Should we ditch the WordPress file editor?
Ryan Sullivan makes a pretty compelling argument to ditch the file editors built into the WordPress admin. Anyone that’s been working with WordPress for a while has either heard horror stories or has some of their own, of either being hacked or borking their site with the editors enabled.
I had some long discussions / debate with Otto about this once at a wordcamp. I agree with Ryan that it’s better off just not being there, but Otto had some decent reasons about why Ryan and I are wrong.
However, we can probably all agree on something: there is room for some built in syntax checking and perhaps some safety precautions that would prevent, say, someone from completely borking their site.
I think the struggle is that this is a) an easy thing to take out b) a difficult thing to do well and leave in c) even easier to just ignore.
Most people hyper-alert to the WordPress world know not to screw with this editor. Out of sight, out of mind. However, that probably doesn’t reflect the true state of how this editor plays in day to day users: a big source for hacks and fails.
I agree the file editor is horrible, but in the case of security, what’s to stop some hacker dude from uploading a malicious plugin or theme even with the editors disabled?
Comments are closed.