Ultimate Maintenance Mode
[resolved] Adding '?mshot=true' will bypass maintenance mode. (9 posts)

  1. Zachary DuBois
    Member
    Posted 1 year ago #

    I have figured out that if you add the option ?mshot=true to any URL when your site is in maintenance mode, it will allow anyone to bypass the maintenance mode. I know that this is supposed to be used for WordPress.com's screenshot service, but it is a major flaw in the purpose of the plugin. I have noticed the following hostnames using this URL option under Wordfence live activity on my sites:

    • *.sat.wordpress.com
    • *.static.reverse.ltdomains.com

    You should fix this flaw so it will allow the screenshot service from only WordPress.com through and keep all others out.
    - Thanks

    http://wordpress.org/extend/plugins/ultimate-maintenance-mode/

  2. Kramarz
    Member
    Posted 1 year ago #

    lol, that's a BIG issue indeed... please fix :-)

  3. Zachary DuBois
    Member
    Posted 1 year ago #

    Make sure in Google Webmaster Tools you set Google not to crawl those URL parameters.

  4. John Turner
    Member
    Plugin Author

    Posted 1 year ago #

    Google won't crawl it unless it has that param. You have to allow the mshot or it will take a screenshot of the maintenance page. I'll look at user agent detection.

  5. Zachary DuBois
    Member
    Posted 1 year ago #

    Google will crawl it because it has the link from WordPress. It notified me of the new pattern detected via email. You would rather Google get a 503 Service Temporarily Unavailable than unfinished pages on your site.

  6. Zachary DuBois
    Member
    Posted 10 months ago #

    Will this be fixed? It is really a big issue if you need to take your site down for maintenance after a security break-in or such.

  7. SeedProd
    Member
    Posted 10 months ago #

    You have to allow mshot through to get a screenshot. I'll make it so if you use a custom background that mshot is blocked. Thx

  8. SeedProd
    Member
    Posted 10 months ago #

    This has been fixed in 1.5.2. A unique identifier is not passed to identify mshots.

  9. Zachary DuBois
    Member
    Posted 10 months ago #

    Sweet! Thanks!

Topic Closed

This topic has been closed to new replies.
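
Added illustration for the thread above (not part of any post, and not the plugin's actual code): a PHP example contrasting the flag-only check described in the first post with a check that also requires a per-site secret, returning 503 otherwise. The `mshot_key` parameter and all function names are hypothetical.

```php
<?php
// Added illustration; not Ultimate Maintenance Mode's code. The parameter
// name "mshot_key" and all function names are hypothetical.

// Pattern described in the thread: the flag alone opens the site to anyone.
function bypass_flag_only(array $query): bool
{
    return ($query['mshot'] ?? '') === 'true';
}

// Hardened: the flag must be accompanied by a per-site secret.
function bypass_with_key(array $query, string $siteKey): bool
{
    if (($query['mshot'] ?? '') !== 'true') {
        return false;
    }
    $supplied = $query['mshot_key'] ?? '';
    // Reject arrays (?mshot_key[]=x) and empty values before comparing.
    if (!is_string($supplied) || $supplied === '' || $siteKey === '') {
        return false;
    }
    return hash_equals($siteKey, $supplied); // constant-time comparison
}

// Decide the response: 200 for an authorised screenshot request, else 503.
function maintenance_status(array $query, string $siteKey): array
{
    if (bypass_with_key($query, $siteKey)) {
        return ['status' => 200, 'headers' => []];
    }
    return ['status' => 503, 'headers' => ['Retry-After' => '3600']];
}

// Constructed sample requests (already-parsed query strings).
$siteKey = bin2hex(random_bytes(16)); // generated once and stored in practice
$samples = [
    'no parameters'      => [],
    'flag only'          => ['mshot' => 'true'],
    'flag + wrong key'   => ['mshot' => 'true', 'mshot_key' => 'guess'],
    'flag + array key'   => ['mshot' => 'true', 'mshot_key' => ['x']],
    'flag + correct key' => ['mshot' => 'true', 'mshot_key' => $siteKey],
];
foreach ($samples as $label => $query) {
    printf("%-20s flag-only=%s hardened=%d\n", $label,
        bypass_flag_only($query) ? 'bypass' : 'blocked',
        maintenance_status($query, $siteKey)['status']);
}
```

A key carried in the URL ends up in access logs and crawler reports, so it should be rotated once maintenance ends.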
