I’ve been struggling with a problem with WordPress on my main photography website for a while. The editor would strip certain HTML, fields like
<input> for example. With an “administrator” user role, this shouldn’t happen! I needed this embedded form to let people subscribe to my blog posts via email (using FeedPress) – and I already had it in place, and it was working!
Only when I wanted to edit that form I noticed the problem: as soon as I hit “Update” in the editor, crucial parts of the HTML code would simply vanish. Interestingly, I did find some conversations online where people had the same problem – but none had a solution (hence this post). I temporarily worked my way around it with a plugin called “HTML snippets” (I consider this a “dangerous” plugin since it comes with it’s own editor, and this way circumvents WordPress’s editor security features entirely).
So I tried everything I could think of, and even went as far as manually re-installing WordPress via FTP. Nothing worked. Eventually, I remembered that I had tried a security plugin (SecuPress) months ago, but then uninstalled it.
Turns out that the plugin didn’t clean up after itself when I uninstalled it – and left some of its configuration changes to harden the site in place. There is a WordPress setting
DISALLOW_UNFILTERED_HTML and SecuPress had set that to
TRUE. This setting overrides all user roles and capabilities. No one is allowed to use “dangerous” HTML in the editor. Once I removed that line from wp_config.php everything was working again and I could edit and use my subscription form again.
Interestingly, when I re-installed SecuPress to see if there would be anything in there to explain my problem, SecuPress did not recognize its own configuration changes to wp_config.php and blocked access to these settings altogether with a message like “something else has done this already, we’re not touching it”. But it lead me to the solution.
The only question now is how I overlooked the settings block that SecuPress had added to wp_config.php when I looked at it first… 😛