Support » Plugin: Ultimate Maintenance Mode » Adding '?mshot=true' will bypass maintenance mode.

  • Resolved Zachary DuBois

    (@zachary-dubois)


    I have figured out that if you add the option ?mshot=true to any URL when your site is in maintenance mode, it will allow anyone to bypass the maintenance mode. I know that this is supposed to be used for WordPress.com’s screenshot service, but it is a major flaw in the purpose of the plugin. I have noticed the following hostnames using this URL option under Wordfence live activity on my sites:

    • *.sat.wordpress.com
    • *.static.reverse.ltdomains.com

    You should fix this flaw so it will allow the screenshot service from only WordPress.com through and keep all others out.
    – Thanks

    http://wordpress.org/extend/plugins/ultimate-maintenance-mode/

Viewing 8 replies - 1 through 8 (of 8 total)
  • lol, that’s a BIG issue indeed… please fix 🙂

    Make sure in Google Webmaster Tools you set Google not to crawl those URL parameters.

    Plugin Author John Turner

    (@johnnytee)

    Google won’t crawl it unless it has that param. You have to allow the mshot or it will take a screenshot of the maintenance page. I’ll look at user agent detection.

    Google will crawl it because it has the link from WordPress. It notified me of the new pattern detected via email. You would rather Google get a 503 service temporarily unavailable than unfinished pages on your site.

    Will this be fixed? It is really a big issue if you need to take your site down for maintenance after a security break-in or such.

    You have to allow mshot through to get a screenshot. I’ll make it so if you use a custom background that mshot is blocked. Thx

    This has been fixed in 1.5.2. A unique identifier is not passed to identify mshots.

    Sweet! Thanks!
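
An added example (not part of the thread and not the plugin's code): a log check for the behaviour reported in the first post, listing requests that carried `mshot` and were answered with something other than the maintenance response. The log lines are constructed; the log format (Apache combined with reverse-DNS names in the first field), the 503 maintenance status and the name `find_bypasses` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, not real traffic. Assumed format: Apache combined
# log with HostnameLookups on, so field 1 is the client's reverse-DNS name.
SAMPLE_LOG = """\
crawler1.sat.wordpress.com - - [01/Jan/2000:10:01:02 +0000] "GET /?mshot=true HTTP/1.1" 200 18342 "-" "ExampleShotBot"
host7.static.reverse.ltdomains.com - - [01/Jan/2000:10:03:40 +0000] "GET /private-draft/?mshot=true HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
visitor.example.net - - [01/Jan/2000:10:04:11 +0000] "GET /about/ HTTP/1.1" 503 512 "-" "Mozilla/5.0"
probe.example.org - - [01/Jan/2000:10:06:30 +0000] "GET /?mshot=true HTTP/1.1" 503 512 "-" "ExampleClient"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_bypasses(log_text, allowed_suffix=".wordpress.com"):
    """Return requests that carried ?mshot and did not get the 503 page."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "mshot" not in query:
            continue
        status = int(m["status"])
        if status == 503:
            continue  # assumed maintenance response: the gate held
        host = m["host"].lower()
        findings.append({
            "host": host,
            "target": m["target"],
            "status": status,
            # PTR names are set by whoever controls the IP block, so a suffix
            # match is a triage hint only, not proof of the sender.
            "claims_wordpress_com": host.endswith(allowed_suffix),
        })
    return findings


if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_LOG):
        print(finding)
```
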

  • The topic ‘Adding '?mshot=true' will bypass maintenance mode.’ is closed to new replies.