Plugin Contributor Carolina (@carolinaop)
Hello @dacilbf
Thank you for contacting us, and thank you as well for raising this security concern.
Currently the plugin requires the manage_options capability, so by default only Administrators can access and use it. In practice, that means non-admin users should not be able to create or manage PHP snippets unless they have been granted elevated capabilities through custom role settings or another plugin.
There is not currently a separate built-in setting to disable only PHP snippets while still allowing CSS, JavaScript, and other snippet types.
Let us know if this helps.
Hello,
Thank you for raising this — it touches on something we deal with directly in our own setup.
We run a WordPress Multisite network in an educational environment where each site is managed by a teacher who holds the Administrator role on their individual site (but not Super Admin privileges). This is a fairly common pattern in education, and it introduces a specific risk that goes beyond the standard single-site scenario.
Even though the Code Snippets plugin correctly requires the manage_options capability — which in a standard single site would limit access to trusted admins — in a Multisite context, every site administrator inherently has manage_options on their own site. This means that any teacher, regardless of their technical background, can create and execute arbitrary PHP code within their site’s context.
In practice, we have seen cases where well-intentioned but inexperienced users add PHP snippets copied from tutorials or forums without fully understanding the implications: snippets that make external HTTP requests, expose server-side information, bypass caching layers, or introduce logic errors that break the site entirely.
The risk is not necessarily malicious intent — it is the combination of broad PHP execution capability with limited technical knowledge.
For this reason, a role-based or capability-based option to disable PHP snippet execution specifically (while still allowing CSS and JS) would be extremely valuable in Multisite environments. A Super Admin toggle to restrict PHP snippets network-wide — or per site — would address exactly this gap.
We hope this use case is helpful context for future development considerations.
Thank you.
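As an added example (not code from the Code Snippets plugin and not from either poster), the following must-use plugin shows one stop-gap a Super Admin can deploy today on a Multisite network: it raises the capability the plugin checks from `manage_options` to a network-level capability that site Administrators do not hold. It assumes the plugin reads its required capability through a `code_snippets_cap` filter (an assumption to verify against the installed version); the function name is hypothetical.

```php
<?php
/**
 * Plugin Name: Restrict Code Snippets to Super Admins (added example, not part of the plugin)
 *
 * Place this file in wp-content/mu-plugins/ on a Multisite network so it is
 * loaded on every site and cannot be deactivated by a site Administrator.
 * Assumes the Code Snippets plugin resolves its required capability via the
 * 'code_snippets_cap' filter (assumption; confirm for your installed version).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // never run outside WordPress
}

/**
 * On Multisite, require a network-level capability instead of manage_options.
 *
 * A site Administrator holds manage_options on their own site but not
 * manage_network_options. Super Admins pass every capability check, so only
 * they can reach the snippet screens once this filter is in place.
 *
 * @param string $cap Capability the plugin would otherwise require.
 * @return string Capability to require instead.
 */
function example_restrict_snippets_to_super_admins( $cap ) {
    if ( is_multisite() ) {
        return 'manage_network_options';
    }
    return $cap; // single site: keep the plugin's own default (manage_options)
}
add_filter( 'code_snippets_cap', 'example_restrict_snippets_to_super_admins' );
```

This is coarser than the toggle requested above: it withholds the whole snippet interface (CSS and JavaScript included) from site Administrators rather than disabling PHP snippets alone, and snippets that already exist keep running until a Super Admin reviews them. It is a containment measure for the Multisite gap described in the thread, not a substitute for the per-type, per-site control the request asks for.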