Description
Version 1.5.0 is a recommended security update for all existing users. It blocks JavaScript injection on the Under Construction page, hardens the bypass cookie (Secure/HttpOnly/SameSite), tightens IP-whitelist validation, and fixes silent breakage with WP-CLI, cron, and the REST API. The plugin’s behavior and settings are unchanged — existing setups upgrade in place. See the changelog for the full list.
Add a really simple Under Construction page to your website by enabling this plugin. Use IP whitelisting and a secret URL to grant access to selected users without logging in.
Go to the settings page in Settings > Really Simple Under Construction. Enable by checking the checkbox. The Under Construction page is only visible to visitors who are not logged in. You can optionally configure:
- The Under Construction page itself — paste any HTML (DOCTYPE, <style>, <body> etc. are supported, scripts are stripped).
- A secret word that lets you bypass the page via a URL like
?yoursecret. A cookie is then stored so the same browser keeps access. - The lifetime of that cookie, in days.
- A list of IP addresses to whitelist for users and services that should always see the real site.
Screenshots
The settings page in Settings > Really Simple Under Construction. Toggle the page on, paste in your HTML, set a secret word, and add IP addresses to the whitelist. 
An Under Construction page on the public frontend, rendered from the HTML saved in the settings.
Reviews
مارس 19, 2024
Simple as the title suggests, love the minimalistic approach, and especially the URL parameter to bypass it without having to login!
مارس 1, 2024
Do what it says. Quick way to close access and in the same time give it easy to ones who needed. Thank you.
دسامبر 16, 2023
At last a plugin to create just a simple, basic ‘under construction / maintenance page’ without tons of unnecessary options. Thanks!
نوامبر 21, 2023
A simple plugin that’s perfect for creating a customized construction page.
سپتامبر 1, 2023
1 reply
Really Simple Under Construction Page does what it says on the box. It’s a basic and developer oriented plugin, without all the weird bells and whistles and annoying ads and upselling found in other bloated plugins.
I just want to
Block visitors from accidentally accessing a demo website, thinking it’s the real thing.
Whitelist my IP-address, so I can continue working on the website.
Create a URL with a password that I can send to someone who needs temporary access to the test site.
Enable/disable the block with a click
This plugin, does that, and that’s it. Plain and simple. And that’s what makes it stand out from the crowds. 👍
Tested August ’23 on WP 6.3 and PHP 8.1
ژوئن 30, 2023
2 replies
as well /admin – /wp-admin is “under construction”
horrible pugin – – keep your hand away from this
This means – I have to reinstall everything
— Support was fast 🙂
Contributors & Developers
“Really Simple Under Construction Page” is open source software. The following people have contributed to this plugin.
Contributors
Translate “Really Simple Under Construction Page” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.5.8
- Re-style the Pro upsell card on the settings page so it no longer uses WordPress core notice classes (Guideline 11 hygiene). Same scope as before — only the plugin’s own settings page — but it now renders as a self-styled card with a small “Pro upgrade” label, distinct from a system notice. Drops the inline color/weight from the “Get Pro” link in plugin_action_links too.
- Pro upsell card is now collapsible — click the × in the corner to shrink it down to just the “Pro upgrade” pill; click the pill to expand it back. State persists per browser via localStorage.
1.5.7
- Fix: when buying PRO from inside the free plugin, the license is now activated against LemonSqueezy during the install flow rather than left in a “pending” state for the user to activate manually afterwards. Errors that previously surfaced two steps later (most commonly “license has reached its activation limit”) now show up in the install notice immediately, so the user can act on them right away. PRO’s License tab opens already showing an active status when install succeeds.
1.5.6
- Hotfix: the “Get PRO” checkout link was missing
/checkout/in the URL path and 404’d. Buy flow now lands on the correct LemonSqueezy checkout. No other changes.
1.5.5
- Internal refactor: the PRO upsell + auto-install flow is now a reusable module (
JHLSQ\Purchase) bundled atjhlsq-purchase/. No user-visible change. - Added a “Read more ” link next to the Get PRO button so users can read about PRO on jonashjalmarsson.se before clicking through to checkout.
1.5.4
- New: a “Get Pro” link in the Plugins list and a small notice at the top of the settings page when the PRO add-on isn’t installed. Both are hidden automatically once PRO is active.
- New: clicking “Get PRO” from the settings page now opens the LemonSqueezy checkout in an overlay (lemon.js) instead of a new tab. After purchase, the same notice swaps into a short installer flow that fetches your license, downloads PRO from our update server, installs and activates it, and pre-fills the license key in PRO’s License tab — without leaving wp-admin. A paste-the-key fallback is shown if anything in the auto flow stalls.
1.5.3
- Developer: added
rsuc_html_outputfilter so add-ons can post-process the Under Construction HTML before it goes to the wire (e.g. resolve shortcodes inside the template). No visible changes for end users. - Bugfix:
/wp-admin/*paths beyond the bare/wp-admin/root were being intercepted by the UC page because the admin-URL match compared a no-scheme host+path against a full URL. Switched to aREQUEST_URIprefix match soadmin-post.php,admin-ajax.php, etc. reach WordPress as intended.
1.5.2
- Developer: added two filter hooks for add-on plugins to extend the bypass logic.
rsuc_ip_whitelisted(passes the resolved client IP) lets an add-on whitelist by CIDR range, geolocation, or any other rule.rsuc_should_bypassruns right before the UC page would render, so an add-on can match multiple secret URLs, time windows, or other custom signals. No visible changes for end users.
1.5.1
- Developer: added action
rsuc_render_after_headingon the settings page so add-on plugins can render a tab nav, an upgrade banner, or other UI between the heading and the settings form. No visible changes for end users.
1.5.0
Recommended security update for all existing users. No settings changes, no migration — install the update, refresh the settings page, and you are done. Headlines below.
- Security: the Under Construction HTML field now strips
<script>tags, on-event handlers (onclick/onload/etc.) andjavascript:URIs while preserving structural tags (DOCTYPE, html, head, style, body). A compromised admin account can no longer use this field to inject JavaScript that runs for visitors and other admins. - Security: the bypass cookie now sets Secure (when the site uses HTTPS), HttpOnly, and SameSite=Lax attributes — was readable from JS and replayable over plain HTTP before.
- Security: the cookie value is now compared with
hash_equals()to avoid timing leaks. - Security: the IP whitelist now validates entries with
FILTER_VALIDATE_IP(rejects bogus addresses like999.x.x.xand accepts both IPv4 and IPv6). - Bugfix: bail early on WP-CLI and cron requests — previously the plugin tried to render the Under Construction page during
wpcommands andwp-cron.phpcalls, which killed those commands silently. Cron jobs and CLI scripts now run normally. - Bugfix: REST API requests (any URL containing
/wp-json/) are now correctly bypassed. The 1.4.6 check used the wrong server variable, so REST calls were getting the Under Construction page when the plugin was active — silently broken since the bypass was added. Public REST endpoints work again. - Bugfix: the “skip plugin if request is to /wp-json/” guard read
$GLOBALS['PHP_SELF']which is never populated, so the bypass never fired. Switched to$_SERVER['REQUEST_URI']for actual reliability. - Behavior: the Under Construction page now responds with HTTP 503 +
Retry-After, so search engines see “temporarily unavailable” (correct semantics, won’t deindex) and proxies/CDNs no longer cache the placeholder over a real launch. Visitors see the same page as before. - Hygiene: every translatable string now uses the matching
really-simple-under-constructiontext domain (wasrsucshort form), textareas are escaped withesc_textarea, everyregister_settingcall has asanitize_callback, the “Add my IP” button usesaddEventListener+ a JSON-encoded value. Bundled language files renamed accordingly. - Tested up to WordPress 6.9.4.
1.4.6
- Bugfix, not working for startpage since 1.4.5.
1.4.5
- Minor code cleanup
1.4.4
- Improved handling of login page
1.4.3
- Added setting to make WordPress static Homepage to be visible, the plugin still restricts all other pages.
1.4.2
- Ignore if call to webhook wp-json
1.4.1
- Bugfix WordPress login blocked
1.4
- Ignore if call to webhook wc-api
1.3.2
- Minor bugfixes
1.3.1
- Add your IP to textfield link added.
1.3
- Whitelisting with IP address added. Settings layout updated. Refactored code.
1.2.1
- Settings link added in plugins list. Author information updated.
1.2
- Bugfix, not working for startpage in some set ups.
1.0
- Language support added. sv_SE and en_US in first version.
0.2
- Fix to ignore “Under Construction” page if current page is wp-admin or wp-login.php. Handles custom URLs.
0.1
- First commit.