• I have been wondering about the Disable File Editor setting under the WordPress tweaks. It removes the plugin and theme editor, but if someone were to breach your site and saw that you had iThemes installed, they could simply untick that setting.
    I don’t think I understand the threat that this setting is protecting against?

Viewing 2 replies - 1 through 2 (of 2 total)
  • It would depend on what type of WordPress account is breached.

    The iTSec plugin Security menu option is only available to users with the manage_options capability. By default only the Administrator role includes the manage_options capability.

    That said, disabling the editor is nothing more than adding an extra line to the wp-config.php file. When a site/hosting is breached, and the attacker has full access to the filesystem, editing the wp-config.php file is another viable option.

    I think disabling the editor is security by obscurity. It doesn’t really make your site more secure. At best it will only slow down an attacker after a breach.

    To prevent any confusion, I’m not iThemes.
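Taking the reply above at its word that the setting is nothing more than a line in wp-config.php, the natural defensive follow-up is to watch that line: the shell check below (added here, not from the thread or the iThemes plugin) reports whether a given wp-config.php still disables the editor, so it can run from cron or a monitoring job and flag the setting being reverted after a breach. The file contents in `demo` are constructed samples, not a real site's config.

```shell
#!/bin/sh
# Added example: verify that wp-config.php actually disables the built-in
# theme/plugin editor. Prints one of: disabled / enabled / missing.
# Returns 0 only for "disabled", so a cron job can alert on any non-zero status.
# Only uncommented define() lines count; a commented-out define is "missing".
wp_file_edit_status() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "missing"; return 1; }
    # Last uncommented define('DISALLOW_FILE_EDIT', ...) wins, as in PHP.
    line=$(grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"]" "$cfg" | tail -n 1)
    if [ -z "$line" ]; then
        echo "missing"; return 1
    fi
    # Drop any trailing // comment so it cannot influence the true/false check.
    line=${line%%//*}
    case "$line" in
        *[Tt][Rr][Uu][Ee]*) echo "disabled"; return 0 ;;
        *)                  echo "enabled";  return 1 ;;
    esac
}

# Stand-alone demonstration on constructed sample configs (not real site files).
demo() {
    tmp=$(mktemp -d)
    printf "<?php\ndefine('DB_NAME', 'wp');\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$tmp/hardened.php"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', false);\n" > "$tmp/weakened.php"
    printf "<?php\n// define('DISALLOW_FILE_EDIT', true);\n" > "$tmp/reverted.php"
    for f in hardened weakened reverted; do
        printf "%s: " "$f"
        wp_file_edit_status "$tmp/$f.php" || true
    done
    rm -rf "$tmp"
}

demo
```

Pair this with a checksum or version-control watch on wp-config.php itself: the check tells you the line is gone, not who removed it.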

  • Turns out, (by default) only users with the Administrator role have access to the Theme/Plugin Editor menu options (which makes sense). Learned something new today 😉

    So my first argument from the previous post doesn’t stick.


The topic ‘Disabling File Editing’ is closed to new replies.