WordPress.org

Maltese

Get WordPress
WordPress.org

Plugin Directory

Read Only Mode – Telchar HiveLock

Read Only Mode – Telchar HiveLock

By telchar
Download

Description

Read Only Mode – Telchar HiveLock freezes an already working site by restricting persistent WordPress actions while keeping the site online, browsable, and accessible to administrators.

While freeze mode is enabled:

  • Frontend browsing continues to work.
  • Administrators can still log in. All users can still log out.
  • Administrators can still access the dashboard.
  • Administrators can return to the plugin page and disable the freeze.
  • Standard WordPress-level persistent changes are blocked.

This plugin is designed for already-finished sites that should stay online and readable without allowing routine changes, uploads, updates, or content edits until an administrator intentionally unfreezes the site again.

It is not a maintenance mode plugin. Its purpose is to harden finished sites by reducing their WordPress-level attack surface and blocking persistent changes through standard WordPress write routes.

Blocked surfaces include:

  • post, page, attachment, and custom post type writes
  • taxonomy changes
  • comment creation and standard moderation changes
  • option and settings updates
  • user creation, deletion, and password reset flows
  • media uploads
  • plugin, theme, and core file modification flows handled through WordPress
  • REST write requests across all namespaces, including third-party plugin routes
  • admin AJAX restricted to a narrow allowlist of safe core read actions, while taxonomy creation requests return a visible error
  • XML-RPC publishing and pingback-style mutation routes

This plugin aims to provide a practical WordPress-level freeze mode. It does not claim to provide absolute immutability, server-level filesystem protection, or protection against every possible vulnerability or every custom plugin write path.

Screenshots

  • Plugin settings with freeze mode enabled

Installation

  1. Upload the telchar-site-freeze folder to the /wp-content/plugins/ directory, or install the plugin through the WordPress admin area.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Open Settings > Read Only Mode.
  4. Enable freeze mode when you want to freeze the site.

FAQ

What does this plugin block?

It blocks standard WordPress-level persistent changes such as content edits, taxonomy changes, user changes, settings changes, uploads, plugin and theme operations, and core write-style routes through REST, AJAX, and XML-RPC.

What still works while freeze mode is enabled?

Frontend page rendering, browsing, logout, administrator dashboard access, administrator login, and disabling freeze mode still work.

Can visitors still browse the website?

Yes. The frontend remains available for normal browsing.

Can users still log in?

Login is restricted to administrators only while freeze mode is enabled. Logging out continues to work.

Can administrators still access the dashboard?

Yes. Administrators can still access the dashboard and disable the freeze from the plugin screen, but persistent write actions remain blocked until freeze mode is disabled.

How do I disable freeze mode?

Open Settings > Read Only Mode in the WordPress admin area and click the disable button.

Are media uploads blocked?

Yes. Uploading new media is blocked while freeze mode is enabled.

Are plugin and theme updates blocked?

Yes. Installing, updating, deleting, activating, switching, and editing plugins or themes through normal WordPress routes are blocked while the freeze is enabled.

What happens if I forget the administrator password?

Password changes and resets are blocked while freeze mode is enabled, so recovery may require manual intervention outside the plugin.

Are settings changes blocked?

Yes. Persistent settings and option changes are blocked while freeze mode is enabled.

Are comments or content changes blocked?

Yes. New comments, comment moderation changes, post edits, page edits, and similar content mutations are blocked.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Read Only Mode – Telchar HiveLock” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Read Only Mode – Telchar HiveLock” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.0.12

  • Replaced the remaining admin action request helper with explicit local request inspection to reduce review ambiguity around passive mutation detection.

1.0.11

  • Replaced generic request readers with explicit contextual request inspection and switched the post-toggle admin status notice to a controlled transient-based flow.

1.0.10

  • Changed the main freeze toggle button to use site-focused labels instead of the plugin brand name, and updated translation catalogs accordingly.

1.0.9

  • Added a warning encouraging site owners to verify site health before freezing, with a link to Telchar for security audits and related tools.

1.0.8

  • Blocked post.php?action=delete so attachments cannot be permanently deleted from their detail screen during freeze. Returned core-compatible AJAX errors for blocked comment moderation actions so the admin UI shows a visible failure instead of behaving as if the action succeeded.

1.0.7

  • Allowed the minimum safe core AJAX actions needed for media and taxonomy browsing in wp-admin, and returned a visible error for blocked AJAX term creation instead of leaving the UI loading indefinitely.

1.0.6

  • Blocked low-level comment creation paths that pass through wp_new_comment() preprocessing so comment writes are denied more consistently during freeze.

1.0.5

  • Removed the remaining Heartbeat AJAX exception so frozen sites no longer expose that write-capable route. Added low-level metadata, taxonomy relationship, and user table write blocking to reduce custom code bypasses.

1.0.4

  • Fixed get_server_value() to use $_SERVER directly instead of filter_input(INPUT_SERVER), which returns null in PHP-FPM environments and silently disabled HTTP-method-dependent admin blocks.

1.0.3

  • Renamed the plugin, removed manual translation loading, hardened request validation, added a persistent admin notice while frozen, and updated compatibility metadata.

1.0.2

  • Closed admin-post.php write bypass. Blocked add_option and delete_option during freeze. Strengthened user capability checks. Fixed text inconsistencies in admin UI.

1.0.1

  • Removed dead code in option allowlist. Session tokens are stored in user meta, not options, so the entry had no effect.

1.0.0

  • Initial public release.

Meta

Ratings

No reviews have been submitted yet.

Your review

See all reviews

Contributors

Support

Got something to say? Need help?

View support forum