=== Zamok - Security and Site Tools ===
Contributors: naiches
Tags: debloat, performance, security, smtp, backup
Requires at least: 7.0
Tested up to: 7.0
Requires PHP: 8.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Debloat, harden, optimize, and back up WordPress — one lean, free, open-source plugin. No tracking, no telemetry, no paid tier.

== Description ==

Zamok replaces a stack of single-purpose plugins — for admin enhancements, security hardening, SMTP email delivery, image optimization, database search-and-replace, database cleanup, and full-site backups — with one maintainable, modular package. Every feature is a toggle. Turn on what you need, leave the rest off.

**About the name:** *Zamok* (Замок) is Ukrainian for both *castle* and *lock* — strength and security in one word. The name is a small tribute to the people of Ukraine. 🇺🇦

= Commitments =

* **100% free and open source.** GPL-2.0-or-later, forever. No "pro" version, no paid tier, no upsell, no ads.
* **No tracking or telemetry.** No usage statistics, no analytics, no phone-home, no self-updater. The only network connections it makes are ones you configure: your SMTP server and your off-site SFTP backup server.
* **Lean by design.** Modules load only when enabled; nothing runs that you haven't turned on.

= What it does =

Zamok is fully modular. Every feature is a self-contained module you switch on or off from a single admin page, grouped into clear categories.

**Core debloat**

* Dashboard Widgets — removes all dashboard widgets and the welcome panel.
* Comments — completely disables the comment system; existing comments preserved.
* File & Site Editors — disables the Theme/Plugin File Editors and the Site Editor.
* Gravatars — disables Gravatar avatars to stop external requests to gravatar.com.
* Toolbar Cleanup — removes the WP logo menu, "+ New" menu, Help tab, and footer text.
* Disable REST API — blocks REST access for non-authenticated users.
* Disable Feeds — disables all RSS, Atom, and RDF feeds.
* Disable Embeds — disables oEmbed auto-discovery and the embed script.
* Disable Auto-Updates — turns off automatic core/plugin/theme updates.
* Disable Author Archives — returns 404 for author archives; prevents enumeration.
* Disable Archive Pages — returns 404 for category, tag, and date archives; filters them from the sitemap.
* Disable Smaller Components — removes version disclosure, legacy meta tags, emoji, frontend Dashicons, and jQuery Migrate.
* Disable XML-RPC — disables XML-RPC, removes the X-Pingback header, blocks pingbacks.
* Heartbeat Control — disables Heartbeat on the frontend and slows it in admin.
* Disable AI Features (WP 7.0+) — unhooks the AI Client, Abilities API, and Connectors.
* Disable Application Passwords — closes the Application Passwords auth surface.
* Limit Post Revisions — caps stored revisions per post (default: last 10).
* Strip Comment Author IP (GDPR) — stops WordPress storing commenter IPs.

**Enhancements**

* Email — SMTP delivery, a forced consistent From address, and a full email log with view/resend/auto-clean.
* Image Optimization — auto-resizes and converts new uploads to WebP using native WordPress image processing.
* Better Link Search — relevance ranking, clearer result labels, and a post-type filter in the link modal.
* Content Duplication — one-click duplicate for pages, posts, custom post types, and taxonomy terms. Copies all content, taxonomy assignments, custom fields, and term meta (including ACF fields).
* Media Replacement — replace a media file while keeping the same ID, date, and filename.
* SVG Upload — allows SVG uploads with automatic sanitization.
* Missed Schedule Fix — publishes scheduled posts that missed their time.
* Admin Notices Cleanup — hides plugin spam notices, keeps the important ones.
* Custom Login URL — changes the login URL from wp-login.php to a custom slug.
* Email-Only Login — restricts login to email addresses only.
* Site Identity on Login Page — replaces the WP logo/link with your site icon and URL.
* User Info Columns — adds Last Login and Registration Date to the Users list.
* Disable Gutenberg — restores the Classic Editor; removes block styles.

**Security**

* Two-Factor Authentication — TOTP authenticator app, emailed code, or single-use backup codes; enforced per role; fully self-hosted. Does not affect REST, XML-RPC, application passwords, WP-CLI, or cron.
* Brute Force Protection — locks out IPs after repeated failed logins, with escalating duration (1 hour, 6 hours, 24 hours, 1 week).
* IP Banning — blocks abusive IPs automatically (escalating, up to 7 days) plus manual bans, an allowlist, and a ban log. No permanent bans — entries expire and self-clean.
* System Hardening — server/filesystem hardening via .htaccess (protect system files, disable directory browsing, block PHP execution in writable dirs) and disables the dashboard file editor.
* Block User Enumeration — blocks ?author=N and gates the REST users endpoint.
* Admin Creation Alert — emails you the moment an administrator is created or a user is promoted to admin.

**Tools**

* Database Tools — operator-run utilities under Zamok → Tools: a serialization-safe Search & Replace and a Database Cleanup for revisions, trash, spam, expired transients, and orphaned meta. Nothing runs on its own — every action is a manual click.

**Backups**

* Backups — full-site backup of files and database as a single encrypted package. Builds in resumable, timeout-safe steps so it works on shared hosting, with optional scheduling and off-site SFTP push. Archives are encrypted at rest with libsodium; both the browser download and the SFTP upload deliver a plain, restore-anywhere zip. Each package includes a standalone restore installer — just upload it, open in a browser, and follow the wizard.

**Plugin-specific cleanup**

* Clean Up Yoast SEO — removes promotional modals, upsell popups, menu bloat, the dashboard widget, admin bar menu, and premium upsell cards.
* Clean Up WooCommerce — removes marketplace suggestions, setup wizards, inbox notifications, payment install offers, and extension upsells.

Plugin-specific modules auto-disable when the target plugin is not active.

= What it replaces =

Zamok can replace the following plugins — gaining all their features while cutting admin page load times by 40–50%, database queries by 65–80%, and memory usage by 35–50% (based on automated benchmarks across 5 WordPress configurations):

* **WP Mail SMTP / Post SMTP** → Email module (SMTP, forced From, delivery log)
* **Solid Security / Kadence Security / Wordfence** → Brute Force, IP Banning, Two-Factor, Login URL, System Hardening, User Enumeration
* **Two Factor Authentication** → Two-Factor module (TOTP, email, backup codes)
* **Smush / EWWW / ShortPixel** → Image Optimization module (WebP conversion)
* **Safe SVG / SVG Support** → SVG Upload module (sanitized SVGs)
* **Better Search Replace** → Database Tools (serialization-safe search & replace)
* **WP-Optimize** → Database Tools (cleanup) + Heartbeat Control + Smaller Components
* **Disable Comments** → Comments module
* **Duplicate Post / Yoast Duplicate Post** → Content Duplication module
* **Duplicate Taxonomy Terms (ACF)** → Content Duplication module (term duplication with full ACF field support)
* **Duplicator / UpdraftPlus / All-in-One WP Migration** → Backups module (encrypted, scheduled, SFTP)
* **WPS Hide Login** → Custom Login URL module
* **Enable Media Replace** → Media Replacement module

== Installation ==

1. Upload the `zamok` folder to `/wp-content/plugins/`, or install the zip via Plugins → Add New → Upload Plugin.
2. Activate the plugin through the Plugins menu in WordPress.
3. Open the new **Zamok** menu in the admin sidebar.
4. Toggle on the modules you want.

Requires PHP 8.4 or higher and WordPress 7.0 or higher.

== Frequently Asked Questions ==

= Is it really free? =

Yes. GPL-2.0-or-later, forever. There is no pro tier, no upsell, no feature locked behind a payment. We built this to replace plugins whose business model is upselling you — adding our own would defeat the point.

= Does it collect any data or phone home? =

No. There is no usage tracking, analytics, telemetry, or licensing call-home. Everything runs on your own server. The only outbound connections are ones you configure and opt into: your SMTP server (Email module) and your SFTP server (Backups module). The backup worker makes a local loopback request to your site's own admin-ajax.php to advance background jobs, and the standalone restore installer optionally fetches fresh salts from wordpress.org (with a local fallback).

= Will it lock me out if I enable Two-Factor Authentication? =

Two-Factor is opt-in and defaults off. Backup codes are mandatory at setup, an administrator can reset any user's 2FA from the user-edit screen, and the `ZAMOK_2FA_DISABLE` constant in wp-config.php is an emergency escape hatch.

= Can I store secrets outside the database? =

Yes. SMTP, SFTP, and the backup encryption key can be pinned in wp-config.php via `ZAMOK_SMTP_PASSWORD`, `ZAMOK_SFTP_PASSWORD` / `ZAMOK_SFTP_KEY`, and `ZAMOK_BACKUP_KEY`. Secrets stored in the database are encrypted with libsodium.

= Does it work on Nginx? =

Every module runs on any web server. The one server-specific piece is the System Hardening module's .htaccess rules: Apache and LiteSpeed honor them, but Nginx never reads .htaccess files, so on Nginx those rules are inert and the documented Nginx snippets should be added to the server configuration instead.
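The documented Nginx snippets are not reproduced on this page. As an added example (not Zamok's own snippets, and not generated by the plugin), the following generic Nginx server block implements the same three rules the System Hardening module writes to .htaccess on Apache: directory browsing off, system files unreadable, and no PHP execution under the writable uploads directory. The server name, document root, and PHP-FPM socket path are placeholders, and the exact list of protected files is an assumption; adapt it to the host.

```nginx
# Added example, not part of Zamok: Nginx equivalents of the System
# Hardening rules the module writes to .htaccess on Apache/LiteSpeed.
# All paths and names below are placeholders.
server {
    listen 443 ssl;
    server_name example.com;                 # placeholder
    root /var/www/example.com;               # placeholder document root
    index index.php;

    # 1. Disable directory browsing (Apache equivalent: Options -Indexes).
    autoindex off;

    # Let ACME challenges through before the generic dotfile deny below;
    # regex locations are matched in order, first match wins.
    location ~ ^/\.well-known/ {
        allow all;
    }

    # 2. Protect system files: wp-config.php and every dotfile
    #    (.htaccess, .git, .env, ...) must never be served.
    location ~* /wp-config\.php$ {
        deny all;
    }
    location ~ /\. {
        deny all;
    }

    # 3. Block PHP execution in the writable uploads directory: anything
    #    with a PHP-like extension under wp-content/uploads is refused
    #    before it can reach the generic \.php$ handler further down.
    location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)$ {
        deny all;
    }

    # Standard WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP handler; try_files =404 stops a missing script from being
    # passed to PHP-FPM (a classic path-info misconfiguration).
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.4-fpm.sock;   # placeholder socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading, verify the rules with `nginx -t` and then request `/wp-config.php`, `/.htaccess`, and `/wp-content/uploads/test.php` on your own site: each should return 403 rather than 200 or 404-from-PHP, and a directory URL without an index file should return 403 instead of a listing.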

== Screenshots ==

1. The Zamok modules page — toggle cards grouped by category.
2. The Email module: SMTP settings and the email log.
3. IP Banning: active bans and the ban log.
4. Two-Factor Authentication: per-role enforcement and the user setup wizard.
5. Database Tools: serialization-safe Search & Replace and Database Cleanup.
6. Backups: build a package, schedule, and push off-site over SFTP.

== Changelog ==

= 1.0.0 =
* Initial release — 41 toggleable modules across Core Debloat, Enhancements, Security, Tools, and Backups.
* GPL-2.0-or-later. No tracking, no telemetry, no paid tier.
