Introduction
The WordPress theme editor and plugin editor are powerful yet risky sections of the WordPress admin dashboard. When you navigate to Appearance > Theme Editor or Plugins > Plugin Editor, you can edit your WordPress theme’s files or an installed plugin’s files directly. This is convenient for anyone who doesn’t have FTP access, or access to the file manager or file editor in their hosting account’s control panel.
To further harden your WordPress site, you may consider disabling the WordPress theme editor and plugin editor. Disabling them hides those sections from every user who reaches the admin dashboard. This includes your registered users, authors, and editors, as well as any hacker or malicious script that gains access to your site’s admin dashboard.
Accessing the theme editor or plugin editor through the dashboard when it’s active will trigger the following message to appear:
If you need to edit a theme or plugin file, click the I Understand button to continue.
Improve WordPress Security
Disabling the WordPress theme editor and plugin editor also improves your overall security. It’s not uncommon to see WordPress sites targeted by hackers and automated scripts continuously throughout the day. Why? Because WordPress is the most widely used content management system (CMS) in the world.
Because there are so many WordPress sites, it is very easy for hackers and automated scripts to identify them (through the page source visible in the browser) and exploit known vulnerabilities. Most commonly, once hackers or automated scripts gain access to your WordPress dashboard, they use the built-in theme editor and plugin editor to inject malicious code, compromising your site.
By disabling the WordPress theme editor and plugin editor in the admin dashboard, you prevent anyone who gains access to the dashboard from editing important theme or plugin files.
Code Example
The following line needs to be placed inside your WordPress site’s wp-config.php. You can reach this file through FTP or, more easily, through the file manager in your hosting account’s control panel. The wp-config.php sits in the root directory of your WordPress install (most likely inside public_html).
Disable WordPress Theme & Plugin Editor
Setting DISALLOW_FILE_MODS to true disables the Editor links in the WordPress admin dashboard.
define('DISALLOW_FILE_MODS', true);
Enable WordPress Theme & Plugin Editor
Setting DISALLOW_FILE_MODS to false (or leaving it undefined) leaves the Editor links enabled in the WordPress admin dashboard.
define('DISALLOW_FILE_MODS', false);
wp-config.php Placement
Locate your wp-config.php, add the line from above, and save the file. This completely disables both the theme editor and the plugin editor inside the WordPress dashboard.
Scroll down and place the line directly under the WP_DEBUG line in wp-config.php.
After adding the line to your wp-config.php, be sure to click Save Changes in the file editor. The Theme Editor and Plugin Editor will no longer be accessible through the WordPress admin dashboard.
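As an added example (not code from the original post), here is a small POSIX shell audit that reads a wp-config.php and reports whether the dashboard editors are turned off, so you can verify the change on one or many sites. It also recognises DISALLOW_FILE_EDIT, the narrower WordPress constant that removes only the editors, because DISALLOW_FILE_MODS additionally blocks plugin and theme installs and updates from the dashboard. The function names and the sample configs it builds when run without arguments are constructed for this example.

```shell
#!/bin/sh
# Audit helper (added example): report whether a wp-config.php turns off
# dashboard file changes. DISALLOW_FILE_MODS blocks the theme/plugin editors
# AND dashboard installs/updates; DISALLOW_FILE_EDIT blocks only the editors.

# Print the value a live (not commented-out) define('NAME', value) sets,
# lower-cased; print nothing when the constant is not set to a bare word.
# Limitation: a define inside a multi-line /* ... */ comment is not detected.
wp_define_value() {
    config="$1"; name="$2"
    grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$name['\"]" "$config" \
        | sed -nE "s/.*['\"]$name['\"][[:space:]]*,[[:space:]]*([A-Za-z]+).*/\1/p" \
        | tr '[:upper:]' '[:lower:]' | tail -n 1
}

# Print one of: mods-disabled, edit-disabled, editor-enabled, unreadable.
# Exit 0 when the editors are off, 1 when they are reachable, 2 on bad input.
wp_file_mods_status() {
    config="$1"
    if [ ! -r "$config" ]; then echo "unreadable"; return 2; fi
    mods=$(wp_define_value "$config" DISALLOW_FILE_MODS)
    edit=$(wp_define_value "$config" DISALLOW_FILE_EDIT)
    if [ "$mods" = "true" ]; then
        echo "mods-disabled"; return 0
    elif [ "$edit" = "true" ]; then
        echo "edit-disabled"; return 0
    fi
    echo "editor-enabled"; return 1
}

# With paths on the command line, audit each file; otherwise run against two
# constructed sample configs so the script demonstrates itself.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do printf '%s: ' "$f"; wp_file_mods_status "$f" || :; done
else
    demo=$(mktemp -d)
    # default.php: the define is commented out, so the editors stay reachable
    printf '%s\n' '<?php' "// define('DISALLOW_FILE_MODS', true);" \
        "define( 'WP_DEBUG', false );" > "$demo/default.php"
    # hardened.php: the line placed under WP_DEBUG as the post describes
    printf '%s\n' '<?php' "define( 'WP_DEBUG', false );" \
        "define('DISALLOW_FILE_MODS', TRUE);" > "$demo/hardened.php"
    for f in "$demo/default.php" "$demo/hardened.php"; do
        printf '%s: ' "$f"; wp_file_mods_status "$f" || :
    done
    rm -rf "$demo"
fi
```

Run it as `sh wp-editor-audit.sh /path/to/site/wp-config.php` to check a real install; a commented-out define is correctly reported as editor-enabled.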