diff --git a/SpecialHostStats.php b/SpecialHostStats.php
index 6e6e1ae..2187293 100644
--- a/SpecialHostStats.php
+++ b/SpecialHostStats.php
@@ -7,6 +7,8 @@
 */
 class SpecialHostStats extends SpecialPage {
+ protected $cmdwhitelist;
+
 public function __construct() {
 parent::__construct( 'HostStats' );
 }
@@ -14,10 +16,23 @@ public function __construct() {
 public function execute( $par ) {
 global $wgHostStatsCommands;
 $this->setHeaders();
+ $this->whitelistedcmds();
+ $commands = array();
+ foreach ( $wgHostStatsCommands as $cmd ) {
+ if ( in_array( $cmd, $this->cmdwhitelist ) ) {
+ array_push( $cmd, $commands );
+ } else {
+ # Reject those unsafe commands and log it to hoststats
+ wfDebugLog( "hoststats", "Rejected running command '" .
+ $cmd . "' as it is unsafe, please remove it from " .
+ "\$wgHostStatsCommands!" );
+ continue;
+ }
+ }
 $this->getOutput->setPageTitle( wfMessage( 'hoststats-title' )->escaped() );
 $outpage = wfMessage( 'hoststats-intro' )->escaped();
 $outpage .= "\n";
- foreach ( $wgHostStatsCommands as $cmd ) {
+ foreach ( $commands as $cmd ) {
 $outpage .= '

' . $cmd . '

'; $outpage .= "\n
\n" . $this->query( $cmd ) . "
";
 }
@@ -28,4 +43,12 @@ protected function query( $query ) {
 $output = wfShellExec( $query );
 return $output;
 }
+
+ protected function whitelistedcmds() {
+ $this->cmdwhitelist = array(
+ 'df',
+ 'whoami',
+ 'hostname',
+ );
+ }
 }
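Review bot: In execute(), `array_push( $cmd, $commands );` has its arguments reversed, so `$commands` is never filled and the rendering loop below it runs over an empty list; array_push() takes the array first, and passing the string `$cmd` in that position is an error. Replace it with `$commands[] = $cmd;`. The membership test should also be strict, `in_array( $cmd, $this->cmdwhitelist, true )`, so that a non-string entry in `$wgHostStatsCommands` cannot match an allowed name through loose comparison. The unchanged line `$this->getOutput->setPageTitle(` reads a property instead of calling `getOutput()`, which looks like a typo worth fixing in the same pass. The body of execute() continues past the end of this hunk.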
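Review bot: The allow-list only exists after `whitelistedcmds()` has run, so any path that reaches the `in_array()` check without that call compares against null; initialising it at the declaration, `protected $cmdwhitelist = array( 'df', 'whoami', 'hostname' );`, removes the ordering dependency and the extra method. Because `query()` hands its argument to `wfShellExec()` unchanged, the property deserves a doc comment stating that entries are matched exactly against `$wgHostStatsCommands` and must therefore be complete, fixed command strings. The bare names are presumably resolved through the PATH of the web server process, so absolute paths would pin which binaries run; confirm that against the target hosts. `query()` begins before this hunk.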