Really Simple Under Construction Page

Changelog

1.5.0

Recommended security update for all existing users. No settings changes, no migration — install the update, refresh the settings page, and you are done. Headlines below.

• Security: the Under Construction HTML field now strips <script> tags, on-event handlers (onclick/onload/etc.) and javascript: URIs while preserving structural tags (DOCTYPE, html, head, style, body). A compromised admin account can no longer use this field to inject JavaScript that runs for visitors and other admins.
• Security: the bypass cookie now sets Secure (when the site uses HTTPS), HttpOnly, and SameSite=Lax attributes — was readable from JS and replayable over plain HTTP before.
• Security: the cookie value is now compared with hash_equals() to avoid timing leaks.
• Security: the IP whitelist now validates entries with FILTER_VALIDATE_IP (rejects bogus addresses like 999.x.x.x and accepts both IPv4 and IPv6).
• Bugfix: bail early on WP-CLI and cron requests — previously the plugin tried to render the Under Construction page during wp commands and wp-cron.php calls, which killed those commands silently. Cron jobs and CLI scripts now run normally.
• Bugfix: REST API requests (any URL containing /wp-json/) are now correctly bypassed. The 1.4.6 check used the wrong server variable, so REST calls were getting the Under Construction page when the plugin was active — silently broken since the bypass was added. Public REST endpoints work again.
• Bugfix: the “skip plugin if request is to /wp-json/” guard read $GLOBALS['PHP_SELF'] which is never populated, so the bypass never fired. Switched to $_SERVER['REQUEST_URI'] for actual reliability.
• Behavior: the Under Construction page now responds with HTTP 503 + Retry-After, so search engines see “temporarily unavailable” (correct semantics, won’t deindex) and proxies/CDNs no longer cache the placeholder over a real launch. Visitors see the same page as before.
• Hygiene: every translatable string now uses the matching really-simple-under-construction text domain (was rsuc short form), textareas are escaped with esc_textarea, every register_setting call has a sanitize_callback, the “Add my IP” button uses addEventListener + a JSON-encoded value. Bundled language files renamed accordingly.
• Tested up to WordPress 6.9.4.

1.4.6

• Bugfix, not working for startpage since 1.4.5.

1.4.5

• Minor code cleanup

1.4.4

• Improved handling of login page

1.4.3

• Added setting to make WordPress static Homepage to be visible, the plugin still restricts all other pages.

1.4.2

• Ignore if call to webhook wp-json

1.4.1

• Bugfix WordPress login blocked

1.4

• Ignore if call to webhook wc-api

1.3.2

• Minor bugfixes

1.3.1

• Add your IP to textfield link added.

1.3

• Whitelisting with IP address added. Settings layout updated. Refactored code.

1.2.1

• Settings link added in plugins list. Author information updated.

1.2

• Bugfix, not working for startpage in some set ups.

1.0

• Language support added. sv_SE and en_US in first version.

0.2

• Fix to ignore “Under Construction” page if current page is wp-admin or wp-login.php. Handles custom URLs.

0.1

• First commit.