This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Insert PHP


Run PHP code inserted into WordPress posts and pages.

The PHP code is between special tags (“[insert_php]” instead of “<?php” and “[/insert_php]” instead of “?>”).

The PHP code runs as the page is sent to the browser. Output of the PHP code is published directly onto the post or page where the PHP code between the special tags is located.

The code between the tags must be complete in and of itself. References to variables or code blocks outside the area between the tags will fail. See the “more information” URL for an explanation of this.

Examples of use:

  • Publish local time (users’ computer clock settings being unreliable).

  • Insert the output of a PHP script, or just run a script whether or not it generates output.

  • Check/manipulate cookies or other actions that JavaScript can accomplish when using JavaScript is undesirable.

More information about the Insert PHP plugin can be found here:



Installation Instructions
  1. Download from the “download” link on the web page where you’re viewing this or from (direct download link)

  2. Decompress the file contents.

  3. Upload the insert-php folder to your WordPress plugins directory (/wp-content/plugins/).

  4. Activate the Insert PHP plugin from the WordPress Dashboard.

  5. See instructions for using the plugin.

How do I use this thing?

Make a copy of the working PHP code to be used in a post or a page.

Replace “<?php” on the first line with “[insert_php]”. Replace “?>” on the last line with “[/insert_php]”.

Paste the code into your post or page.

Examples are here:

Can I have more than one place with PHP code on individual posts and pages?

Yes. I have found no limit to the number of places PHP code can be inserted into a post or page. Probably there is no WordPress software limit. There may be a server memory limit if your PHP code uses a lot of memory.

Does the PHP output need to have paragraph and line break HTML formatting codes?

No. HTML paragraph and line break formatting are applied to PHP output.

Do I put the PHP code into content at the “Visual” tab or the “HTML/Text” tab?

Use the HTML/Text tab. While the Visual tab will sometimes work, the HTML/Text tab allows working with the code without the visual formatting.

Why can’t I set cookies or do a browser redirect?

With PHP, cookies are set in the web page header lines, before any page content is processed. Redirects, too, are done in the header lines. When PHP code is within a post or a page, all the header lines have already been sent, along with part of the content. At that point, it is too late to set cookies or redirect with PHP.

I get a “Parse error: …” What do I do now?

Unless the source code of the plugin has been changed or somehow became corrupted, the parse error is likely to be in the PHP code inserted into the post or page. Example:

Parse error: syntax error, unexpected T_STRING, expecting ‘,’ or ‘;’ in /public_html/wp331/wp-content/plugins/insert_php.php(48) : eval()’d code on line 5

Either within or at the end of the parse error message you’ll find something like this:

eval()’d code on line 5

The error is on the indicated eval()’d code line number of the PHP code you are inserting (“5” in the example). At the PHP code you inserted, count down the number of lines indicated. You’ll find the error at that line.

If you have PHP code inserted in more than one place, the error message may apply to any of those places. Temporarily remove or disable them, one at a time, until you determine which one the error message applies to.

If Insert PHP is used with an include() function, the include()’d file may be spawning the error message. In that case, the file name being include()’d and the line number of the error should be somewhere within the error message.

When the error is located, correct it and try again.
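The counting procedure above as a small script, added here as an example and not part of the plugin: it lists every `[insert_php]` block in a post and, given the error message, shows the reported line in each block long enough to contain it. It assumes the text between the tags reaches eval() unchanged, so that line 1 is the line holding the opening tag; the function names, sample post and sample message are constructed.

```php
<?php
// Added example, not the plugin's code. Assumption: the text between the tags
// reaches eval() unchanged, so line 1 is the line holding [insert_php].

/** Return each [insert_php]...[/insert_php] block with its position in the post. */
function find_insert_php_blocks(string $content): array
{
    $blocks = [];
    preg_match_all('/\[insert_php\](.*?)\[\/insert_php\]/s', $content, $m, PREG_OFFSET_CAPTURE);
    foreach ($m[1] as $i => [$code, $offset]) {
        $blocks[] = [
            'index'     => $i + 1,
            'post_line' => substr_count($content, "\n", 0, $offset) + 1, // line of the opening tag
            'lines'     => explode("\n", $code),
        ];
    }
    return $blocks;
}

/** Extract N from "eval()'d code on line N" (straight or curly apostrophe). */
function eval_error_line(string $message): ?int
{
    return preg_match("/eval\(\)(?:'|’)d code on line (\d+)/u", $message, $m) ? (int) $m[1] : null;
}

/** For every block that has a line N, report that line and where it sits in the post. */
function locate_eval_error(string $content, string $message): array
{
    $hits = [];
    $n = eval_error_line($message);
    if ($n === null || $n < 1) {
        return $hits;
    }
    foreach (find_insert_php_blocks($content) as $b) {
        if ($n <= count($b['lines'])) {
            $hits[] = ['block' => $b['index'], 'post_line' => $b['post_line'] + $n - 1,
                       'text' => trim($b['lines'][$n - 1])];
        }
    }
    return $hits;
}

// Constructed sample: two blocks. The second lacks a semicolon on its third
// line, which PHP reports at the next token, i.e. on line 4.
$post = "Intro\n[insert_php]\necho 'a';\n[/insert_php]\nMiddle\n[insert_php]\n\$t = time();\necho 'Now: '\necho \$t;\n[/insert_php]\n";
$msg  = "Parse error: syntax error : eval()'d code on line 4";
print_r(locate_eval_error($post, $msg));
```

Because the first block has only three lines, it drops out of the candidates, which narrows the search before any block has to be disabled.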


Do not EVER install this entirely irresponsible plugin

This is hands down the most irresponsible plugin ever developed for WordPress. PHP should not EVER be run from any frontend module. The point of server side code is that it runs ON THE SERVER, not from a browser. This should not even be available, because it has helped thousands of sites get hacked by malicious sources in the most convenient way possible to hackers.

Let me explain for the uninitiated. PHP has access to EVERY SINGLE THING your site does. Your database, your WooCommerce accounts and payment gateway, any and all information in your site, your passwords, etc, etc. Using this plugin makes it child’s play for anyone with even a tiny little bit of programming knowledge to steal anything and everything on your site. They can erase your entire site. They can steal money from your customers which you are legally liable to reimburse. They can hack any other sites on your host besides the one running this plugin. They can literally have a field day with everything accessible to any part of your server. DO NOT INSTALL THIS. If you can’t figure out how to use FTP and write a plugin properly, you should NOT BE WRITING PHP.

Shame on the developer for submitting this, and also shame on anyone dumb enough to actually install it.

Using this plugin entirely invalidates ALL other security you have in place. Your SSL is useless, Wordfence/Sucuri/etc is useless, your login is useless, your database password is useless, all of it may as well not even be there at all. Not only does this make everything on your site hackable, it also makes everything connected to your site hackable. Got social media accounts connected? Congratulations, those are getting hacked too. Got your Google calendar account connected? Yep, your Gmail is also getting hacked, which means that all of your password resets to every other account you have can also be hacked, including your bank account, student loan account, etc. This is the digital equivalent of storing your life savings out in the street during a looting spree.

Works like a charm

Even though it appears out of date, it does exactly what it says on the tin. Though it would be nice if the author updated the plugin to appear compatible with version 4.9.1.

Security risk DO NOT INSTALL

This plugin opens your site up to horrible security risks. If you accept comments, you will be hacked. If you have form submissions, you will be hacked. If anyone manages to gain access to your admin area, you will be hacked. If there’s any chance that an outside person could submit content to your site, this plugin becomes a way for hackers to gain access.


I would flag this to WP admins for removal if I could. This plugin should not be available to the public.

Security Risk

The idea is just irresponsible.

Many WordPress users are not experts in PHP. But by offering such a plugin you create the impression that it is no problem at all to include PHP code in a WordPress post or page. But this is of course not the case.

Well – one may say that embedding PHP is only for the pros who know exactly what they do. But even pros can make mistakes, as we all learned with WordPress 4.7.1 and the broken REST API. And a “pro” should be able to create his own plugin to embed scripts in a safe way – e.g. as shortcode and within a separate namespace and not the global one etc.
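The alternative this review points to, together with the header-timing limit from the FAQ, as an added example (not the reviewer's or the plugin author's code): a small plugin that exposes one fixed function as a shortcode and sets a cookie on a hook that runs before any output. The plugin name, namespace, `server_time` shortcode and `example_seen` cookie are hypothetical.

```php
<?php
/**
 * Plugin Name: Server Time Shortcode (added example, hypothetical plugin)
 */
namespace Example\ServerTime;

if (!defined('ABSPATH')) {
    exit; // Only run inside WordPress.
}

// Formats an editor may pick by key. Post content supplies a key, never code.
const FORMATS = [
    'date'     => 'Y-m-d',
    'time'     => 'H:i',
    'datetime' => 'Y-m-d H:i',
];

/** Handler for [server_time format="date|time|datetime"]. */
function render($atts): string
{
    $atts   = shortcode_atts(['format' => 'datetime'], $atts, 'server_time');
    $format = FORMATS[$atts['format']] ?? FORMATS['datetime']; // unknown key: default
    // wp_date() uses the site's configured timezone; escape before output.
    return esc_html((string) wp_date($format));
}
add_shortcode('server_time', __NAMESPACE__ . '\\render');

/** Cookies go out with the headers, so set them before the theme prints anything. */
function set_visit_cookie(): void
{
    if (!headers_sent() && !isset($_COOKIE['example_seen'])) {
        // Arguments: name, value, expiry, path, domain, secure, httponly.
        setcookie('example_seen', '1', time() + DAY_IN_SECONDS, '/', '', is_ssl(), true);
    }
}
add_action('template_redirect', __NAMESPACE__ . '\\set_visit_cookie');
```

Writing `[server_time format="date"]` in a post then prints the date, and nothing typed into post content is ever passed to eval().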


Contributors & Developers

“Insert PHP” is open source software. The following people have contributed to this plugin.





First public distribution version.


Bug fix. Added ob_end_flush() and changed variable names to remove opportunity for conflict with variable names in user-provided PHP code.


Changed handling of content intended to remove conflict when Insert PHP is used within content that other plugins also handle.


Fixed issue with str_replace() when haystack contained a slash character.