WordPress includes a built-in code editor that allows administrators to edit theme and plugin files directly from the browser. While this sounds convenient, it is one of the most dangerous features in WordPress from a security perspective.
What the file editor is
The file editor appears in two places in the WordPress admin:
- Appearance > Theme File Editor — allows editing any file in your active theme
- Plugins > Plugin File Editor — allows editing any file in any installed plugin
Both editors let anyone with administrator access modify PHP code that runs on your server. A single typo, a missing semicolon, or a malicious edit can take your entire site offline or open it to attackers.
Why you should disable it
1. Limits damage from compromised accounts
If an attacker gains access to your WordPress admin account — through a weak password, a phishing attack, or a stolen session — the file editor gives them the ability to inject malicious code directly into your site. Without the editor, a compromised admin account is still serious, but the attacker cannot modify server-side code from the browser.
2. Prevents accidental damage
Even experienced developers can make mistakes when editing live code. A syntax error in functions.php will immediately crash your site, often making it impossible to access the admin to undo the change. The file editor provides no undo, no version history, and no safety net.
3. Better alternatives exist
Web60 provides safer ways to edit your site files:
- File Manager — a full file browser with syntax highlighting, available in your dashboard
- SFTP — direct file access from your preferred code editor
- Terminal — command-line access for advanced users
All of these methods are more reliable and safer than editing code through a browser-based textarea.
What the setting does
When you turn on the Disable file editor setting, Web60 sets the DISALLOW_FILE_EDIT constant to true in your wp-config.php file. This tells WordPress to remove the Theme File Editor and Plugin File Editor from the admin menu entirely. No administrator — including you — can access them until the setting is turned off.
This is the same approach recommended by the official WordPress security documentation.
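To confirm the constant is really in effect, for example after a migration or a manual edit of wp-config.php, you can audit the file contents. The script below is an added example, not Web60 or WordPress code; the function names and sample file contents are constructed for illustration. It ignores commented-out defines and applies PHP's truthiness rules to the value.

```python
import re

# Strings are matched before comments so that comment-like characters inside
# them (common in the random auth salts) are not mistaken for comments.
TOKEN_RE = re.compile(r"""
    ('(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*")   # group 1: string literal, kept
  | (/\*.*?\*/ | //[^\n]* | \#[^\n]*)         # group 2: comment, dropped
""", re.DOTALL | re.VERBOSE)
DEFINE_RE = re.compile(
    r"""(?i:define)\s*\(\s*(['"])DISALLOW_FILE_EDIT\1\s*,\s*(.+?)\s*\)\s*;""")

def strip_php_comments(source):
    return TOKEN_RE.sub(lambda m: m.group(1) or "", source)

def php_literal_truthy(lit):
    """Evaluate a PHP literal as a boolean; None if it is not a plain literal."""
    lit = lit.strip()
    if len(lit) >= 2 and lit[0] in "'\"" and lit[-1] == lit[0]:
        return lit[1:-1] not in ("", "0")   # any other string is truthy, even 'false'
    if re.fullmatch(r"(?i)true|false|null", lit):
        return lit.lower() == "true"
    if re.fullmatch(r"-?\d+(\.\d+)?", lit):
        return float(lit) != 0
    return None                              # expression: needs manual review

def file_editor_disabled(wp_config_source):
    """True if the editor is disabled, False if available, None if undecidable."""
    defines = DEFINE_RE.findall(strip_php_comments(wp_config_source))
    if not defines:
        return False                         # constant absent: editor stays available
    # PHP keeps the first definition of a constant; later ones are ignored.
    return php_literal_truthy(defines[0][1])

# Constructed sample files (not taken from a real site).
SAMPLE_HARDENED = r"""<?php
define( 'AUTH_KEY', 'k#9/*Zq//x' ); // constructed salt with comment-like characters
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""
SAMPLE_COMMENTED = r"""<?php
// define( 'DISALLOW_FILE_EDIT', true );
/* define( 'DISALLOW_FILE_EDIT', true ); */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for name, src in (("hardened", SAMPLE_HARDENED), ("commented", SAMPLE_COMMENTED)):
        print(name, "-> editor disabled:", file_editor_disabled(src))
```

A result of None means the value is an expression rather than a literal, so the file needs to be checked by hand.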
How to enable it
- Open your Web60 dashboard and select your website.
- Go to Advanced Settings.
- In the Security card, find Disable file editor.
- Toggle it on.
The editor is removed from WordPress immediately. No restart or cache clear is needed.
How to disable it
If you need to re-enable the editor temporarily, toggle the setting off in the Security card. The DISALLOW_FILE_EDIT constant is removed from wp-config.php and the editor reappears in the WordPress admin.
Impact on your site
| Area | Impact |
|---|---|
| WordPress Customiser | No effect — works normally |
| Site Editor (block themes) | No effect — works normally |
| Plugin and theme updates | No effect — updates work normally |
| File Manager / SFTP / Terminal | No effect — all still available |
| Theme File Editor | Removed from Appearance menu |
| Plugin File Editor | Removed from Plugins menu |
Need help?
If you have questions about this setting or need help editing your theme files safely, visit our support page and we will be happy to help.
Frequently asked questions
Can I still edit theme and plugin files if this is enabled?
Yes, but not through the WordPress admin. You can use the Web60 File Manager, SFTP, or the Terminal to edit files directly. These methods are safer because they do not expose a code editor through your website's login.
Will this affect my ability to customise my theme?
No. The WordPress Customiser (Appearance > Customise) and the Site Editor (for block themes) are completely separate from the file editor and continue to work normally.
What happens if an attacker gains admin access with the editor enabled?
An attacker with admin access and the file editor enabled can inject malicious code directly into your theme or plugin files from the browser. This is one of the most common ways WordPress sites are compromised after a password breach.
Last updated: 26 March 2026
