Per this Trac ticket, WP intentionally disallows adding the ‘unfiltered_html’ capability to any non-Super Admin users on a WordPress multisite network. This is due to the potential security vulnerabilities that could result from doing so. As that ticket points out:

Any user could add Javascript code to steal the login cookies of any visitor who runs a blog on the same site. The rogue user can then impersonate any of those users and wreak havoc.

If you just want those users to be able to insert things like YouTube video iframes, you could use WP’s built-in embed shortcode to embed that content instead.

If that’s not enough, and you need to extend the ‘unfiltered_html’ capability to non-Super Admins, the code below can be used to do that. Just be sure that you trust those users 100% – with great power comes great responsibility.

Just replace ‘editor’ on line 13 with whichever user role you need to add the unfiltered_html capability to.

Props to Justin Tadlock for the code he posted on this thread.

Also see this plugin by Automattic that gives both Administrators and Editors the unfiltered_html capability on multisite installs: https://wordpress.org/plugins-wp/unfiltered-mu/
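
One way to grant this through the `map_meta_cap` filter, as an added example (not the snippet this post refers to, so its line numbers will not match). The plugin header, the function name `example_allow_unfiltered_html` and the constant `EXAMPLE_UNFILTERED_HTML_ROLE` are hypothetical; the role is set in that constant.

```php
<?php
/**
 * Plugin Name: Multisite Unfiltered HTML for One Role (added example)
 */

// Assumption: the role slug that should regain unfiltered_html. Change as needed.
const EXAMPLE_UNFILTERED_HTML_ROLE = 'editor';

/**
 * On multisite, core maps 'unfiltered_html' to 'do_not_allow' for every user
 * who is not a Super Admin. Map it back to the primitive capability, but only
 * for users who hold the chosen role on the current site.
 *
 * @param string[] $caps    Primitive capabilities core requires for $cap.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id ID of the user being checked.
 * @return string[] Capabilities the user must have.
 */
function example_allow_unfiltered_html( $caps, $cap, $user_id ) {
	if ( 'unfiltered_html' !== $cap ) {
		return $caps;
	}

	// Keep the wp-config.php kill switch working: if it is set, change nothing.
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		return $caps;
	}

	$user = get_userdata( $user_id );
	if ( $user && in_array( EXAMPLE_UNFILTERED_HTML_ROLE, (array) $user->roles, true ) ) {
		// The role itself must still include 'unfiltered_html'. The default
		// Editor and Administrator roles do; roles such as Author do not.
		return array( 'unfiltered_html' );
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'example_allow_unfiltered_html', 1, 3 );
```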

4 comments

  1. Nukium February 2, 2017 at 9:23 am

    I’ve been looking for this for ages, you’re a hero.

  2. Anton Chizhikov February 22, 2017 at 8:55 am

    Where should I add the code, Kellen?

    • Kellen Mace March 24, 2017 at 9:28 am

      You could create a new plugin with that code inside of it, or put that code inside of the theme’s functions.php file. Putting it inside of a plugin would be the preferred way to include it, since that way you would be able to change your theme without that capability being lost (which WOULD happen if you put it in the theme’s functions.php). Either way would work, though.

  3. Thomas May 9, 2017 at 4:57 am

    Hello,

    I run a WP multisite network and I am interested in this feature (allowing site admins to use unfiltered HTML). However, I can’t trust the site admins.

    My network used domain mapping and every site has a different domain (I don’t use subdomains). For this reason, I don’t think that a user could “steal” cookies or do anything else that could harm the network. And then, this feature wouldn’t add a security issue. Is that correct?

    Thank you!
