WordPress allows users to edit the Theme/Plugin files directly from the WordPress dashboard. This is a great feature that makes it extremely easy to edit the files without having to access the hosting account every single time. However, it also opens a door for attackers to inject files and scripts into your website. If you want to disable this built-in feature provided by WordPress, this guide shows you how.
Where can you update the Theme/Plugin files in WordPress?
WordPress allows you to edit the theme and plugin files directly from the dashboard itself. This is a great feature for those who want to make changes to the themes, especially child themes, without having to access their web server. The theme editor is usually available at Appearance > Theme File Editor.
The plugin file editor, accessible from Plugins > Plugin File Editor, is used to make changes to the plugins installed on the WordPress website, usually by webmasters. However, changing plugin files directly is not recommended unless the plugins are custom developed just for your website and you control the updates.
Why should you disable this feature?
Both of these file editors are extremely useful for making changes quickly. However, using them is not recommended, because anyone who has access to your WordPress backend with the necessary permissions can change your website's files directly.
Unless you are absolutely sure that nobody else can access your back end, you should in most cases keep this feature disabled, or at least disable it again after making the necessary changes to your website.
Beyond the security aspect, directly editing theme or plugin files from the WordPress backend can easily introduce errors in the code. Usually, these files are edited using a code editor such as Visual Studio Code in a staging environment.
Steps to Disable File Editing in WordPress Admin Area
- Open the wp-config.php file located in the directory of your WordPress installation.
- Add the following line of code just above the line saying /* That's all, stop editing! Happy blogging. */:
  define( 'DISALLOW_FILE_EDIT', true );
- Save the changes.
As soon as you save the changes to your wp-config.php file, the file editor entries disappear from the Appearance and Plugins menus. This means no one will be able to edit your theme or plugin files from the WordPress dashboard or use the editors to inject malicious scripts. If you don't make frequent changes to theme files such as functions.php or to plugin files, it is recommended to disallow file editing from the WordPress dashboard.
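The steps above can be scripted so the setting is applied the same way on every site. The following is an added example, not part of the original guide: the function names and exit codes are hypothetical, and it matches the marker on the words "stop editing" only, on the assumption that the rest of the marker line can differ between WordPress versions.

```shell
#!/bin/sh
# Added example: set DISALLOW_FILE_EDIT in a wp-config.php idempotently.
# Function names and exit codes are hypothetical, chosen for this illustration.

# Succeeds if an uncommented define( 'DISALLOW_FILE_EDIT', true ); line exists.
has_disallow_file_edit() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)[[:space:]]*;" "$1"
}

# Exit codes: 0 = constant is set (now or already), 1 = file or write error,
#             2 = marker line not found, 3 = constant defined with another value.
set_disallow_file_edit() {
    cfg=$1
    [ -f "$cfg" ] || return 1
    has_disallow_file_edit "$cfg" && return 0

    # PHP keeps the first define() of a constant and ignores later ones, so an
    # existing define with a different value has to be corrected by hand.
    if grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"]" "$cfg"; then
        return 3
    fi

    # The define must sit above the marker: below it, wp-config.php loads
    # wp-settings.php, and constants defined after that point come too late.
    grep -q "stop editing" "$cfg" || return 2

    tmp=$(mktemp) || return 1
    # \047 is a single quote; insert the define once, above the first marker line.
    awk '/stop editing/ && !done { print "define( \047DISALLOW_FILE_EDIT\047, true );"; done = 1 }
         { print }' "$cfg" > "$tmp" \
        && cp "$cfg" "$cfg.bak" \
        && cat "$tmp" > "$cfg"      # cat keeps the original owner and mode
    rm -f "$tmp"

    # Verify the result instead of trusting the write.
    has_disallow_file_edit "$cfg"
}

# Stand-alone use: sh this-script.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then set_disallow_file_edit "$1"; fi
```

A backup of the previous file is left next to it as wp-config.php.bak; since it contains database credentials, remove it or move it outside the web root once the change is confirmed.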