WordPress provides you with an internal editor to edit themes and plugins in the way you find suitable. This editor allows users to edit their plugins and templates straight from WordPress dashboard. Although having such a high-access editor in your WordPress panel can also be a security issue.
It’s possible that beginners misuse it and cause serious security risks to their website. Also, whoever has access to your admin dashboard can simply use it and make changes to your website. Webmasters may try to change a few features and they may break the code in the process.
Why should we disable file editor?
As mentioned above, WordPress has a file editor that allows its users to edit any of the website’s files. This editor is accessible through “Appearance”. In addition, it will open your template’s files by default. To use plugins editor, simply head over to your plugins and click on the editor. Plugins are shown alphabetically in the editor.
When users open this editor for the first time a message will pop up to warn users:
You appear to be making direct edits to your theme in the WordPress dashboard. We recommend that you don’t! Editing your theme directly could break your site and your changes may be lost in the future updates. If you need to tweak more than your theme’s CSS, you might want to try making a child theme.
If you decide to go ahead with direct edits anyway, use a file manager to create a copy with a new name and hang on to the original. That way, you can are-enable a functional version if something goes wrong.”
From WordPress version 4.9, the developers of this CMS have created an algorithm to prevent users from breaking their websites. This algorithm will stop and revert your work if it sees the damage is fatal to your website.
In some cases, the algorithm fails to detect errors and the user may be able to save their work which will ultimately break their website and lock them out of the admin dashboard.
Since WordPress is an open-source CMS, it allows users to use this editor to add any type of code to the website, and this will cause serious security risks.
If hackers are able to gain access to your admin dashboard, then they won’t need to gain access to your cPanel, because they can add any code to your files and database. For this reason, it is highly recommended by experts to disable this editor.
How to disable file editor in WordPress
You can disable file editor in WordPress through a few easy steps. You simply need to copy and paste the code below to your wp-config.php file. From your WordPress dashboard, enter your cPanel and select “file manager” and click on “wp-config.php” file.
define( 'DISALLOW_FILE_EDIT', true );
After pasting the code you will have to save the file. You now have disabled the editor. You also can use functions.php to disable the editor. Copy and paste the code above to the file or use code snippets or site-specific plugin to add the code. If you don’t want to add the code yourself, you can use the “1-click hardening” feature in Sucuri plugin.
However, a lot of WordPress users, use this editor to make changes to their template. If users want to edit their CSS file they can head over to “Appearance” find customization and click on CSS.