What is the unfiltered_html permission in WordPress?
The unfiltered_html permission is a security feature in WordPress that prevents users from using tags such as
This unfiltered_html permission could be very dangerous in the wrong hands, so please don't give this permission to any users you do not trust. WordPress has disabled this permission for most users because they rarely need it.
I'm going to show you the unfiltered_html permission in action.
In the post below, I've created a Paragraph block. I'm using the Gutenberg editor:
In the settings for this paragraph block, I click the “Edit as HTML” option:
Now in the HTML version of the block, I enter the HTML code for an iframe:
When I try to save this post, or edit the block visually, WordPress will complain with the message: “This block contains unexpected or invalid content.” This happens because I do NOT have the unfiltered_html permission.
If you click “Resolve”, WordPress will try to convert the code to something safer. However, the code shown below in the “After Conversion” area will not work:
If you want to add code like this to WordPress, you do need the unfiltered_html permission.
Which user roles have unfiltered_html permission?
The unfiltered_html permission is available on single WordPress sites and on multisite networks.
On WordPress multisite networks, only Super Admins have the unfiltered_html permission.
Users not in these roles are not allowed to add suspicious code to posts.
Control who has the unfiltered_html permission
If you use the PublishPress Capabilities plugin, you can enable or disable the unfiltered_html permission for each user role.
- Go to “Capabilities” in your WordPress admin area.
- In the top-right corner of the screen, load the user role that you want to customize. In this image below, I’ve chosen the “Editor” role:
In the center of the screen, you can now set the permissions. If you want to allow people in the Editor role to create posts, check the “unfiltered html” box. Click the blue “Save Changes” button to finish,
If you want to set these permissions across a multisite network, follow these instructions.