=== Read Only Mode – Telchar HiveLock ===
Contributors: telchar
Tags: read only, site freeze, change prevention, write protection, hardening
Requires at least: 6.2
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.12
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Put your WordPress site in read-only mode — block persistent changes while keeping the site browsable until an administrator disables the freeze.

== Description ==

Read Only Mode – Telchar HiveLock freezes an already working site by restricting persistent WordPress actions while keeping the site online, browsable, and accessible to administrators.

While freeze mode is enabled:

* Frontend browsing continues to work.
* Administrators can still log in. All users can still log out.
* Administrators can still access the dashboard.
* Administrators can return to the plugin page and disable the freeze.
* Standard WordPress-level persistent changes are blocked.

This plugin is designed for already-finished sites that should stay online and readable without allowing routine changes, uploads, updates, or content edits until an administrator intentionally unfreezes the site again.

It is not a maintenance mode plugin. Its purpose is to harden finished sites by reducing their WordPress-level attack surface and blocking persistent changes through standard WordPress write routes.

Blocked surfaces include:

* post, page, attachment, and custom post type writes
* taxonomy changes
* comment creation and standard moderation changes
* option and settings updates
* user creation, deletion, and password reset flows
* media uploads
* plugin, theme, and core file modification flows handled through WordPress
* REST write requests across all namespaces, including third-party plugin routes
* admin AJAX restricted to a narrow allowlist of safe core read actions, while taxonomy creation requests return a visible error
* XML-RPC publishing and pingback-style mutation routes

This plugin aims to provide a practical WordPress-level freeze mode. It does not claim to provide absolute immutability, server-level filesystem protection, or protection against every possible vulnerability or every custom plugin write path.

== Screenshots ==

1. Plugin settings with freeze mode enabled

== Installation ==

1. Upload the `telchar-site-freeze` folder to the `/wp-content/plugins/` directory, or install the plugin through the WordPress admin area.
2. Activate the plugin through the `Plugins` screen in WordPress.
3. Open `Settings > Read Only Mode`.
4. Enable freeze mode when you want to freeze the site.

== Frequently Asked Questions ==

= What does this plugin block? =

It blocks standard WordPress-level persistent changes such as content edits, taxonomy changes, user changes, settings changes, uploads, plugin and theme operations, and core write-style routes through REST, AJAX, and XML-RPC.

= What still works while freeze mode is enabled? =

Frontend page rendering, browsing, logout, administrator dashboard access, administrator login, and disabling freeze mode still work.

= Can visitors still browse the website? =

Yes. The frontend remains available for normal browsing.

= Can users still log in? =

Login is restricted to administrators only while freeze mode is enabled. Logging out continues to work.

= Can administrators still access the dashboard? =

Yes. Administrators can still access the dashboard and disable the freeze from the plugin screen, but persistent write actions remain blocked until freeze mode is disabled.

= How do I disable freeze mode? =

Open `Settings > Read Only Mode` in the WordPress admin area and click the disable button.

= Are media uploads blocked? =

Yes. Uploading new media is blocked while freeze mode is enabled.

= Are plugin and theme updates blocked? =

Yes. Installing, updating, deleting, activating, switching, and editing plugins or themes through normal WordPress routes are blocked while the freeze is enabled.

= What happens if I forget the administrator password? =

Password changes and resets are blocked while freeze mode is enabled, so recovery may require manual intervention outside the plugin.

= Are settings changes blocked? =

Yes. Persistent settings and option changes are blocked while freeze mode is enabled.

= Are comments or content changes blocked? =

Yes. New comments, comment moderation changes, post edits, page edits, and similar content mutations are blocked.

== Changelog ==

= 1.0.12 =

* Replaced the remaining admin action request helper with explicit local request inspection to reduce review ambiguity around passive mutation detection.

= 1.0.11 =

* Replaced generic request readers with explicit contextual request inspection and switched the post-toggle admin status notice to a controlled transient-based flow.

= 1.0.10 =

* Changed the main freeze toggle button to use site-focused labels instead of the plugin brand name, and updated translation catalogs accordingly.

= 1.0.9 =

* Added a warning encouraging site owners to verify site health before freezing, with a link to Telchar for security audits and related tools.

= 1.0.8 =

* Blocked `post.php?action=delete` so attachments cannot be permanently deleted from their detail screen during freeze. Returned core-compatible AJAX errors for blocked comment moderation actions so the admin UI shows a visible failure instead of behaving as if the action succeeded.

= 1.0.7 =

* Allowed the minimum safe core AJAX actions needed for media and taxonomy browsing in wp-admin, and returned a visible error for blocked AJAX term creation instead of leaving the UI loading indefinitely.

= 1.0.6 =

* Blocked low-level comment creation paths that pass through `wp_new_comment()` preprocessing so comment writes are denied more consistently during freeze.

= 1.0.5 =

* Removed the remaining Heartbeat AJAX exception so frozen sites no longer expose that write-capable route. Added low-level metadata, taxonomy relationship, and user table write blocking to reduce custom code bypasses.

= 1.0.4 =

* Fixed get_server_value() to use $_SERVER directly instead of filter_input(INPUT_SERVER), which returns null in PHP-FPM environments and silently disabled HTTP-method-dependent admin blocks.

= 1.0.3 =

* Renamed the plugin, removed manual translation loading, hardened request validation, added a persistent admin notice while frozen, and updated compatibility metadata.

= 1.0.2 =

* Closed admin-post.php write bypass. Blocked add_option and delete_option during freeze. Strengthened user capability checks. Fixed text inconsistencies in admin UI.

= 1.0.1 =

* Removed dead code in option allowlist. Session tokens are stored in user meta, not options, so the entry had no effect.

= 1.0.0 =

* Initial public release.
