ClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

Remove the Theme and Plugin Editors

October 25, 2018 · 08:23 · Dave Jesch
Description

These are not necessary and can pose a security risk.

Tags
Difficulty: Moderate
Request: Remove feature
Discussion
Fabian Wolf

IMHO they are damn well necessary. Esp. when your client doesn't know nothing about the web, not being able to find his SFTP login data. For quick fixes, this really helps a lot.

BTW: people edit and delete core files, no matter what, anyway.

What would maybe do better is a specific switch in the Options / Settings to enable both editors, and set the default state to disabled.

Pieter Bos

I agree with Fabian that they actually come in handy sometimes. If you would change the petition to disabling them by default, then you have my full support!

Jeremy Ratliff

I use these all day, every day.

James Nylen

I'm in favor of disabling these by default, they are a pretty bad way to do development.

Fredrik Forsmo

I'm also in favor of disabling these by default.

Glenn Dixon

I like disabling them by default. Add a pop-up warning (first-time only) if someone disables it. The warning could explain the dangers and also link to instructions on child themes.

Josh Angehr

Also agree with disabling by default.

Rui Guerreiro

One more to disable them by default. I was going to suggest this myself; besides being a security risk, it is used mostly for support tasks/debug issues.

If someone just forgets a semicolon or causes any other error, you will get the WSOD and leave the customer site down until the moment he can reply with FTP credentials to fix the error caused.

Jeremy Ratliff

@Rui Guerreiro - You won't get a WSOD... All of the editors use CodeMirror now and won't save an update anymore if the code is invalid. The only way you can get the WSOD is to upload a corrupt file to your theme or plugin.

Pieter Bos

As it seems that most people here would like to disable the editors by default and the OP has not responded to this since posting it, I am opening a new petition that suggests disabling them by default.

Daniele Scasciafratte

I agree with Jeremy; also consider that in WordPress they are now working on WSOD detection that disables the plugin, but it was postponed to 5.1: https://core.trac.wordpress.org/attachment/ticket/44458/broken-plugin-site-admin.png
So ClassicPress will also benefit from that.
Also, this editor with CodeMirror and the live check for errors before saving is very helpful for support on a website when you don't have other access.

Dave Jesch

My original thought was to have this feature removed, not disabled. It's more code that has to be maintained and updated. It could be moved into a plugin, however. This way, if someone needs/wants to use it they can install the plugin and edit things. But from a security standpoint, having the code there -- even if it's disabled by default -- means that the code could still create a vulnerability. So at the very least, disable by default. But preferably remove and make this into a plugin.

Edward Brodie

I use the theme editor all the time for child theme CSS changes, but not beyond that.

Greg Schoppe

A feature plugin would be a much better place for the code editor features. There is a lot of code involved, with a lot of hidden security gotchas, but it is all very separate from the core feature set and goal of ClassicPress as a platform. Making it a plugin would actually allow the code editor to improve faster, as well, as it wouldn't have to sync development cycles with Core, and wouldn't have to get all changes approved by the larger team that is mostly focused on other projects.

rotello

I use this function kinda often with new clients, but I think this could be removed and added as a plugin, to install only if needed.

WooFunctions

Yes, disabled / removed. All editing should be done through the host (server).