How to Disable WordPress Theme and Plugin Editors from Admin Panel

WordPress comes with built-in editors for themes and plugins, which allow users to edit the files that make up themes and plugins directly from the admin panel. Although this seems incredibly convenient, these built-in features can also lead to a plethora of security issues that may turn your website into a fertile ground for malware.

In this article, we’ll show you how to disable the WordPress theme and plugin editors from the admin panel. To make it easier for you to navigate, we’ve broken this down into different methods you can try.

Why You Should Disable WordPress Theme and Plugin Editors

You will find the theme editor by navigating to Appearance > Theme editor in the admin panel.

By default, your editor will display files from the currently active theme. The first file you’ll see in the editor is the style.css. The other available files are located in the Theme Files list in the right sidebar.

You can access the plugin editor by navigating to Plugins > Plugin editor in the admin panel. It will display one of the installed plugins, the first in alphabetical order.

If this is the first time you’re accessing the theme and plugin editor, you will get a notification from WordPress warning you that these editors can be harmful to your website.

In the latest versions of WordPress, theme and plugin editors have been somewhat upgraded to prevent edits that may lead to errors and crashes. For example, if you insert a wrong line of code, the editor will report the mistake before allowing you to save changes.

You also have the option to save the changes to the file regardless of the warning.

The issue with these built-in editors is that they enable access to every type of code on your website. This turns them into possible vehicles for cyberattacks.

If a hacker gains access to your WordPress admin panel, these editors will enable them to modify vulnerable files and inject them with malicious code.

They do this by running brute-force attacks against a WordPress site. As soon as they crack the password of the administrator account, they access the theme and plugin editor to modify the files. But the breach doesn’t always come from the outside. If you have a client or an employee who has full access to the admin panel, they can accidentally insert malicious code or cause a website crash.

This is why it is strongly recommended to disable WordPress editors for themes and plugins.

How to Disable the Theme and Plugin Editors

The easiest way to turn off both editors is to add one line of code to the wp-config.php file. Now we’ll show you how to do this using an FTP client, cPanel, and other methods.

Using FTP Client

For this method, you’ll need an FTP client such as FileZilla. FileZilla is incredibly practical and simple to use even for less experienced users.

In this article, you’ll find a detailed guide on how to access the wp-config.php file using FTP. Before you start editing the wp-config file, keep in mind that even a small mistake can cause errors on your website. To avoid these problems, create a backup of your website, as well as a copy of the wp-config.php file.

Now, open the file from your server in the text editor and insert the following line of code before the line: ‘That’s all, stop editing! Happy publishing’:

define( 'DISALLOW_FILE_EDIT', true );

Then save the file and replace the wp-config.php file on the server with the edited copy.

When you go back to the WordPress admin panel, you’ll see that access to these editors is no longer possible.
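
The wp-config.php edit described above, scripted for a host with shell access, as an added example that is not part of the original article. The function name wp_set_true, its three arguments and the backup file name are assumptions made for this example; it inserts the line above the stop-editing marker, does nothing if the constant is already set, and keeps the backup copy outside the web root.

```bash
#!/usr/bin/env bash
# Added example, not from the article: set a wp-config.php constant to true
# once, above the stop-editing marker, with a backup outside the web root.
# usage: wp_set_true <wp-config.php> <CONSTANT> <backup-dir>   (hypothetical names)
wp_set_true() {
  local cfg="$1" name="$2" bakdir="$3" active def bak
  local marker="That's all, stop editing"
  { [ -f "$cfg" ] && [ -d "$bakdir" ]; } || { echo "bad arguments" >&2; return 2; }

  # Look only at active lines; skip ones commented out with // or #.
  active="$(grep -Ev '^[[:space:]]*(//|#)' "$cfg" || true)"
  def="define\([[:space:]]*['\"]${name}['\"][[:space:]]*,"
  if printf '%s\n' "$active" | grep -Eq "$def"; then
    # define() cannot redefine a constant: a second line would only raise
    # a PHP notice or warning while the first value stays in force.
    if printf '%s\n' "$active" | grep -Eq "${def}[[:space:]]*true[[:space:]]*\)"; then
      echo "$name is already true"; return 0
    fi
    echo "$name is defined with another value; fix that line by hand" >&2
    return 3
  fi

  # WordPress expects custom constants above the marker, before
  # wp-settings.php is loaded; refuse to guess a position if it is missing.
  grep -qF "$marker" "$cfg" || { echo "marker not found" >&2; return 4; }

  # wp-config.php holds database credentials; a .bak copy left inside the
  # web root can be served as plain text, so the backup goes to $bakdir.
  bak="$bakdir/wp-config.php.before-$name"
  cp -p "$cfg" "$bak" || return 5
  awk -v m="$marker" -v line="define( '$name', true );" '
    !done && index($0, m) { print line; done = 1 }
    { print }
  ' "$bak" > "$cfg" || { cp -p "$bak" "$cfg"; return 6; }
  echo "$name added"
}

if [ "$#" -eq 3 ]; then wp_set_true "$1" "$2" "$3"; fi
```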

Using cPanel

For some users, it’s easier to edit the wp-config.php file using cPanel. The process is similar to the FTP method. First, you need to log into your cPanel, which is usually accessed via address After you log in, click on the option File Manager.

In the following tab, you’ll see the structure of the directories on your server. In case you have more than one domain, you need to mark the folder with the name of your domain. This folder contains the files from your WordPress installation, including the wp-config.php file. Right-click on the file and select Edit.

In the file editor, add the following line of code and click on the Save button:

define( 'DISALLOW_FILE_EDIT', true );

Now you’ve disabled the theme and plugin editors in the WordPress admin panel. In case there has been a mistake in the process, you can always import the file copy from your backup.

Using the functions.php File

If you don’t want to edit your wp-config.php file, it is also possible to add the same line of code to the functions.php file. Accessing the functions.php file using FTP is similar to finding the wp-config.php file. Just navigate to the theme folder, right-click on the functions.php file and select the option View/Edit.

When you open the file in the text editor, insert the following line of code at the end of the functions.php file.

define( 'DISALLOW_FILE_EDIT', true );

Using Third-Party Plugins

If you want to avoid modifying files and coding, you have the option to disable the theme and plugin editors using third-party plugins. One type of plugin lets you add the required lines of code automatically, while the other type simply disables the editors.

If you want to use a plugin to insert code, we’ll show you how to do it using a Code Snippet plugin that will add the following line of code.

define( 'DISALLOW_FILE_EDIT', true );

To disable the editors automatically, we recommend you install the Disable File Editor plugin. All you need to do is install and activate the tool. It does not have customizable settings, so when you activate it, it will automatically disable the theme and plugin editors.

Most WordPress users use the theme and plugin editors to search for code in files, add custom CSS and edit code in the child theme, so here’s an alternative way to do it once you disable the editors. Simply navigate to the Appearance > Customize > Additional CSS field.

For editing theme and plugin files, you can use FTP software.

Bonus Tip for Extra Security

Since our main goal here is preventing security issues with your website, here’s another way to prevent hackers from exploiting your site’s vulnerabilities. You can disable the option for adding a new theme or installing/deleting plugins. If you add this line of code to your wp-config.php file, you’ll notice that this option will no longer be available.

You will still be able to activate or deactivate currently installed plugins.

However, be careful when you’re inserting this line of code, since some plugins require file modifications to function properly. For example, the Loco Translate plugin creates and changes files with the .mo and .po extensions. The same goes for plugins that allow you to configure a child theme.

You’ll know that this code is creating issues with your plugins if you see the following notification after activating the plugin.

In that case, you’ll have to allow file modification and use one of the previous steps we described.

Final Thoughts

Although the WordPress admin panel is the simplest way to access theme and plugin editors, due to the ever-growing focus on site security, our suggestion is to consider some of these options and disable the editors. This way, you’ll fully control the theme and plugin editing process and improve your site’s protection.
