Disabling the WordPress File Editor

The problem with the WordPress file editor is that it allows users to run PHP code on your site.  Anytime a user is able to run their own code, this presents a security risk.  If an insecure admin account is hacked, the WordPress file editor is the gateway through which a full-fledged attack can be carried out.

Finding the WordPress File Editor

WordPress File Editor

The WordPress file editor can be a great tool because it allows you to make changes to theme and plugin files on your site directly from the WordPress administration area.  Most of the time, people who utilize this tool will edit their theme’s style.css file in order to make tweaks to their site.  This can be a blessing in disguise.  We will go into the issues with the file editor in the next section, but right now I want to point out where it is so you can know if it is enabled on your site.

Finding the file editor is pretty simple.  Log in to the administration area of your site and expand the ‘Appearance’ and ‘Plugins’ menu items by clicking on the arrow that appears on the right-hand side when you hover over the menu items.  If the word ‘Editor’ appears in either of these menus, then you know that the WordPress file editor is active on your site.

Concerns and Security Risks

A I mentioned earlier, the WordPress file editor is a great tool, but there are a few big reasons why you may want to disable it on your site.

WordPress users can mess things up. You do have to have administrative permissions to be able to view and use the file editor, but just because you are an administrator is doesn’t mean you know what you are doing.  WordPress web designers and developers will likely want to disable the theme and plugin editor for their clients in order to prevent them from messing with things that they don’t understand.  Web designers may not want the client making those css changes to the theme because their client doesn’t understand the importance of cross-browser compatibility.  Web developers may want to block this feature because inserting a single character in the wrong place in a PHP file can crash the site.

It is a gateway for hackers. WordPress is a secure platform, but users are often the weak link.  Most people don’t think about it, but your WordPress admin account is only as secure as you make it.  Let’s say a hacker knows your username and is able to crack your password.  Now they have full admin access to your WordPress site.  Where would they go to gain more access?  Yep… the WordPress file editor.  The file editor will allow them to run scripts to upload destructive files, email all your users, access your database, you name it.

Is disabling the file editor the answer?  If you don’t use it anyway, definitely.  If you do use it, just make sure you take enough precautions with site security so that you are the only one who ever sees it.

Disabling the File Editor

So if you agree with me that disabling the file editor is a good idea, you will be pleased to know that it is extremely simple to do.  Just add this line of code to your wp-config.php file:

define('DISALLOW_FILE_EDIT', TRUE);

Yep, that’s it!  Just one measly line of code can stand in the way of you and trouble… go ahead and add it right now.  It only takes 5 minutes. :)

http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor

 

Be Sociable, Share!

Related Posts:

4 thoughts on “Disabling the WordPress File Editor

    1. Ferdi,

      I understand the convenience of easy file editing, which is obviously why WordPress has this as a feature. But users and especially WordPress professionals should be aware of the risks and reasons why it might should be disabled.

      Another reason why I like to disable the editor is because I version control all of my sites and client sites and any changes I make to the code need to be made in my repositories and pushed up. Allowing myself or others to make changes any other way can cause conflicts and possibly data loss.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>