File editing in WordPress is an obscure feature that allows privileged users to edit plugin and theme files directly from the WordPress admin area. An adventurous edit can introduce a PHP syntax error that breaks the site, and you would end up losing access to the WordPress admin area.
There is also a strong security case for disabling file editing on a WordPress site. If a hacker gets access to an “Administrator” account on your WordPress site and file editing is enabled, then the attacker can easily use the built-in editor to add malicious code to any theme or plugin files.
To improve website security, it is strongly recommended to disable file editing in the WordPress admin area.
Here’s how to disable this feature and improve security:
You’ll need a text editor, and access to your wp-config.php file (via FTP).
- Open up your wp-config.php file in a code editor.
- Find the line that says
/* That's all, stop editing! Happy blogging. */
- Add the following before this line:
define( 'DISALLOW_FILE_EDIT', true );
- Save the file.
That’s all! To verify, check your WordPress dashboard: you should no longer see the links at “Appearance > Theme File Editor” and “Plugins > Plugin File Editor”.
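
The steps above as a repeatable script, for when you manage several sites over a shell instead of FTP. This is an added example, not part of the original article: the function names are hypothetical, and it assumes the marker comment contains the phrase "stop editing", as in the line quoted above.

```shell
#!/bin/sh
# Added example: audit wp-config.php and insert the constant if it is missing.
# Function names are hypothetical, chosen for this illustration.

# Succeeds if a define() at the start of a line sets DISALLOW_FILE_EDIT to true.
file_edit_disabled() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)[[:space:]]*;" "$1"
}

# Succeeds if the constant is defined at all, whatever its value.
file_edit_defined() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"]" "$1"
}

# Returns 0 if the constant is already true or was inserted, 1 if a human must look.
disable_file_edit() {
    cfg=$1
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 1; }
    if file_edit_disabled "$cfg"; then
        echo "already disabled: $cfg"; return 0
    fi
    # A second define() of the same constant would not override the first,
    # so an existing non-true definition is reported instead of patched.
    if file_edit_defined "$cfg"; then
        echo "defined with another value, edit by hand: $cfg" >&2; return 1
    fi
    grep -q "stop editing" "$cfg" || { echo "marker line missing: $cfg" >&2; return 1; }
    # Keep a backup, then rewrite in place so ownership and mode are preserved.
    cp -p "$cfg" "$cfg.bak" || return 1
    awk '
        !done && /stop editing/ { print "define( \047DISALLOW_FILE_EDIT\047, true );"; done = 1 }
        { print }
    ' "$cfg.bak" > "$cfg" || return 1
    # Re-check the result rather than trusting the edit.
    file_edit_disabled "$cfg" && echo "inserted: $cfg"
}

# Usage, after sourcing this file: disable_file_edit /path/to/wp-config.php
```

The script leaves a `wp-config.php.bak` copy next to the original; move or delete it once you have confirmed the site loads, since it contains the same database credentials.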