Embed Any Content†‡ Into Your WordPress Website
Content Mask allows you to embed any external content onto your own WordPress Pages, Posts, and Custom Post Types. The end result is fairly similar to setting up a Domain Mask, but the content is embedded into the front end of your website and is fully contained inside your WordPress permalink ecosystem.
Example: If you built a landing page on
landing-page-builder.com/your-landing-page/, you can simply create a new Page on your website at
your-site.com/landing-page/and paste in the URL of your landing page. The Content Mask plugin will then download and cache of copy of your landing page directly on your website, so any visitors that come to
your-site.com/landing-page/will see the landing page you built. This allows you to keep all of your links integrated into your WordPress Website.
† Do not use Content Mask to embed any content that you do not own or do not otherwise have license to share, embed, frame, or distribute.
Simple 2-Step UI
With a simple 2-Step UI, you can embed any external content into your website without any complicated URL Forwarding, DNS Records, or
.htaccess rules to mess with.
Just enable the Content Mask on any Page, Post, or Custom Post type by clicking on the check mark.
Then put in the URL that contains the content you want to embed.
It’s that simple!
Powerful Embedding and Redirect Options
Using the Download method (default) will fetch the content from the Content Mask URL, cache it on your website, and replace the current page request with that content. By default, this cache lasts 4 hours – but it can be changed anywhere from “Never Cache” all the way up to “Cache for 4 Weeks”. Caching prevents the need for additional requests that slow down your site.
Using the Iframe method will replace the current page request with a full width/height, frameless iframe containing the host URL. This method is ideal if the URL you want to embed won’t serve scripts, styles, or images to other URLs or IP Addresses. If you use the Download Method, and links or images look broken, you can try the Iframe method instead.
Using the Redirect (301) method will simply redirect the visitor to the host URL.
Simple Integrated Vistor Tracking
In the Content Mask admin panel, you can enable tracking for Content Masked pages. This will allow you to see how many visitors are viewing these links. This is ideal for when you need to track acquisition, such as on a Landing Page.
- [Views] shows how many times that Content Mask page has been viewed by anybody (even logged in users)
- [Non-User] shows how many times it’s been viewed by visitors that are not logged in to the website.
- [Unique] shows how many times it’s been viewed by unique IP addresses. Note: IP addresses are one-way hashed and are not identifiable in any way.
Creating a Content Masked Page
Using the Content Mask Admin Panel
Do NOT use Content Mask on any content you aren’t explicitly authorized to share or use. Please confirm you’re allowed to utilize and embed the content before embedding any particular URL.
Content embedded using the Download method is cached using the WordPress Transients API for 4 hours by default. If the content on the external URL is updated and you would like a fresh copy, you may just click the “Update” button on the Page, Post, or Custom Post Type to refresh the transient, or click the “Refresh” link in the Content Mask Admin panel. You may also change the cache expiration timer per page anywhere from “Never” to “4 weeks”.
You may use the Transients Manager plugin to manage transients stored with the Download method. All Content Mask related transients contain the prefix “content_mask-” plus a stripped version of the Content Mask URL, such as “content_mask-httpxhynkcom”.
‡ Your site may be prevented from processing page requests for any reason; Reasons include, but are not limited to: masking unauthorized content, at the request of the masked URL site owner, masking hateful content, masking illegal content, circumventing IP bans, etc. A dual one-way encrypted hash of your masking URL may be used to check for infraction. No identifying information will be used for this check, and no information is saved other than as a transient to prevent unnecessary duplicate checks per site
content-maskfolder to your
Activate the “Content Mask” plugin.
How to Use:
Edit (or Add) a Page, Post, or Custom Post Type.
Underneath the page editor, find the “Content Mask Settings” metabox.
Click the Checkmark on the left to enable Content Mask.
Paste a URL in the Content Mask URL field.
Choose a method: Download, Iframe, or Redirect (301).
Update (or Publish) the Page, Post or Custom Post Type.
That’s all! When a user visits that Page, Post or Custom Post Type, they will instead see the content from the URL you have put in the Content Mask URL field.
I made changes to my Masked Page, and they’re not showing up on my website
Content Mask caches the masked page to your website. Click “Update” to resave the page, or click the “Refresh Transient” from the Content Mask admin page. If that doesn’t work, you can add a query string to the Masked URL, such as
https://example.com?1and Content Mask will fetch a new copy.
Can I send custom headers with the Download Method
No. If this is a feature you would like implemented, please contact me.
No. This is because of how page requests are processed. Using Content Mask will override the entire page content on the front end.
Can I Embed Multiple URLs on One Page?
No. There’s not currently a way to embed multiple URLs onto a single page. You can embed one URL on one page.
Will Content Mask Overwrite My Page Content?
No. Content Mask does not permanently alter anything on your website. The embedded content is only shown on the front-end. When you turn off Content Mask, any page content you had in the editor will still be there.
Something Isn’t Loading With the Download Method
Some websites “whitelist” IP addresses or domains for scripts, images, and files to be accessed from. If that’s the case, try using the iframe method instead.
Something Isn’t Loading with the Iframe Method
Some websites don’t allow themselves to be iframed at all. Please reach out to the webmaster for the content you wish to iframe.
If your website is secured (with https://), make sure any links on the iframed page are secure as well, as most modern browsers don’t allow insecure content (http://) to be loaded into a secure page or iframe.
Contributors & Developers
“Content Mask” is open source software. The following people have contributed to this plugin.Contributors
- adjust kses for SVGs and output
- Fix count in unique views
- allow more in kses
- Allow ‘id’ attribute in style and script tags for kses
- More pragmatic approach to wp_kses for scripts, styles, and HTML elements in single script areas and universal script areas
- Fixed Universal CSS in iframe and download
- Adjust wp_kses to allow script src
- Fixed individual footer scripts not being parsed and displayed
- Fixed missed/broken escapes and entity decoding for some header/footer sections
- Fixed missed SE/EL/AV mantra
- Added kses to some outputs
- Additional early sanitization
- additional late escaping in iframe output
- Additional Sanitization and Escaping
- Fixed accidental var_dump
- Adjusted script field display
- Added much more escaping and sanitization where required. Attributes, URLs, and bare HTML are escaped.
- Added individual function nonces for additional security, no longer reliant on a single nonce.
- Changed most concatenation to formatted strings for clarity and ease of escaping.
- Added WP Nonce Validation to all AJAX requests
- Checked user permissions/caps where necessary
- Patched security vulnerability where authenticated users could modify non-content mask options
- Add “Footer Scripts” section for Download and Iframe method
- Fix minor script access issue
- Fix PHP notice from smoke test for
- Adjust single post type metabox to better illustrate Mask state
- Additional CSS to handle screen sizes better
- Prevent Content Mask save_meta function from running on post types that aren’t considered “public”, also hid meta box
- Fixed an issue with headers being sent and an error showing in the customizer
- Fixed an issue where Content Mask admin styles were being applied to other elements on the
edit.phpadmin base screen.
- Modified IFL check
- Added Post Types to “Hide Content Mask From” list. Removes meta box and all active page processing for specificed post type(s).
- In some instances, roles aren’t set when checked. Forced to array or skip in all cases.
- Replace deprecated functions
- Added “Content Mask Role” permissions. All roles enabled by default. Users with “manage_options” capability can disable Content Masking admin page/metabox for each role.
- Require “manage_options” capability to modify content mask options or scripts/styles settings
- Minor updates to IFL Request check, fix two further undefined index warnings on iframe specific requests
- Check infractions list, fix PHP string/array comparison warning in metabox.
- Fix in_array errors in metabox
- Fixed two inconsequential PHP notices
- Updated jQuery.load call to jQuery.on(‘load’)
- Added an option “Return Link” to allow users to go back to their previous page.
- Accidentally left in diagnostic code in “condition permissions”, this has been removed.
- Fixed scripts and styles saving in the admin
- Added condition permissions
- Allow use of standard wp_head() in iframes
- Minor fixes from 1.8.1
- Patched some minor security vulnerabilities exposed by PHP Grinder
- Allow Role-Based Content Mask Permission Locking.
- Added Support-based Iframe Query-Parameter Overrides
- Allow variants of ‘localhost’ in the Content Mask URL
- Allow passing of URL parameters to iframe
- update baked in version
- Updated Chrome User Agent String for HTTP Headers option
- Fixed displaying visitor tracking columns in admin panel
- Compatibility for WordPress 5.4 confirmed
- Fixed an issue where the Refresh Transient option wasn’t working properly
- Made find/replace functions in the download method more reliable.
- Added content generator meta tag in the tag on the download method.
- Fixed an issue where Error Reporting was turned on for the entire site after updating
- Introduced a method to easily create new content masks from the Content Mask admin panel.
- Content Mask has partnered with WhirLocal to embed Landing Pages and other content. A link to sign up for a FREE account has been added to the admin panel.