Allowing Users to Use JavaScript...Revisited

Hi All,

A few months ago there were some discussions here about whether to allow multisite users to run JavaScript and/or any other code.

Now that there are lots of new people in the forums, I'd like to get a new consensus on that.

Of course, the challenge is whether to allow people to use AdSense and other popular things that require JavaScript, or whether to be safe at the expense of a popular feature.

In the past, the general consensus was that it's never a good idea to allow any "free" users to run code. But the question was whether it's even a good idea for paid customers. Edublogs allows it for the Pro members, working on the assumption that paid members are unlikely to run malicious code.

What does everyone think? How much of a threat is JavaScript for multisite, at least for paying clients?



  • Philip John

    Hiya Mark,

    This kind of issue usually brings up differing viewpoints. I'm more liberal and will allow people to run code. However, I do understand the concerns around that.

    Allowing code only for paid members is a good route to take if you want to give that flexibility. It's like an insurance policy against malicious code.

    However, if you did want to allow free users to add code then using security/spam plugins will help!

    Check out the many, many articles on spam protection and WordPress security over at as there's an abundance of information.


  • wpcdn

    Thank you. We definitely wouldn't do it for free users.

    As for the paid users, I guess there's always the chance that someone could run malicious code. But I think they'd be more likely to go to a free hosting provider or a low-low-priced mass-market provider.

    Another thought is that JS isn't the only way people attack anyway. I think the bigger threat is from attackers who aren't our hosting clients, trying to get in via the back door and do their damage.

    However, I'd still be interested in hearing other views on this.



  • Mason

    Hiya Mark,

    I'm personally almost always against it - it's an opinion question and more about what you're comfortable with.

    Just this past week one of our own here had his entire computer pretty well hacked due to just looking at some code that a member posted on our forums :slight_frown: My point being that it's just too easy to get a piece of code and use it - even innocently - and lead to the demise of the install - or at the very least - hours and hours of wasted time.

    I had this happen to me about 2 years ago and have since said never again. :slight_smile:

    You're right though - JS isn't the only (or perhaps even most common) way of hacking into the site. Anybody else wanna weigh in here? Curious to see what other Network Admins are doing.