Support » Plugin: Ultimate Maintenance Mode » Adding '?mshot=true' will bypass maintenance mode.

  • Resolved Zachary DuBois


    I have figured out that if you add the option ?mshot=true to any URL when your site is in maintenance mode, it will allow anyone to bypass the maintenance mode. I know that this is supposed to be used for’s screenshot service but, is a major flaw in the purpose of the plugin. I have noticed the following hostnames using this URL option under WordFence live activity on my sites:

    • *
    • *

    You should fix this flaw so it will allow the screenshot service from only through and keep all others out.
    – Thanks

Viewing 8 replies - 1 through 8 (of 8 total)
  • lol, that’s a BIG issue indeed… please fix 🙂

    Make sure in google webmaster tools you set Google not to crawl those URL peramiters.

    Plugin Author John Turner


    Google won’t crawl it unless it has that param. You have to allow the mshot or it will take a screenshot of the maintenance page. I’ll look at user agent detection.

    Google will crawl it because it has the link from WordPress. It notified me of the new pattern detected via email. You would rather google get a 503 service temporarily unavailable that unfinished pages on your site.

    Will this be fixed? It is really a big issue if you need to take your site down for maintenance after a security break in or such.

    You have to allow mshot through to take get a screenshot. I’ll make it so if you use a custom background that mshot is blocked. Thx

    This has been fixed in 1.5.2 . A unique identify is not passed to identify mshots.

    Sweet! Thanks!

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Adding '?mshot=true' will bypass maintenance mode.’ is closed to new replies.