I have figured out that if you add the option ?mshot=true to any URL when your site is in maintenance mode, it will allow anyone to bypass the maintenance mode. I know that this is supposed to be used for WordPress.com’s screenshot service, but it is a major flaw in the purpose of the plugin. I have noticed the following hostnames using this URL option under Wordfence live activity on my sites:
You should fix this flaw so it will allow the screenshot service from only WordPress.com through and keep all others out.
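
One way to check a site's own access logs for the requests described above, as an added example that is not part of the original post or the plugin's code. It assumes combined-format access logs; the function names, the `trusted_networks` parameter and the sample log lines are constructed for illustration, and the page gives no address ranges for the WordPress.com screenshot service, so those must be supplied by the site owner.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined/common log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def has_mshot(target):
    """True if the query string has an mshot parameter set to true.
    Matching is deliberately case-insensitive so variants are not missed."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(k.lower() == "mshot" and "true" in (v.lower() for v in vals)
               for k, vals in params.items())

def find_mshot_requests(lines, trusted_networks=()):
    """Count mshot=true requests per (client IP, status) outside trusted_networks.
    trusted_networks is an assumption: ranges the site owner has verified."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not has_mshot(m.group("target")):
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # client field is a hostname or malformed
        if any(ip in net for net in trusted):
            continue
        hits[(str(ip), m.group("status"))] += 1
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?mshot=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /about/?page=2&MSHOT=True HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?mshot=true HTTP/1.1" 200 5120 "-" "screenshot-agent"',
    '192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /?s=mshot%3Dtrue HTTP/1.1" 503 612 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2024:10:02:10 +0000] "GET / HTTP/1.1" 503 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_mshot_requests(SAMPLE_LOG, ["198.51.100.0/24"])
    for (ip, status), n in found.items():
        print(f"{ip} status={status} mshot requests={n}")
```

A 200 status on these requests while the site is in maintenance mode indicates the page was served rather than the maintenance response.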