Disabling the Plugin/Theme editor 3.0

One of the features coming in WordPress 3.0 is that the Plugin & Theme editors will be enabled for Super Admins (the new name for site admins). If you have a closed site with a known list of users, it will be a nice feature to have. On the other hand, if you have open registrations with a larger list of users, I strongly recommend that you disable the plugin and theme editor.

The aim of most website hacks is to gain access to the source code of the website to insert links to spam sites. If you disable the plugin & theme editor, you place another barrier between a hacker and the source code of your install. Cleaning up a couple hundred themes is not an insignificant task. And even one hack will cost you far more time than the convenience of the editors is likely to ever save you.

I’ve written a plugin that we will be installing in all of our MU installs before upgrading to WP 3.0 that disables both editors.

You can download it here: Disable Theme/Plugin Editors in WordPress 3.0 (863).

Updated: If the plugin causes issues with your theme’s options, you can also add a line to wp-config.php to disable the editors:

define('DISALLOW_FILE_EDIT',true);

That constant was added after I wrote this post :)
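For readers who want to see what a plugin like the one described above has to do, here is an added example (written for this page, not the author's download and not WordPress core code). It hooks the map_meta_cap filter, which is also the point where core honours DISALLOW_FILE_EDIT, and answers 'do_not_allow' for the capabilities behind the editor screens so the check fails for every user, super admins on Multisite included. The capability names and the mu-plugins placement are assumptions based on the WordPress capability set; the example_ prefix is hypothetical.

```php
<?php
/*
Plugin Name: Disable Theme/Plugin Editors (example)
Description: Example mu-plugin that refuses the capabilities behind the theme and plugin editors.
*/

// Added example for this page; not the author's plugin and not core code.
// Assumption: the file lives in wp-content/mu-plugins/ so it loads on every site in the network
// without needing to be activated.

// Capabilities that back the editor screens (assumed names from WordPress core).
// 'edit_files' covers the generic file editor, the other two the theme and plugin editors.
function example_disabled_file_edit_caps() {
    return array( 'edit_themes', 'edit_plugins', 'edit_files' );
}

// map_meta_cap runs on every current_user_can() check. Returning array( 'do_not_allow' )
// makes has_cap() return false, and WP_User::has_cap() honours 'do_not_allow' even for
// super admins on Multisite, so the editors are closed rather than merely hidden from a menu.
function example_disable_file_editors( $caps, $cap, $user_id, $args ) {
    if ( in_array( $cap, example_disabled_file_edit_caps(), true ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'example_disable_file_editors', 10, 4 );

// Self-check a site owner can call from a theme or another plugin after this file is loaded:
// true means the current user, whoever they are, can no longer reach either editor.
function example_file_editors_disabled_for_current_user() {
    return ! current_user_can( 'edit_themes' ) && ! current_user_can( 'edit_plugins' );
}
```

Denying the capability rather than removing the menu entry matters: the admin menu only decides what is shown, while the capability check is what the editor screens themselves enforce, so a direct request to the editor URL is refused too. The wp-config.php constant in the post achieves the same result with one line and is the simpler choice where it does not conflict with a theme's options page.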

Comments

  1. Does it work for a standalone blog as well? (i.e. not MU enabled)

    • Yes, it does :) I hadn’t really thought about it from the perspective of supporting a standalone blog.

      It doesn’t have the plugin info block, so you would have to add that or add the mu-plugins folder and put it there.

  2. dumb question, but why disable the editors for the Super Admin? Or am I simply confused by the new terms? Isn’t the Super Admin = the global admin, as opposed to a blog-admin (aka a user that signs up for a blog and becomes its admin?)

    • If someone hacks their way onto the super admin list, then they have access to the theme/plugin files. In the case of the theme editor, it defaults to the active theme on the current blog. The rest of the hack script would be pretty easy writing.

  3. I put this in my /plugins folder on my MultiSite blog and went to activate it only … it’s not there. So I remembered that dropins for Multi Site go in the wp-content folder, not plugins. I went and put it there and still nothing. I even went and checked that I (as super-admin) could still edit themes and plugins and I can.

    This is 3.0-Beta with the nightly build from the 13th.

  4. Donald says:

    Great plugin! Almost exactly what I wanted. Added

    $cap == 'delete_plugins' || $cap == 'activate_plugins'

    to the function to disable activation or deactivation of all plugins.

    This in addition to the “disable plugin updates” plugin works perfect, thanks!

  5. mercime says:

    Ron, thank you for this plugin. I already had an enable plugin/theme editor in mu-plugins when I upgraded dev install to WP 3.0 trunk and saw two links to each editor :-) Agreed with you 100% that theme & plugin editors should not be enabled even for Site/Super Admins in production/live installs.

    Thanks again.

  6. I assumed file permissions would be the standard way to work around this.

    Removing the editor link does make things a little smoother looking in the backend though I spose.

    • Remove the temptation to try, and even with permissions – what if you miss some?

  7. Thanks a lot.

    One simple line in wp-config.php does make a lot of sense in view of security.

  8. Hey Guys,

    I’ve got a question about security and usability for my WP3 Multi-Site install.

    I’m running a pretty well moderated community site, with the ability for users to keep ‘Journals’ – our custom name for blogs. But WPMS defaults all new users as Admins of any blogs they create. What would be ideal for us is if they could default to simply Editors for their own blogs.

    Do you know if this is possible?