Maintenance mode plugins look simple, but they sit directly on a sensitive boundary: they change what anonymous visitors can access, add front-end rendering paths that run outside normal themes, and expose admin settings that control access rules (whitelists, scheduling, login links). If access control or request integrity is weak, attackers may bypass the “under construction” gate, force-enable it via CSRF to create downtime, or inject malicious markup into the maintenance page content shown to visitors or administrators. Under Construction version 4.04 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64616, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for maintenance/coming-soon plugins.
| Field | Details |
|---|---|
| Name | Under Construction |
| Version | 4.04 |
| Active installations | 600,000+ |
| Description | Create an Under Construction Page, Maintenance Mode Page, Coming Soon Page or a Landing Page that takes less than a minute to install & configure. |
| Security | Successfully tested for: SQL Injection (SQLi); Cross-Site Scripting (XSS) – Stored & Reflected; Cross-Site Request Forgery (CSRF); Authentication Vulnerabilities; Authentication Bypass Exploits; Privilege Escalation; Buffer Overflow; Denial-of-Service (DoS) vectors; Data Leakage Vulnerabilities; Insecure Dependency Usage; Remote Code Execution (RCE) Risks; Unauthorized File Access; Insufficient Injection Protection; Information Disclosure via Misconfigured Endpoints |
| CleanTalk Certification | Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards. |
| Additional Information | Site owners can safely use maintenance mode with the assurance of the “Plugin Security Certification” (PSC). As a best practice, restrict who can enable/disable the mode, verify whitelisted roles/users, and avoid granting broad editor-level access to global maintenance settings on production sites. |
Key Features
Under Construction is designed to put a site behind a temporary “coming soon / maintenance” screen while keeping the admin workflow intact. It provides an on/off switch for maintenance mode, visual themes/templates, and content controls (title, description, headline, custom content, and optional custom CSS) to quickly publish a branded placeholder page. Operationally important features include scheduling (automatic end date/time), optional analytics tracking, and access control via whitelisted roles/users so trusted accounts can view the real site while the public sees the maintenance page. From a security standpoint, these features touch sensitive surfaces such as wp-admin settings, front-end rendering, and role-based access rules, so secure defaults, correct capability checks, and safe output handling are essential.
Security Assurance
The CleanTalk Plugin Security Certification evaluation for maintenance mode plugins focuses on preventing the most realistic failures: unauthorized users forcing downtime (CSRF or weak permission checks on enable/disable actions), bypassing the maintenance gate to view protected pages, abusing whitelisting logic to grant access to unintended roles/users, and injecting scripts into the maintenance page content that could execute in visitor browsers or in admin previews. The review validates that state-changing actions are protected with nonce/CSRF defenses, that capability checks are enforced in underlying handlers (not just in UI visibility), and that any user-controlled content that is rendered into HTML is properly output-encoded to reduce stored/reflected XSS risk. It also considers leakage vectors such as misconfigured endpoints, overly verbose debug output, and unsafe handling of settings that can be influenced by lower-privileged roles.
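The controls named above (capability check inside the handler, nonce verification, validated role whitelist, and encoding on output), sketched as an added example for a maintenance-mode settings handler and front-end gate. This is not code from the Under Construction plugin; every `example_mm_*` name, the option key and the settings page slug are hypothetical.

```php
<?php
// Added illustration, NOT the Under Construction plugin's code.
// Every example_mm_* name, option key and page slug is hypothetical.
add_action( 'admin_post_example_mm_save', 'example_mm_save' );
add_action( 'template_redirect', 'example_mm_gate' );

function example_mm_save() {
    // Capability is enforced in the handler, not only by hiding the menu.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF defence: the form must carry wp_nonce_field( 'example_mm_save',
    // 'example_mm_nonce' ); check_admin_referer() dies on a bad nonce.
    check_admin_referer( 'example_mm_save', 'example_mm_nonce' );
    // Whitelist: accept only role slugs that exist on this site.
    $roles = array_map( 'sanitize_key', (array) ( $_POST['roles'] ?? array() ) );
    $roles = array_intersect( $roles, array_keys( wp_roles()->roles ) );
    update_option( 'example_mm_settings', array(
        'enabled'  => ! empty( $_POST['enabled'] ),
        'headline' => sanitize_text_field( wp_unslash( $_POST['headline'] ?? '' ) ),
        'content'  => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'roles'    => array_values( $roles ),
    ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-mm' ) );
    exit;
}

function example_mm_gate() {
    $s = wp_parse_args( get_option( 'example_mm_settings', array() ), array(
        'enabled' => false, 'headline' => '', 'content' => '', 'roles' => array(),
    ) );
    if ( ! $s['enabled'] ) {
        return;
    }
    // Bypass is decided server-side from the authenticated user's roles,
    // never from a request parameter or a client-set cookie value.
    if ( is_user_logged_in()
        && array_intersect( (array) wp_get_current_user()->roles, (array) $s['roles'] ) ) {
        return;
    }
    status_header( 503 );
    nocache_headers();
    // Escape at output even though the values were sanitized when saved.
    echo '<!doctype html><title>' . esc_html( $s['headline'] ) . '</title>';
    echo '<h1>' . esc_html( $s['headline'] ) . '</h1>';
    echo wp_kses_post( $s['content'] );
    exit;
}
```

When auditing a real plugin, check the same three places in each state-changing handler: the `current_user_can()` call, the nonce verification, and the escaping function wrapped around every setting echoed into the maintenance page.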
The plugin has been successfully tested for:
✅ Information Leakage Vulnerabilities
✅ SQL Injection Vulnerabilities
✅ Cross-Site Scripting (XSS) Attacks
✅ Cross-Site Request Forgery (CSRF) Attacks
✅ Authentication & Authentication Bypass Vulnerabilities
✅ Privilege Escalation Vulnerabilities
✅ Buffer Overflow Vulnerabilities
✅ Denial-of-Service (DoS) Vulnerabilities
✅ Data Leakage Vulnerabilities
✅ Insecure Dependencies
✅ Code Execution Vulnerabilities
✅ Unauthorized File Access Vulnerabilities
✅ Insufficient Injection Protection
Conclusion
With PSC-2026-64616, Under Construction version 4.04 demonstrates strong baseline security for the workflows that matter most in maintenance/coming-soon plugins: controlled activation of maintenance mode, safe rendering of a temporary front-end page, and consistent enforcement of admin-only configuration and access rules. This certification helps site owners reduce operational and security risk when temporarily hiding a site during development or incident response. As a best practice, keep maintenance-mode access limited to trusted administrators, periodically review whitelist settings, and treat any maintenance page content as production-facing output that should remain minimal and free of untrusted embeds.
Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.
