WordPress allows editing theme/plugin files
Description
This WordPress installation has the built-in theme and plugin file editor enabled. The editor lets users with administrative privileges modify PHP files directly from the WordPress dashboard. If an attacker gains access to an administrator account (through credential compromise, session hijacking, or other means), they can use this editor to inject malicious PHP code into theme or plugin files, which runs with the web server's privileges and leads to complete server compromise.
Remediation
Disable the WordPress file editor by adding configuration directives to your wp-config.php file. This file is typically located in the root directory of your WordPress installation.
Add the following line to prevent editing of theme and plugin files through the dashboard:
define( 'DISALLOW_FILE_EDIT', true );
For enhanced security, consider also preventing installation of new themes and plugins via the dashboard:
define( 'DISALLOW_FILE_MODS', true );
Note:
DISALLOW_FILE_MODS disables both the file editor and the ability to install or update themes and plugins through the dashboard, so setting it on its own is sufficient to close this finding; keep DISALLOW_FILE_EDIT as well if you prefer the explicit setting. Add these lines before the comment that reads /* That's all, stop editing! Happy publishing. */. After making the change, verify that the Theme File Editor and Plugin File Editor entries are no longer visible under the Appearance and Plugins menus respectively.
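To confirm the fix from the file system rather than by clicking through the dashboard, the following added Python check (not part of this advisory or of WordPress itself) scans a wp-config.php for the two constants, ignores commented-out lines, treats DISALLOW_FILE_MODS as also closing the editor, and flags a define that sits after the stop-editing comment. The sample configuration embedded below is constructed for the example.

```python
import re

# Constructed sample wp-config.php fragment (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
// define( 'DISALLOW_FILE_MODS', true );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

STOP_MARKER = "That's all, stop editing!"
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# Matches define( 'DISALLOW_FILE_EDIT', true ); with any whitespace or quote style.
_DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"](DISALLOW_FILE_EDIT|DISALLOW_FILE_MODS)['"]\s*,"""
    r"""\s*(true|false|1|0)\s*\)\s*;""",
    re.IGNORECASE,
)


def audit_wp_config(source: str) -> dict:
    """Report which hardening constants are active and any define placed after the stop marker."""
    active = {name: None for name in HARDENING_CONSTANTS}
    misplaced = []
    seen_marker = False
    for line in source.splitlines():
        stripped = line.lstrip()
        if STOP_MARKER in stripped:
            seen_marker = True
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # commented-out defines do not take effect
        match = _DEFINE_RE.match(line)
        if not match:
            continue
        name = match.group(1).upper()
        if active[name] is not None:
            continue  # PHP keeps the first definition of a constant
        active[name] = match.group(2).lower() in ("true", "1")
        if seen_marker:
            misplaced.append(name)  # defined after the recommended location
    result = {name: bool(value) for name, value in active.items()}
    # DISALLOW_FILE_MODS also removes the editor, so either constant closes the finding.
    result["file_editor_disabled"] = result["DISALLOW_FILE_EDIT"] or result["DISALLOW_FILE_MODS"]
    result["misplaced"] = misplaced
    return result


if __name__ == "__main__":
    for key, value in audit_wp_config(SAMPLE_WP_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the real file with audit_wp_config(open("/path/to/wp-config.php").read()) and treat file_editor_disabled being False, or a non-empty misplaced list, as the finding still open.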