PHP system exec Functions Disabled on Shared Hosting

The error "Warning: system() has been disabled for security reasons" means your PHP script is trying to execute a system command, and that function has been disabled on the server. This is intentional. On shared hosting, functions like system(), exec(), passthru(), and shell_exec() are disabled because they allow PHP scripts to run operating system commands, which is a major security risk in a shared environment.

01. Why These Functions Are Disabled

On shared hosting, hundreds of accounts share the same server. If one account's PHP script could execute system commands, a compromised script (from a hacked WordPress plugin, for example) could read other users' files, send spam, install malware, or even take over the server.

Disabling these functions is an industry-standard security practice. Every major shared hosting provider does it. CloudLinux's CageFS provides additional isolation, but disabling dangerous PHP functions is the first line of defense.

02. Full List of Disabled Functions

The following PHP functions are disabled on our shared hosting servers:

system, exec, shell_exec, passthru, popen, proc_open,
proc_close, proc_get_status, proc_nice, proc_terminate,
pcntl_exec, pcntl_fork, pcntl_signal, pcntl_waitpid,
pcntl_wexitstatus, pcntl_setpriority, pcntl_getpriority,
show_source, escapeshellcmd, escapeshellarg

You can see the full list for your account by checking phpinfo() output. Look for the disable_functions directive.

03. Alternatives and Workarounds

PHP Has Built-In Replacements for Most Tasks

Most uses of system() and exec() in PHP scripts have pure-PHP alternatives:

• File operations - use PHP's file_get_contents(), file_put_contents(), copy(), rename(), unlink() instead of calling shell commands like cp, mv, rm
• Directory operations - use mkdir(), rmdir(), scandir(), glob()
• Image processing - use PHP's GD library or ImageMagick PHP extension instead of calling the convert command
• Sending email - use PHP's mail() function or a library like PHPMailer instead of calling sendmail directly
• HTTP requests - use curl functions (the PHP extension, not the CLI tool) or file_get_contents() with stream contexts
• Compression - use PHP's ZipArchive class or gzip functions instead of calling tar or zip

WordPress Plugins That Trigger This Error

Some WordPress plugins try to use exec() for tasks like image optimization (calling optipng or jpegoptim), backups (calling mysqldump), or security scanning. These plugins usually have a fallback mode that works without shell access. Check the plugin's settings for an option like "Use PHP method" or "Disable shell commands."

04. Need These Functions? Consider a VPS

If your application genuinely requires system(), exec(), or other shell functions, a VPS or dedicated server is the right choice. On a VPS, you have root access and full control over PHP configuration, including which functions are enabled.

Common applications that need shell functions include: custom deployment scripts, video/audio processing, machine learning pipelines, and applications that shell out to command-line tools.

See our hosting comparison guide or view our VPS and dedicated server plans.

Quick Recap

If you only do 5 things from this guide, do these:

1. system(), exec(), shell_exec() are disabled - this is a security requirement on shared hosting
2. Cannot be enabled per-account - it's a server-wide setting
3. Use PHP built-in functions instead - most shell tasks have pure-PHP equivalents
4. Check plugin settings - many plugins have a "PHP mode" fallback
5. Need shell access? Get a VPS - full control over PHP configuration

Last updated March 2026 · Browse all PHP articles