Website Lockdown
Overview
Website Lockdown is a security feature designed to protect your WordPress website by freezing critical core files and directories. When enabled, it prevents unauthorized modifications and malicious code injection by making key WordPress files immutable.
This feature helps ensure website stability and security by preventing malware from tampering with core WordPress files, themes, and plugins.
What Does Website Lockdown Protect?
When Website Lockdown is enabled, the following protections are applied:
- WordPress Core Files: Protects essential WordPress system files from being modified
- Plugin Installation: Blocks installation of new plugins to prevent malicious plugins from being added
- Theme Installation: Prevents installation of new themes that could contain malicious code
- File Modifications: Makes critical files and directories read-only to prevent unauthorized changes
- Malicious Code Injection: Prevents attackers from injecting malicious code into protected files
When to Use Website Lockdown
Website Lockdown is recommended in the following scenarios:
- Production websites: When your site is live and you don't need to install new plugins or themes
- After development: Once your site is configured and you want to prevent unauthorized changes
- Security incidents: If you suspect your site has been compromised and want to prevent further damage
- Stable deployments: When you want to maintain a stable, unchanging configuration
When NOT to Use Website Lockdown
You should disable Website Lockdown when:
- Installing plugins or themes: Lockdown mode will block these operations
- Updating WordPress core: Core updates require write access to protected files
- Active development: When you're actively developing and need to modify files
- Troubleshooting: When you need to modify configuration or debug issues
How to Enable Website Lockdown
- Navigate to your site details page
- Click on the Utilities section
- Find Website Lockdown in the list
- Click on the Website Lockdown option
- Read the feature description in the dialog
- Click the Enable Website Lockdown button
- Wait for the job to complete
Once Lockdown is enabled, WordPress displays warning messages when you attempt operations that Lockdown mode blocks.
How to Disable Website Lockdown
- Navigate to your site details page
- Click on the Utilities section
- Find Website Lockdown in the list (a checkmark or other indicator shows that it's enabled)
- Click on the Website Lockdown option
- In the dialog, you'll see a warning message explaining that Lockdown is active
- Click the Disable Website Lockdown button
- Wait for the job to complete
After disabling Lockdown, you'll be able to install plugins and themes and modify files normally.
Important Notes
- Always disable Lockdown before updates: You must disable Website Lockdown before installing or updating plugins, themes, or WordPress core
- No impact on content: Lockdown does not affect your ability to create or edit posts, pages, and other content
- Server-level protection: Protection is applied at the file system level using immutable flags
- Reversible: You can enable and disable Lockdown at any time as needed
Troubleshooting
Cannot Install Plugin or Theme
Problem: You're trying to install a plugin or theme but it's being blocked.
Solution:
- Go to Utilities > Website Lockdown
- Click Disable Website Lockdown
- Wait for the job to complete
- Install your plugin or theme
- Re-enable Website Lockdown if desired
Updates Failing
Problem: WordPress core, plugin, or theme updates are failing.
Solution:
- Temporarily disable Website Lockdown
- Perform your updates
- Re-enable Website Lockdown after updates are complete
File Permission Errors
Problem: You're seeing file permission errors in WordPress.
Solution:
- Check if Website Lockdown is enabled
- If you need to modify files, disable Lockdown temporarily
- Make your changes
- Re-enable Lockdown when finished
Best Practices
- Enable after configuration: Turn on Lockdown once your site is fully configured and stable
- Disable for maintenance: Always disable Lockdown before performing updates or installations
- Regular monitoring: Keep an eye on your site's security logs even with Lockdown enabled
- Combine with other security: Use Lockdown alongside other security measures like firewalls and regular backups
- Document changes: Keep track of when you enable/disable Lockdown for maintenance
Technical Details
Website Lockdown works by:
- Setting immutable flags on critical WordPress files and directories
- Modifying file permissions to prevent unauthorized writes
- Protecting the WordPress core structure from tampering
The protection is applied at the operating system level, making it effective even if an attacker gains access to your WordPress admin panel.
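To confirm that the flags described above are actually in place, for example after re-enabling Lockdown following maintenance, you can audit them from a shell. The script below is an added example, not part of the Website Lockdown product: it assumes a Linux host where the immutable flag is the attribute that lsattr(1) displays as "i" (an attribute that only a privileged process can set or clear), and its sample paths are constructed for illustration.

```sh
# Added example, not the product's own code. Assumption: Linux host, lock is
# the immutable attribute shown by lsattr(1) as "i" in the flags column.
# Constructed sample of `lsattr -d` output; the paths are illustrative only.
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /var/www/example/wp-config.php
----i---------e------- /var/www/example/wp-includes
--------------e------- /var/www/example/wp-content/plugins
EOF
}

# classify: read `lsattr -d` lines ("<flags> <path>") on stdin and print
# "LOCKED <path>" or "UNLOCKED <path>" for each entry.
classify() {
    while IFS= read -r line; do
        # Ignore lines without a "<flags> <path>" shape.
        case $line in *' '*) ;; *) continue ;; esac
        flags=${line%% *}
        path=${line#* }
        case $flags in
            ''|*[!A-Za-z-]*) continue ;;   # first field is not a flag string
            *i*) printf 'LOCKED %s\n' "$path" ;;
            *)   printf 'UNLOCKED %s\n' "$path" ;;
        esac
    done
}

# lockdown_state: summarise lsattr lines on stdin as locked, partial,
# unlocked, or unknown (no usable lines, e.g. attributes unsupported).
lockdown_state() {
    report=$(classify)
    locked=0; open=0
    while read -r state rest; do
        case $state in
            LOCKED)   locked=$((locked + 1)) ;;
            UNLOCKED) open=$((open + 1)) ;;
        esac
    done <<EOF
$report
EOF
    if [ $((locked + open)) -eq 0 ]; then echo unknown
    elif [ "$open" -eq 0 ]; then echo locked
    elif [ "$locked" -eq 0 ]; then echo unlocked
    else echo partial
    fi
}

# On a real host: lsattr -d <paths you expect to be frozen> | lockdown_state
sample_lsattr | classify
```

A "partial" result after Lockdown has been enabled means some expected paths are still writable and is worth recording alongside your enable/disable log.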