Scriptomatic gives WordPress administrators full control over custom scripts in the <head> and footer — with conditional loading, revision history, one-click rollback, and a complete audit trail.
A complete toolkit for managing custom JavaScript on any WordPress site — built for administrators who care about control and correctness.
Write JavaScript directly in the admin. A live character counter colour-codes at 75% and 90% of the 100 KB limit so you always know where you stand.
Manage multiple remote <script src> tags per location via a chiclet UI. URLs are validated, deduplicated, and loaded before the inline block.
Eight condition types — All Pages, Front Page, Singular, Post Type, Page ID, URL Contains, Logged In, Logged Out — per location, independently configured.
Every save creates a timestamped revision. Restore any prior version in one AJAX click — no page reload, no data loss. View any revision's content in a lightbox.
All saves, rollbacks, and URL changes are recorded with timestamp, username, action type, and character count or URL. Configurable limit of 10–1000 entries per location.
Dual nonce verification, capability checks on every callback, rate limiting (10-second cooldown), open-redirect hardening, and singleton deserialization guards.
Built-in help tabs on every admin page covering usage, load conditions, security tips, and troubleshooting — no need to leave the dashboard.
Fully per-site within a network. Install and activate network-wide. Uninstall iterates every sub-site to clean up option data correctly.
Eight focused PHP traits — menus, sanitizer, history, settings, renderer, pages, enqueue, injector — in separate files for clean separation of concerns.
From install to injected script, Scriptomatic keeps every step straightforward.
Upload the plugin zip via WordPress admin or drop the folder into wp-content/plugins/. Activate normally.
Navigate to Scriptomatic → Head Scripts or Footer Scripts in your WordPress admin.
Paste your JavaScript into the inline editor, or add remote script URLs. No <script> tags needed — they are added automatically.
Optionally restrict injection to specific pages, post types, URL patterns, or user state. Leave blank to load everywhere.
Click Save. Visit the front-end and check the page source. Use the revision history to roll back at any time.
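To make the "load conditions" step concrete, here is an added example (written for this page, not the plugin's own code) of how a head or footer location could evaluate the eight condition types and inject its scripts. The option layout, the `scriptomatic_example_*` function names and the hook callbacks are assumptions; the WordPress functions used (`is_front_page()`, `is_singular()`, `is_page()`, `is_user_logged_in()`, `wp_http_validate_url()`, `esc_url()`) are real core APIs. Following the per-URL condition model described in the changelog, each remote URL carries its own condition and the inline block carries the location's condition.

```php
<?php
// Added example, not Scriptomatic's code. Assumed option layout:
// [ 'condition' => ['type' => ..., 'value' => ...],
//   'urls'      => [ ['url' => ..., 'condition' => [...]], ... ],
//   'inline'    => '...' ]

/** Evaluate one load condition. Unknown types fail closed (no injection). */
function scriptomatic_example_condition_matches( array $cond ): bool {
    $value = (string) ( $cond['value'] ?? '' );
    switch ( $cond['type'] ?? 'all' ) {
        case 'all':
            return true;
        case 'front_page':
            return is_front_page();
        case 'singular':
            return is_singular();
        case 'post_type':
            return $value !== '' && is_singular( $value );
        case 'page_id':
            return (int) $value > 0 && is_page( (int) $value );
        case 'url_contains':
            $uri = isset( $_SERVER['REQUEST_URI'] )
                ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
            return $value !== '' && strpos( $uri, $value ) !== false;
        case 'logged_in':
            return is_user_logged_in();
        case 'logged_out':
            return ! is_user_logged_in();
        default:
            return false; // fail closed on unrecognised condition types
    }
}

/** Print the remote <script src> tags first, then the wrapped inline block. */
function scriptomatic_example_inject( string $location ): void {
    $data = (array) get_option( 'scriptomatic_example_' . $location, [] );

    // Remote URLs: each has its own condition; re-validate at output time
    // rather than trusting what is stored.
    foreach ( (array) ( $data['urls'] ?? [] ) as $entry ) {
        $cond = (array) ( $entry['condition'] ?? [ 'type' => 'all' ] );
        $url  = wp_http_validate_url( (string) ( $entry['url'] ?? '' ) );
        if ( $url && scriptomatic_example_condition_matches( $cond ) ) {
            printf( "<script src=\"%s\"></script>\n", esc_url( $url ) );
        }
    }

    // Inline block: the location-level condition gates it, and the wrapper
    // tags are added here, which is why the editor must not contain them.
    $inline = (string) ( $data['inline'] ?? '' );
    if ( $inline !== '' && scriptomatic_example_condition_matches(
        (array) ( $data['condition'] ?? [ 'type' => 'all' ] ) ) ) {
        // Defence in depth: a stray closing tag would end the wrapper early,
        // even though the sanitizer already strips <script> tags on save.
        echo "<script>\n" . str_ireplace( '</script', '<\/script', $inline ) . "\n</script>\n";
    }
}

add_action( 'wp_head',   fn() => scriptomatic_example_inject( 'head' ) );
add_action( 'wp_footer', fn() => scriptomatic_example_inject( 'footer' ) );
```

The design choice worth noting is that both the URL validation and the condition check run at output time on every request, so a value that was valid when saved but has since been edited in the database directly still cannot produce an unvalidated tag.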
The revision history panel and location-filtered audit log are embedded at the bottom of every Head Scripts and Footer Scripts page. You can view any revision's content in a lightbox, restore it in one click, and see a full record of who changed what and when — all without leaving the settings page.
Paste any of these into the inline editor. Scriptomatic wraps the code in <script> tags automatically.
💡 Never include <script> tags — Scriptomatic adds them automatically. Do not use eval() or inject untrusted input.
Scriptomatic applies multiple independent security layers so that a failure in any one layer does not expose the site.
Every save callback verifies manage_options before processing any input. No data is written without this check passing.
Both the WordPress Settings API nonce and a secondary per-location nonce must validate. One expired or missing nonce aborts the save.
A transient-based 10-second per-user, per-location cooldown prevents rapid repeated saves or brute-force form submissions.
Maximum 100 KB enforced. Invalid UTF-8 and control characters rejected. <script> tags stripped. Dangerous HTML tags flagged with admin notice.
External script URLs are validated with wp_http_validate_url() and deduplicated before storage and before injection.
All saves, rollbacks, url_added, and url_removed events are logged with timestamp and user identity. Configurable retention limit (3–1000). Oldest entries are discarded automatically once the cap is reached.
Post-action redirects use a constructed admin_url() rather than the HTTP Referer header, which can be spoofed by an attacker.
__clone() and __wakeup() methods prevent the singleton from being duplicated via object cloning or PHP unserialize().
Both the plugin root and includes/ directory contain an index.php that returns HTTP 403, preventing directory listing if web server options are misconfigured.
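The layers listed above compose into one save path. The following is an added example written for this page, not Scriptomatic's own code, showing how a WordPress save callback would stack them: capability check, two nonces, a transient-backed cooldown, size/encoding/control-character validation, `<script>` stripping, URL validation and deduplication, a constructed redirect target, and the clone/unserialize guards on a singleton. Function names, option keys, nonce actions and the `Scriptomatic_Example_Singleton` class are assumptions; `current_user_can()`, `check_admin_referer()`, `wp_verify_nonce()`, `get_transient()`/`set_transient()`, `wp_http_validate_url()`, `wp_safe_redirect()` and `admin_url()` are real core functions.

```php
<?php
// Added example, not Scriptomatic's code. All names below are hypothetical.

const SCRIPTOMATIC_EXAMPLE_MAX_BYTES = 102400; // 100 KB limit from the page

/** Singleton whose clone/unserialize paths are closed off. */
final class Scriptomatic_Example_Singleton {
    private static ?self $instance = null;
    public static function instance(): self {
        return self::$instance ??= new self();
    }
    private function __construct() {}
    private function __clone() {}                 // clone is a fatal error outside the class
    public function __wakeup(): void {            // unserialize() cannot rebuild it
        throw new \LogicException( 'Cannot unserialize a singleton.' );
    }
}

/** Size, encoding and control-character checks, then strip <script> tags. */
function scriptomatic_example_sanitize_inline( string $js ): string {
    $js = wp_unslash( $js );
    if ( strlen( $js ) > SCRIPTOMATIC_EXAMPLE_MAX_BYTES ) {
        wp_die( 'Script exceeds the 100 KB limit.', '', [ 'response' => 400 ] );
    }
    if ( ! mb_check_encoding( $js, 'UTF-8' ) ) {
        wp_die( 'Script is not valid UTF-8.', '', [ 'response' => 400 ] );
    }
    // C0 controls other than tab, LF and CR, plus DEL, are rejected outright.
    if ( preg_match( '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $js ) ) {
        wp_die( 'Script contains control characters.', '', [ 'response' => 400 ] );
    }
    // The injector supplies the wrapper, so any tags pasted by the user are removed.
    return preg_replace( '#</?script\b[^>]*>#i', '', $js );
}

/** Validate each URL with core's checker and drop duplicates. */
function scriptomatic_example_sanitize_urls( array $raw ): array {
    $clean = [];
    foreach ( $raw as $url ) {
        $url = wp_http_validate_url( trim( (string) wp_unslash( $url ) ) );
        if ( $url && ! in_array( $url, $clean, true ) ) {
            $clean[] = $url;
        }
    }
    return $clean;
}

/** Save handler for one location ('head' or 'footer'). */
function scriptomatic_example_save( string $location ): void {
    // Layer 1: capability. Nothing is read from the request before this passes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', [ 'response' => 403 ] );
    }
    // Layer 2: dual nonce. check_admin_referer() dies on failure; the second
    // nonce is bound to the location so a head token cannot save the footer.
    check_admin_referer( 'scriptomatic_example_settings', '_wpnonce' );
    $second = sanitize_text_field( wp_unslash( $_POST['scriptomatic_example_nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $second, 'scriptomatic_example_save_' . $location ) ) {
        wp_die( 'Security check failed.', '', [ 'response' => 403 ] );
    }
    // Layer 3: 10-second cooldown keyed by user and location.
    $key = 'scriptomatic_example_cooldown_' . get_current_user_id() . '_' . $location;
    if ( get_transient( $key ) ) {
        wp_die( 'Please wait 10 seconds between saves.', '', [ 'response' => 429 ] );
    }
    set_transient( $key, 1, 10 );
    // Layers 4 and 5: content and URL sanitization.
    $inline = scriptomatic_example_sanitize_inline( (string) ( $_POST['scriptomatic_example_inline'] ?? '' ) );
    $urls   = scriptomatic_example_sanitize_urls( (array) ( $_POST['scriptomatic_example_urls'] ?? [] ) );
    update_option( 'scriptomatic_example_' . $location, [ 'inline' => $inline, 'urls' => $urls ], false );
    // Layer 6: redirect to a URL built from admin_url(), never from the Referer header.
    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'admin.php?page=scriptomatic-example-' . $location ) ) );
    exit;
}
```

Ordering matters here: the capability and nonce checks run before any request field is touched, and the cooldown transient is set before sanitization so that a request rejected by the validators still consumes the cooldown window.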
Each page is scoped to one location or purpose, keeping the interface clean and avoiding ambiguity.
| Page | Menu Path | What's Here |
|---|---|---|
| Head Scripts | Scriptomatic → Head Scripts | Inline JS editor, external URL manager, load conditions, revision history lightbox, audit log (head entries only) |
| Footer Scripts | Scriptomatic → Footer Scripts | Inline JS editor, external URL manager, load conditions, revision history lightbox, audit log (footer entries only) |
| Preferences | Scriptomatic → Preferences | History revision limit, audit log entry limit (10–1000), uninstall data-retention toggle |
Choose whichever method fits your workflow.
Copy the scriptomatic folder to /wp-content/plugins/ via FTP or SFTP. Then activate via WordPress admin.
Requires the manage_options capability.
Selected highlights — see the full CHANGELOG.md on GitHub.
Six security fixes across sanitizer, settings, pages, and injector traits. View button on history entries opens a lightbox. Audit log now filters by location. "General Settings" renamed to "Preferences". Load Conditions section moved above External Script URLs.
Audit log cap moved from a hard-coded constant to a Preferences setting (10–1000, default 200). Fixed the JS addUrl() function that was producing an empty set. All network-admin-specific code removed — plugin is now strictly per-site.
Every external script URL in the list now has its own independent load-condition picker, replacing the previous model where a single condition controlled every URL in a location.
url_added / url_removed audit events added. Static double-call guard prevents Settings API duplicate invocations. AJAX rollback switched to direct $wpdb write to bypass sanitize callbacks in AJAX context.