WordPress Plugin  ·  v3.3.0  ·  Free + Pro

Inject custom JavaScript
into any WordPress site.

The free Scriptomatic plugin gives every WordPress site a full inline script editor, external URL manager, revision history, and activity log. Scriptomatic Pro adds conditional loading, managed JS files, a full REST API, and WP-CLI. Add Google Analytics, Tag Manager, Meta Pixel, or any custom JavaScript safely into the <head> or footer — with auditability and rollback built in.

WordPress 6.2+  ·  PHP 7.2+  ·  GPL v2  ·  Freemius SDK bundled  ·  Multisite ready

Everything you need, nothing you don't

Add Google Analytics, Google Tag Manager, Meta Pixel, custom jQuery, or any JavaScript to your WordPress site. The free version covers the essentials. Scriptomatic Pro unlocks conditional loading, managed JS files, REST API, and WP-CLI. Cards marked Pro require a licence.

⌨️

Inline Script Editor

Write JavaScript directly in the admin using a full CodeMirror editor — line numbers, bracket matching, and WordPress/jQuery-specific Ctrl-Space autocomplete. A live character counter colour-codes at 75% and 90% of the 100 KB limit. Falls back to a plain textarea if syntax highlighting is disabled in the user profile.

🔗

External Script URLs

Manage multiple remote <script src> tags per location via a chiclet UI. URLs are validated, deduplicated, and loaded before the inline block.

🎯

Conditional Loading Pro

Eleven condition types — Front Page, Singular, Post Type, Page ID, URL Contains, Logged In, Logged Out, Date Range, Date & Time Range, Week Number, Month — per location, independently configured.

🔁

Activity Log & Rollback

Every save creates a restorable snapshot in the Activity Log — recorded with timestamp, username, a Via column (Dashboard, API, or CLI), and a summary of what changed. Click Restore on any entry to instantly roll back via AJAX — no page reload needed. Inline script and external URL histories are tracked independently; restoring one never touches the other. View any snapshot in a lightbox before restoring. Configurable retention limit of 3–1000 entries (default 200).

🔒

Security-First Architecture

Dual nonce verification, capability checks on every callback, open-redirect hardening, and singleton deserialization guards.

📚

Contextual Help Tabs

Built-in help tabs on every admin page covering usage, load conditions, security tips, and troubleshooting — no need to leave the dashboard.

🌐

Multisite Compatible

Fully per-site within a network. Install and activate network-wide. Uninstall iterates every sub-site to clean up option data and drops the shared {prefix}scriptomatic_log activity log table.

🗂️

Managed JS Files Pro

Create, edit, and delete standalone .js files stored in wp-content/uploads/scriptomatic/. Each file gets its own Head/Footer selector and Load Conditions, and survives plugin updates.

🏗️

Modular Architecture

Eleven focused PHP traits — including dedicated traits for file management, injection, sanitization, notifications, and enqueuing — in separate files for clean separation of concerns.

🔌

REST API Pro

Full scriptomatic/v1 REST API (14 POST endpoints) covering inline scripts, external URLs, managed JS files, and Preferences Action History — including a multipart file upload endpoint. Authenticated via WordPress Application Passwords. Three independent access controls in Preferences: an enable/disable toggle (503 when off), an IP Allowlist (403 for unlisted addresses), and an Allowed Users list (403 for unlisted administrators).

💻

WP-CLI Pro

wp scriptomatic command group with subcommands for inline scripts, external URLs, managed JS files (including files upload), activity log (log list), preferences management (prefs get, prefs set, prefs history), and history. All write commands share the same service layer as the REST API — identical validation and activity logging. Preferences management is available via CLI only — intentionally absent from the REST API.

📧

Email Notifications

The site admin always receives a plain-text email on every script save, rollback, URL change, file event, preferences save, and restore — keeping them aware of all changes. Other administrators can opt in via their WordPress profile page.

Up and running in minutes

From install to injected script, Scriptomatic keeps every step straightforward.

  1. Install & Activate: Upload the plugin zip via WordPress admin or drop the folder into wp-content/plugins/. Activate normally.
  2. Open Head or Footer Scripts: Navigate to Scriptomatic → Head Scripts or Footer Scripts in your WordPress admin.
  3. Write or Add URLs: Paste your JavaScript into the inline editor, or add remote script URLs. No <script> tags needed — they are added automatically.
  4. Set Load Conditions (Pro): Optionally restrict injection to specific pages, post types, URL patterns, or user state. Requires a Pro licence. On free, scripts load on all pages.
  5. Save & Verify: Click Save. Visit the front-end and check the page source. Use the revision history to roll back at any time.

Activity Log is always there

The activity log panel is embedded at the bottom of every Head Scripts, Footer Scripts, and JS Files page, filtered by location. You can view any revision's content in a lightbox, restore it in one click, and see a full record of who changed what and when — all without leaving the settings page.

Common use cases

Paste any of these into the inline editor. Scriptomatic wraps the code in <script> tags automatically.

// Google Analytics (GA4)
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-XXXXXXXXXX');

// Meta (Facebook) Pixel
!function(f,b,e,v,n,t,s){
  if(f.fbq)return;
  n=f.fbq=function(){
    n.callMethod ? n.callMethod.apply(n,arguments) : n.queue.push(arguments)
  };
  if(!f._fbq)f._fbq=n;
  n.push=n;n.loaded=!0;n.version='2.0';
  n.queue=[];
  t=b.createElement(e);t.async=!0;
  t.src=v;
  s=b.getElementsByTagName(e)[0];
  s.parentNode.insertBefore(t,s)
}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'YOUR_PIXEL_ID');
fbq('track', 'PageView');

// Custom jQuery — runs after DOM is ready
jQuery(document).ready(function($) {
  console.log('Scriptomatic loaded.');
  $('.my-button').on('click', function() {
    $('.my-panel').toggleClass('active');
  });
});

// Google Tag Manager — add to Head Scripts
(function(w,d,s,l,i){
  w[l]=w[l]||[];
  w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});
  var f=d.getElementsByTagName(s)[0],
      j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';
  j.async=true;
  j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;
  f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');

💡 Never include <script> tags — Scriptomatic adds them automatically. Do not use eval() or inject untrusted input.

Defence in depth

Scriptomatic applies multiple independent security layers so that a failure in any one layer does not expose the site.

🛡️

Capability Gates

Every save callback verifies manage_options before processing any input. No data is written without this check passing.

🔑

Dual Nonce Verification

Both the WordPress Settings API nonce and a secondary per-location nonce must validate. One expired or missing nonce aborts the save.

Input Validation

Inline scripts capped at 100 KB (plugin-enforced). JS file size is limited by the server’s upload settings, not the plugin. Invalid UTF-8 and control characters rejected. <script> tags stripped. Dangerous HTML tags flagged with admin notice.

🔗

URL Validation

External script URLs are validated with wp_http_validate_url() and deduplicated before storage and before injection.

📋

Activity Logging

All saves, rollbacks, file_save, file_delete, and restore events are logged with timestamp and user identity. Inline script and external URL changes produce separate independent entries, each restorable on its own. Configurable retention limit (3–1000). Oldest entries are discarded automatically once the cap is reached.

↩️

Open Redirect Hardening

Post-action redirects use a constructed admin_url() rather than the HTTP Referer header, which can be spoofed by an attacker.

🧱

Singleton Guards

__clone() and __wakeup() methods prevent the singleton from being duplicated via object cloning or PHP unserialize().

🔒

Directory Index Files

Both the plugin root and includes/ directory contain an index.php that returns HTTP 403, preventing directory listing if web server options are misconfigured.

🌐

REST API Security

All 14 REST endpoints are POST-only. Authentication exclusively via WordPress Application Passwords (Authorization: Basic header — credentials never in the URL). Three independent access controls in Preferences: an Enable / Disable toggle (returns 503 rest_api_disabled when off), an optional IP Allowlist that blocks requests from unlisted IPv4/IPv6/CIDR addresses (403 rest_ip_forbidden), and an Allowed Users list that restricts access to specific administrator accounts (403 rest_user_forbidden). Activity logging applies equally to REST and admin UI operations through the shared service layer.

Four focused admin pages

Each page is scoped to one location or purpose, keeping the interface clean and avoiding ambiguity.

| Page | Menu Path | What's Here |
| --- | --- | --- |
| Head Scripts | Scriptomatic → Head Scripts | Inline JS editor, external URL manager, load conditions, Activity Log (head entries only) |
| Footer Scripts | Scriptomatic → Footer Scripts | Inline JS editor, external URL manager, load conditions, Activity Log (footer entries only) |
| JS Files Pro | Scriptomatic → JS Files | Upload a .js file via the Upload a JS File card; create, edit, and delete managed .js files; each file has its own label, slug filename, Head/Footer toggle, load conditions, and CodeMirror editor |
| Preferences | Scriptomatic → Preferences | Activity log limit (3–1000), save confirmation toggle, uninstall data-retention toggle, API Enable / Disable Pro, API Allowed IPs Pro (IPv4/IPv6/CIDR), API Allowed Users Pro, and a read-only Preferences Action History panel (last 100 entries, AJAX paginated) |

Automate everything over HTTP Pro

All 14 endpoints are POST-only. Authentication uses WordPress Application Passwords — credentials always travel in the Authorization: Basic header, never in the URL.

Pro Feature

The REST API requires an active Scriptomatic Pro licence. On free installations the scriptomatic/v1 namespace is not registered.

Authentication

Generate an Application Password under Users → Profile → Application Passwords. Then pass Authorization: Basic base64(username:app-password) with every request.

API Access Controls

Three independent Pro controls in Preferences let you lock down REST API access:

  • API Enable / Disable — uncheck to disable the REST API site-wide. Returns 503 rest_api_disabled.
  • API Allowed IPs — restrict to specific IPv4/IPv6 addresses or CIDR ranges (one per line). Leave empty to allow all IPs. Returns 403 rest_ip_forbidden.
  • API Allowed Users — restrict to named administrator accounts. Leave all unchecked to allow any administrator. Returns 403 rest_user_forbidden.

| Endpoint | Required params | Optional params | Description |
| --- | --- | --- | --- |
| POST /script | location | - | Get current inline script |
| POST /script/set | location, content | conditions | Save inline script |
| POST /script/rollback | location, id (DB row ID) | - | Restore inline script snapshot |
| POST /history | location | - | List inline script history |
| POST /urls | location | - | Get external URL list |
| POST /urls/set | location, urls (JSON array) | - | Replace external URL list |
| POST /urls/rollback | location, id (DB row ID) | - | Restore URL snapshot |
| POST /urls/history | location | - | List URL history |
| POST /prefs/history | - | limit (1–100, default 20), offset | List Preferences Action History (read-only) |
| POST /files | - | - | List all managed JS files |
| POST /files/get | file_id | - | Get file content + metadata |
| POST /files/set | label, content | file_id, filename, location, conditions | Create or update a file |
| POST /files/delete | file_id | - | Delete a managed JS file |
| POST /files/upload | multipart file field | label, file_id, location, conditions | Upload a .js file |

Base URL: /wp-json/scriptomatic/v1/  ·  location = "head" or "footer"  ·  id is the DB row primary key of the snapshot to restore — obtain IDs from the history endpoints

TOKEN="$(echo -n 'admin:xxxx xxxx xxxx xxxx xxxx xxxx' | base64)"
BASE="https://example.com/wp-json/scriptomatic/v1"

# Get current head script
curl -X POST "$BASE/script" \
  -H "Authorization: Basic $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"location":"head"}'

# Upload a .js file
curl -X POST "$BASE/files/upload" \
  -H "Authorization: Basic $TOKEN" \
  -F "file=@/path/to/tracker.js" \
  -F "label=My Tracker" \
  -F "location=head"
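
The three controls described under API Access Controls can be modelled offline to see which automation clients a proposed setting would lock out before it is saved. This is an added example, not Scriptomatic's own code: the order of the checks, the value types behind the api_enabled, api_allowed_ips and api_allowed_users keys, and the sample addresses and usernames are assumptions.

```python
import ipaddress

def parse_allowlist(text):
    """Parse allowlist text (one IPv4/IPv6 address or CIDR range per line)."""
    nets = []
    for line in text.splitlines():
        entry = line.strip()
        if entry:
            # strict=False lets "198.51.100.7/24" mean the enclosing /24.
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def ip_allowed(client_ip, allowlist_text):
    nets = parse_allowlist(allowlist_text)
    if not nets:
        return True  # an empty allowlist allows all IPs
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in nets)

def evaluate(prefs, client_ip, username):
    """Return (status, code); (200, None) means all three controls passed.
    The check order is an assumption of this model."""
    if not prefs["api_enabled"]:
        return 503, "rest_api_disabled"
    if not ip_allowed(client_ip, prefs["api_allowed_ips"]):
        return 403, "rest_ip_forbidden"
    allowed = prefs["api_allowed_users"]
    if allowed and username not in allowed:
        return 403, "rest_user_forbidden"
    return 200, None

def locked_out(prefs, clients):
    """Return (ip, user, status, code) for each client the prefs would reject."""
    results = [(ip, user, *evaluate(prefs, ip, user)) for ip, user in clients]
    return [row for row in results if row[2] != 200]

# Constructed sample: proposed preferences and the automation clients in use.
PROPOSED = {
    "api_enabled": True,
    "api_allowed_ips": "203.0.113.10\n198.51.100.0/24\n2001:db8:42::/48\n",
    "api_allowed_users": ["deploy-bot"],
}
CLIENTS = [("198.51.100.77", "deploy-bot"), ("2001:db8:42:1::5", "deploy-bot"),
           ("203.0.113.11", "deploy-bot"), ("203.0.113.10", "alice")]

if __name__ == "__main__":
    for row in locked_out(PROPOSED, CLIENTS):
        print(row)
```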

Manage scripts from the command line Pro

The wp scriptomatic command group mirrors the full REST API surface and adds preferences management (prefs get, prefs set, prefs history) which is CLI-only. All write commands share the same service layer — identical validation and activity logging apply.

Pro Feature

WP-CLI commands require an active Scriptomatic Pro licence.

Inline Script

$ wp scriptomatic script get --location=head
$ wp scriptomatic script set --location=head --file=script.js
$ wp scriptomatic script rollback --location=head --id=42
$ wp scriptomatic history --location=head --format=table

External URLs

$ wp scriptomatic urls get --location=footer
$ wp scriptomatic urls set --location=footer --urls='[{"url":"https://cdn.example.com/lib.js","conditions":{"logic":"and","rules":[]}}]'
$ wp scriptomatic urls rollback --location=footer --id=37
$ wp scriptomatic urls history --location=footer
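
A list destined for urls set can be reviewed against a site policy before it is submitted, since every accepted entry becomes a third-party script on the front end. This is an added example, not part of the plugin: it takes the JSON shape shown in the command above, and the approved-host set, the https-only rule and the sample entries are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed policy: hosts this site has approved for third-party scripts.
APPROVED_HOSTS = {"www.googletagmanager.com", "connect.facebook.net"}

def review_urls(payload_json, approved_hosts=APPROVED_HOSTS):
    """Split a urls payload into (accepted entries, [(url, reason), ...])."""
    accepted, findings, seen = [], [], set()
    for entry in json.loads(payload_json):
        url = str(entry.get("url", "")).strip()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            # Also catches protocol-relative URLs such as //cdn.example.com/x.js
            findings.append((url, "scheme is not https"))
        elif parts.username or parts.password:
            findings.append((url, "credentials embedded in URL"))
        elif host not in approved_hosts:  # exact host match, never substring
            findings.append((url, "host not on approved list"))
        elif url in seen:
            findings.append((url, "duplicate entry"))
        else:
            seen.add(url)
            accepted.append(entry)
    return accepted, findings

# Constructed sample in the shape passed to `urls set --urls=...`.
NO_RULES = {"logic": "and", "rules": []}
SAMPLE = json.dumps([
    {"url": "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX", "conditions": NO_RULES},
    {"url": "http://connect.facebook.net/en_US/fbevents.js", "conditions": NO_RULES},
    {"url": "//cdn.example.com/lib.js", "conditions": NO_RULES},
    {"url": "https://www.googletagmanager.com.cdn.example/gtm.js", "conditions": NO_RULES},
    {"url": "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX", "conditions": NO_RULES},
])

if __name__ == "__main__":
    accepted, findings = review_urls(SAMPLE)
    print(json.dumps(accepted))  # the list that is safe to pass to urls set
    for url, reason in findings:
        print(f"REJECT {url}: {reason}")
```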

Managed JS Files

$ wp scriptomatic files list
$ wp scriptomatic files get --id=my-tracker
$ wp scriptomatic files set --label="My Tracker" --file=tracker.js
$ wp scriptomatic files upload --path=tracker.js --label="Tracker"
$ wp scriptomatic files delete --id=my-tracker --yes

Activity Log

$ wp scriptomatic log list
$ wp scriptomatic log list --location=head --limit=50

Preferences

$ wp scriptomatic prefs get
$ wp scriptomatic prefs get --format=json
$ wp scriptomatic prefs set --key=max_log_entries --value=500
$ wp scriptomatic prefs set --key=api_enabled --value=true
$ wp scriptomatic prefs history

Preferences management is CLI-only — not available via the REST API. Valid keys: max_log_entries, keep_data_on_uninstall, save_confirm_enabled; Pro: api_enabled, api_allowed_ips, api_allowed_users.

  • --format defaults to table; accepts table, json, csv, yaml, count.
  • Use the history commands to look up --id values for rollback.
  • --conditions accepts a JSON {logic, rules} object.

Three ways to install

Choose whichever method fits your workflow.

📤 Upload via Admin

  1. Download the latest ZIP from the Releases page
  2. Go to Plugins → Add New
  3. Click Upload Plugin and select the ZIP
  4. Click Install Now then Activate

📁 Manual Upload

  1. Download and extract the ZIP
  2. Upload the scriptomatic folder to /wp-content/plugins/ via FTP or SFTP
  3. Go to Plugins in WordPress admin
  4. Find Scriptomatic and click Activate

💻 Git Clone

$ cd /path/to/wp-content/plugins/
$ git clone https://github.com/richardkentgates/scriptomatic.git

Then activate via WordPress admin.

Requirements

WordPress 6.2 or higher
PHP 7.2 or higher
Administrator role (manage_options)
Freemius SDK (bundled)

Free to use. Pro to unlock.

Scriptomatic is fully free for core WordPress JavaScript injection features. Upgrade to Scriptomatic Pro to unlock conditional loading, managed JS files, REST API, and WP-CLI. Start with a 3-day free trial — credit card or PayPal required.

| Plan | Price | Sites |
| --- | --- | --- |
| Free | $0 | Unlimited sites |
| Freelancer | $39.99/yr | Up to 5 sites |
| Agency | $79.99/yr | Up to 20 sites |
| Studio | $149.99/yr | Up to 100 sites |
| Unlimited | $299.99/yr | Unlimited sites |

All Scriptomatic Pro plans include a 3-day free trial. A credit card or PayPal is required to start the trial. Cancel any time.

Feature | Free | Pro
Inline script editor (head + footer)
External script URL manager
Revision history & one-click rollback
Activity log
CodeMirror editor with autocomplete
Email notifications (always: site admin; opt-in: others)
Preferences Action History (read-only, paginated)
Multisite compatible
Conditional loading (11 rule types, AND/OR)
Managed JS Files (create / edit / upload / delete)
REST API (14 endpoints)
WP-CLI (wp scriptomatic)
API IP Allowlist
API Enable / Disable
API Allowed Users