Introducing The WP Pusher File

NB. The WP Pusher file is no longer supported in WP Pusher.

In essence, the wppusher.php file is a secure way to run shell commands after installing or updating themes and plugins. In most cases, WordPress plugins should not make use of PHP’s exec() function, since this opens up a door for attackers to access the web server. At the same time, it is very convenient to be able to run scripts, such as Composer, when a package has been installed or updated.

When you add a PHP file named ‘wppusher.php’ to your project, WP Pusher will automatically call each specified shell command through PHP’s shell_exec() function. This means that an attacker will only be able to run malicious code if they already have access to the file system, in which case the battle is already lost.

Here is how a wppusher.php file might look:

Supporting Composer is something many users have requested. Unfortunately, this is not something we can support, since Composer will not be available in most places where WordPress is installed. However, we think that this solution will make advanced features, such as Composer, available to the users who already know their way around the shell and know what they are doing.


At this moment, and especially because of the nature of PHP (i.e. no threading), we cannot control or verify that shell commands are run successfully. Neither is any feedback provided after the commands have been run. Also, due to the nature of WordPress, I strongly suggest compiling everything you need before you ship your plugin.

Consider this an experimental feature: if you choose to use it in production somewhere, be aware that, at the moment, there is no way for WP Pusher to ensure that commands are successfully executed. Please also be aware that a command such as composer install can take a while to execute (on a related note, always include the .lock file in your repository, which drastically speeds up the process).
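
Since WP Pusher gives no feedback on whether a command succeeded, a check like the one below can confirm after the fact that a composer install actually completed, by comparing composer.lock with what Composer recorded under vendor/. This is an added example, not WP Pusher code: the function name and the sample packages (acme/a, acme/b) are made up, and it assumes the lock file is shipped in the repository as recommended above.

```php
<?php
// Added example, not WP Pusher code. Function name and sample data are made up.
/** Returns a list of problems; empty means every locked package is installed. */
function composer_install_problems(string $dir): array
{
    $lockFile = "$dir/composer.lock";
    $installedFile = "$dir/vendor/composer/installed.json";
    foreach ([$lockFile, $installedFile, "$dir/vendor/autoload.php"] as $file) {
        if (!is_readable($file)) {
            return ["missing or unreadable: $file"];
        }
    }
    $lock = json_decode(file_get_contents($lockFile), true);
    $installed = json_decode(file_get_contents($installedFile), true);
    if (!is_array($lock) || !is_array($installed)) {
        return ['composer.lock or installed.json is not valid JSON'];
    }
    // Composer 2 wraps the list in "packages"; Composer 1 wrote a bare list.
    $have = [];
    foreach (($installed['packages'] ?? $installed) as $pkg) {
        if (is_array($pkg) && isset($pkg['name'], $pkg['version'])) {
            $have[$pkg['name']] = $pkg['version'];
        }
    }
    // Only non-dev packages are checked ("packages", not "packages-dev").
    $problems = [];
    foreach ($lock['packages'] ?? [] as $pkg) {
        $name = $pkg['name'];
        if (!isset($have[$name])) {
            $problems[] = "$name is locked but not installed";
        } elseif ($have[$name] !== $pkg['version']) {
            $problems[] = "$name: installed {$have[$name]}, locked {$pkg['version']}";
        }
    }
    return $problems;
}

// Constructed sample: the lock file names a dependency that never got installed.
$dir = sys_get_temp_dir() . '/wppusher-check-' . uniqid();
mkdir("$dir/vendor/composer", 0700, true);
file_put_contents("$dir/vendor/autoload.php", "<?php\n");
file_put_contents("$dir/composer.lock", json_encode(['packages' => [
    ['name' => 'acme/a', 'version' => '1.0.0'],
    ['name' => 'acme/b', 'version' => '2.1.0'],
]]));
file_put_contents("$dir/vendor/composer/installed.json", json_encode(['packages' => [
    ['name' => 'acme/a', 'version' => '1.0.0'],
]]));
print_r(composer_install_problems($dir));
```

Run it from a cron job or a monitoring check against the deployed plugin or theme directory, and alert when the returned list is not empty.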

In other news

A few new features have been added to WP Pusher in addition to the wppusher.php file.

  • WP Pusher now supports GitLab.
  • 4 new actions have been added to WP Pusher: wppusher_plugin_was_installed, wppusher_theme_was_installed, wppusher_plugin_was_updated and wppusher_theme_was_updated.
  • Dry run feature for setting up already installed themes and plugins.

These new features will all be documented soon.