WordPress makes it possible to edit theme and plugin files directly in the Administration Screens. While it may look like an easy way to customize
a theme or do a quick change, it’s a dangerous feature. When visiting the theme or plugin editor for the first time, WordPress displays a warning to
make it clear that using such a feature may break the web site by mistake. More importantly, users who have access to this feature can trigger the
execution of any PHP code and may therefore take full control of the WordPress instance. This security risk could be exploited by an attacker who
manages to get access to one of the authorized users. Setting the DISALLOW_FILE_EDIT option to true in
wp-config.php disables this risky feature. The default value is false.
Ask Yourself Whether
- You really need to use the theme and plugin editors.
- The theme and plugin editors are available to users who cannot be fully trusted.
- There’s a chance that the accounts of authorized users get compromised.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- Modify the theme and plugin files using a local editor and deploy them to the server in a secure way.
- Make sure that
DISALLOW_FILE_EDIT is defined in wp-config.php.
- Make sure that
DISALLOW_FILE_EDIT is set to true.
Sensitive Code Example
define( 'DISALLOW_FILE_EDIT', false ); // Sensitive
Compliant Solution
define( 'DISALLOW_FILE_EDIT', true );
See
