It’s not too difficult to make a strong case for disabling access to the theme and plugin editors that are easily accessible from within the WordPress admin dashboard.
While having access to the editors can be incredibly convenient at times, they also pose some significant security risks. Not to mention what might happen if someone inadvertently makes changes to a file.
Why You Should Disable The Editors
If you’re not 100% familiar with the WordPress dashboard, you’ll find the editors in two specific locations. The theme editor is located under Appearance >> Editor, and the plugin editor is located under Plugins >> Editor. Between them, the two editors provide unrestricted write access to your theme and plugin files.
If a hacker gains access to your WordPress blog dashboard, they could easily edit the files as they see fit, potentially executing malicious code. The result can be an expensive and time-consuming problem to fix.
Alternatively, if you’re building a website for a client who has access to the admin dashboard, although the actions might not be malicious, they can still cause untold damage. You should always have a strong control over the WordPress login page as it is the most vulnerable part of a WordPress powered website.
The person who has the knowledge and is authorized to edit these files should be doing so via SFTP.
How to Disable Theme and Plugin Editors from the WordPress Admin Panel
The easiest way to disable both editors is by adding a single line of code to your wp-config file. We’re going to cover two ways of getting the job done – using SFTP and through your cPanel.
Modifying Your wp-config.php With SFTP
To do this properly (using SFTP), you’ll first need to open your preferred SFTP client. FileZilla is a great option if you don’t have one already.
Once you’re logged in, follow these steps:
1. Find your wp-config.php file in the root WordPress directory and download the file to your desktop.
2. Create a backup copy.
3. Open the file using your preferred text editor.
4. Navigate to the bottom of the file and paste in the lines of code displayed below.
/** Disable File Editor */
define( 'DISALLOW_FILE_EDIT', true );
Here’s how it will look:
5. Save the file and then upload it to your server, replacing the original wp-config.php file.
If everything has worked properly, you’ll no longer be able to access the file editor from either the Appearance or Plugins menus.
Modifying Your wp-config.php With cPanel
Updating your wp-config file using cPanel is similar, but some users might find it a little easier. The first step is to log in to your cPanel (usually found at http://mydomain.com/cpanel). Once you’ve logged in, follow these steps:
1. Navigate to and click on your File Manager.
2. A directory selection window will pop-up. Select Web Root and click “Go”.
3. When your directory loads, find your wp-config.php file and select it (see the image below).
4. Click download and save a copy to your desktop (this will serve as your backup file).
5. With the file still highlighted, click edit (at the top of the screen) and then click edit in the popup window to confirm.
6. Scroll to the bottom of the file, add a single blank line and then paste in the code from above.
7. Click “Save”.
Now, if you go back into your WordPress admin panel, you should find both editors disabled. In case you have a problem or make a mistake while editing your files, you can always upload your backup file and start from scratch.
Take Your Security One Step Further
We always suggest that our users keep a backup of their WordPress website.
While this works well for preventing edits through the dashboard editors, you might also decide that you want to prevent someone from either uploading a new theme, or installing/deleting plugins. If you also paste the code below into your wp-config.php, you will notice that the ability to “Add New” WordPress themes disappears, as does the option to add a new plugin or delete an existing one. You will still be able to enable/disable plugins as required.
/** Disable File Modifications */
define( 'DISALLOW_FILE_MODS', true );
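As an added example (not code from the article), the POSIX shell helper below audits a wp-config.php for the two constants discussed above and inserts a missing one, taking a backup copy first as the article advises. The function and file names are hypothetical; it inserts the define above WordPress’s “That’s all, stop editing!” marker rather than at the very end of the file, so that code loaded by wp-settings.php also sees the constant, and appends only when the marker is absent.

```shell
# Hypothetical helpers for auditing and hardening wp-config.php.
# Only the constant names are WordPress's; everything else is this example's.

# Print "set" when the file contains define( 'NAME', true ), else "unset".
wp_constant_status() {
  if grep -Eq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true" "$1"; then
    echo set
  else
    echo unset
  fi
}

# Add define( 'NAME', true ); to wp-config.php unless NAME is already defined.
# The define is placed above the "That's all, stop editing!" marker so that
# wp-settings.php (required right after it) already sees the constant.
wp_define_constant() {
  file="$1"; name="$2"
  [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
  if grep -Eq "define\([[:space:]]*['\"]$name['\"]" "$file"; then
    echo "$name is already defined in $file; leaving it unchanged" >&2
    return 2
  fi
  cp "$file" "$file.bak" || return 1          # backup copy before editing
  awk -v line="define( '$name', true );" '
    /That.s all, stop editing/ && !done { print line; print ""; done = 1 }
    { print }
    END { if (!done) print line }             # no marker: append at the end
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Report both hardening constants for one installation.
wp_audit_editors() {
  for c in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
    echo "$c: $(wp_constant_status "$1" "$c")"
  done
}
```

Run `wp_audit_editors /path/to/wp-config.php` to see which constants are in place, and `wp_define_constant /path/to/wp-config.php DISALLOW_FILE_EDIT` to add one.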
Making either one of the above changes will reduce the risk of damage to your site in the event that a hacker gains access to your WordPress dashboard. Remember, it’s always a good idea to make a backup copy of any original file before you start making changes.
Also, we always advise our users use Premium WordPress themes as they are efficiently coded with extended security features.
Your wp-config file is typically considered the most important file in your WordPress installation. Any errors or accidental deletions could prevent you from accessing your site altogether, because it holds the database settings that connect WordPress to its database.