The mystery of the stripped HTML in WordPress

I’ve been struggling with a problem with WordPress on my main photography website for a while. The editor would strip certain HTML, fields like <input> for example. With an “administrator” user role, this shouldn’t happen! I needed this embedded form to let people subscribe to my blog posts via email (using FeedPress) – and I already had it in place, and it was working!

Only when I wanted to edit that form did I notice the problem: as soon as I hit “Update” in the editor, crucial parts of the HTML code would simply vanish. Interestingly, I did find some conversations online where people had the same problem – but none had a solution (hence this post). I temporarily worked my way around it with a plugin called “HTML snippets” (I consider this a “dangerous” plugin since it comes with its own editor, and this way circumvents WordPress’s editor security features entirely).

So I tried everything I could think of, and even went as far as manually re-installing WordPress via FTP. Nothing worked. Eventually, I remembered that I had tried a security plugin (SecuPress) months ago, but then uninstalled it.

Turns out that the plugin didn’t clean up after itself when I uninstalled it – and left some of its configuration changes to harden the site in place. There is a WordPress setting, DISALLOW_UNFILTERED_HTML, and SecuPress had set that to TRUE. This setting overrides all user roles and capabilities. No one is allowed to use “dangerous” HTML in the editor. Once I removed that line from wp-config.php everything was working again and I could edit and use my subscription form again.

Interestingly, when I re-installed SecuPress to see if there would be anything in there to explain my problem, SecuPress did not recognize its own configuration changes to wp-config.php and blocked access to these settings altogether with a message like “something else has done this already, we’re not touching it”. But it led me to the solution.

The only question now is how I overlooked the settings block that SecuPress had added to wp-config.php when I looked at it first… 😛
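The check below is an added example, not part of the original post or of SecuPress: it scans the text of a wp-config.php for a live define() of DISALLOW_UNFILTERED_HTML, skipping commented-out lines, and reports the line it sits on. The sample file contents, the marker comment and the function names are constructed for illustration.

```python
import re

# Strings are matched first so that "//" inside a URL is not taken for a comment.
_TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<com>/\*.*?\*/|//[^\n]*|\#[^\n]*)
""", re.S | re.X)
_DEFINE = re.compile(
    r"""\bdefine\s*\(\s*(['"])(?P<name>\w+)\1\s*,\s*(?P<value>.+?)\s*\)\s*;""",
    re.I)

def strip_comments(src):
    """Blank out PHP comments, keeping newlines so line numbers stay valid."""
    return _TOKEN.sub(
        lambda m: m.group("str") or "\n" * m.group(0).count("\n"), src)

def php_truthy(raw):
    """Approximate PHP truthiness for a literal constant value."""
    if raw[:1] in "'\"":                      # quoted string literal
        return raw[1:-1] not in ("", "0")     # note: the string 'false' is truthy
    return raw.lower() not in ("false", "0", "null")

def audit(src, names=("DISALLOW_UNFILTERED_HTML",)):
    """Return {name: (line, raw_value, active)} for the first define() of each name."""
    clean, found = strip_comments(src), {}
    for m in _DEFINE.finditer(clean):
        name = m.group("name")
        if name in names and name not in found:   # PHP ignores redefinitions
            line = clean.count("\n", 0, m.start()) + 1
            found[name] = (line, m.group("value"), php_truthy(m.group("value")))
    return found

# Constructed sample, standing in for a real wp-config.php.
SAMPLE = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_HOME', 'https://example.test' );
// define( 'DISALLOW_UNFILTERED_HTML', false );
/* constructed marker for a block left behind by a removed plugin */
define( 'DISALLOW_UNFILTERED_HTML', TRUE );
define( 'DISALLOW_FILE_EDIT', true );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for name, (line, raw, active) in audit(SAMPLE).items():
        print(f"{name} = {raw} on line {line} (active: {active})")
```

To check a real installation, pass the contents of its wp-config.php to `audit()` instead of `SAMPLE`.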
