Did you know that WordPress comes with a built-in theme and plugin editor? This plain code editor allows you to edit your theme and plugin files directly from the WordPress dashboard.
Now, this may sound really helpful, but it can also lead to issues such as breaking your site and potential security issues when combined with other vulnerabilities.
In this article, we will explain why and how to disable theme and plugin editors from the WordPress admin area.
Why Disable Theme and Plugin Editors in WordPress?
WordPress comes with a built-in code editor which allows you to edit WordPress theme and plugin files directly from the admin area.
The theme editor is located at Appearance » Theme Editor page. By default, it will show your currently active theme’s files.
Similarly, the plugin editor can be found on the Plugins » Plugin Editor page. By default, it will show the installed plugin that comes first in alphabetical order.
If you visit the theme or plugin editor page for the first time, WordPress will warn you that using the editor can break your website.
In WordPress 4.9, the theme and plugin editors were upgraded to protect users from accidentally breaking their website. In most cases, the editor will catch a fatal error and revert the changes.
However, this is not guaranteed. Some faulty code may still slip through, and you could end up losing access to the WordPress admin area.
The biggest problem with the built-in file editor is that it gives full access to add any kind of code to your website.
If an attacker breaks into your WordPress admin area, they can use the built-in editor to add their own code to your site and gain access to all of your WordPress data.
Attackers can also use it to distribute malware or launch DDoS attacks from your WordPress website.
To improve WordPress security, we recommend removing the built-in file editors completely.
That being said, let’s see how to easily disable theme and plugin editors in WordPress.
How to Disable Theme and Plugin Editors in WordPress
Disabling theme and plugin editors in WordPress is quite easy.
Simply edit your wp-config.php file and paste the following code just before the line that says ‘That’s all, stop editing! Happy publishing’:
define( 'DISALLOW_FILE_EDIT', true );
You can now save your changes and upload the file back to your website.
That’s all. The plugin and theme editors will now disappear from the Themes and Plugins menus in the WordPress admin area.
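As an added example that is not part of the original article, the following POSIX shell helper audits a wp-config.php file for the setting above and checks that it sits before the ‘That’s all, stop editing!’ line, which is where the article tells you to place it. The sample config files it creates are constructed for the demonstration only.

```shell
#!/bin/sh
# Added audit helper (not from the article): returns 0 only when wp-config.php
# contains an uncommented define( 'DISALLOW_FILE_EDIT', true ) placed above the
# "That's all, stop editing!" marker line.

file_edit_disabled() {
    config="$1"
    [ -r "$config" ] || { echo "cannot read $config"; return 2; }
    awk '
        # remember the marker line; a define below it is misplaced
        /That.s all, stop editing/ && !marker { marker = NR }
        # an uncommented define() of DISALLOW_FILE_EDIT set to true, any quoting or spacing
        !/^[ \t]*(\/\/|#|\*)/ &&
        /define[ \t]*\([ \t]*['\''"]DISALLOW_FILE_EDIT['\''"][ \t]*,[ \t]*[Tt][Rr][Uu][Ee][ \t]*\)/ &&
        !found { found = NR }
        END {
            if (!found) { print "DISALLOW_FILE_EDIT is not set to true: file editors are enabled"; exit 1 }
            if (marker && found > marker) { print "DISALLOW_FILE_EDIT is below the stop-editing line: move it above"; exit 1 }
            print "DISALLOW_FILE_EDIT is set: theme and plugin editors are disabled"
        }
    ' "$config"
}

# Constructed sample configs for the demo; real wp-config.php files contain more.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hardened.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
cat > "$demo_dir/misplaced.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
define( 'DISALLOW_FILE_EDIT', true );
EOF
for f in hardened misplaced; do
    printf '%s: ' "$f"
    file_edit_disabled "$demo_dir/$f.php" || :
done
rm -r "$demo_dir"
```

Point the function at a real wp-config.php path to audit a live site after making the change.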
If you don’t want to edit the files directly, then you can install the Sucuri WordPress plugin, which offers a 1-click hardening feature.
Proper Way to Edit WordPress Theme and Plugin Files
Many users actually use the WordPress theme and plugin editors to look up code, add custom CSS, or edit code in their child themes.
If you only want to add custom CSS to your theme, then you can do so by using the theme customizer located under Appearance » Customize.
For more details, see our guide on how to add custom CSS in WordPress without breaking your site.
If you want to look up the code in a plugin, then you can do so by using an FTP client.
For better file management and syntax highlighting, you can use one of these code editors for editing WordPress files on your computer.
Last but not least, you can also create a custom WordPress theme without writing any code.
We hope this article helped you learn how to easily disable theme and plugin editors from WordPress admin panel. You may also want to see our ultimate guide to improving WordPress performance and speed.