PHP code for posts used to be a rather popular WordPress plugin that let users quickly embed PHP code in any location that supports shortcodes. With over 220,000 downloads it was certainly a useful tool, so why did it disappear almost overnight?

Before I explain that: a lot of people have been looking for somewhere to download the plugin again, so I have now moved it over to GitHub (yay!). From GitHub you can download the plugin as a zip and upload it via WordPress’ plugin uploader or FTP; however, I strongly recommend reading the rest of this post first.

View on GitHub

So, where did it go?

A little while back the people who manage the plugins repository received a complaint from a university student about a vulnerability in the way the plugin works. This vulnerability allows users to execute code that may have adverse effects on their site: because the plugin runs unfiltered PHP code, users could potentially run hazardous code such as rm -rf /, which would remove all the files on the server (not good!).

This is obviously an issue for site owners who give lots of people access to the admin area of their WP site, or who paste random code found on the internet into the plugin.

However, this issue is not unique to the plugin. If you allow users unrestricted access to the admin area and haven’t disabled plugin editing, they can simply use WordPress’ own plugin editor to add their malicious code. It may also affect other plugins that allow PHP via shortcodes.

How to prevent it

The obvious way is to not use the plugin, pure and simple. Use custom templates in your theme to add your PHP to your post, page or other location; that way you control the code more securely.

If you choose to use the plugin, then restrict access to the editor. The plugin only lets users with the Manage Options capability (manage_options, which the administrator role has by default) add code, so limit that capability to people you trust and only they will be able to add code.
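As an added example (not the plugin’s own code), here is one way to apply that restriction in a wrapper plugin: the snippet can only be stored by a user who holds manage_options, and it is only evaluated at render time if the post’s author still holds that capability. The function names, the option prefix and the hardened_php shortcode tag are hypothetical; the wp-config.php constant in the first comment is the real WordPress setting that disables the plugin editor mentioned above.

```php
<?php
// In wp-config.php (real WordPress constant): disable the built-in theme/plugin file editor.
// define( 'DISALLOW_FILE_EDIT', true );

// Hypothetical save-side check: only a manage_options user may store a snippet.
function hardened_php_save_snippet( $id, $code ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to store PHP snippets.', '', array( 'response' => 403 ) );
    }
    update_option( 'hardened_php_snippet_' . sanitize_key( $id ), $code, false );
}

// Hypothetical render-side check: evaluate a stored snippet only if the post's
// author holds manage_options *now*, so a demoted or removed admin's snippets stop running.
function hardened_php_snippet_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'hardened_php' );
    $post = get_post();
    if ( ! $post || ! user_can( (int) $post->post_author, 'manage_options' ) ) {
        return ''; // author lacks the capability (or post has no author): refuse to evaluate
    }
    $snippet = get_option( 'hardened_php_snippet_' . sanitize_key( $atts['id'] ), '' );
    if ( '' === $snippet ) {
        return '';
    }
    ob_start();
    try {
        eval( $snippet ); // snippet was stored by a manage_options user via hardened_php_save_snippet()
    } catch ( Throwable $e ) {
        ob_end_clean();
        error_log( 'hardened_php snippet ' . $atts['id'] . ' failed: ' . $e->getMessage() );
        return '';
    }
    return ob_get_clean();
}
add_shortcode( 'hardened_php', 'hardened_php_snippet_shortcode' );
```

Note that the render-side check is deliberately on the post’s author rather than the current visitor, since front-end visitors are usually anonymous and the point is to stop code that was added by someone who should never have had the capability.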

Either way, it’s definitely never a good idea to paste random code found on the internet without first checking what it actually does.

Also, if you’re not very PHP-literate, you may want to hire a developer to do your coding for you, like me!

If you have further questions about this plugin, please do get in touch at hello@{this domain}