Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialKulwinder Krishan
Full Stack JavaScript Techdegree Student 15,050 PointsPlease explain one of the reasons for not to use the editor in dashboad to avoid the malicious acts on the server.
By being novice to the WordPress, I have always used editor to make changes in the code. In the video on using FTP and SFTP; Jesse says the using the editor; can help compromise the security of the server. (I rephrased - that's what I understood ) - I did not get how it will work as you have to login anyway to the back-end to write posts, make changes to the posts and pages. How is accessing back-end to make changes in the posts and editing the code in the editor is different from each other in terms of security?
Thanks in advance
6 Answers
karennh
4,925 PointsI have had clients get into those files thru the Editor by mistake.
You can shut it off by adding this to wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
Zac Gordon
Treehouse Guest TeacherI have some thoughts on why to avoid using that editor, but I'm gonna tag Jesse Petersen for his thoughts.
karennh
4,925 PointsBecause if a hacker gets into your site's back end by guessing your user and password, they can get into your files too and either bring your site down or inject malicious code into your php files.
Kulwinder Krishan
Full Stack JavaScript Techdegree Student 15,050 PointsHi Karennh, the possibility of hacker getting to the back-end of the site by guessing is completely different issue from using editor in the WordPress to make changes in the code. Jesse said in the video that we should not use editor in WordPress and instead use FTP software to log-in and make changes for security reasons. So I could not understand how using the editor and writing posts is different from each other in terms of security. To do both, you have to log-in to the back-end. I can understand that by editing code in the WordPress editor can cause problems if there is something wrong with the code and the changes may be difficult to fixed.
karennh
4,925 PointsI'm not sure I understand your question, but leaving Editor accessible in your WordPress back-end (dashboard) means that someone can get into the php code and really mess things up. They can't cause as much damage in the other parts of the Dashboard. They could mess up the plugins, menus, change some posts but the site would still work. If they edited functions.php and put some bad code in there, the site wouldn't work. Or worse yet, it would work but could be doing something malicious like creating spam links that would get your site blocked by Google.
Anne Lupton
3,222 PointsI have this same question. So if access to the editor is so bad, is there a way to turn it off in the admin? If someone logs into your site they're going to get access to that editor whether you (as the developer) use it or not. I'm just not seeing how tweaking code within the editor, as opposed to using a separate text editor and ftp, is so evil. Sure, after doing that you have to back it up anyway, but that's pretty minor, IMO. So.... can the editor be turned off?
Anne Lupton
3,222 PointsAh, very good! Thanks! Yes, I'd say there's far more risk from clients doing something there they shouldn't than from a hacker. Thanks @karennh!
Also.... is placement of that snippet critical? Or is at the very end of the wp-config.php ok?
Anne Lupton
3,222 PointsAnne Lupton
3,222 PointsJust thought of something: what about the plugin editor? Is there a way to turn that off?