FAIR

Federated and Independent Repositories

Lock My Site

Plugin Banner

Lock My Site

by Juaevpa

Download
Description

Lock My Site is a lightweight plugin that enables remote management of your WordPress site through a secure REST API. Perfect for agencies, freelancers, and anyone managing multiple WordPress sites.

Features

  • Complete Health Check – Monitor site status, PHP version, memory usage, and more
  • Update Management – Manage plugins, themes, core, and translations updates remotely
  • Plugin Management – Activate, deactivate, and get detailed plugin information
  • Theme Management – Switch themes and manage theme updates
  • Database Optimization – Clean up and optimize database tables
  • Security Audit – Basic security checks and recommendations
  • Error Logs – Access PHP error logs remotely
  • User Management – List users and roles

Security

  • API Key authentication
  • Optional HMAC signature verification
  • Optional IP whitelist
  • Rate limiting protection
  • Automatic lockout after failed attempts
  • API key expiration (90 days)
  • Email alerts for suspicious activity
  • Activity logging

Available Endpoints

Status & Health
* GET /ping – Connection check
* GET /health – Complete site health status

Updates
* GET /updates – Available updates (plugins, themes, core, translations)
* POST /update/plugin – Update a specific plugin
* POST /update/theme – Update a specific theme
* POST /update/core – Update WordPress core
* POST /update/all-plugins – Update all plugins
* POST /update/all-themes – Update all themes
* POST /update/translations – Update all translations

Plugins
* GET /plugins – List all plugins
* GET /plugins/{plugin} – Get plugin details
* POST /plugins/activate – Activate a plugin
* POST /plugins/deactivate – Deactivate a plugin
* GET /plugins/ignored – List ignored plugins
* POST /plugins/ignore – Ignore a plugin from bulk updates
* POST /plugins/unignore – Remove plugin from ignored list

Themes
* GET /themes – List all themes
* POST /themes/activate – Activate a theme

Database
* GET /database/stats – Database statistics
* POST /database/cleanup – Clean database (revisions, drafts, spam, etc.)
* POST /database/optimize – Optimize database tables

Logs
* GET /logs/php – PHP error log
* GET /logs/activity – Plugin activity log

Users
* GET /users – List WordPress users

External services

This plugin connects to the following external services:

1. WordPress.org Checksums API

  • Service URL: https://api.wordpress.org/core/checksums/1.0/
  • What it does: Retrieves the official MD5 checksums for all WordPress core files so the plugin can verify that no core file has been modified or tampered with.
  • When data is sent: Only when a core integrity check is explicitly triggered by the site administrator via the authenticated REST API endpoint /security/core-integrity.
  • What data is sent: The installed WordPress version number and the site locale (e.g. en_US). No personal data is sent.
  • Service provider: WordPress.org (Automattic Inc.)
  • Terms of use: WordPress.org Terms of Service
  • Privacy policy: WordPress.org Privacy Policy

2. WordPress.org Translations API

  • Service URL: https://api.wordpress.org/translations/plugins/1.0/, https://api.wordpress.org/translations/themes/1.0/, and https://api.wordpress.org/translations/core/1.0/
  • What it does: Returns the latest available translation package versions for plugins, themes, and WordPress core in the site’s locale, so the plugin can determine which translations need updating.
  • When data is sent: When translation updates are checked, either on demand or as part of a full updates check, explicitly triggered by the site administrator via the authenticated REST API.
  • What data is sent: Plugin/theme slugs, their version numbers, and the site locale. No personal data is sent.
  • Service provider: WordPress.org (Automattic Inc.)
  • Terms of use: WordPress.org Terms of Service
  • Privacy policy: WordPress.org Privacy Policy

These are the only two external services this plugin connects to. No other HTTP requests are made to any third-party service.

Important note about domain name references in the source code

The plugin’s security scanner contains a hardcoded list of well-known, legitimate third-party domain names used as a local string-matching whitelist only. This list includes domains such as:

  • google-analytics.com, googletagmanager.com, googleapis.com
  • maps.google.com, maps.googleapis.com
  • tawk.to, crisp.chat, intercom.io, zendesk.com
  • cdn.jsdelivr.net, cdnjs.cloudflare.com, code.jquery.com, unpkg.com
  • recaptcha.net, gstatic.com

These domains are NOT contacted, called, or connected to in any way by this plugin. No HTTP requests, API calls, or any form of network communication is made to any of these domains.

The domain names appear as plain string constants in a PHP array. When the security scanner analyzes post and page content for potentially malicious script injections (e.g. <script src="..."> tags), it compares the src attribute against this whitelist using local string matching. Scripts referencing whitelisted domains are recognized as legitimate and excluded from the scan results, reducing false positives. The entire comparison happens locally in PHP memory — no data leaves the server.

  1. Upload the lock-my-site folder to /wp-content/plugins/
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Go to Tools > Lock My Site to get your API key
  4. Use the API key in your management dashboard
Is this plugin secure?

Yes. The plugin uses API key authentication, supports HMAC signature verification, IP whitelisting, implements rate limiting, auto-lockout after failed attempts, and logs all API access. The API key is generated automatically and can be regenerated at any time.

How do I authenticate?

Include the X-API-Key header with your API key in each request.

Can I restrict access by IP?

Yes, you can configure an IP whitelist in the plugin settings page (Tools > Lock My Site).

Does it work with management dashboards?

Yes, this plugin is designed to work with any management dashboard that implements the API. It’s compatible with custom dashboards and management tools.

What happens if someone gets my API key?

You can regenerate your API key at any time from the plugin settings. The old key will immediately stop working. You can also enable email alerts to be notified of suspicious access attempts.

Does it support multisite?

The plugin works on individual sites. For multisite networks, install it on each site you want to manage.

1.5.5

  • WordPress.org approved release
  • Final compliance fixes for plugin review

1.5.4

  • Replaced WP_CONTENT_DIR paths with wp_upload_dir(), get_theme_root(), WP_PLUGIN_DIR
  • Replaced ABSPATH for error logs with get_home_path()
  • Added prominent comments for remote management features (activate_plugin, switch_theme)
  • Fixed JSON input sanitization with map_deep() after json_decode()
  • Removed Polylang Pro integration code
  • Improved external services documentation in readme.txt

1.5.3

  • Updated all internal prefixes to lockmysi_ for WordPress.org compliance
  • Replaced inline scripts with properly enqueued JavaScript
  • Added wp_localize_script for passing data to admin scripts
  • Improved input sanitization across all files
  • Documented all external service connections in readme.txt
  • Added function_exists checks for WordPress admin includes

1.0.0

  • Initial release
  • Complete health check system
  • Plugin and theme management
  • Update management (plugins, themes, core, translations)
  • Database optimization and cleanup
  • PHP error log access
  • Activity logging
  • API key authentication with HMAC support
  • IP whitelist support
  • Rate limiting
Back to top