Did you know that WordPress comes with a built-in theme and plugin editor? This plain code editor allows you to edit your theme and plugin files directly from the WordPress dashboard.
Now, this may sound really helpful, but it can also break your site and, when combined with other vulnerabilities, create security problems.
In this article, we will explain why and how to disable theme and plugin editors from the WordPress admin area.
Why Disable Theme and Plugin Editors in WordPress?
WordPress comes with a built-in code editor which allows you to edit WordPress theme and plugin files directly from the admin area.
The theme editor is located on the Appearance » Theme File Editor page. By default, it will show your currently active theme’s files.
Similarly, the plugin editor can be found on the Plugins » Plugin File Editor page. By default, it will show the installed plugin that comes first in alphabetical order.
If you visit the theme or plugin editor page for the first time, WordPress will warn you that using the editor can break your website.
In WordPress 4.9, theme and plugin editors were upgraded to protect users from accidentally breaking their website. In most cases, the editor will catch a fatal error and revert the changes.
However, this is not guaranteed. Some code may still slip through, and you could end up losing access to the WordPress admin area.
The biggest problem with the built-in file editor is that it gives full access to add any kind of code to your website.
If a hacker breaks into your WordPress admin area, they can use the built-in editor to gain access to all your WordPress data.
Hackers can also use it to distribute malware or launch DDoS attacks from your WordPress website.
To improve WordPress security, we recommend removing the built-in file editors completely.
That being said, let’s see how to easily disable theme and plugin editors in WordPress.
How to Disable Theme and Plugin Editors in WordPress
Disabling theme and plugin editors in WordPress is quite easy, but it requires adding code to WordPress. If you haven’t done that before, see our guide on pasting snippets from the web into WordPress.
define( 'DISALLOW_FILE_EDIT', true );
We recommend using the WPCode plugin because it’s free, easy to use, and won’t break your website if anything goes wrong.
Note: There’s also a premium version of WPCode that comes with advanced features like code revisions, automatic conversion pixels, scheduled snippets, and more.
Once the plugin is activated, go to Code Snippets » Add Snippet from your WordPress dashboard. Then, hover your mouse over the ‘Add Your Custom Code (New Snippet)’ option and click the ‘Use snippet’ button.
Next, add a title for your snippet and paste the code from above into the ‘Code Preview’ box. You also need to select ‘PHP Snippet’ as the code type from the dropdown menu on the right.
After that, simply toggle the switch from ‘Inactive’ to ‘Active’ and click on the ‘Save Snippet’ button.
That’s all. The plugin and theme editors will now disappear from the themes and plugins menus in the WordPress admin area.
As an alternative, you can also edit your wp-config.php file and paste the code from above just before the line that says ‘That’s all, stop editing! Happy publishing’.
Then, save your changes and upload the file back to your website.
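To confirm the wp-config.php edit is in place, the following added example (not part of the original article or of WordPress itself) reads a local copy of the file and reports whether an active define of DISALLOW_FILE_EDIT set to true sits before the ‘stop editing’ line. The function names and status strings are this example's own, and it only recognises the literal value true.

```python
import re
import sys

# Matches PHP strings and comments in source order, so comment markers that
# sit inside a string (a URL, a salt) are never mistaken for comments.
_TOKEN = re.compile(r"""
    '(?:\\.|[^'\\])*'     # single-quoted string
  | "(?:\\.|[^"\\])*"     # double-quoted string
  | /\*.*?\*/             # block comment
  | (?://|\#)[^\n]*       # line comment
""", re.VERBOSE | re.DOTALL)

_DEFINE = re.compile(
    r"""\bdefine\s*\(\s*(['"])DISALLOW_FILE_EDIT\1\s*,\s*([^)]*?)\s*\)\s*;""",
    re.IGNORECASE)

# The marker line the article refers to; "." tolerates a straight or curly apostrophe.
_MARKER = re.compile(r"That.s all, stop editing", re.IGNORECASE)


def blank_comments(php):
    """Replace comments with spaces, keeping offsets and newlines intact."""
    def repl(match):
        text = match.group(0)
        if text[0] in "'\"":          # a string literal: leave it alone
            return text
        return re.sub(r"[^\n]", " ", text)
    return _TOKEN.sub(repl, php)


def audit(php):
    """Return 'ok', 'missing', 'disabled' or 'after-marker' (labels are this example's own)."""
    # PHP keeps the first definition of a constant, so only the first active define counts.
    hit = _DEFINE.search(blank_comments(php))
    if hit is None:
        return "missing"              # absent, or present only inside a comment
    if hit.group(2).lower() != "true":
        return "disabled"
    marker = _MARKER.search(php)
    if marker and hit.start() > marker.start():
        return "after-marker"         # not where the article says to paste it
    return "ok"


if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(audit(fh.read()))
```

Run it against a downloaded copy of wp-config.php, passing the path as the only argument.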
If you don’t want to edit the files directly, then you can install the Sucuri WordPress plugin, which offers a 1-click hardening feature.
Proper Way to Edit WordPress Theme and Plugin Files
Many users actually use WordPress theme and plugin editors to look up the code, add custom CSS, or edit code in their child themes.
If you only want to add custom CSS to your theme, then you can do so by using the theme customizer located under Appearance » Customize.
For more details, see our guide on how to add custom CSS in WordPress without breaking your site.
If you want to look up the code in a plugin, then you can do so by using an FTP client.
For better file management and syntax highlighting, you can use one of these code editors for editing WordPress files on your computer.
Last but not least, you can also create a custom WordPress theme without writing any code.
We hope this article helped you learn how to easily disable theme and plugin editors from the WordPress admin panel. You may also want to see our ultimate guide to improving WordPress performance and speed or our expert picks of the best web design software.