WordPress 4.5; built in editors

WordPress 4.5 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version (actually now version 4.5.1) for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

We’ve also modified our automatic installer to disable the built in theme and plugin file editor by default for new installations (existing installations are not affected).

This both improves security (many automated hacks and XSS attacks blindly try to use the editor) and avoids a problem we see happen often:

  • People think that the “Edit” link next to a plugin or theme will edit the settings of it, not the code of it, so they click it;
  • Then they see a weird screen of code and don’t know what to do, and they perhaps type something as an experiment;
  • That doesn’t help, so they click “save” to get out of the weird screen;
  • And WordPress completely stops working due to a PHP syntax error in what they typed.

We think the editor shouldn’t be enabled for most people. It should be enabled only by developers (and very brave developers who make good backups, at that). Developers can easily enable it by editing the wp-config.php file to remove the “DISALLOW_FILE_EDIT” line.

Update 2016-05-26: We have removed the customization that disabled the built-in theme and plugin editors because several customers said it is an integral part of their workflow. All new installations will have the standard theme and plugin editors functionality.