How to Add Custom Attributes to Enqueued Scripts in WordPress

When integrating third-party APIs into your WordPress site, you will often find that a simple script URL isn't enough. Many modern services, such as the Dropbox Drop-in Chooser or Google Maps, require specific attributes like id, data-app-key, or security-related attributes like integrity and crossorigin to be present directly on the <script> tag.

While the standard wp_enqueue_script() function is excellent for managing dependencies and loading order, it does not natively support adding custom attributes to the resulting HTML tag. In this guide, you will learn the most efficient ways to inject these attributes into your WordPress scripts using built-in filters.

The Modern Solution: The script_loader_tag Filter

Since WordPress 4.1, the most reliable way to modify a script tag is by using the script_loader_tag filter. This hook allows you to intercept the HTML string of the script tag before it is printed to the page. You can then check for a specific "handle" (the unique name you gave your script) and modify the string as needed.

Suppose you are integrating the Dropbox API, which requires an ID and a data-app-key attribute. Here is how you would implement it:

/**
 * Enqueue the script as usual
 */
function theme_prefix_enqueue_dropbox() {
    wp_enqueue_script('dropbox-js', 'https://www.dropbox.com/static/api/1/dropins.js', array(), null, false);
}
add_action('wp_enqueue_scripts', 'theme_prefix_enqueue_dropbox');

/**
 * Filter the script tag to add custom attributes
 */
add_filter('script_loader_tag', 'theme_prefix_add_dropbox_attributes', 10, 3);

function theme_prefix_add_dropbox_attributes($tag, $handle, $src) {
    // Only target our specific script handle
    if ('dropbox-js' === $handle) {
        $tag = '<script type="text/javascript" src="' . esc_url($src) . '" id="dropboxjs" data-app-key="YOUR_APP_KEY_HERE"></script>';
    }

    return $tag;
}

In this example, the filter checks if the $handle matches dropbox-js. If it does, it returns a completely rebuilt string containing your required attributes.

Managing Multiple Scripts with Custom Attributes

If your project requires adding attributes to multiple scripts—such as adding Subresource Integrity (SRI) hashes to Bootstrap or Popper.js—writing individual if statements can become messy. Instead, you can use an array-based approach to map handles to their respective attributes.

add_filter('script_loader_tag', 'theme_prefix_add_multiple_attributes', 10, 3);

function theme_prefix_add_multiple_attributes($tag, $handle, $src) {
    $scripts_to_modify = array(
        'popper-js' => array(
            'integrity'   => 'sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49',
            'crossorigin' => 'anonymous'
        ),
        'bootstrap-js' => array(
            'integrity'   => 'sha384-smHYKdLADwkXOn1EmN1qk/HfnUcbVRZyYmZ4qpPea6sjB/pTJ0euyQp0Mk8ck+5T',
            'crossorigin' => 'anonymous'
        )
    );

    if (array_key_exists($handle, $scripts_to_modify)) {
        $attributes = '';
        foreach ($scripts_to_modify[$handle] as $attr => $value) {
            $attributes .= sprintf(' %s="%s"', esc_attr($attr), esc_attr($value));
        }

        $tag = sprintf('<script src="%s"%s></script>' . "\n", esc_url($src), $attributes);
    }

    return $tag;
}

This method keeps your code organized and makes it easy to add or remove attributes as your project evolves.

Why wp_localize_script Isn't the Answer

Many developers initially try to use wp_localize_script() to pass these attributes. While wp_localize_script() is perfect for passing data from PHP to JavaScript variables, it cannot modify the HTML tag itself.

wp_localize_script() outputs a separate <script> block containing a JSON object. However, many third-party libraries (like Dropbox) look specifically at the attributes of the script tag that loaded the library to initialize themselves. If the attributes aren't physically present on the <script src="..."> tag, the library will fail to authorize.

Legacy and Alternative Methods

Before script_loader_tag became the standard, developers often used the clean_url filter. This is a "hackier" approach where you append the attributes to the URL string, knowing that WordPress will eventually print it.

While this still works, it is generally discouraged because it relies on breaking the URL structure to force attributes into the HTML. If you are working on a modern WordPress installation (4.1 or higher), always prefer the script_loader_tag method.

Frequently Asked Questions

Can I use this method to add 'async' or 'defer' to scripts?

Yes! Adding async or defer is one of the most common uses for the script_loader_tag filter. Simply search for your handle and append the boolean attribute to the tag string.

Does this work for CSS stylesheets too?

Yes, but you must use the style_loader_tag filter instead. It works identically to the script filter but targets <link rel="stylesheet"> tags enqueued via wp_enqueue_style().

Why is my script handle not being recognized?

Ensure that the handle you use in the filter matches the handle you used when calling wp_enqueue_script(). Also, remember that if your script is a dependency of another script, it will still pass through this filter.

Wrapping Up

Adding custom attributes to your WordPress scripts doesn't have to be a headache. By leveraging the script_loader_tag filter, you can maintain full control over your site's HTML output while still benefiting from the robust dependency management of the WordPress enqueue system. Whether you are adding API keys for a cloud service or improving security with SRI hashes, this approach ensures your code remains clean, performant, and standards-compliant.