One of the first things we do when we set up a new website for a client is to disable the plugin and theme editor.
Here at WPvivid, we love WordPress; it is a very rich and powerful content management system that can run any kind of website.
One great feature shipped with WordPress is the ability to edit the code of your plugins and themes within your dashboard.
When we need to make a quick styling change on a WordPress site, it is expedient just to open the plugin and theme editor and do what we need to do.
That’s awesome, right? You do not need to login to your host, or FTP your files, edit them on your computer and then re-upload them.
The question, however, is; How many website owners actually know there is a plugin and theme editor in their WordPress website?
I am relatively certain unless the website owner is a developer or a zealous tech DIY enthusiast, the majority of website owners have no idea it even exists – what would they do with it anyway?
WordPress assumes that every WordPress website owner needs this feature, and further assumes that the people accessing this editor know what they are doing.
I want to believe; it is the right assumption because it is a convenient way to modify code without switching platforms.
However, every great tool is a weapon in the wrong hands.
Let us assume someone unknowingly or knowingly accessed the theme editor and deleted your code, or decided to add malware into it if you did not have a backup of your website that would spell disaster.
So, if someone does not know about the existence of the plugin and theme editor, or if they rarely use it, for whatever reason, we think it is a good practice to disable the plugin and theme editor, which is why we do it in every WordPress website we build.
So, how do we disable the plugin and theme editor?
Disable the Plugin And Theme Editor in WordPress Using A Plugin And Manually
Disable the plugin and theme editor using a security plugin
If you have a phobia for code, the easiest way you can disable the plugin and theme editor is with a plugin.
Most security plugins have that feature since it is one of the things they do as they harden a WordPress website.
Usually, the initial setup implements security recommendations disabling the plugin and theme editor, too; however, you can consult its documentation to know where and how to do it.
If you are using iThemes security, for instance, select the checkbox beside the File Editor.
Disable the plugin and theme editor by modifying the wp-config.php code
You can also disable the plugin and theme editor by modifying your code.
First, you will need access to the host, particularly to the wp-config.php file.
You can use FTP to access this file or log in to your control panel.
With cPanel, the file is in the public_html directory.
Right-click the wp-config.php file, then click edit.
When the file opens in the editor, trace for the line;
/* That’s all, stop editing! Happy blogging. */
Right below it paste the following line of code;
define( 'DISALLOW_FILE_EDIT', true );
It should now look like this, then click the Save changes button on the top far right corner of the editor.
Editing your code is actually way more straightforward than installing and configuring a plugin.
Beside, disabling the plugin will roll back the changes to the default state with the plugin and theme editor enabled.
Final thoughts
As the most used content management system, WordPress websites are targets for hackers, do not, therefore, be casual about the security of your WordPress website.
If there is a successful security breach, your website will be at the mercy of the hacker, so, make an effort to do the simple things that ensure your sites’s security.
In this quick guide, we have shown you two ways you can disable the plugin and theme editor in your WordPress website.
- You can do it with a plugin; any security plugin should work just fine.
- The second way is by modifying your wp-config.php and adding a single line of code.
Both ways are simple to implement, the first works for individuals who do not like messing with code.
If I were to recommend an option, that is if you are not using a security plugin for other security tasks on your website is to use the second method where you only need to add a single line of code into your wp-config.php file.
You may also want to learn how to rollback WordPress themes and plugins.