How to Disalbe WordPress Theme & Plugin Editor
How to Disalbe WordPress Theme & Plugin Editor

Introduction

WordPress theme editor and plugin editor are powerful yet vulnerable sections of the WordPress admin dashboard. When you navigate to Appearance > Theme Editor or Plugins > Plugin Editor, you will be able to edit your WordPress theme’s files or installed plugin’s files. This is convenient for anyone who doesn’t have FTP access or access to the file manager or file editor in their hosting account’s control panel.

To further harden your WordPress site you may consider disabling the WordPress theme editor and WordPress plugin editor. Disabling the theme and plugin editor will hide those section from any user accessing the admin dashboard. This includes your registered users, authors, and editors as well as a hacker or malicious script that gains access to your site’s admin dashboard.

Accessing the theme editor or plugin editor through the dashboard when it’s active will trigger the following message to appear:

WordPress File Editor

If you’re trying to or need to make an edit to a theme or plugin file then you would click the I Understand button to continue.

Improve WordPress Security

Disabling the WordPress theme editor and plugin editor also improves your overall security. It’s not uncommon to see WordPress sites get targeted by hackers and automated scripts continuously throughout the day. Why? Because WordPress is the most widely used content management system (CMS) in the world.

Due to the amount of WordPress sites, it makes it very easy for hackers and automated scripts to identify WordPress sites (through the browser’s source code) and exploit known vulnerabilities. Most commonly, hackers and automated scripts will gain access to your WordPress dashboard and use the built-in theme editor and plugin editor to inject malicious code thus compromising your site.

By disabling the WordPress theme editor and plugin editor in the WordPress admin dashboard, you will prevent anyone who gains access to your admin dashboard from editing important theme or plugin files.

Code Example

The following code needs to be placed inside of your WordPress site’s wp-config.php. This can be accessed through FTP or more easily, through your hosting account’s control panel. The wp-config.php sits in the root directory of your hosting account (most likely inside of your public_html).

Disable WordPress Theme & Plugin Editor

Setting the DISALLOW_FILE_MODS to true will disable the Editor links in the WordPress admin dashboard.

define('DISALLOW_FILE_MODS', true);

Setting the DISALLOW_FILE_MODS to false will enable the Editor links in the WordPress admin dashboard.

Enable WordPress Theme & Plugin Editor

define('DISALLOW_FILE_MODS', false);

wp-config.php Placement

You will need to locate and edit your wp-config.php then save the wp-config.php with the code from above. This will completely disable both the theme editor and plugin editor inside of the WordPress dashboard.

Make sure to scroll down and place the code under the WP_DEBUG line of code in the wp-config.php.

After adding the line of code to your wp-config.php be sure to Save Changes in the file editor. The Theme Editor and Plugin Editor will no longer be accessible through the WordPress admin dashboard.

Sign Up for Our Newsletters

Get notified of the best deals on our WordPress themes.

You May Also Like

How to Install WordPress Manually

Introduction Installing WordPress is a task that anyone without a technical web…

How to Setup SMTP Authentication in WordPress

Many web hosting providers disable the PHP mail() function on servers. It…

How to Limit WordPress Post & Page Revisions

Introduction By default, WordPress stores unlimited post revisions and page revisions in…

How to Redirect HTTP to HTTPS in WordPress – 301 Redirect .htaccess Code Example

Introduction Google and other leading search engines have announced that they will…