FAQ » Servers
Warning: shell_exec() has been disabled for security reasons
On a typical cPanel server, you'll find that shell_exec is disabled by default.
Warning: shell_exec() has been disabled for security reasons in /home/<user>/public_html/.../<file>.php
If you see a warning or error like this, it means that shell_exec() is disabled.
This is because of a disable_functions directive
in the php.ini file.
This directive allows you to disable certain functions. It takes on a comma-delimited list of function names.
Only internal functions can be disabled using this directive. User-defined functions are unaffected.
This directive must be set in
php.iniFor example, you cannot set this inhttpd.conf.
On most Linux-based systems you'll find php.ini at /usr/local/lib/php.ini.
cPanel MultiPHP INI Editor
It's recommend editing the files with WHM's MultiPHP INI Editor interface to ensure that an operable version of PHP exists on the system.
- Login to WHM
- Under the Software section go to MultiPHP INI Editor
- Go to Editor Mode and choose the PHP Version
- You should be able to change the
disable_functionsfrom there
On systems that run EasyApache 4, each version of PHP uses a separate php.ini file. You must make changes separately to
each file. Each file exists in the /opt/cpanel/ea-php72/root/etc/php.ini file, where 72 is the PHP version number.
File Paths
| PHP Version | File Path |
|---|---|
| PHP 5.4 | /opt/cpanel/ea-php54/root/etc/php.ini |
| PHP 5.5 | /opt/cpanel/ea-php55/root/etc/php.ini |
| PHP 5.6 | /opt/cpanel/ea-php56/root/etc/php.ini |
| PHP 7.1 | /opt/cpanel/ea-php71/root/etc/php.ini |
| PHP 7.2 | /opt/cpanel/ea-php72/root/etc/php.ini |
| PHP 7.3 | /opt/cpanel/ea-php73/root/etc/php.ini |
| PHP 7.4 | /opt/cpanel/ea-php74/root/etc/php.ini |
| PHP 8.0 | /opt/cpanel/ea-php80/root/etc/php.ini |
| PHP 8.1 | /opt/cpanel/ea-php81/root/etc/php.ini |
You can check each file by doing the following:
# cat /opt/cpanel/ea-php74/root/etc/php.ini | grep disable_functions
disable_functions =
In this example, we can see that the disable_functions line is empty, so we need to check elsewhere...
It may be worth checking for a .user.ini or the .htaccess file, or even a domain configuration.
Domain configuration
Confusingly and largely undocumented, you'll find that each domain name has its own configuration per version of PHP.
For example, if the PHP Version is 7.4, and the domain is example.com, then the file path would be:
/opt/cpanel/ea-php74/root/etc/php-fpm.d/example.com.conf
You can check this file by doing the following:
# cat /opt/cpanel/ea-php74/root/etc/php-fpm.d/example.com.conf | grep disable_functions
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
In this case, you can see shell_exec is set, so we should remove this.
You could use an editor like vi or nano to edit or completely remove it.
Or, you can use the sed command to remove it:
sed -i 's/php_admin_value[disable_functions] = exec,passthru,shell_exec,system//' /opt/cpanel/ea-php74/root/etc/php-fpm.d/example.com.conf
After that you can restart Apache/PHP-fpm using the following command:
# /scripts/restartsrv_apache_php_fpm
Service Status
apache_php_fpm restarted successfully.
That's it.
Last updated: 2022-03-07