There are many examples on this blog where we provide code to add to your theme’s functions.php file, or to insert into a child theme. For example, here’s a tutorial from our knowledgebase on how to add custom code to WordPress. However, we perhaps don’t stress often enough how important it is to NOT use the in-built WordPress plugin or theme editor for making these changes. In this article, I’ll explain why this is a terrible idea, and what you should use instead, along with the precautions to take.
In-Built Plugin and Theme Editors – Heed the Warning!
If you go to “Plugins” on the WordPress dashboard and click the “Edit” link, you’ll get a huge warning telling you to be careful, as shown in this screenshot:
The same warning appears when you try and edit themes (parent or child) directly from inside WordPress. This is a very good warning, and I suggest you heed it. I often use the plugin editor to view the code, but never to actually make an edit.
Reversing the Change is Hard if it Crashes
The single biggest reason for avoiding the in-built WordPress editor is that if something goes wrong and your site crashes, you’ll lose access to the admin screen, which is exactly what you need to revert the changes you just made! To restore your site, you’ll have to go through another tool, such as the cPanel file manager or an (S)FTP client.
In fact, I have ignored my own advice quite a few times and made changes to WordPress directly in my laziness and have occasionally paid the price. It’s a terrible practice, and I’ve become much more disciplined now after being burned at some crucial moments. Don’t do it!
Here are two alternatives.
Alternative 1: Use the cPanel File Manager
This is available to everyone. On NameHero, you have access to the cPanel dashboard, and from there you can access the file manager as shown here:
Just navigate to the “wp-content/plugins” folder in your WordPress installation, find the plugin folder that you want to edit, and go to the file you want. Right-click the file, and it’ll open up in an editor that you can use to safely make your changes. If your site crashes, reverting it is easy – just undo whatever edits you made. The backend cPanel file manager is independent of WordPress, so you’ll always have access to it.
Alternative 2: Use (S)FTP
The second option (which I use personally) is an FTP client. I’ve written earlier about my favorite FTP program, WinSCP. Being a desktop program, it’s easier to open and your login credentials are saved automatically. So an FTP program is faster than a web-based client. Plus you can have multiple logins to different services stored at the same time in one place, which is super convenient.
If you’re going to use an FTP program, it’s absolutely critical to enable SFTP instead of plain FTP. The latter sends your passwords across the Internet in plain text, which is a terrible security risk. There are even stories of people using FTP over a public WiFi network and having all their credentials stolen.
So this is a massive security risk if you use ordinary FTP. Honestly, I don’t think the option should even be available. But setting up SFTP requires a few extra steps, like generating a keypair and then configuring your FTP client to locate it.
If you choose WordPress as your publishing platform, you’ll be constantly adding and editing code in your plugins and themes. Make sure that you establish a good workflow for this, one that is both secure and easy to correct in case something goes wrong. The native cPanel file manager and a good FTP program are the normal choices for this. But if you can’t get SFTP to work, stick with the file manager provided by your web host’s dashboard!
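One way to keep an edit "easy to correct" when you work on a copy of the file from a shell (for example, a file downloaded over SFTP), shown as an added example that is not part of the original article. The function names and file names are hypothetical, and the syntax check assumes PHP is installed so that `php -l` is available.

```sh
#!/bin/sh
# Added example: never overwrite a theme/plugin file without a restorable copy.
# LINT_CMD is an assumption: `php -l` is PHP's built-in syntax check; override
# the variable if PHP is not installed where you edit.
LINT_CMD="${LINT_CMD:-php -l}"

# backup_file FILE -> prints the path of a timestamped backup copy
backup_file() {
    src="$1"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    bak="$src.bak.$(date +%Y%m%d%H%M%S).$$"
    cp -p "$src" "$bak" || return 1
    echo "$bak"
}

# apply_edit TARGET CANDIDATE
# Replaces TARGET with CANDIDATE only if CANDIDATE passes the syntax check.
# Prints the backup path on success so the change can be reverted later.
apply_edit() {
    target="$1"; candidate="$2"
    # Refuse obviously broken PHP before touching the live file.
    if ! $LINT_CMD "$candidate" >/dev/null 2>&1; then
        echo "syntax check failed; $target left unchanged" >&2
        return 2
    fi
    bak=$(backup_file "$target") || return 1
    if ! cp "$candidate" "$target"; then
        # Copy failed part-way: put the saved version back.
        cp -p "$bak" "$target"
        echo "copy failed; restored $target from $bak" >&2
        return 3
    fi
    echo "$bak"
}

# revert_edit TARGET BACKUP -> restore the saved copy over the edited file
revert_edit() {
    [ -f "$2" ] || { echo "no such backup: $2" >&2; return 1; }
    cp -p "$2" "$1"
}
```

A syntax check only catches parse errors; a file that parses can still break the site at runtime, which is why the backup path is printed for `revert_edit`.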
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!