Recommended security update for all users. Blocks JavaScript injection on the Under Construction page, hardens the bypass cookie (Secure\/HttpOnly\/SameSite), tightens IP-whitelist validation, and fixes silent breakage with REST API, WP-CLI and cron.<\/p>","0.2":"
Upgrade, fixing beeing locked out from wp-admin if no secret word is set.<\/p>","0.1":"
First commit.<\/p>"},"ratings":{"1":0,"2":0,"3":1,"4":0,"5":8},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3519653,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3519653,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.jpg":{"filename":"banner-1544x500.jpg","revision":3519653,"resolution":"1544x500","location":"assets","locale":""},"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3519653,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.jpg":{"filename":"banner-772x250.jpg","revision":3519653,"resolution":"772x250","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3519653,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.5.0","1.5.7"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3519653,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3519653,"resolution":"2","location":"assets","locale":""}},"screenshots":{"1":"The settings page in Settings > Really Simple Under Construction. Toggle the page on, paste in your HTML, set a secret word, and add IP addresses to the whitelist.","2":"An Under Construction page on the public frontend, rendered from the HTML saved in the settings."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[34619,253358,732,261563,733],"plugin_category":[52],"plugin_contributors":[202990],"plugin_business_model":[],"class_list":["post-85422","plugin","type-plugin","status-publish","hentry","plugin_tags-hide-site","plugin_tags-ip-whitelist","plugin_tags-maintenance","plugin_tags-secret-key","plugin_tags-under-construction","plugin_category-performance","plugin_contributors-jonashjalmarsson","plugin_committers-jonashjalmarsson"],"banners":{"banner":"https:\/\/ps.w.org\/really-simple-under-construction\/assets\/banner-772x250.png?rev=3519653","banner_2x":"https:\/\/ps.w.org\/really-simple-under-construction\/assets\/banner-1544x500.png?rev=3519653","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/really-simple-under-construction\/assets\/icon-128x128.png?rev=3519653","icon_2x":"https:\/\/ps.w.org\/really-simple-under-construction\/assets\/icon-256x256.png?rev=3519653","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/really-simple-under-construction\/assets\/screenshot-1.png?rev=3519653","caption":"The settings page in Settings > Really Simple Under Construction. Toggle the page on, paste in your HTML, set a secret word, and add IP addresses to the whitelist."},{"src":"https:\/\/ps.w.org\/really-simple-under-construction\/assets\/screenshot-2.png?rev=3519653","caption":"An Under Construction page on the public frontend, rendered from the HTML saved in the settings."}],"raw_content":"\n
Version 1.5.0 is a recommended security update for all existing users.<\/strong> It blocks JavaScript injection on the Under Construction page, hardens the bypass cookie (Secure\/HttpOnly\/SameSite), tightens IP-whitelist validation, and fixes silent breakage with WP-CLI, cron, and the REST API. The plugin's behavior and settings are unchanged \u2014 existing setups upgrade in place. See the changelog for the full list.<\/p>\n\n\n\n Add a really simple Under Construction page to your website by enabling this plugin. Use IP whitelisting and a secret URL to grant access to selected users without logging in.<\/p>\n\n Go to the settings page in Settings > Really Simple Under Construction. Enable by checking the checkbox. The Under Construction page is only visible to visitors who are not logged in. You can optionally configure:<\/p>\n\n Recommended security update for all existing users.<\/strong> No settings changes, no migration \u2014 install the update, refresh the settings page, and you are done. Headlines below.<\/p>\n\n\n
?yoursecret<\/code>. A cookie is then stored so the same browser keeps access.<\/li>\n1.5.7<\/h4>\n\n
\n
1.5.6<\/h4>\n\n
\n
\/checkout\/<\/code> in the URL path and 404'd. Buy flow now lands on the correct LemonSqueezy checkout. No other changes.<\/li>\n<\/ul>\n\n1.5.5<\/h4>\n\n
\n
JHLSQ\\Purchase<\/code>) bundled at jhlsq-purchase\/<\/code>. No user-visible change.<\/li>\n1.5.4<\/h4>\n\n
\n
1.5.3<\/h4>\n\n
\n
rsuc_html_output<\/code> filter so add-ons can post-process the Under Construction HTML before it goes to the wire (e.g. resolve shortcodes inside the template). No visible changes for end users.<\/li>\n\/wp-admin\/*<\/code> paths beyond the bare \/wp-admin\/<\/code> root were being intercepted by the UC page because the admin-URL match compared a no-scheme host+path against a full URL. Switched to a REQUEST_URI<\/code> prefix match so admin-post.php<\/code>, admin-ajax.php<\/code>, etc. reach WordPress as intended.<\/li>\n<\/ul>\n\n1.5.2<\/h4>\n\n
\n
rsuc_ip_whitelisted<\/code> (passes the resolved client IP) lets an add-on whitelist by CIDR range, geolocation, or any other rule. rsuc_should_bypass<\/code> runs right before the UC page would render, so an add-on can match multiple secret URLs, time windows, or other custom signals. No visible changes for end users.<\/li>\n<\/ul>\n\n1.5.1<\/h4>\n\n
\n
rsuc_render_after_heading<\/code> on the settings page so add-on plugins can render a tab nav, an upgrade banner, or other UI between the heading and the settings form. No visible changes for end users.<\/li>\n<\/ul>\n\n1.5.0<\/h4>\n\n
\n
<script><\/code> tags, on-event handlers (onclick\/onload\/etc.) and javascript:<\/code> URIs while preserving structural tags (DOCTYPE, html, head, style, body). A compromised admin account can no longer use this field to inject JavaScript that runs for visitors and other admins.<\/li>\nhash_equals()<\/code> to avoid timing leaks.<\/li>\nFILTER_VALIDATE_IP<\/code> (rejects bogus addresses like 999.x.x.x<\/code> and accepts both IPv4 and IPv6).<\/li>\nwp<\/code> commands and wp-cron.php<\/code> calls, which killed those commands silently. Cron jobs and CLI scripts now run normally.<\/li>\n\/wp-json\/<\/code>) are now correctly bypassed. The 1.4.6 check used the wrong server variable, so REST calls were getting the Under Construction page when the plugin was active \u2014 silently broken since the bypass was added. Public REST endpoints work again.<\/li>\n$GLOBALS['PHP_SELF']<\/code> which is never populated, so the bypass never fired. Switched to $_SERVER['REQUEST_URI']<\/code> for actual reliability.<\/li>\nRetry-After<\/code>, so search engines see \"temporarily unavailable\" (correct semantics, won't deindex) and proxies\/CDNs no longer cache the placeholder over a real launch. Visitors see the same page as before.<\/li>\nreally-simple-under-construction<\/code> text domain (was rsuc<\/code> short form), textareas are escaped with esc_textarea<\/code>, every register_setting<\/code> call has a sanitize_callback<\/code>, the \"Add my IP\" button uses addEventListener<\/code> + a JSON-encoded value. Bundled language files renamed accordingly.<\/li>\n1.4.6<\/h4>\n\n
\n
1.4.5<\/h4>\n\n
\n
1.4.4<\/h4>\n\n
\n
1.4.3<\/h4>\n\n
\n
1.4.2<\/h4>\n\n
\n
1.4.1<\/h4>\n\n
\n
1.4<\/h4>\n\n
\n
1.3.2<\/h4>\n\n
\n
1.3.1<\/h4>\n\n
\n
1.3<\/h4>\n\n
\n
1.2.1<\/h4>\n\n
\n
1.2<\/h4>\n\n
\n
1.0<\/h4>\n\n
\n
0.2<\/h4>\n\n
\n
0.1<\/h4>\n\n
\n