Want to add PHP directly to your WordPress posts and pages? Follow this easy tutorial on how to allow PHP in WordPress using a free plugin.
As a WordPress expert since 2008, I’ll share my in-depth knowledge on the most secure and practical ways to enable custom PHP execution in your WordPress content.
Why Add PHP to WordPress Pages and Posts?
First, let’s discuss why you might want to use PHP in your WordPress content.
According to the 2022 WordPress User Survey from WPExplorer.com, the top reasons users enable custom PHP include:
Reason | Percentage |
---|---|
Display dynamic content | 61% |
Integrate third-party code snippets | 53% |
Create custom forms and apps | 47% |
Member access restrictions | 31% |
As you can see, PHP unlocks powerful functionality in your WordPress site, from dynamic content to fully customized forms and apps.
However, there are also risks with allowing PHP across all pages:
- Security vulnerabilities
- Site crashes from bugs
- Compromised sites from attacks
That’s why WordPress disables PHP execution in posts and pages by default. So how can you enable it safely only where needed?
Allow PHP Selectively With Code Snippets and Shortcodes (Recommended)
The most secure way to integrate PHP into WordPress is using code snippets and shortcodes.
This approach gives you precise control over exactly where and how PHP runs, without site-wide risks.
Let’s compare the code snippet + shortcode method to other options:
Method | Security | Precision | Difficulty |
---|---|---|---|
Code Snippets + Shortcodes | High | High | Medium |
Enable Everywhere via Plugin | Low | Low | Easy |
Hack Core Files | High Risk | High | Hard |
Step 1 – Install and Understand Code Snippets
Code Snippets is used on over 900,000 WordPress sites, and for good reason – it makes adding reusable code easy and secure.
The plugin adds a Code Snippets menu where you can:
- Create reusable snippets
- Select where they insert
- Assign them shortcodes
It keeps your code contained, running it only where assigned.
Step 2 – Create a PHP Snippet
To allow PHP specifically, create a PHP Script snippet:
- Go to Snippets → Add New
- Title and describe your snippet
- Choose PHP Script as the code type
- Paste your custom PHP script
- Select Shortcode for the insertion method
- Save your snippet
Now your PHP is ready to be executed selectively!
Step 3 – Insert Snippet Shortcode Into Content
Add the auto-generated shortcode for your snippet into any WordPress:
- On the Post/Page editor
- Click Add Block → Shortcode
- Paste your snippet’s shortcode
- Publish!
Once live, your PHP will safely run on that page. No other content or site areas are impacted.
Recap and Security Tips
Allowing PHP via targeted code snippets gives flexibility and safety:
- Add dynamic logic, forms, tools with PHP
- Enable only where needed via shortcodes
- Avoid site-wide security risks
Here are my top security tips when enabling PHP:
- Rigorously test snippets before going live
- Escape all outputs to prevent XSS issues
- Limit snippet usage only where absolutely required
- Monitor site for unusual activity that could signal an attack attempt
- Restrict snippet execution via user roles and capabilities
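The escaping and capability tips above, applied to a shortcode callback; this is an added example, not code from the original tutorial or from the Code Snippets plugin. It registers its own shortcode through WordPress core's `add_shortcode()` rather than using a plugin-generated one, and the shortcode name `member_greeting`, its `label` and `link` attributes, and the `read` capability check are assumptions.

```php
<?php
// Added example. The opening tag above is for a standalone file; snippet
// editors commonly supply it themselves (assumption), so drop it there.
// Hypothetical names: member_greeting, label, link.

function example_member_greeting_shortcode( $atts ) {
    // Allow only the attributes we expect; anything else typed into the
    // shortcode is discarded, and missing ones fall back to defaults.
    $atts = shortcode_atts(
        array(
            'label' => 'Welcome back',
            'link'  => '',
        ),
        $atts,
        'member_greeting'
    );

    // Restrict execution by capability: visitors without it get no output
    // and none of the logic below runs for them.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        return '';
    }

    $user  = wp_get_current_user();
    $label = sanitize_text_field( $atts['label'] );

    // Escape at the point of output, matching the context: esc_html() for
    // text nodes, esc_url() for href values. Attribute values and profile
    // fields are both treated as untrusted.
    $html = '<p class="member-greeting">'
        . esc_html( $label ) . ', '
        . esc_html( $user->display_name ) . '.';

    // esc_url() returns an empty string for disallowed schemes such as
    // javascript:, so the link is only rendered when a usable URL remains.
    $url = esc_url( $atts['link'] );
    if ( '' !== $url ) {
        $html .= ' <a href="' . $url . '">' . esc_html( 'Your account' ) . '</a>';
    }

    // Shortcode callbacks return markup rather than echoing it, so the
    // output appears where the shortcode sits in the post content.
    return $html . '</p>';
}
add_shortcode( 'member_greeting', 'example_member_greeting_shortcode' );
```

In a post this would be used as `[member_greeting label="Hello" link="https://example.com/account"]`, where the URL is a constructed sample value.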
I hope this tutorial gives you a full overview of how to securely allow PHP in WordPress posts, pages, and other content! Please reach out with any other questions.