By default, WordPress allows site administrators to edit the PHP files of plugins and themes directly from the WordPress admin dashboard. If you use this feature, make sure you have a strong security plugin installed on your site, because this functionality can create a major security issue. For example, if your admin password is compromised by a bot or another attacker, they can easily add malware or suspicious scripts to your site’s themes and plugins by editing their PHP files.
Plugins like Wordfence Security let you keep an eye on PHP file modifications: they automatically notify you if any of your site’s PHP files is edited, and you can even restore that file with a single click.
Following this tutorial, you can turn off (disable) PHP file editing on your WordPress site. All you need to do is open your site’s wp-config.php file (located in your site’s root directory) and add the following line of code:
define( 'DISALLOW_FILE_EDIT', true );
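To confirm the setting is really active, the following added example (not part of the original tutorial) audits the text of a wp-config.php file: it checks that the define is present, not commented out, set to true, and placed before the line that loads wp-settings.php, which is where WordPress's sample config asks for custom values. The function name, status strings and sample config are constructed for illustration.

```python
import re

# define( 'NAME', value ); with either quote style around the name.
DEFINE_RE = re.compile(
    r"""\bdefine\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]*?)\s*\)\s*;""")
# The require/require_once statement that boots WordPress core.
SETTINGS_RE = re.compile(r"require(_once)?\b[^;]*wp-settings\.php")


def strip_comments(php: str) -> str:
    """Drop /* */ blocks and whole-line // or # comments.
    Simplification: trailing comments after code on the same line are kept."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"^[ \t]*(//|#).*$", "", php, flags=re.M)


def audit_wp_config(php: str) -> str:
    """Return 'ok', 'missing', 'disabled' or 'after-settings' (constructed labels)."""
    code = strip_comments(php)
    settings = SETTINGS_RE.search(code)
    for m in DEFINE_RE.finditer(code):
        if m.group("name") != "DISALLOW_FILE_EDIT":
            continue
        # PHP keeps the first definition of a constant, so only that one counts.
        # Conservative: only literal true / 1 is accepted as enabled.
        if m.group("value").strip("'\"").lower() not in ("true", "1"):
            return "disabled"
        if settings and m.start() > settings.start():
            return "after-settings"
        return "ok"
    return "missing"


# Constructed sample configs, not taken from a real site.
SAMPLE_OK = """<?php
define( 'DB_NAME', 'wp' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! */
require_once ABSPATH . 'wp-settings.php';
"""
SAMPLE_COMMENTED = """<?php
// define( 'DISALLOW_FILE_EDIT', true );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for label, text in (("ok sample", SAMPLE_OK), ("commented sample", SAMPLE_COMMENTED)):
        print(label, "->", audit_wp_config(text))
```

A result of `missing` or `disabled` means the built-in theme and plugin editors are still available to any administrator account.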