English · 日本語 · 简体中文 · Español · Deutsch · Français · فارسی
Also written RequestLock or Request Lock.
A master kill-switch WordPress plugin that disarms external (internet) calls from WordPress core, your theme, and plugins — so your site keeps working when external internet is cut or restricted.
Built for resilience during connectivity restrictions: flip one switch and the site stops reaching out to the internet, serving only from local assets. As a bonus, wp-admin stops hanging on dead external requests because blocked calls fail instantly instead of waiting for timeouts.
Not just for outages — it also works as a general fix for slow network requests: block sluggish or unreliable third-party calls that drag down WordPress front-end and admin (back-end) performance, even when the internet is up. Blocked calls fail instantly, so they can't stall page loads waiting on timeouts.
Project home: https://apps.rackset.com/reqlock/
Server-side (PHP / WP HTTP API)
- Outbound
wp_remote_*requests to external hosts: WordPress.org update & version checks, analytics, OpenAI / Gemini APIs, remote fonts, etc. - External calls fail instantly (instead of timing out) → faster admin when offline.
Browser-side (rendered HTML)
- External
<script src="…"> - External
<link rel="stylesheet">(e.g. Google Fonts) - Resource hints:
preconnect/dns-prefetch/preload/prefetch - External
<iframe>→ replaced with a clean local placeholder - Inline analytics snippets: Google Analytics / Tag Manager, Microsoft Clarity, Ahrefs, Meta Pixel, Hotjar, Yandex Metrica
- (optional) External
<img>→ transparent placeholder
- Your own domain and all its subdomains are always allowed (e.g.
my.yoursite.com). - Allow-list: add any other hosts that should stay reachable.
- Detected-hosts panel: every external host the plugin sees is logged so you can build the allow-list quickly.
- Per-category toggles: turn each blocking layer on/off independently.
- Inert when OFF: with the master switch off, the plugin does nothing — safe to keep installed permanently and flip on only when needed.
- Admin-bar indicator shows when ReqLock is active.
- Copy the
reqlockfolder intowp-content/plugins/. - Activate ReqLock from the Plugins screen.
- Go to Settings → ReqLock.
- When external internet is unavailable, turn the Master switch ON.
| Group | Option | Default |
|---|---|---|
| Master | ReqLock | OFF |
| Server-side | Block outbound WP HTTP API | ON |
| Browser-side | External scripts | ON |
| Browser-side | External stylesheets | ON |
| Browser-side | Resource hints (preconnect/dns-prefetch/…) | ON |
| Browser-side | External iframes | ON |
| Browser-side | Inline analytics snippets | ON |
| Browser-side | External images | OFF |
| Scope | Also sanitize wp-admin | OFF |
| Scope | Log detected hosts | ON |
| — | Allow-list of hosts | empty |
- WordPress 5.0+
- PHP 7.2+ (tested on 7.4 / 8.1 / 8.2)
- HTTP API: hooks
pre_http_requestand returns aWP_Errorfor any external host (respecting the allow-list), short-circuiting the request before it leaves the server. - Enqueued assets: dequeues/deregisters any registered script/style whose source is external.
- Rendered HTML: buffers the page output and strips external resource tags and known inline analytics snippets with conservative, well-anchored patterns. Each removed element leaves a traceable
<!-- ReqLock blocked … -->comment (no request is made).
It deliberately leaves external rel="canonical" / alternate / icon <link>s intact (SEO-safe) and never touches relative/internal URLs.
Note: standalone PHP entry points that bypass WordPress entirely (e.g. custom scripts using raw
curl) are not interceptable by a WordPress plugin and must guard their own external calls.
GPL-2.0-or-later. See LICENSE.
Developed and maintained by the Rackset DevOps Team.
Website: https://rackset.com