Support » Plugin: Jetpack - WP Security, Backup, Speed, & Growth » “Invalid Security Token” with embed codes

  • Resolved mbrailer


    I have Jetpack comments enabled on this site, and I get a message “Invalid Security Token” when I post embed codes like the kind I get from Twitter and Instagram. These codes have a lot of HTML markup in them.

    Not every website’s embed codes fail, however. Here are some I’ve tested successfully: Flickr, Gfycat, Vimeo.

    But Twitter and Instagram’s embed codes result in the “Invalid Security Token” error every time.


Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter mbrailer


    I just discovered something that may help. The embed codes from Twitter all have the &mdash; entity code in them. When I manually remove that code, I am able to post the content.

    This will be helpful to me when I want to add content from Twitter as a comment, but if other readers want to do the same, I’ll have to teach them this trick. It would be much easier for all if these embed codes would work exactly as these services provide them.

    Hi @mbrailer,

    I’ve done some testing but haven’t been able to replicate the issue you described — either through or the WP Admin dashboard. It sounds like you are using the full embed code generated by Instagram, rather than copying the post URL into the editor — is that correct?

    When the embed code is pasted into a post or page, at what point are you seeing the error message?

    I noticed you are using a plugin called oEmbed in Comments. To rule out any possible conflicts, could you try deactivating that plugin and see if adding the embed code triggers any errors?

    Thread Starter mbrailer


    Hi Gemma:

    I had installed oEmbed in Comments after I posted my original message (which I realize may have created confusion, for which I apologize). Also, to clarify my earlier post, my issue only affects Jetpack comments, not posts or pages. I have disabled the plugin.

    Pasting a Twitter or Instagram embed code into the Jetpack comment box produces an “Invalid Security Token” message after clicking the “Post Comment” button. (It looks like this:

    If I paste the content URL into a comment, it turns into a clickable link rather than embedding (except for YouTube videos, which do embed). This is why I installed oEmbed in Comments, which solves my problem.

    Plugin Contributor James Huff


    Volunteer Moderator

    That’s very odd. Can you confirm that it works properly with Jetpack Comments switched _off_?

    Thread Starter mbrailer



    It looks like the only time I can successfully paste embed codes is when Jetpack comments are disabled and I’m logged in.

    I opened a second browser window in Incognito Mode (Chrome) so that I could post comments as an anonymous user. I obtained some embed codes from Twitter and Instagram.

    When I pasted these codes with Jetpack comments enabled, I saw the “Invalid Security Token” error. When I pasted them with Jetpack comments disabled, there was no error message, but the embed didn’t work right — I saw the HTML code displayed rather than the embedded content.

    Only when I post embed codes while logged on to the site AND with Jetpack comments disabled, do I see the content I’m trying to embed.

    Plugin Support darnelldibbles


    Hi there,

    Could you try reinstalling Jetpack on your site to rule out any plugin installation related errors?

    You can start with a fresh install by deleting and then reinstalling the Jetpack plugin, as described here:

    Also, I see that all of your plugins are currently deactivated. My second recommendation was going to be to deactivate all other plugins, except Jetpack. Test commenting on your site, to see if the issue persists. Have you tested commenting with them all deactivated? I was wondering if Contact Form 7 for some reason was causing a conflict.

    Let me know if you made any progress and we’ll continue to monitor the issue on our end.

    Thread Starter mbrailer


    Hello @darnelldibbles

    I did as you suggested and uninstalled/reinstalled Jetpack. I also deleted all other plugins so that Jetpack was the only one. There didn’t appear to be any change. Here are some scenarios I tried and the outcomes when pasting an embed code obtained from Twitter:

    • Jetpack enabled, Jetpack comments enabled, logged in as admin: “Invalid Security Token”
    • Jetpack enabled, Jetpack comments enabled, anonymous user: “Invalid Security Token”
    • Jetpack enabled, Jetpack comments disabled, logged in as admin: Success: embedded content appears
    • Jetpack enabled, Jetpack comments enabled, anonymous user: Embedded content doesn’t appear, just the HTML code (but a reference to has been removed. I assume WordPress does that)

    After this, I installed a plugin titled oEmbed in Comments ( This is a better solution for me overall, because readers can embed content just by pasting the URL instead of a longer embed code.

    Plugin Contributor James Huff


    Volunteer Moderator

    The issue regarding failed comments with & symbols in them (like most embed codes, including Twitter) is known:

    Sorry for not noticing that earlier!

    We don’t have a solution for that yet, so I recommend either continuing with the oEmbed plugin you found, or switching off Jetpack Comments.

    Thread Starter mbrailer


    Got it, thanks!
