li>\n<li>Block User Enumeration \u2014 blocks ?author=N and gates the REST users endpoint.<\/li>\n<li>Admin Creation Alert \u2014 emails you the moment an administrator is created or a user is promoted to admin.<\/li>\n<\/ul>\n\n<p><strong>Tools<\/strong><\/p>\n\n<ul>\n<li>Database Tools \u2014 operator-run utilities under Zamok \u2192 Tools: a serialization-safe Search &amp; Replace and a Database Cleanup for revisions, trash, spam, expired transients, and orphaned meta. Nothing runs on its own \u2014 every action is a manual click.<\/li>\n<\/ul>\n\n<p><strong>Backups<\/strong><\/p>\n\n<ul>\n<li>Backups \u2014 full-site backup of files and database as a single encrypted package. Builds in resumable, timeout-safe steps so it works on shared hosting, with optional scheduling and off-site SFTP push. Archives are encrypted at rest with libsodium; both the browser download and the SFTP upload deliver a plain, restore-anywhere zip. 
Each package includes a standalone restore installer \u2014 just upload it, open in a browser, and follow the wizard.<\/li>\n<\/ul>\n\n<p><strong>Plugin-specific cleanup<\/strong><\/p>\n\n<ul>\n<li>Clean Up Yoast SEO \u2014 removes promotional modals, upsell popups, menu bloat, the dashboard widget, admin bar menu, and premium upsell cards.<\/li>\n<li>Clean Up WooCommerce \u2014 removes marketplace suggestions, setup wizards, inbox notifications, payment install offers, and extension upsells.<\/li>\n<\/ul>\n\n<p>Plugin-specific modules auto-disable when the target plugin is not active.<\/p>\n\n<h4>What it replaces<\/h4>\n\n<p>Zamok can replace the following plugins \u2014 gaining all their features while cutting admin page load times by 40\u201350%, database queries by 65\u201380%, and memory usage by 35\u201350% (based on automated benchmarks across 5 WordPress configurations):<\/p>\n\n<ul>\n<li><strong>WP Mail SMTP \/ Post SMTP<\/strong> \u2192 Email module (SMTP, forced From, delivery log)<\/li>\n<li><strong>Solid Security \/ Kadence Security \/ Wordfence<\/strong> \u2192 Brute Force, IP Banning, Two-Factor, Login URL, System Hardening, User Enumeration<\/li>\n<li><strong>Two Factor Authentication<\/strong> \u2192 Two-Factor module (TOTP, email, backup codes)<\/li>\n<li><strong>Smush \/ EWWW \/ ShortPixel<\/strong> \u2192 Image Optimization module (WebP conversion)<\/li>\n<li><strong>Safe SVG \/ SVG Support<\/strong> \u2192 SVG Upload module (sanitized SVGs)<\/li>\n<li><strong>Better Search Replace<\/strong> \u2192 Database Tools (serialization-safe search &amp; replace)<\/li>\n<li><strong>WP-Optimize<\/strong> \u2192 Database Tools (cleanup) + Heartbeat Control + Smaller Components<\/li>\n<li><strong>Disable Comments<\/strong> \u2192 Comments module<\/li>\n<li><strong>Duplicate Post \/ Yoast Duplicate Post<\/strong> \u2192 Content Duplication module<\/li>\n<li><strong>Duplicate Taxonomy Terms (ACF)<\/strong> \u2192 Content Duplication module (term duplication 
with full ACF field support)<\/li>\n<li><strong>Duplicator \/ UpdraftPlus \/ All-in-One WP Migration<\/strong> \u2192 Backups module (encrypted, scheduled, SFTP)<\/li>\n<li><strong>WPS Hide Login<\/strong> \u2192 Custom Login URL module<\/li>\n<li><strong>Enable Media Replace<\/strong> \u2192 Media Replacement module<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>zamok<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or install the zip via Plugins \u2192 Add New \u2192 Upload Plugin.<\/li>\n<li>Activate the plugin through the Plugins menu in WordPress.<\/li>\n<li>Open the new <strong>Zamok<\/strong> menu in the admin sidebar.<\/li>\n<li>Toggle on the modules you want.<\/li>\n<\/ol>\n\n<p>Requires PHP 8.4 or higher and WordPress 7.0 or higher.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"is%20it%20really%20free%3F\"><h3>Is it really free?<\/h3><\/dt>\n<dd><p>Yes. GPL-2.0-or-later, forever. There is no pro tier, no upsell, no feature locked behind a payment. We built this to replace plugins whose business model is upselling you \u2014 adding our own would defeat the point.<\/p><\/dd>\n<dt id=\"does%20it%20collect%20any%20data%20or%20phone%20home%3F\"><h3>Does it collect any data or phone home?<\/h3><\/dt>\n<dd><p>No. There is no usage tracking, analytics, telemetry, or licensing call-home. Everything runs on your own server. The only outbound connections are ones you configure and opt into: your SMTP server (Email module) and your SFTP server (Backups module). The backup worker makes a local loopback request to your site's own admin-ajax.php to advance background jobs, and the standalone restore installer optionally fetches fresh salts from wordpress.org (with a local fallback).<\/p><\/dd>\n<dt id=\"will%20it%20lock%20me%20out%20if%20i%20enable%20two-factor%20authentication%3F\"><h3>Will it lock me out if I enable Two-Factor Authentication?<\/h3><\/dt>\n<dd><p>Two-Factor is opt-in and defaults off. 
Backup codes are mandatory at setup, an administrator can reset any user's 2FA from the user-edit screen, and the <code>ZAMOK_2FA_DISABLE<\/code> constant in wp-config.php is an emergency escape hatch.<\/p><\/dd>\n<dt id=\"can%20i%20store%20secrets%20outside%20the%20database%3F\"><h3>Can I store secrets outside the database?<\/h3><\/dt>\n<dd><p>Yes. The SMTP password, the SFTP password or key, and the backup encryption key can be pinned in wp-config.php via <code>ZAMOK_SMTP_PASSWORD<\/code>, <code>ZAMOK_SFTP_PASSWORD<\/code> \/ <code>ZAMOK_SFTP_KEY<\/code>, and <code>ZAMOK_BACKUP_KEY<\/code>. Secrets stored in the database are encrypted with libsodium.<\/p><\/dd>\n<dt id=\"does%20it%20work%20on%20nginx%3F\"><h3>Does it work on Nginx?<\/h3><\/dt>\n<dd><p>Every module works on any server. The System Hardening module writes .htaccess rules, which apply on Apache\/LiteSpeed; on Nginx those rules are inert and the documented Nginx snippets should be used instead.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>New: Backup retention is now tiered (GFS) \u2014 keep the N most recent plus daily \/ weekly \/ monthly \/ yearly backups, applied to both local and off-site copies. The newest backup is always kept.<\/li>\n<li>New: Backup storage modes \u2014 Local only, Mirror (local + off-site), or Off-site only (the local copy is removed after a verified upload, and downloads stream straight from your SFTP server). Off-site backups are stored as plain, directly-usable archives.<\/li>\n<li>Change: replaces the previous keep-last-N retention. Defaults retain at least as much as before, so existing sites are not pruned more aggressively on update.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>New: Database Tools \u2192 Tables. Lists every database table with its size and the core feature or plugin it belongs to, and lets you delete leftover tables from inactive or removed plugins. Core and active-plugin tables are protected and cannot be deleted. 
Deletion is confirmation-gated and irreversible \u2014 back up first.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release \u2014 41 toggleable modules across Core Debloat, Enhancements, Security, Tools, and Backups.<\/li>\n<li>GPL-2.0-or-later. No tracking, no telemetry, no paid tier.<\/li>\n<\/ul>","raw_excerpt":"Debloat, harden, optimize, and back up WordPress \u2014 one lean, free, open-source plugin. No tracking, no telemetry, no paid tier.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/321043","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=321043"}],"author":[{"embeddable":true,"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/naiches"}],"wp:attachment":[{"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=321043"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=321043"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=321043"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=321043"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=321043"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/mfe.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=321043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}