diff --git a/lib/wordmove/hook.rb b/lib/wordmove/hook.rb
index 7233730..65bf3cd 100644
--- a/lib/wordmove/hook.rb
+++ b/lib/wordmove/hook.rb
@@ -102,7 +102,7 @@ def self.run(commands, options, simulate = false)
           return true if simulate
 
           stdout, stderr, exit_code =
-            copier.exec!("bash -l -c 'cd #{wordpress_path} && #{command}'")
+            copier.exec!("bash -l -c 'cd #{wordpress_path} && #{Shellwords.escape(command)}'")
 
           if exit_code.zero?
             logger.task_step false, "Output: #{stdout}"