Adding PHP code to WordPress pages can unlock advanced customization, integrate third-party tools, or display dynamic content. However, doing it the wrong way may compromise your website’s security or even break it. In this article, we’ll walk you through safe and effective methods to add PHP code to WordPress, even if you’re not a developer.
Table of Contents
- Why WordPress doesn’t allow PHP in pages by default
- How to safely add PHP code in WordPress
- Where you should not place PHP code
- Alternative plugins for inserting PHP
- FAQ
Why WordPress doesn’t allow PHP in pages by default
For security reasons, WordPress does not allow direct execution of PHP code inside the page or post editor. This is to prevent any unauthorized or malicious user from injecting code that could compromise the entire site.
The danger of arbitrary PHP
PHP has full access to the file system, database, and WordPress core functions. Therefore, executing unfiltered PHP can:
- Execute harmful commands
- Steal or modify sensitive data
- Delete users or content
- Create hidden backdoor access
A real example of dangerous code
Imagine if someone inserts this code inside a page:
<?php
// DANGEROUS EXAMPLE – DO NOT USE
if (isset($_GET['delete_users']) && $_GET['delete_users'] == '1') {
    require_once(ABSPATH . 'wp-admin/includes/user.php');
    $users = get_users();
    foreach ($users as $user) {
        wp_delete_user($user->ID);
    }
    echo "All users have been deleted.";
}
?>
Then visits a URL like:
https://yoursite.com/page/?delete_users=1
The result? All users will be deleted from the site — a disaster.
That’s why WordPress filters PHP
Anything you write in the editor is treated as HTML or shortcode, but not executable code. This is intentional, to protect your site from malicious injections or accidental breakage.
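The dangerous snippet above never checks who is asking: it has no login check, no capability check and no CSRF token, and it changes state on a GET request. The following added example (not code from the original article) shows a destructive action with those guards in place, limited to one user per request; the action name demo_delete_user, the function names and the user_id field are hypothetical.

```php
<?php
// Added example, not from the original article. The action name
// "demo_delete_user" and the "user_id" form field are hypothetical.

// Runs only for logged-in users, via a POST to wp-admin/admin-post.php.
add_action('admin_post_demo_delete_user', 'demo_handle_delete_user');

function demo_handle_delete_user() {
    // 1. State changes must not be reachable through a plain GET link.
    if ('POST' !== $_SERVER['REQUEST_METHOD']) {
        wp_die('Method not allowed', '', array('response' => 405));
    }

    // 2. CSRF: the request must carry a nonce minted for this exact action.
    //    check_admin_referer() stops the request if the nonce is invalid.
    check_admin_referer('demo_delete_user');

    // 3. Input: accept a single non-negative integer ID, nothing else.
    $user_id = isset($_POST['user_id']) ? absint($_POST['user_id']) : 0;

    // 4. Authorization: the caller must be allowed to delete this user,
    //    and may not delete their own account through this path.
    if (!$user_id || $user_id === get_current_user_id()
        || !current_user_can('delete_user', $user_id)) {
        wp_die('You are not allowed to do that.', '', array('response' => 403));
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user($user_id);

    wp_safe_redirect(admin_url('users.php'));
    exit;
}

// The matching form, rendered only for users who hold the capability.
function demo_delete_user_form($user_id) {
    if (!current_user_can('delete_user', $user_id)) {
        return '';
    }
    $html  = '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    $html .= '<input type="hidden" name="action" value="demo_delete_user">';
    $html .= '<input type="hidden" name="user_id" value="' . absint($user_id) . '">';
    $html .= wp_nonce_field('demo_delete_user', '_wpnonce', true, false);
    $html .= '<button type="submit">Delete user</button></form>';
    return $html;
}
```

A request that fails any of the four checks ends in wp_die() before wp_delete_user() is reached, so a visitor who merely opens a crafted URL cannot trigger the deletion.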
How to run PHP safely
If you need to use PHP in WordPress, use safe and controlled methods such as:
- Developing a custom template file or widget
- Creating a custom shortcode
- Using plugins like Code Snippets
How to safely add PHP code in WordPress
Since WordPress does not allow PHP execution directly within posts or pages, it’s essential to use safe, structured methods to customize your website without breaking it. Here’s how to do it the right way.
Method 1: Use the Code Snippets plugin
Code Snippets is a free and highly trusted plugin that lets you add custom PHP code safely through the dashboard.
Example:
function display_welcome_message() {
    echo "<p>Welcome to our website!</p>";
}
add_action('wp_footer', 'display_welcome_message');
This code will show a message in the footer of every page.
Benefits:
- No need to edit theme files
- Simple, structured interface
- Enable or disable snippets at any time
Method 2: Create a custom shortcode
Shortcodes let you execute PHP logic inside posts or pages by typing a keyword in square brackets.
Example:
function current_date_shortcode() {
    return "Today is " . date('F j, Y');
}
add_shortcode('today_date', 'current_date_shortcode');
Insert this in functions.php (preferably in a child theme), and use [today_date] in your content.
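Shortcodes usually accept attributes, and those attributes are typed by whoever can edit the post, so they need to be validated and escaped before they reach the page. The following added example (not code from the original article) extends the today_date shortcode with two attributes; the attribute names format and label, the allow-list keys and the function name are assumptions made for this illustration.

```php
<?php
// Added example, not from the original article. The "format" and "label"
// attributes and the allow-list keys below are assumptions.
// Usage in content: [today_date format="short" label="Date:"]
function today_date_shortcode_safe($atts) {
    // Merge author-supplied attributes with defaults; unknown keys are dropped.
    $atts = shortcode_atts(
        array('format' => 'long', 'label' => 'Today is'),
        $atts,
        'today_date'
    );

    // Allow-list: authors choose a key, never a raw date format string.
    $formats = array(
        'long'  => 'F j, Y',
        'short' => 'Y-m-d',
        'day'   => 'l',
    );
    $key    = sanitize_key($atts['format']);
    $format = isset($formats[$key]) ? $formats[$key] : $formats['long'];

    // The label is free text from the post author: strip tags and control
    // characters here, then HTML-escape at output time.
    $label = sanitize_text_field($atts['label']);

    // wp_date() (WordPress 5.3+) honours the site's timezone setting.
    $today = wp_date($format);

    // Return the markup instead of echoing it, so WordPress places it where
    // the shortcode appears rather than at the top of the content.
    return '<span class="today-date">' . esc_html($label . ' ' . $today) . '</span>';
}
add_shortcode('today_date', 'today_date_shortcode_safe');
```

With this version, [today_date label="<script>alert(1)</script>"] renders as harmless text, and an unrecognised format value falls back to the long format.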
Method 3: Add PHP to functions.php (with care)
If you’re comfortable editing your theme files, you can write PHP in functions.php. Always use a child theme to avoid losing changes after an update.
Example:
add_action('wp_head', function() {
    echo "<meta name='custom-meta' content='my-custom-value'>";
});
This code injects a custom meta tag into your site’s header.
Where you should not place PHP code
Placing PHP code in the wrong places inside WordPress can lead to critical errors, broken pages, or security vulnerabilities. Let’s look at where you should never insert PHP.
1. Inside the page or post editor
WordPress does not process PHP inserted directly into the block or classic editor. It will either:
- Show it as plain text
- Or crash the visual layout
Example of what not to do:
<?php echo "Hello world"; ?>
Result: you’ll see the raw code on the page or get a rendering error.
2. In regular text widgets
Default WordPress widgets support HTML and plain text, but not PHP. Inserting PHP there won’t work.
Better alternative:
Use plugins like “PHP Code Widget” or “Code Snippets” to run PHP safely in widgets.
3. In WordPress core files
Never edit:
- /wp-config.php
- /wp-settings.php
- any file inside /wp-includes/ or /wp-admin/
Unless you’re an expert developer, editing these files is a major risk. Updates will override changes, and a single mistake can crash your site completely (white screen of death).
4. In plugin files from other developers
Editing a plugin’s code:
- Will break on updates
- Can introduce bugs or conflicts
Instead, use hooks, filters, or create your own custom plugin to extend its behavior.
Where to insert PHP safely
- In widgets only if PHP execution is enabled
- Inside the functions.php file of a child theme
- Using the Code Snippets plugin
- Through custom shortcodes
- Inside custom templates
Alternative plugins for inserting PHP
Besides the popular Code Snippets, there are several other safe and reliable plugins that allow you to add custom PHP code to WordPress without editing your theme files. These are great especially for non-developers.
Here are the top alternatives:
WPCode – Insert Headers and Footers + Custom Code Snippets
A powerful, flexible plugin that lets you:
- Add PHP, HTML, JS, or CSS code
- Control where and when code runs (site-wide, posts, pages)
- Insert scripts into header, body, or footer
Example:
Add this snippet:
add_action('wp_footer', function() {
    echo "<p style='text-align:center;'>Copyright © " . date('Y') . " - My Website</p>";
});
This will display a custom footer message.
Insert PHP Code Snippet
Great if you want to create PHP-powered shortcodes you can reuse in pages, posts, or widgets.
Example:
Create a snippet named welcome:
echo "Welcome to our site!";
Then use the shortcode:
[xyz-ips snippet="welcome"]
WP Custom Code
This plugin allows you to add custom code to header, footer, body, or specific pages – all from the dashboard.
It’s easy to use and suitable even for simple PHP tasks.
When to use these plugins
Use these tools when:
- You prefer to enable/disable code blocks with one click
- You want to avoid editing theme files
- You need conditional code placement
- You want centralized snippet management
FAQ
1. Can I insert PHP code directly into a WordPress page?
No, the editor does not execute PHP for security reasons. Use a shortcode or a plugin.
2. Is it safe to use a plugin for PHP?
Yes, as long as you use a reputable and updated plugin like Code Snippets.
3. Can I use PHP in the block editor (Gutenberg)?
No, the block editor does not interpret PHP code directly. Use a shortcode instead.
4. How do I create a custom PHP shortcode?
Write a function in functions.php and register it with add_shortcode().
5. What happens if I write PHP code incorrectly?
You could break your site. Always test code and make backups first.
6. Where can I test PHP code safely?
Use a local server (like XAMPP) or a sandbox plugin for safe testing.
7. Can I add PHP to a widget?
Yes, but you may need a plugin or to allow PHP execution in widgets manually.
8. Should I use functions.php or a plugin?
Plugins are safer and keep your changes even after theme updates.
9. How do I avoid losing custom code after a theme update?
Use a child theme or a plugin designed for custom code.
10. Can Dopstart help me with this?
Absolutely! We offer a free first consultation and custom support to implement PHP code safely and efficiently.