One glaring security risk is the editor, which is enabled by default in the backend of WordPress. If this setting is enabled, any admin user can access the theme and plugin files. So if a hacker gets access, they can inject havoc into your site and easily exploit it.
A complete breakdown of this function can be found on WordPress.org and by this link.
This feature is located under Appearance >> Theme Editor.
You can access critical files in your theme and plugins. So you can imagine how easy it is to break or get hacked. We highly recommend no using this feature at all to edit files. One wrong move like a simple typo could bring down the site, which if you break the site. In almost all cases, it will give you a white screen, and you will not be able to get back to the editor and instead will have to access the server and file edited through FTP or SSH to fix the error.
How to disable the Theme and Plugin Built-in Editor in WordPress
1. Manually Disable Editor in WP-Config File
If you do have access to your web files through FTP, Cpanel file editor, or SSH.
You can go to the root folder of your site
Add the code below just before “That’s all, stop editing! Happy publishing”
define( 'DISALLOW_FILE_EDIT', true );
2. Use a Plugin to Disable Editor
If you do not have access you can also use a plugin to disable the editor
An Alternative Way to Edit Theme Files
If you’re trying to edit the design, we always recommend using the theme options. Each theme is different, so we suggest checking the theme docs on the Author’s website. In most cases, you can find these options under appearance >> theme options, appearance >> customize, or in some cases at the top nav “Theme Options”.
Inside the theme options, you will find many different settings that will allow you to configure the theme. Keep in mind, it really depends on the quality of the theme and how much was put into the settings by the author.
If you need any help with your site or just need some instructions, feel free to comment on this post below or reach out to us.