PHP editing & security

SnipCraft separates snippet management from PHP editing with a dedicated capability, and provides a wp-config kill switch and additional safeguards for hosting environments and multisite networks.

A separate permission for PHP

Managing snippets — creating, enabling, and disabling them — uses the snipcraft_manage capability. Editing PHP snippets requires a stricter, separately granted snipcraft_edit_php capability.

This split lets you give a team member or editor the ability to manage CSS, JavaScript, and HTML snippets without granting the ability to write and execute arbitrary PHP on the server. The two capabilities are independent — holding snipcraft_manage does not imply snipcraft_edit_php.

The wp-config kill switch

To disable PHP editing across the entire site — for instance, on a production environment where you want to prevent any code changes — define the following constant in your wp-config.php:

```php
define( 'SNIPCRAFT_DISABLE_PHP', true );
```

When this constant is truthy, the PHP editing interface is hidden and no PHP snippet code can be modified, regardless of the user's capabilities. Existing enabled PHP snippets continue to run normally — only editing is disabled.

Hosting and multisite rules

Two additional guards apply automatically depending on your environment:

  • When DISALLOW_FILE_MODS is defined and truthy in wp-config.php, PHP editing is also disabled — the same safeguard that prevents plugin and theme file edits from the admin applies to PHP snippets.
  • On a WordPress multisite network, PHP editing is restricted to super admins only. Network-level administrators control PHP; site administrators cannot edit PHP snippets even if they have the capability on their own site.
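
An audit script for the rules above, as an added example that is not SnipCraft's own code: it models the documented guards with core WordPress functions and reports which holders of snipcraft_edit_php can actually edit PHP. The example_* function names, the file name audit.php, and running it through WP-CLI's `wp eval-file` are assumptions.

```php
<?php
// Added example, not SnipCraft code. Run inside WordPress, e.g. `wp eval-file audit.php`.
// It models the guards documented on this page using core WordPress functions only.

/** Name of the site-wide guard that disables PHP editing, or null if none is set. */
function example_php_edit_guard() {
	foreach ( array( 'SNIPCRAFT_DISABLE_PHP', 'DISALLOW_FILE_MODS' ) as $name ) {
		if ( defined( $name ) && constant( $name ) ) {
			return $name;
		}
	}
	return null;
}

/** Whether $user may edit PHP snippets under the documented rules (assumed model). */
function example_user_can_edit_php( WP_User $user ) {
	if ( null !== example_php_edit_guard() ) {
		return false; // Kill switch or DISALLOW_FILE_MODS overrides every capability.
	}
	if ( is_multisite() && ! is_super_admin( $user->ID ) ) {
		return false; // On multisite the capability alone is not enough.
	}
	return user_can( $user, 'snipcraft_edit_php' );
}

$guard = example_php_edit_guard();
printf( "Site-wide guard: %s\n", $guard ? $guard : 'none' );

// Roles that grant PHP editing; snipcraft_manage alone should not appear here.
foreach ( wp_roles()->role_objects as $slug => $role ) {
	if ( $role->has_cap( 'snipcraft_edit_php' ) ) {
		printf( "Role grants snipcraft_edit_php: %s\n", $slug );
	}
}

// Users on this site holding either capability (capability__in needs WordPress 5.9+).
$users = get_users( array( 'capability__in' => array( 'snipcraft_manage', 'snipcraft_edit_php' ) ) );
foreach ( $users as $user ) {
	printf(
		"%-20s manage=%s edit_php granted=%s effective=%s\n",
		$user->user_login,
		user_can( $user, 'snipcraft_manage' ) ? 'yes' : 'no',
		user_can( $user, 'snipcraft_edit_php' ) ? 'yes' : 'no',
		example_user_can_edit_php( $user ) ? 'yes' : 'no'
	);
}
```

A user reported as granted=yes but effective=no is blocked by one of the guards rather than by role assignment.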

For recovering from a broken PHP snippet that prevents the admin from loading, see safe mode.