Why the WordPress “exec-php” Plugin is a Form of Bad Practice

It alarms me that WordPress users will often still use the exec-php plugin. It made sense when WordPress was fairly primitive and its templating system lacked functionality. Today, WordPress is enhanced enough that it should supersede the use of the exec-php plugin, and the plugin should be avoided at all costs. WordPress is sophisticated enough now that you should not need such a plugin, which poses a number of risks.

The plugin itself allows arbitrary PHP placed in post content to be executed when the page is rendered.

Utilizing such a plugin is typically bad practice:

  • Causes PHP code to be stored in the database alongside content.
  • Creates a developer-dependent workflow. Thus, it requires a developer to maintain it, not an end user.
  • Makes PHP errors difficult to debug, since the code lives in post content rather than in versioned files.
  • Poses increased problems for scalability.
  • Introduces performance problems. A database query is needed to retrieve the PHP code, and then that code must be executed as a further step.
  • Poses many security risks. If someone knew your WordPress password, they could essentially turn your WordPress site or blog into malware, because the ability to edit a post becomes the ability to run PHP on the server.

Ways around the plugin are simply good planning, following web development best practices, and taking the time to develop more robust solutions such as theme or plugin code. Exec-php should only be used as a last resort for short-lived stop-gap solutions.
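As an added example (not code from the original post or from the exec-php project), this is the kind of "more robust solution" meant above: logic that a site might once have pasted as inline PHP into a post is moved into a small plugin and exposed as a shortcode, so the post only contains `[recent_posts count="5"]` and no PHP is stored in the database. The plugin name, function name and shortcode tag are constructed for the example; all WordPress API calls used are real.

```php
<?php
/*
Plugin Name: Recent Posts Shortcode (constructed example)
Description: Replaces inline PHP in post content with a shortcode backed by versioned code.
*/

// Handler for [recent_posts count="5" category="news"].
// Attributes are the only input an editor controls, so they are bounded and sanitized;
// editing a post can no longer change what code the server runs.
function example_recent_posts_shortcode( $atts ) {
    // Merge caller attributes with defaults (third argument enables the shortcode_atts_recent_posts filter).
    $atts = shortcode_atts(
        array( 'count' => 5, 'category' => '' ),
        $atts,
        'recent_posts'
    );

    // Clamp the count so a typo or hostile value cannot request an unbounded query.
    $count = max( 1, min( 20, (int) $atts['count'] ) );

    $args = array(
        'posts_per_page' => $count,
        'post_status'    => 'publish',
    );
    if ( '' !== $atts['category'] ) {
        // sanitize_title() reduces the value to a slug, which is what category_name expects.
        $args['category_name'] = sanitize_title( $atts['category'] );
    }

    $query = new WP_Query( $args );
    if ( ! $query->have_posts() ) {
        return '<p>No posts found.</p>';
    }

    // Build the markup in a string rather than echoing: shortcode handlers must return output.
    $out = '<ul class="recent-posts">';
    while ( $query->have_posts() ) {
        $query->the_post();
        $out .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink() ),   // escape URL for an href attribute
            esc_html( get_the_title() )   // escape title for HTML text content
        );
    }
    wp_reset_postdata(); // restore the main loop's global post object
    return $out . '</ul>';
}
add_shortcode( 'recent_posts', 'example_recent_posts_shortcode' );
```

Because the handler is a file under version control, errors surface in the normal PHP error log with a file and line number, and the code is reviewed and deployed like any other change rather than edited through the post editor.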