How to Disable WordPress Theme and Plugin Editors from Admin Panel
WordPress comes with built-in editors for themes and plugins, which let users edit the files that make up the theme and the installed plugins directly from the admin panel. Although this seems incredibly convenient, these built-in features can also lead to a plethora of security issues and may turn your website into a fertile ground for malware.
In this article, we’ll show you how to disable the WordPress theme and plugin editors from the admin panel. To make it easier for you to navigate, we’ve broken this down into different methods you can try:
Why You Should Disable WordPress Theme and Plugin Editors
You will find the theme editor by navigating to Appearance > Theme editor on the admin panel:
By default, your editor will display files from the currently active theme. The first file you’ll see in the editor is the style.css. The other available files are located in the Theme Files list in the right sidebar.
You can access the plugin editor by navigating to Plugins > Plugin editor in the admin panel. It will display one of the installed plugins, the first in alphabetical order.
If this is the first time you’re accessing the theme and plugin editor, you will get this notification from WordPress, warning you that these editors can be harmful to your website.
In the latest versions of WordPress, the theme and plugin editors have been improved somewhat to prevent edits that lead to errors and crashes. For example, if you insert a faulty line of code, the editor will report the mistake before allowing you to save the changes.
As you can see, you still have the option to save the changes to the file regardless of the warning.
The issue with these built-in editors is that they allow every piece of code on your website to be edited from the browser. This turns them into possible vehicles for cyberattacks.
If a hacker gains access to your WordPress admin panel, these editors will enable them to modify theme and plugin files and inject malicious code into them.
A common way in is a brute-force attack against the site’s login. As soon as the attacker cracks the password of the administrator account, they open the theme or plugin editor and modify the files. But the breach doesn’t always come from the outside. If a client or an employee has full access to the admin panel, they can accidentally insert malicious code or crash the website.
This is why it is strongly recommended to disable WordPress editors for themes and plugins.
How to Disable the Theme and Plugin Editors
The easiest way to turn off both editors is to add one line of code to the wp-config.php file. Now we’ll show you how to do this using an FTP client, cPanel, and other methods.
For this method, you’ll need an FTP client such as FileZilla, which is practical and simple to use even for less experienced users.
In this article, you’ll find a detailed guide on how to access the wp-config.php file using FTP. Before you start editing the wp-config file, keep in mind that even a small mistake can cause errors on your website. To avoid these problems, create a backup of your website, as well as a copy of the wp-config.php file.
Now, open the file from your server in a text editor and insert the following line of code before the line that reads ‘That’s all, stop editing! Happy publishing’:
define( 'DISALLOW_FILE_EDIT', true );
Save the edited file and upload it to the server, replacing the original wp-config.php.
When you go back to the WordPress admin panel, you’ll see that access to these editors is no longer possible.
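The FTP and cPanel steps both come down to the same file edit, so here it is as a script. This is an added example, not code from the original article: it takes the backup the article recommends, refuses to touch a constant that is already defined with a different value, inserts the define() line before the ‘That’s all, stop editing!’ marker (falling back to the wp-settings.php require line, then to appending, if a customised file lacks the marker) and keeps the file’s owner and permissions. The function names wp_config_define and make_sample_config and the sample wp-config.php it writes are constructed for this example; the same function can set the DISALLOW_FILE_MODS constant discussed later in the article.

```shell
#!/bin/sh
# Added example (not from the original article): set a define() in wp-config.php
# the way the article describes, with a backup and without duplicating the line.
set -eu

# make_sample_config DIR
# Writes a constructed, minimal wp-config.php (not a real site's file) to DIR,
# so the example can be run anywhere without touching a live install.
make_sample_config() {
    cat > "$1/wp-config.php" <<'EOF'
<?php
/* Constructed sample wp-config.php for demonstration only. */
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'example-password-placeholder' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# wp_config_define FILE CONSTANT VALUE
# Exit status: 0 when the constant is now (or already was) set to VALUE,
#              2 when it is already defined with a different value (file untouched),
#              1 when FILE does not exist.
wp_config_define() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Look for an existing, uncommented define() of this constant, with either
    # quote style and any spacing. Commented-out lines are deliberately ignored.
    existing=$(grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$name['\"]" "$file" || true)
    if [ -n "$existing" ]; then
        if printf '%s\n' "$existing" | grep -Eq "['\"][[:space:]]*,[[:space:]]*$value[[:space:]]*\)"; then
            echo "$name is already set to $value; nothing to do"
            return 0
        fi
        echo "$name is already defined with another value; not changing it:" >&2
        echo "  $existing" >&2
        return 2
    fi

    # Take the backup the article recommends before touching the file.
    backup="$file.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$file" "$backup"

    line="define( '$name', $value );"
    tmp="$file.tmp.$$"
    # Insert before the "stop editing" marker; if a customised file lacks it,
    # fall back to inserting before the wp-settings.php require, else append.
    awk -v line="$line" '
        !done && /That.*s all, stop editing/ { print line; done = 1 }
        !done && /wp-settings\.php/          { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp"
    # Copying over the original (rather than mv) keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "added \"$line\" to $file (backup: $backup)"
}

# Demonstration on a constructed copy; prints what it did and cleans up.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir"
wp_config_define "$demo_dir/wp-config.php" DISALLOW_FILE_EDIT true
rm -rf "$demo_dir"
```

On a real site you would point the function at the downloaded copy of wp-config.php (for example `wp_config_define ./wp-config.php DISALLOW_FILE_EDIT true`) and then upload the result as described above; running it a second time is harmless, and a conflicting existing definition is reported rather than silently overwritten.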
For some users, it’s easier to edit the wp-config.php file using cPanel. The process is similar to the FTP method. First, log into cPanel, which is usually reached at an address such as http://mydomain.com/cpanel. After you log in, click on File Manager.
In the tab that opens, you’ll see the directory structure of your server. If you have more than one domain, select the folder named after your domain. This folder contains the files of your WordPress installation, including wp-config.php. Right-click on the file and select Edit.
In the file editor, add the following line of code and click on the Save button:
define( 'DISALLOW_FILE_EDIT', true );
Now you’ve disabled the theme and plugin editors in the WordPress admin panel. If something went wrong along the way, you can always restore the copy of the file from your backup.
If you don’t want to edit your wp-config.php file, it is also possible to add the same line of code to the functions.php file. Reaching functions.php over FTP is similar to finding wp-config.php: navigate to your active theme’s folder, right-click on functions.php and select View/Edit:
When you open the file in the text editor, insert the following line of code at the end of the functions.php file.
define( 'DISALLOW_FILE_EDIT', true );
If you want to avoid modifying files and coding, you can disable the theme and plugin editors with third-party plugins. One kind lets you add the required line of code without editing files yourself, while the other kind simply disables the editors.
If you want to use a plugin to insert code, we’ll show you how to do it using the Code Snippets plugin, which will add the following line of code.
define( 'DISALLOW_FILE_EDIT', true );
To disable the editors automatically, we recommend you install the Disable File Editor plugin. All you need to do is install and activate the tool. It does not have customizable settings, so when you activate it, it will automatically disable the theme and plugin editors.
Most WordPress users turn to the theme and plugin editors to look through the code in files, add custom CSS, or edit code in a child theme, so here are the alternatives once the editors are disabled. For custom CSS, simply navigate to Appearance > Customize > Additional CSS:
For editing the theme and plugin files themselves, use FTP software instead.
Since our main goal here is preventing security issues with your website, here’s another way to keep attackers from exploiting your site. You can also disable adding new themes and installing or deleting plugins from the admin panel. If you add the following line to your wp-config.php file, you’ll notice that these options are no longer available.
define( 'DISALLOW_FILE_MODS', true );
You will still be able to activate or deactivate currently installed plugins.
However, be careful when inserting this line, since some plugins need to modify files in order to work properly. For example, the Loco Translate plugin creates and changes translation files with the .mo and .po extensions. The same goes for plugins that let you create or configure a child theme.
You’ll know that this line is causing problems for a plugin if you see a notification like the following after activating the plugin.
In that case, you’ll have to allow file modifications again by removing the line, and use one of the methods described earlier instead.
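Because both constants above are plain define() lines that are easy to get subtly wrong, here is a small audit script to check what a given wp-config.php will actually enforce. It is an added example, not from the article: it reads the two constants the way PHP evaluates them (uncommented define() lines only, the first definition wins since PHP keeps the first value and only warns about later redefinitions, and PHP truthiness applies, so a quoted 'false' is a non-empty string and still switches the restriction on) and reports whether the editors and the install/delete functions are off. It also reflects that DISALLOW_FILE_MODS by itself removes the theme and plugin editors as well as the install and delete options. The function names sample_config, wp_constant_value and wp_hardening_status and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): report what a wp-config.php
# actually enforces, reading its define() lines the way PHP will see them.
set -u

# sample_config FILE [define-lines...]
# Writes a constructed, minimal wp-config.php (not a real site's file).
sample_config() {
    f=$1; shift
    printf '%s\n' '<?php' '/* constructed sample wp-config.php for demonstration only */' "$@" \
        "/* That's all, stop editing! Happy publishing. */" > "$f"
}

# wp_constant_value FILE NAME -> prints true, false or unset
# Only uncommented define() lines count, either quote style and any spacing are
# accepted, and the FIRST definition wins because PHP keeps the first value and
# only warns about later redefinitions. Truthiness follows PHP: a quoted
# 'false' is a non-empty string and therefore still enables the restriction.
wp_constant_value() {
    file=$1; name=$2
    raw=$(grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$name['\"][[:space:]]*," "$file" 2>/dev/null | head -n 1)
    if [ -z "$raw" ]; then
        echo unset
        return 0
    fi
    # Pull out the second define() argument up to the closing parenthesis.
    val=$(printf '%s\n' "$raw" | sed -E "s/.*['\"]$name['\"][[:space:]]*,[[:space:]]*([^) ;]+).*/\1/")
    case "$val" in
        false|FALSE|False|0|null|NULL|"''"|"'0'"|'""'|'"0"') echo false ;;
        *) echo true ;;
    esac
}

# wp_hardening_status FILE -> prints "editors=<on|off> installs=<on|off>"
# DISALLOW_FILE_MODS on its own also removes the theme and plugin editors
# (WordPress denies the edit_themes/edit_plugins capabilities whenever file
# modifications are disallowed), so editors are off when either constant is truthy.
wp_hardening_status() {
    file=$1
    edit=$(wp_constant_value "$file" DISALLOW_FILE_EDIT)
    mods=$(wp_constant_value "$file" DISALLOW_FILE_MODS)
    editors=on; installs=on
    if [ "$mods" = true ]; then
        installs=off
        editors=off
    fi
    if [ "$edit" = true ]; then
        editors=off
    fi
    echo "editors=$editors installs=$installs"
}

# Demonstration on constructed files covering the common spellings and mistakes.
demo=$(mktemp -d)
sample_config "$demo/edit.php"      "define( 'DISALLOW_FILE_EDIT', true );"
sample_config "$demo/mods.php"      "define('DISALLOW_FILE_MODS',true);"
sample_config "$demo/commented.php" "// define( 'DISALLOW_FILE_EDIT', true );"
sample_config "$demo/quoted.php"    "define( 'DISALLOW_FILE_EDIT', 'false' );"
for f in edit mods commented quoted; do
    echo "$f: $(wp_hardening_status "$demo/$f.php")"
done
rm -rf "$demo"
```

Run it against a downloaded copy of your own wp-config.php with `wp_hardening_status ./wp-config.php`; a result of `editors=on` after you believed the line was added usually means the define() ended up commented out, misspelled, or given a falsy value.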
Final Thoughts
Although the admin panel’s built-in editors are the simplest way to edit theme and plugin files, the ever-growing focus on site security leads us to suggest considering one of these options and disabling the editors. This way, you keep full control over how theme and plugin files are edited and improve your site’s protection.