Title: Lock My Site
Author: Juanma Evaristo
Published: <strong>Март 5, 2026-ж.</strong>
Last modified: Март 23, 2026-ж.

---

Плагиндерди издөө

![](https://ps.w.org/lock-my-site/assets/banner-772x250.png?rev=3475648)

![](https://ps.w.org/lock-my-site/assets/icon-256x256.png?rev=3475648)

# Lock My Site

 Автору [Juanma Evaristo](https://profiles.wordpress.org/juaevpa/)

[Жүктөө](https://downloads.wordpress.org/plugin/lock-my-site.1.5.9.zip)

 * [Кенен маалымат](https://ky.wordpress.org/plugins/lock-my-site/#description)
 * [Сын-пикирлер](https://ky.wordpress.org/plugins/lock-my-site/#reviews)
 *  [Орнотуу](https://ky.wordpress.org/plugins/lock-my-site/#installation)
 * [Development](https://ky.wordpress.org/plugins/lock-my-site/#developers)

 [Колдоо](https://wordpress.org/support/plugin/lock-my-site/)

## Сүрөттөө

Lock My Site is a lightweight plugin that enables remote management of your WordPress
site through a secure REST API. Perfect for agencies, freelancers, and anyone managing
multiple WordPress sites.

#### Features

 * **Complete Health Check** – Monitor site status, PHP version, memory usage, and
   more
 * **Update Management** – Manage plugins, themes, core, and translations updates
   remotely
 * **Plugin Management** – Activate, deactivate, and get detailed plugin information
 * **Theme Management** – Switch themes and manage theme updates
 * **Database Optimization** – Clean up and optimize database tables
 * **Security Audit** – Basic security checks and recommendations
 * **Error Logs** – Access PHP error logs remotely
 * **User Management** – List users and roles

#### Security

 * API Key authentication
 * Optional HMAC signature verification
 * Optional IP whitelist
 * Rate limiting protection
 * Automatic lockout after failed attempts
 * API key expiration (90 days)
 * Email alerts for suspicious activity
 * Activity logging

#### Available Endpoints

**Status & Health**
 * `GET /ping` – Connection check * `GET /health` – Complete
site health status

**Updates**
 * `GET /updates` – Available updates (plugins, themes, core, translations)*`
POST /update/plugin` – Update a specific plugin * `POST /update/theme` – Update 
a specific theme * `POST /update/core` – Update WordPress core * `POST /update/all-
plugins` – Update all plugins * `POST /update/all-themes` – Update all themes * `
POST /update/translations` – Update all translations

**Plugins**
 * `GET /plugins` – List all plugins * `GET /plugins/{plugin}` – Get
plugin details * `POST /plugins/activate` – Activate a plugin * `POST /plugins/deactivate`–
Deactivate a plugin * `GET /plugins/ignored` – List ignored plugins * `POST /plugins/
ignore` – Ignore a plugin from bulk updates * `POST /plugins/unignore` – Remove 
plugin from ignored list

**Themes**
 * `GET /themes` – List all themes * `POST /themes/activate` – Activate
a theme

**Database**
 * `GET /database/stats` – Database statistics * `POST /database/cleanup`–
Clean database (revisions, drafts, spam, etc.) * `POST /database/optimize` – Optimize
database tables

**Logs**
 * `GET /logs/php` – PHP error log * `GET /logs/activity` – Plugin activity
log

**Users**
 * `GET /users` – List WordPress users

### External services

This plugin connects to the following external services:

#### 1. WordPress.org Checksums API

 * **Service URL:** `https://api.wordpress.org/core/checksums/1.0/`
 * **What it does:** Retrieves the official MD5 checksums for all WordPress core
   files so the plugin can verify that no core file has been modified or tampered
   with.
 * **When data is sent:** Only when a core integrity check is explicitly triggered
   by the site administrator via the authenticated REST API endpoint `/security/
   core-integrity`.
 * **What data is sent:** The installed WordPress version number and the site locale(
   e.g. `en_US`). No personal data is sent.
 * **Service provider:** WordPress.org (Automattic Inc.)
 * **Terms of use:** [WordPress.org Terms of Service](https://wordpress.org/about/domains/)
 * **Privacy policy:** [WordPress.org Privacy Policy](https://wordpress.org/about/privacy/)

#### 2. WordPress.org Translations API

 * **Service URL:** `https://api.wordpress.org/translations/plugins/1.0/`, `https://
   api.wordpress.org/translations/themes/1.0/`, and `https://api.wordpress.org/translations/
   core/1.0/`
 * **What it does:** Returns the latest available translation package versions for
   plugins, themes, and WordPress core in the site’s locale, so the plugin can determine
   which translations need updating.
 * **When data is sent:** When translation updates are checked, either on demand
   or as part of a full updates check, explicitly triggered by the site administrator
   via the authenticated REST API.
 * **What data is sent:** Plugin/theme slugs, their version numbers, and the site
   locale. No personal data is sent.
 * **Service provider:** WordPress.org (Automattic Inc.)
 * **Terms of use:** [WordPress.org Terms of Service](https://wordpress.org/about/domains/)
 * **Privacy policy:** [WordPress.org Privacy Policy](https://wordpress.org/about/privacy/)

These are the only two external services this plugin connects to. No other HTTP 
requests are made to any third-party service.

#### Important note about domain name references in the source code

The plugin’s security scanner contains a hardcoded list of well-known, legitimate
third-party domain names used as a **local string-matching whitelist only**. This
list includes domains such as:

 * google-analytics.com, googletagmanager.com, googleapis.com
 * maps.google.com, maps.googleapis.com
 * tawk.to, crisp.chat, intercom.io, zendesk.com
 * cdn.jsdelivr.net, cdnjs.cloudflare.com, code.jquery.com, unpkg.com
 * recaptcha.net, gstatic.com

**These domains are NOT contacted, called, or connected to in any way by this plugin.**
No HTTP requests, API calls, or any form of network communication is made to any
of these domains.

The domain names appear as plain string constants in a PHP array. When the security
scanner analyzes post and page content for potentially malicious script injections(
e.g. `<script src="...">` tags), it compares the `src` attribute against this whitelist
using local string matching. Scripts referencing whitelisted domains are recognized
as legitimate and excluded from the scan results, reducing false positives. The 
entire comparison happens locally in PHP memory — no data leaves the server.

## Скриншоттор

 * [[
 * Plugin settings page with API key and security configuration
 * [[
 * Activity log showing recent API calls
 * [[
 * IP whitelist and HMAC signature configuration
 * [[
 * Security audit report – cover page with risk score and findings summary
 * [[
 * Monthly maintenance report – cover page with KPIs (updates, uptime, security,
   performance)
 * [[
 * Security audit detail – executive summary with categorized findings
 * [[
 * Maintenance report detail – site configuration and technical parameters

## Орнотуу

 1. Upload the `lock-my-site` folder to `/wp-content/plugins/`
 2. Activate the plugin through the ‘Plugins’ menu in WordPress
 3. Go to Tools > Lock My Site to get your API key
 4. Use the API key in your management dashboard

## FAQ.KG

### Is this plugin secure?

Yes. The plugin uses API key authentication, supports HMAC signature verification,
IP whitelisting, implements rate limiting, auto-lockout after failed attempts, and
logs all API access. The API key is generated automatically and can be regenerated
at any time.

### How do I authenticate?

Include the `X-API-Key` header with your API key in each request.

### Can I restrict access by IP?

Yes, you can configure an IP whitelist in the plugin settings page (Tools > Lock
My Site).

### Does it work with management dashboards?

Yes, this plugin is designed to work with any management dashboard that implements
the API. It’s compatible with custom dashboards and management tools.

### What happens if someone gets my API key?

You can regenerate your API key at any time from the plugin settings. The old key
will immediately stop working. You can also enable email alerts to be notified of
suspicious access attempts.

### Does it support multisite?

The plugin works on individual sites. For multisite networks, install it on each
site you want to manage.

## Сын-пикирлер

![](https://secure.gravatar.com/avatar/f74ea056fae31727249dc935b970814c3c9eed3a4da689f3081fef8d79ca8c4f?
s=60&d=retro&r=g)

### 󠀁[really useful and lightweight](https://wordpress.org/support/topic/really-useful-and-lightweight-2/)󠁿

 [manelio](https://profiles.wordpress.org/manelio/) Март 6, 2026-ж.

this plugin has been a great little time-saver for us. managing several wp sites
is much easier now, especially for updates and quick health checks. setup was simple,
it feels lightweight, and the security features are reassuring. The name may be 
a bit misleading at first, but the plugin itself is genuinely useful

![](https://secure.gravatar.com/avatar/2ad25152d66ab68f233ff1e771f5f5b61808045f5b306f63250027046f2b84c4?
s=60&d=retro&r=g)

### 󠀁[Useful and easy](https://wordpress.org/support/topic/useful-and-easy-46/)󠁿

 [digitalsenda](https://profiles.wordpress.org/digitalsenda/) Март 6, 2026-ж.

I tried the plugin and I really appreciate the simple configuration and the information
it gives.Nice job!

![](https://secure.gravatar.com/avatar/bd1732345ce861d427c2c5322d4b8d4fd5b4f8f0e24d335d0d8a1619112c9c5d?
s=60&d=retro&r=g)

### 󠀁[Really useful!](https://wordpress.org/support/topic/really-useful-331/)󠁿

 [Fernando Serer](https://profiles.wordpress.org/fserer/) Март 6, 2026-ж.

Thanks for this plugin, really useful!

![](https://secure.gravatar.com/avatar/5cff1a57d01955c3b32e58ed35dfbfbc97c37800e219bd4cf3d3b696168208e1?
s=60&d=retro&r=g)

### 󠀁[Great plugin! Awesome support](https://wordpress.org/support/topic/great-plugin-awesome-support-260/)󠁿

 [snieto](https://profiles.wordpress.org/snieto/) Март 6, 2026-ж.

What a plugin, man!Absolutely top notch right from the first release.Congrats!

 [ Read all 4 reviews ](https://wordpress.org/support/plugin/lock-my-site/reviews/)

## Contributors & Developers

“Lock My Site” is open source software. The following people have contributed to
this plugin.

Мүчөлөрү

 *   [ Juanma Evaristo ](https://profiles.wordpress.org/juaevpa/)

[Translate “Lock My Site” into your language.](https://translate.wordpress.org/projects/wp-plugins/lock-my-site)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/lock-my-site/), check
out the [SVN repository](https://plugins.svn.wordpress.org/lock-my-site/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/lock-my-site/) by
[RSS](https://plugins.trac.wordpress.org/log/lock-my-site/?limit=100&mode=stop_on_copy&format=rss).

## Өзгөртүүлөр

#### 1.5.9

 * Fix: Safe plugin reactivation after updates (catch activation failures to prevent
   site crash)

#### 1.5.8

 * Fix: Obfuscate malware scanner signatures to prevent hosting false positives
 * Fix: Delete stale transients before force refresh to prevent phantom updates
 * Fix: Verify actual plugin version after update (detect silent successes)
 * Fix: Object cache flush on force refresh for aggressive hosting caches

#### 1.5.6

 * Fix: Bulk plugin updates – single transient refresh per site instead of per plugin
 * Fix: Transient re-injection between updates to prevent data loss
 * Fix: wp.org API fallback when transient is stale

#### 1.5.5

 * WordPress.org approved release
 * Final compliance fixes for plugin review

#### 1.5.4

 * Replaced WP_CONTENT_DIR paths with wp_upload_dir(), get_theme_root(), WP_PLUGIN_DIR
 * Replaced ABSPATH for error logs with get_home_path()
 * Added prominent comments for remote management features (activate_plugin, switch_theme)
 * Fixed JSON input sanitization with map_deep() after json_decode()
 * Removed Polylang Pro integration code
 * Improved external services documentation in readme.txt

#### 1.5.3

 * Updated all internal prefixes to `lockmysi_` for WordPress.org compliance
 * Replaced inline scripts with properly enqueued JavaScript
 * Added wp_localize_script for passing data to admin scripts
 * Improved input sanitization across all files
 * Documented all external service connections in readme.txt
 * Added function_exists checks for WordPress admin includes

#### 1.0.0

 * Initial release
 * Complete health check system
 * Plugin and theme management
 * Update management (plugins, themes, core, translations)
 * Database optimization and cleanup
 * PHP error log access
 * Activity logging
 * API key authentication with HMAC support
 * IP whitelist support
 * Rate limiting

## Мета

 *  Нуска **1.5.9**
 *  Акыркы жаңыртуу **2 ай мурун**
 *  Активдүү орнотуулар **10+**
 *  WordPress нускасы ** 5.6 же андан жогору **
 *  Tested up to **6.9.4**
 *  PHP нускасы ** 7.4 же андан жогору **
 *  Тил
 * [English (US)](https://wordpress.org/plugins/lock-my-site/)
 * Тег:
 * [api](https://ky.wordpress.org/plugins/tags/api/)[maintenance](https://ky.wordpress.org/plugins/tags/maintenance/)
   [management](https://ky.wordpress.org/plugins/tags/management/)[remote](https://ky.wordpress.org/plugins/tags/remote/)
   [updates](https://ky.wordpress.org/plugins/tags/updates/)
 *  [Advanced View](https://ky.wordpress.org/plugins/lock-my-site/advanced/)

## Рейтинг

 5 out of 5 stars.

 *  [  4 5-star reviews     ](https://wordpress.org/support/plugin/lock-my-site/reviews/?filter=5)
 *  [  0 4-star reviews     ](https://wordpress.org/support/plugin/lock-my-site/reviews/?filter=4)
 *  [  0 3-star reviews     ](https://wordpress.org/support/plugin/lock-my-site/reviews/?filter=3)
 *  [  0 2-star reviews     ](https://wordpress.org/support/plugin/lock-my-site/reviews/?filter=2)
 *  [  0 1-star reviews     ](https://wordpress.org/support/plugin/lock-my-site/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/lock-my-site/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/lock-my-site/reviews/)

## Мүчөлөрү

 *   [ Juanma Evaristo ](https://profiles.wordpress.org/juaevpa/)

## Колдоо

Комментарийлер барбы? Жардам керекпи?

 [Колдоо форумун көрүү](https://wordpress.org/support/plugin/lock-my-site/)