
Why is the PHP function shell_exec() disabled?

This article explains the background of this security measure, the impact it has on your applications, and the secure alternatives available to you.

Written by Neele de Jonge

What happens when you use shell_exec()?

In our hosting environment, the PHP function shell_exec() (as well as similar functions like exec(), system(), or passthru()) is disabled by default.

When a script or plugin attempts to use this function, you will typically receive an error message that looks like this:

Warning: shell_exec() has been disabled for security reasons in /path/to/your/file.php on line X

Why is the function disabled?

The shell_exec() function allows a PHP script to execute commands directly on the command line of the server's operating system.

In a shared hosting environment, where multiple customers share a single server, this poses a significant security risk:

  • Protection against malware: If a vulnerability in your website (e.g., in an outdated plugin) is exploited, attackers could use shell_exec() to take control of server processes.

  • Stability and performance: Improperly executed system commands can degrade server performance, thereby disrupting the websites of other customers on the same server.

💡 To ensure maximum security and performance for all users, this function is blocked at the system level.

Impact on your projects

Because direct system calls from PHP are blocked, certain applications may face limitations:

  • Deployment scripts & CLI tools: Scripts that attempt to automatically call Composer (composer install) or Git (git pull) via PHP will not work.

  • Backup plugins: Some plugins try to run server programs like zip or mysqldump via the command line instead of using native PHP functions.

  • Image processing: Attempts to run ImageMagick via the command line using the convert command will fail.

Possible alternatives and solutions

You don't have to give up the functionality you need. For almost all use cases, there are secure and native alternatives:

1. Use native PHP functions

Many developers use shell_exec() out of convenience for tasks that PHP can already handle out of the box:

  • Instead of executing file system commands (like ls, rm, cp) via the shell, use the PHP functions scandir(), unlink(), or copy().

  • Instead of packing archives via shell commands, use the PHP ZipArchive class.

  • For image processing, use the GD-Library or Imagick PHP extensions instead of calling system commands.
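
The following is an added example, not part of the original article or the hosting provider's code: it packs a directory with ZipArchive and cleans up with unlink() and rmdir(), where a script might otherwise call zip -r and rm through the shell. The function name zipDirectory and the temporary sample directory are assumptions made for illustration, and the zip extension must be enabled.

```php
<?php
declare(strict_types=1);

// Pack a directory with ZipArchive instead of shell_exec("zip -r ...").
// No command string is built, so file names never reach a shell.
// zipDirectory() is a hypothetical helper name used for this example.
function zipDirectory(string $sourceDir, string $zipPath): int
{
    $root = realpath($sourceDir);
    if ($root === false || !is_dir($root)) {
        throw new InvalidArgumentException("Not a directory: $sourceDir");
    }

    $zip = new ZipArchive();
    $status = $zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    if ($status !== true) {
        throw new RuntimeException("Cannot create archive (ZipArchive code $status)");
    }

    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    $count = 0;
    foreach ($files as $file) {
        // Skip symlinks so the archive cannot pull in files outside $root.
        if ($file->isLink() || !$file->isFile()) {
            continue;
        }
        // Store paths relative to $root, with forward slashes.
        $relative = substr($file->getPathname(), strlen($root) + 1);
        if ($zip->addFile($file->getPathname(), str_replace('\\', '/', $relative))) {
            $count++;
        }
    }

    if (!$zip->close()) {
        throw new RuntimeException('Writing the archive failed');
    }
    return $count;
}

// Constructed sample data: a temporary directory with two files.
$dir = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$dir/sub", 0700, true);
file_put_contents("$dir/a.txt", 'hello');
file_put_contents("$dir/sub/b.txt", 'world');
echo zipDirectory($dir, "$dir.zip"), " files archived\n";

// Cleanup with native functions instead of shell_exec("rm -rf ...").
array_map('unlink', ["$dir/a.txt", "$dir/sub/b.txt", "$dir.zip"]);
rmdir("$dir/sub");
rmdir($dir);
```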

2. Use APIs (Interfaces)

If your script needs to fetch external data or communicate with other servers (often solved via shell commands like curl or wget), use the built-in cURL library (curl_exec) or file_get_contents() instead.

3. Automation via Cronjobs

If you want to run background processes or regular tasks, you don't need to trigger them from PHP through the shell. Instead, use the Cronjob management in our customer panel. There, you can securely run scheduled PHP scripts directly from the server.

4. Direct SSH Access (if included in your plan)

⚠️ Important: Please check if SSH is available in your hosting plan.

The deactivation of shell_exec() only affects execution via PHP (e.g., when loading a website). If you, as an administrator, want to manually use tools like Composer, WP-CLI, or Git, you can log in to your web space normally via SSH and execute these commands directly in the console.
