diff --git a/CHANGELOG.md b/CHANGELOG.md
index c157731..6816fc7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down
+- Block non-master users from viewing or editing MokoWaaS plugin settings
+- Master user bypasses ALL tenant restrictions (install from URL, global config, sysinfo, installer, templates)
 
 ### Fixed
 - Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly)
diff --git a/README.md b/README.md
index 3b6df39..f12d937 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
  DEFGROUP: Joomla.Plugin
  INGROUP: MokoWaaS
  REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.05.01
+ VERSION: 02.05.04
  PATH: /README.md
  BRIEF: MokoWaaS platform plugin for Joomla
 -->
diff --git a/src/packages/com_mokowaas/mokowaas.xml b/src/packages/com_mokowaas/mokowaas.xml
index c19b978..d76c267 100644
--- a/src/packages/com_mokowaas/mokowaas.xml
+++ b/src/packages/com_mokowaas/mokowaas.xml
@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<description>Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups.</description>
 	<namespace path="api/src">Moko\Component\MokoWaaS\Api</namespace>
 	<administration>
diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index f55e36a..698bb8b 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -1025,6 +1025,31 @@ class MokoWaaS extends CMSPlugin
 				$this->app->redirect('index.php?option=com_plugins');
 			}
 		}
+
+		// Block non-master from viewing or editing MokoWaaS plugin settings
+		if ($option === 'com_plugins')
+		{
+			$view       = $this->app->input->get('view', '');
+			$layout     = $this->app->input->get('layout', '');
+			$extensionId = (int) $this->app->input->get('extension_id', 0);
+
+			if (($view === 'plugin' || $layout === 'edit') && $extensionId > 0)
+			{
+				$db    = Factory::getDbo();
+				$query = $db->getQuery(true)
+					->select('COUNT(*)')
+					->from($db->quoteName('#__extensions'))
+					->where($db->quoteName('extension_id') . ' = ' . $extensionId)
+					->where($db->quoteName('element') . ' = ' . $db->quote('mokowaas'))
+					->where($db->quoteName('type') . ' = ' . $db->quote('plugin'));
+
+				if ((int) $db->setQuery($query)->loadResult() > 0)
+				{
+					$this->app->enqueueMessage('MokoWaaS settings are restricted to the master user.', 'warning');
+					$this->app->redirect('index.php?option=com_plugins');
+				}
+			}
+		}
 	}
 
 	/**
@@ -3402,12 +3427,18 @@ class MokoWaaS extends CMSPlugin
 	 */
 	protected function enforceAdminRestrictions()
 	{
+		// Master user bypasses ALL restrictions
+		if ($this->isMasterUser())
+		{
+			return;
+		}
+
 		$input  = $this->app->input;
 		$option = $input->get('option', '');
 		$view   = $input->get('view', '');
 		$task   = $input->get('task', '');
 
-		// Disable install-from-URL for ALL users (safety net)
+		// Disable install-from-URL for non-master users
 		if ($this->params->get('disable_install_url', 1)
 			&& $option === 'com_installer'
 			&& stripos($task, 'install') !== false
@@ -3418,12 +3449,6 @@ class MokoWaaS extends CMSPlugin
 			return;
 		}
 
-		// Remaining restrictions only apply to non-master users
-		if ($this->isMasterUser())
-		{
-			return;
-		}
-
 		$blocked = [];
 
 		if ($this->params->get('restrict_installer', 1))
diff --git a/src/packages/plg_system_mokowaas/mokowaas.xml b/src/packages/plg_system_mokowaas/mokowaas.xml
index 26dbbb1..b8fdc48 100644
--- a/src/packages/plg_system_mokowaas/mokowaas.xml
+++ b/src/packages/plg_system_mokowaas/mokowaas.xml
@@ -30,7 +30,7 @@
 	<license>GNU General Public License version 3 or later; see LICENSE.md</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<description>This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.</description>
 	<namespace path=".">Moko\Plugin\System\MokoWaaS</namespace>
 	<scriptfile>script.php</scriptfile>
diff --git a/src/packages/plg_webservices_mokowaas/mokowaas.xml b/src/packages/plg_webservices_mokowaas/mokowaas.xml
index f1cad69..0419ed5 100644
--- a/src/packages/plg_webservices_mokowaas/mokowaas.xml
+++ b/src/packages/plg_webservices_mokowaas/mokowaas.xml
@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<description>Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoWaaS</namespace>
 	<files>
diff --git a/src/pkg_mokowaas.xml b/src/pkg_mokowaas.xml
index dfea54b..f0d8dcd 100644
--- a/src/pkg_mokowaas.xml
+++ b/src/pkg_mokowaas.xml
@@ -2,7 +2,7 @@
 <extension type="package" method="upgrade">
 	<name>MokoWaaS</name>
 	<packagename>mokowaas</packagename>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<creationDate>2026-05-23</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>