Most sites on WordPress.com use a shared environment, meaning that they all run the same software. This is great because it allows us to update millions of sites at the same time. It means we can fix bugs or offer new features very quickly, which is a win for you as users.
Running multiple sites on the same software can also be dangerous. If we aren’t careful, one site can be used to take down the entirety of WordPress.com. This is why we limit some of the things you post on your site. If you write some code or copy-and-paste from another site, and it disappears after publishing the post, the code is likely being stripped out as a security precaution. If you feel it’s being stripped out improperly, or if you would like to suggest additional types of code we should allow, please contact support.
If you would like to add more custom code, plugin-enabled plans offer that option. To add code to your site’s header, see Add Code to Headers.
WordPress.com allows the following HTML tags in your posts, pages, and widgets:
a
address
abbr
acronym
area
article
aside
b
big
blockquote
br
caption
cite
class
code
col
del
details
dd
div
dl
dt
em
figure
figcaption
footer
font
h1, h2, h3, h4, h5, h6
header
hgroup
i
img
ins
kbd
li
map
mark
ol
p
pre
q
rp
rt
rtc
ruby
s
section
small
span
strike
strong
sub
summary
sup
table
tbody
td
tfoot
th
thead
tr
tt
u
ul
var
These tags are supported in titles on some themes:
a, abbr, b, cite, del, em, i, q, s, strong, strike, u
Check out W3Schools for more information about how each of these HTML tags can be used.
For security reasons, the following tags are not allowed on sites that do not have a plugin-enabled plan:
embed, frame, iframe, form, input, object, textarea, style, link
This feature is available on sites with the WordPress.com Business or Commerce plan. If your site has one of our legacy plans, it is available on the Pro plan.
JavaScript may be used with sites on our plugin-enabled plans.
For security reasons, sites not on plugin-enabled plans are not allowed to post JavaScript. This is because JavaScript can be used for malicious purposes. As an example, JavaScript has taken sites such as MySpace.com and LiveJournal offline in the past. The security of all WordPress.com sites is a top priority for us, and until we can guarantee scripting languages will not be harmful, they will not be permitted. Learn more about embedding JavaScript.
JavaScript from trusted partners, such as YouTube and Google Video, is converted into a WordPress shortcode when a post is saved.
Flash and other types of embed that use the following tags are not allowed on WordPress.com sites without a plugin-enabled plan:
embed, frame, iframe, form, input, object, textarea
There are several safe ways to post Videos, Audio, and other items to any WordPress.com site. In addition, the Embedding content page lists the various types of embeds that are allowed. Flash and other types of embed that use potentially unsafe HTML tags are only allowed on WordPress.com sites that are on plugin-enabled plans.
See our Posting Source Code article for details on how to easily post source code on your blog.
The code limitations mentioned above apply only to the sites that do not have plugins enabled.
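A pre-publish check for the restrictions above, as an added example that is not WordPress.com's own filter: it parses a draft and reports tags from the blocked list, tags missing from the allowed list, and inline JavaScript, each with its line number. The names `DraftAudit` and `audit`, the sample draft, and the treatment of `on*` attributes and `javascript:` URLs as JavaScript are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Tag lists copied verbatim from this page.
ALLOWED = set("""a address abbr acronym area article aside b big blockquote br
caption cite class code col del details dd div dl dt em figure figcaption footer
font h1 h2 h3 h4 h5 h6 header hgroup i img ins kbd li map mark ol p pre q rp rt
rtc ruby s section small span strike strong sub summary sup table tbody td tfoot
th thead tr tt u ul var""".split())
BLOCKED = set("embed frame iframe form input object textarea style link".split())

class DraftAudit(HTMLParser):
    """Collects (line, kind, detail) findings; it reports only and rewrites nothing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, "javascript", tag))
        elif tag in BLOCKED:
            self.findings.append((line, "blocked-tag", tag))
        elif tag not in ALLOWED:
            self.findings.append((line, "not-on-allowlist", tag))
        for name, value in attrs:
            # Assumption of this example: inline handlers and javascript: URLs
            # count as JavaScript. Whitespace and control characters are removed
            # first because browsers ignore tabs and newlines inside a URL.
            url = re.sub(r"[\x00-\x20]", "", value or "").lower()
            if name.startswith("on") or (name in ("href", "src") and url.startswith("javascript:")):
                self.findings.append((line, "javascript", f"{tag} {name}"))

def audit(html):
    """Return the findings for one draft, in document order."""
    parser = DraftAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample draft, not taken from a real site.
SAMPLE_DRAFT = """<h2>Hello</h2>
<p onclick="track()">Read <a href="https://example.com">this</a></p>
<iframe src="https://example.com/widget"></iframe>
<script>console.log("hi")</script>
<a href="javascript:void(0)">x</a>
<video src="clip.mp4"></video>
"""

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE_DRAFT):
        print(f"line {line}: {kind}: {detail}")
```

An empty result means every tag in the draft is on the allowed list; it does not show what the published page will contain.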
On the WordPress.com plugin-enabled plans, you have the option to install third-party plugins and themes. You can use a plugin to add code to your header (common for integrating with services like Google AdSense) by following these steps.
Custom plugins and themes are often vulnerable to malicious attacks, so when you choose to install them, we separate your site from the shared WordPress.com environment. We also make substantial infrastructure changes behind the scenes to help keep your site secure. Because of these changes, once you install a custom plugin or theme on a plugin-enabled site, you are free to add any code that you want anywhere on your site, including JavaScript or Flash.
At the same time, please be extra careful when adding custom code. Your site is separated from the shared environment, so it can’t be exploited to attack all of WordPress.com, but it may itself still be vulnerable. As such, we recommend that you only add code that comes from a reputable source. If you are ever in doubt, err on the side of caution.