Per this Trac ticket, WP intentionally disallows adding the ‘unfiltered_html’ capability to any non-Super Admin users on a WordPress multisite network. This is due to the potential security vulnerabilities that could result from doing so. As that ticket points out:

Any user could add Javascript code to steal the login cookies of any visitor who runs a blog on the same site. The rogue user can then impersonate any of those users and wreak havoc.

If you just want those users to be able to insert things like YouTube video iframes, you could use WP’s built-in embed shortcode to embed that content instead.

If that’s not enough, and you need to extend the ‘unfiltered_html’ capability to non-Super Admins, the code below can be used to do that. Just be sure that you trust those users 100% – with great power comes great responsibility.

Just replace ‘editor’ on line 13 with whichever user role you need to add the unfiltered_html capability to.

Props to Justin Tadlock for the code he posted on this thread.
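One way to grant the capability to a single role through WordPress’s `map_meta_cap` filter. This is an added example, not the snippet this post originally carried or the code from the credited thread; the function name, the constant name and the must-use-plugin placement are assumptions made for illustration.

```php
<?php
/**
 * Added example: allow 'unfiltered_html' for one role on multisite.
 * Assumption: saved as a must-use plugin so it loads on every site
 * in the network.
 */

// Hypothetical constant: the one role trusted with raw HTML.
const EXAMPLE_UNFILTERED_HTML_ROLE = 'editor';

/**
 * Hypothetical callback for the core 'map_meta_cap' filter.
 *
 * @param string[] $caps    Primitive capabilities core requires.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User the check is for.
 * @return string[] Possibly adjusted list of required capabilities.
 */
function example_allow_unfiltered_html( $caps, $cap, $user_id ) {
	// Leave every other capability check untouched.
	if ( 'unfiltered_html' !== $cap ) {
		return $caps;
	}

	// Respect an explicit opt-out set in wp-config.php.
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		return $caps;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return $caps;
	}

	// On multisite, core answers 'do_not_allow' for anyone who is not a
	// Super Admin. For the trusted role only, require the primitive
	// capability instead, so the user's role must still include it.
	if ( in_array( EXAMPLE_UNFILTERED_HTML_ROLE, (array) $user->roles, true ) ) {
		$caps = array( 'unfiltered_html' );
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'example_allow_unfiltered_html', 10, 3 );
```

Because the check uses the user’s roles on the current site, removing someone from the trusted role on a site puts KSES filtering back in force for their posts there.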

  1. Nukium February 2, 2017 at 9:23 am


    I’ve been looking for this for ages, you’re a hero.

