
Security optimisations in WordPress

I never was a fan of the plugin/theme editor in WordPress. It creates security issues as soon as someone is able to log in: combined with the default plugins/themes, an attacker can write an automated script that changes the code of a site, and do so very quickly. You can easily protect yourself by disabling the editor through the DISALLOW_FILE_EDIT constant.

Once you have done this, you most likely also don’t want anyone to install a plugin/theme. Again there is a constant to help you with that, DISALLOW_FILE_MODS. But setting it creates two new security issues.

The first is that you can no longer see that there are updates. Setting the DISALLOW_FILE_MODS constant assumes it should also decide what your client gets to see; as in, you don’t want your client to see that there are updates. This should change: when you set the constant, you should still see that updates are available. We can always add a new constant, or even better a filter, to hide the notification again.

The second issue is that you can’t update plugins/themes anymore. For clients, having this disabled is understandable. But I would like to keep the ability to update my own site while no longer allowing new plugins/themes to be installed.

I have to admit that for my personal site it doesn’t matter much, since I use git to maintain it, but I can see the advantage for a lot of others around me. With a few constants you can secure your site really well. Even if you give someone an admin account, it’s now much harder for them to make your site insecure, and the person maintaining the site still has full control over which plugins/themes get installed.
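The split the post asks for (no editor, no new installs, but updates and update notices still working) can be approximated today without DISALLOW_FILE_MODS by denying only the install capabilities. The following is an added example, not code from the post or from WordPress core; it goes a step beyond the text, and assumes the standard WordPress capability names and the `map_meta_cap` filter.

```php
<?php
/**
 * Added example (not the post's own code). Place it in wp-content/mu-plugins/
 * so it loads on every request and cannot be deactivated from the dashboard.
 *
 * Intended pairing in wp-config.php (removes the plugin/theme editor):
 *   define( 'DISALLOW_FILE_EDIT', true );
 *
 * Deliberately NOT set: DISALLOW_FILE_MODS. That constant also maps
 * update_plugins/update_themes to 'do_not_allow', which is what kills both
 * the update notices and the ability to update.
 */

add_filter( 'map_meta_cap', function ( array $caps, string $cap ) {
    // Capabilities that add new code to the site. The update_* and
    // edit_* capabilities are intentionally left alone.
    $blocked = array(
        'install_plugins',
        'install_themes',
        'upload_plugins', // meta cap that normally maps to install_plugins
        'upload_themes',  // meta cap that normally maps to install_themes
    );

    if ( in_array( $cap, $blocked, true ) ) {
        // 'do_not_allow' is the special capability WordPress itself uses for
        // DISALLOW_FILE_MODS; it denies the check for every user, including
        // administrators and multisite super admins.
        return array( 'do_not_allow' );
    }

    return $caps;
}, 10, 2 );
```

Because install_plugins/install_themes now fail for everyone, the "Add New" submenus disappear while the Updates screen and its notices keep working for users who still hold update_plugins/update_themes.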

The question now is whether we should remove the editor from core. I’m all for it, since more and more hosts already disable it by default and only a small group complains about it being missing. Also, the chance that their changes will be overwritten is really high. I would recommend deleting it in one of the next versions of WordPress. If more and more people are going to use automatic updates for plugins/themes, then the editor becomes really dangerous to use.

2 Replies to “Security optimisations in WordPress”

  1. Bernhard -

    Hey Marko, what would you recommend if I want to disable the possibility to use the editor and install/update plugins, but still want to see if there are updates (like translations) when I am logged into the dashboard?


    Marko Heijnen -

    For now I don’t know. I wrote this post as a suggestion to core on how to do it better. As far as I can currently see, it’s really hard to do because of how the code was written. It’s something I personally also want to look into, and hopefully soon I can update this post with a plugin that does this.
