Lock My Site

Lock My Site is a lightweight plugin that enables remote management of your WordPress site through a secure REST API. Perfect for agencies, freelancers, and anyone managing multiple WordPress sites.

Features

• Complete Health Check – Monitor site status, PHP version, memory usage, and more
• Update Management – Manage plugins, themes, core, and translations updates remotely
• Plugin Management – Activate, deactivate, and get detailed plugin information
• Theme Management – Switch themes and manage theme updates
• Database Optimization – Clean up and optimize database tables
• Security Audit – Basic security checks and recommendations
• Error Logs – Access PHP error logs remotely
• User Management – List users and roles

Security

• API Key authentication
• Optional HMAC signature verification
• Optional IP whitelist
• Rate limiting protection
• Automatic lockout after failed attempts
• API key expiration (90 days)
• Email alerts for suspicious activity
• Activity logging

Available Endpoints

Status & Health
* GET /ping – Connection check
* GET /health – Complete site health status

Updates
* GET /updates – Available updates (plugins, themes, core, translations)
* POST /update/plugin – Update a specific plugin
* POST /update/theme – Update a specific theme
* POST /update/core – Update WordPress core
* POST /update/all-plugins – Update all plugins
* POST /update/all-themes – Update all themes
* POST /update/translations – Update all translations

Plugins
* GET /plugins – List all plugins
* GET /plugins/{plugin} – Get plugin details
* POST /plugins/activate – Activate a plugin
* POST /plugins/deactivate – Deactivate a plugin
* GET /plugins/ignored – List ignored plugins
* POST /plugins/ignore – Ignore a plugin from bulk updates
* POST /plugins/unignore – Remove plugin from ignored list

Themes
* GET /themes – List all themes
* POST /themes/activate – Activate a theme

Database
* GET /database/stats – Database statistics
* POST /database/cleanup – Clean database (revisions, drafts, spam, etc.)
* POST /database/optimize – Optimize database tables

Logs
* GET /logs/php – PHP error log
* GET /logs/activity – Plugin activity log

Users
* GET /users – List WordPress users

External services

This plugin connects to the following external services:

1. WordPress.org Checksums API

• Service URL: https://api.wordpress.org/core/checksums/1.0/
• What it does: Retrieves the official MD5 checksums for all WordPress core files so the plugin can verify that no core file has been modified or tampered with.
• When data is sent: Only when a core integrity check is explicitly triggered by the site administrator via the authenticated REST API endpoint /security/core-integrity.
• What data is sent: The installed WordPress version number and the site locale (e.g. en_US). No personal data is sent.
• Service provider: WordPress.org (Automattic Inc.)
• Terms of use: WordPress.org Terms of Service
• Privacy policy: WordPress.org Privacy Policy

2. WordPress.org Translations API

• Service URL: https://api.wordpress.org/translations/plugins/1.0/, https://api.wordpress.org/translations/themes/1.0/, and https://api.wordpress.org/translations/core/1.0/
• What it does: Returns the latest available translation package versions for plugins, themes, and WordPress core in the site’s locale, so the plugin can determine which translations need updating.
• When data is sent: When translation updates are checked, either on demand or as part of a full updates check, explicitly triggered by the site administrator via the authenticated REST API.
• What data is sent: Plugin/theme slugs, their version numbers, and the site locale. No personal data is sent.
• Service provider: WordPress.org (Automattic Inc.)
• Terms of use: WordPress.org Terms of Service
• Privacy policy: WordPress.org Privacy Policy

These are the only two external services this plugin connects to. No other HTTP requests are made to any third-party service.

Important note about domain name references in the source code

The plugin’s security scanner contains a hardcoded list of well-known, legitimate third-party domain names used as a local string-matching whitelist only. This list includes domains such as:

• google-analytics.com, googletagmanager.com, googleapis.com
• maps.google.com, maps.googleapis.com
• tawk.to, crisp.chat, intercom.io, zendesk.com
• cdn.jsdelivr.net, cdnjs.cloudflare.com, code.jquery.com, unpkg.com
• recaptcha.net, gstatic.com

These domains are NOT contacted, called, or connected to in any way by this plugin. No HTTP requests, API calls, or any form of network communication is made to any of these domains.

The domain names appear as plain string constants in a PHP array. When the security scanner analyzes post and page content for potentially malicious script injections (e.g. <script src="..."> tags), it compares the src attribute against this whitelist using local string matching. Scripts referencing whitelisted domains are recognized as legitimate and excluded from the scan results, reducing false positives. The entire comparison happens locally in PHP memory — no data leaves the server.