
Running a WordPress site? Cool. Then you probably already know it’s one of the most popular platforms out there—for bloggers, businesses, online stores, you name it. But popularity comes with a price. Because WordPress is everywhere, it’s a big target for hackers. They’re always looking for ways to poke holes in your setup and do things you definitely don’t want them doing.

Now, there are a lot of ways to harden your WordPress site—firewalls, plugins, strong passwords, limited logins—but today we’re going to focus on something that doesn’t get talked about as much: dangerous PHP functions.

Some PHP functions are basically wide-open doors into your server. If a hacker finds a way in through a plugin vulnerability or an upload form, these functions can let them run commands, access system files, or even install malware. Not great.

The good news? Most WordPress sites don’t need these functions at all. So why not just shut them off?

Let’s talk about how to do that—and what your options are if you’re not in full control of your server.


So, What Functions Are We Talking About?

Here’s the hit list of PHP functions that are often used in attacks:

  • exec
  • shell_exec
  • system
  • proc_open
  • popen
  • curl_exec
  • curl_multi_exec
  • parse_ini_file
  • show_source

What do they do exactly? exec, shell_exec, system, proc_open and popen hand a command string to the operating system and run it as the web server user. curl_exec and curl_multi_exec make outbound HTTP requests, which is how a foothold pulls down a second-stage payload or phones home. parse_ini_file reads INI-format files from disk, a file-read primitive that occasionally comes in handy for an attacker. show_source (an alias of highlight_file) prints a file's PHP source straight to the browser. If an attacker manages to get a foothold on your site through a plugin bug or an upload form, these are the tools they'll use to do real damage.

Two caveats before you copy the list. First, it isn't exhaustive: passthru and pcntl_exec run commands exactly like exec does and belong on the same list if your PHP build has them. Second, curl_exec deserves a moment's thought. WordPress's own HTTP API (update checks, plugin installs, calls to remote APIs) prefers cURL but falls back to PHP streams when curl_exec is unavailable, so core keeps working. A plugin that calls curl_exec directly, on the other hand, will simply break. Check your plugins before you disable it.

That's why many security-minded developers and hosting providers recommend disabling the rest altogether, especially if your site doesn't explicitly need them.


If You’ve Got Access to php.ini

If you’re on a VPS or dedicated server, or even a well-configured cloud host, you probably have access to your php.ini file. This is where you can configure core PHP settings—stuff that affects everything on the server.

To disable those risky functions, here’s what you do:

  1. Open up the php.ini your web server actually loads. On Debian and Ubuntu each SAPI has its own copy: /etc/php/8.x/apache2/php.ini for mod_php, /etc/php/8.x/fpm/php.ini for PHP-FPM, /etc/php/8.x/cli/php.ini for the command line. On RHEL-style systems it's usually a single /etc/php.ini. Editing the CLI copy does nothing for your site, and php --ini only tells you what the CLI loads, so confirm the path from a page served by the web server (phpinfo() shows it as "Loaded Configuration File").
  2. Look for the line that starts with disable_functions. If it's not there, or it's commented out with a leading semicolon, add it.
  3. Add the list of functions you want to block:
disable_functions = exec,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Keep it all on one line, separated by commas (PHP also tolerates spaces between names, but commas are the documented form). If the directive appears twice in the file, the last one wins, so don't leave an old copy behind. Note that disable_functions only covers PHP's built-in functions; it can't block a function a plugin defines itself.

  4. Save the file and restart whichever service runs PHP so the change takes effect. For Apache with mod_php, that's:
sudo systemctl restart apache2

For PHP-FPM (behind Apache or Nginx):

sudo systemctl restart php8.x-fpm

Now any PHP script that calls one of those functions fails. On PHP 8 the call throws an Error ("Call to undefined function exec()") and function_exists('exec') returns false; on PHP 7 it emits a warning ("exec() has been disabled for security reasons") and returns null. Whether visitors see any of that depends on display_errors, so keep display_errors off and log_errors on in production: the attempt lands in the PHP error log, which is exactly where you want to see it. It's like locking a toolbox you don't need.
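Here is the check I'd run after that restart. It's an added example written for this post, not code from the original, and it assumes only that you can place a file in the WordPress root and fetch it over HTTP; the filename phpcheck.php is a suggestion. It reports which php.ini the web SAPI actually loaded, which functions from the list are disabled there, and what a call to a disabled function does on your PHP version.

```php
<?php
// Added example (not from the original post): a one-off check page for the
// php.ini step above. Copy it into the WordPress root as phpcheck.php, load it
// once in a browser, then DELETE it: it prints file paths you don't want
// visitors to see. Assumes only that you can put a file in the web root.
declare(strict_types=1);

header('Content-Type: text/plain; charset=utf-8');

// The hit list from this post. Add passthru / pcntl_exec if you block them too.
$expected = [
    'exec', 'shell_exec', 'system', 'proc_open', 'popen',
    'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source',
];

// 1. Which PHP is really serving the site? The CLI (php --ini) often loads a
//    different php.ini than mod_php or PHP-FPM, which is the usual reason an
//    edit "doesn't work".
echo "SAPI:             ", php_sapi_name(), "\n";
echo "PHP version:      ", PHP_VERSION, "\n";
echo "Loaded php.ini:   ", php_ini_loaded_file() ?: '(none)', "\n";
echo "Extra .ini files: ", php_ini_scanned_files() ?: '(none)', "\n";
$display = filter_var((string) ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
echo "display_errors:   ", $display ? 'ON (turn it off in production)' : 'off', "\n\n";

// 2. Compare the live directive with the list we expect. ini_get() returns the
//    raw string, so normalise it into a lookup table first.
$raw      = (string) ini_get('disable_functions');
$disabled = array_fill_keys(array_filter(preg_split('/[\s,]+/', $raw)), true);

$missing = [];
foreach ($expected as $fn) {
    $inIni  = isset($disabled[$fn]);
    // PHP 8 removes disabled functions from the function table, so
    // function_exists() is false for them; PHP 7 still reports true.
    $exists = function_exists($fn);
    printf("%-16s in disable_functions: %-3s  function_exists(): %s\n",
        $fn, $inIni ? 'yes' : 'NO', $exists ? 'true' : 'false');
    if (!$inIni) {
        $missing[] = $fn;
    }
}
echo "\n", $missing
    ? 'NOT disabled here: ' . implode(', ', $missing) . " (wrong php.ini, or no restart yet?)\n"
    : "All expected functions are disabled in this SAPI.\n";

// 3. What does an attacker's call actually hit? exec('echo ok') is harmless,
//    and if it prints "ok" the function is clearly still live.
echo "\nCalling exec('echo ok'): ";
try {
    $out = @exec('echo ok');   // PHP 7 with exec disabled: warning (suppressed), returns null
    echo $out === 'ok' ? "RAN (exec is NOT disabled)\n" : "blocked (warning only, PHP 7 behaviour)\n";
} catch (\Error $e) {          // PHP 8: "Call to undefined function exec()"
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

If the report says the functions are not disabled but you're sure you edited php.ini, the "Loaded php.ini" line almost always explains it: you edited the copy for a different SAPI. Remove the file as soon as you've read the output.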


But What If You’re on Shared Hosting?

Here’s where it gets tricky. A lot of WordPress users are on shared hosting. It’s cheap, easy, and fast to set up—but it doesn’t give you full control over server settings. That means you can’t just edit php.ini and be done with it.

Still, there are a few things you can try.

You'll see advice online to drop a php_value disable_functions line into the .htaccess file in the root of your WordPress site. Don't bother: it can't work. disable_functions is a PHP_INI_SYSTEM directive, which means it can only be set in php.ini (or the web server's own PHP configuration) before any request is handled. php_value in .htaccess, a .user.ini file and ini_set() in wp-config.php can only change PHP_INI_PERDIR and PHP_INI_ALL settings, so under mod_php the line is silently ignored, and under CGI or FPM php_value isn't even a recognised Apache directive, so you get a 500 error instead. The same rule is what makes the protection worth having: malware that lands on your site can't quietly turn the functions back on either.

What some shared hosts do offer is a per-account php.ini managed through the control panel (cPanel's MultiPHP INI Editor is the common one). Whether disable_functions is honoured there depends on the PHP handler the host uses, so test it afterwards: a temporary phpinfo() page shows the Loaded Configuration File and the live disable_functions value. If the panel only exposes a handful of settings and disable_functions isn't among them, move on to the next section.


So, What Are Your Options?

If you can’t edit php.ini or .htaccess, the next best thing is to reach out to your hosting provider. Seriously—just send a support ticket and ask them to disable those functions for your account. Some hosts already do this by default, others will do it if you ask.

You can also lean on security plugins. Wordfence, iThemes Security (now Solid Security), and SecuPress are all solid options. These plugins can't disable system-level PHP functions, but their malware scanners can at least flag suspicious code sitting in your plugin and theme files, such as a freshly modified file with an exec or shell_exec call in it.

And of course, they help with a bunch of other stuff too: blocking brute force attacks, scanning for malware, enforcing 2FA, and more.


Other Things Worth Doing

Disabling functions is great, but it’s just one piece of the puzzle. Here are a few other quick wins to tighten things up:

  • Turn off file editing inside the WordPress dashboard, so a stolen admin login can't be used to paste a backdoor into a theme file. Just add this to wp-config.php: define('DISALLOW_FILE_EDIT', true); If you install plugins and themes some other way (Git, Composer, WP-CLI), define('DISALLOW_FILE_MODS', true); goes further and also blocks installing and updating them from the dashboard.
  • Don’t use plugins you don’t trust or need. Every plugin is more code that could go wrong.
  • Keep WordPress core, your theme, and all plugins updated. Seriously. Most successful attacks go after out-of-date stuff.
  • Use a web application firewall. Services like Cloudflare or Sucuri sit in front of your site and can stop common attack traffic before it ever hits your server.

Final Thoughts

If you’ve made it this far, you’re already ahead of the curve. A lot of WordPress users don’t even know these PHP functions exist—let alone that they can be turned off for better security.

Whether you’ve got full control of your server or you’re just trying to stay safe on shared hosting, there’s always something you can do. Disabling dangerous PHP functions is a smart, simple way to reduce your risk. If you can do it through php.ini, awesome. If not, talk to your host or use a plugin that can keep an eye out for suspicious behavior.

Security isn’t about being perfect—it’s about being harder to hit than the next guy. And this is one step in the right direction.
