How to Disable WordPress Theme and Plugin Files Editors
Why Disable Theme and Plugin Editors in WordPress?
WordPress comes with a built-in code editor which allows you to edit WordPress theme and plugin files directly from the admin area.
The theme editor is located on the Appearance » Theme File Editor page. By default, it shows your currently active theme’s files. Similarly, the plugin editor can be found on the Plugins » Plugin File Editor page. By default, it shows the installed plugin that comes first in alphabetical order. If you visit the theme or plugin editor page for the first time, WordPress will warn you that using the editor can break your website.
In WordPress 4.9, the theme and plugin editors were upgraded to protect users from accidentally breaking their website. In most cases, the editor will catch a fatal error and revert the changes. However, this is not guaranteed: some code may still slip through, and you would end up losing access to the WordPress admin area. The biggest problem with the built-in file editor is that it gives full access to add any kind of code to your website.
If a hacker breaks into your WordPress admin area, they can use the built-in editor to gain access to all your WordPress data. Hackers can also use it to distribute malware or launch DDoS attacks from your WordPress website. To improve WordPress security, we recommend removing the built-in file editors completely.
That being said, let’s see how to easily disable theme and plugin editors in WordPress.
How to Disable Theme and Plugin Editors in WordPress
Disabling the theme and plugin editors in WordPress is quite easy, but it requires adding code to WordPress.
You’ll need to add this line of code to your theme’s functions.php file, to a site-specific plugin, or through a code snippets plugin.
    define( 'DISALLOW_FILE_EDIT', true );
We recommend using the WPCode plugin because it’s free, easy to use, and won’t break your website if anything goes wrong.
- First, you’ll need to install and activate the free WPCode plugin.
- Once the plugin is activated, go to Code Snippets » Add Snippet from your WordPress dashboard. Then, hover your mouse over the ‘Add Your Custom Code (New Snippet)’ option and click the ‘Use snippet’ button.
- Next, you’ll be prompted to choose the code type for your snippet. Select the ‘PHP Snippet’ option.
- After that, you can add a title for your snippet and paste the code from above into the ‘Code Preview’ box.
- Lastly, simply toggle the switch from ‘Inactive’ to ‘Active’ and click on the ‘Save Snippet’ button.
That’s all. The plugin and theme editors will now disappear from the themes and plugins menus in the WordPress admin area.
As an alternative, you can also edit your wp-config.php file and paste the code from above just before the line that says ‘That’s all, stop editing! Happy publishing’.
Then, save your changes and upload the file back to your website.
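The wp-config.php edit described above, scripted so it can be applied repeatedly without adding a duplicate definition; this is an added example, not code from the original article. The function name disable_file_editors and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). disable_file_editors is a
# hypothetical helper; its only argument is the path to wp-config.php.
# Usage: disable_file_editors /path/to/wp-config.php
disable_file_editors() {
    cfg=$1
    line="define( 'DISALLOW_FILE_EDIT', true );"
    def="^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,"

    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 2; }

    # PHP keeps the first definition of a constant and complains about a
    # second one, so inspect an existing define() instead of appending blindly.
    if grep -Eq "${def}" "$cfg"; then
        if grep -Eiq "${def}[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            return 0    # editors already disabled, nothing to change
        fi
        echo "DISALLOW_FILE_EDIT is defined but not true; fix it by hand" >&2
        return 3
    fi

    # The constant has to be set before wp-settings.php is loaded, which
    # happens below the "stop editing" comment.
    grep -q "stop editing!" "$cfg" || { echo "marker not found" >&2; return 4; }

    # Build the new file in a private temp file outside the web root: a
    # wp-config.php.bak beside the original could be served as plain text.
    tmp=$(mktemp) || return 5
    awk -v line="$line" '
        !ins && index($0, "stop editing!") { print line; ins = 1 }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 5; }

    # Lint the result when the php CLI is available, then overwrite in
    # place so the file keeps its owner and permissions.
    if command -v php >/dev/null 2>&1 && ! php -l "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 6
    fi
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}
```

A return code of 3 means the constant is already defined with a value other than true, which is worth investigating on a site where the editors were supposed to be off.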