Title: PHP and Security
Last modified: March 27, 2026

---

# PHP and Security

 *  [dacilbf](https://wordpress.org/support/users/dacilbf/)
 * (@dacilbf)
 * [1 week, 5 days ago](https://wordpress.org/support/topic/php-and-security/)
 * I am a WordPress administrator managing several WordPress installations in an
   educational environment. We are currently evaluating whether to keep the Code
   Snippets plugin active across our sites.
 * My main concern is **security**: allowing users to add and execute arbitrary 
   PHP code through the plugin interface represents a significant risk, especially
   in a multi-user environment where not all users have advanced technical knowledge.
 * I would like to know whether there is any built-in option — or a recommended 
   approach — to **restrict or completely disable PHP snippet execution** while 
   still allowing other snippet types (CSS, JavaScript, etc.). For example, a capability
   or role-based restriction that prevents non-admin users from creating PHP snippets,
   or a setting to disable PHP snippets entirely.
 * If this functionality is not currently available, would it be something feasible
   to consider for a future release?
 * Thank you in advance for your time.

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Contributor [Carolina](https://wordpress.org/support/users/carolinaop/)
 * (@carolinaop)
 * [1 week, 5 days ago](https://wordpress.org/support/topic/php-and-security/#post-18865188)
 * Hello [@dacilbf](https://wordpress.org/support/users/dacilbf/)
 * Thank you for contacting us, and thank you as well for raising this security 
   concern.
 * Currently the plugin requires the `manage_options` capability, so by default 
   only **Administrators** can access and use it. In practice, that means non-admin
   users should not be able to create or manage PHP snippets unless they have been
   granted elevated capabilities through custom role settings or another plugin.
 * There is not currently a separate built-in setting to disable only PHP snippets
   while still allowing CSS, JavaScript, and other snippet types.
 * Let us know if this helps.
 *  Thread Starter [dacilbf](https://wordpress.org/support/users/dacilbf/)
 * (@dacilbf)
 * [1 week, 1 day ago](https://wordpress.org/support/topic/php-and-security/#post-18867685)
 * Hello,
 * Thank you for raising this — it touches on something we deal with directly in
   our own setup.
 * We run a WordPress Multisite network in an educational environment where each
   site is managed by a teacher who holds the Administrator role on their individual
   site (but not Super Admin privileges). This is a fairly common pattern in education,
   and it introduces a specific risk that goes beyond the standard single-site scenario.
 * Even though the Code Snippets plugin correctly requires the `manage_options` capability —
   which in a standard single site would limit access to trusted admins — in a Multisite
   context, every site administrator inherently has manage_options on their own 
   site. This means that any teacher, regardless of their technical background, 
   can create and execute arbitrary PHP code within their site’s context.
 * In practice, we have seen cases where well-intentioned but inexperienced users
   add PHP snippets copied from tutorials or forums without fully understanding 
   the implications: snippets that make external HTTP requests, expose server-side
   information, bypass caching layers, or introduce logic errors that break the 
   site entirely.
 * The risk is not necessarily malicious intent — it is the combination of broad
   PHP execution capability with limited technical knowledge.
 * For this reason, a role-based or capability-based option to disable PHP snippet
   execution specifically (while still allowing CSS and JS) would be extremely valuable
   in Multisite environments. A Super Admin toggle to restrict PHP snippets
   network-wide — or per site — would address exactly this gap.
 * We hope this use case is helpful context for future development considerations.
 * Thank you.
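
Added example, not part of either reply and not Code Snippets code: a must-use plugin that inventories the exposure discussed in this thread by listing every account that holds `manage_options` on a site without being a Super Admin, including accounts that got the capability through a custom role. It uses only WordPress core and WP-CLI functions; the function name `example_list_site_level_admins`, the command name `example-site-admins` and the `wp-content/mu-plugins/` location are assumptions made for illustration.

```php
<?php
/**
 * Added example: audit who can reach manage_options-gated screens on a
 * Multisite network without being a Super Admin.
 * Hypothetical file: wp-content/mu-plugins/example-site-admin-audit.php
 */

/**
 * Return one row per (site, user) pair where the user has manage_options
 * on that site but is not a Super Admin.
 */
function example_list_site_level_admins(): array {
	if ( ! is_multisite() ) {
		return array();
	}

	$rows = array();

	// 'number' => 0 lifts the default 100-site limit of get_sites().
	foreach ( get_sites( array( 'number' => 0, 'fields' => 'ids' ) ) as $site_id ) {
		// With 'blog_id' set, each WP_User carries that site's roles and caps.
		foreach ( get_users( array( 'blog_id' => $site_id ) ) as $user ) {
			// Super Admins pass every capability check, so exclude them first.
			if ( is_super_admin( $user->ID ) || ! $user->has_cap( 'manage_options' ) ) {
				continue;
			}
			$rows[] = array(
				'site_id'    => $site_id,
				'site_url'   => get_site_url( $site_id ),
				'user_login' => $user->user_login,
				// Custom roles show up here, not only "administrator".
				'roles'      => implode( ',', $user->roles ),
			);
		}
	}

	return $rows;
}

// Expose the report as a WP-CLI command (hypothetical name).
if ( defined( 'WP_CLI' ) && WP_CLI ) {
	WP_CLI::add_command( 'example-site-admins', function () {
		$fields = array( 'site_id', 'site_url', 'user_login', 'roles' );
		\WP_CLI\Utils\format_items( 'table', example_list_site_level_admins(), $fields );
	} );
}
```

Run `wp example-site-admins` from the network's install directory; every row is an account that can use any feature gated only by `manage_options` on that site.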
