WordPress administrators can use the Theme Editor and Plugin Editor in the WordPress dashboard to edit theme and plugin files directly. As a security measure it is recommended to disable these editors. This blog post explains how to disable them and why doing so improves the security of your WordPress website.
Disable Theme and Plugin Editors From WordPress Admin Panel
Add the below line of code to your wp-config.php file:
You can add the line of code mentioned above at the end of the editable section of the wp-config.php file, just before the line /* That’s all, stop editing! Happy blogging. */.
For more information on how to download, modify and upload files to your WordPress blog or website, refer to How to use FTP to transfer files to and from WordPress.
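For illustration, here is the tail of a wp-config.php with the editor lockout in place. This is an added example and not code from the original post; the surrounding lines follow the standard wp-config-sample.php layout, and the lines marked as optional are an assumption about a stricter setup rather than something the post itself recommends.

```php
<?php
// Added example: the editable section of wp-config.php ends with the
// constant below, placed before the "stop editing" marker comment.

// ... database credentials, authentication keys/salts and $table_prefix
//     are defined above this point ...

// Disable the Theme Editor and Plugin Editor in the WordPress dashboard.
// With this constant set, WordPress removes the edit_files capability,
// hides the editor screens and refuses file writes through them, even for
// users with the Administrator role.
define( 'DISALLOW_FILE_EDIT', true );

// Optional and stricter (assumption, not part of the original post):
// also block installing and updating themes, plugins and core from the
// dashboard. Only use this when all deployments and updates happen over
// FTP/SFTP or a deploy pipeline, because wp-admin can then no longer
// install or update anything.
// define( 'DISALLOW_FILE_MODS', true );

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
```

To verify the change took effect, log in as an administrator and confirm that the editor entries under the Appearance and Plugins menus are no longer shown.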
Why Disable the Theme and Plugin Editors in WordPress?
The aim of a WordPress hack is usually to inject malware into the site, or to add links to phishing websites or links used for blackhat SEO. To do so, malicious hackers first launch a brute force attack against the WordPress website. Once they guess the password of a WordPress administrator account, they log in to the WordPress dashboard, and from there they use the theme and plugin editors to access and modify the files of the active theme and plugins.
By disabling the WordPress Theme and Plugin editors directly in wp-config.php you are building a barricade between the WordPress source code and the malicious hacker, making it impossible for the attacker to modify any WordPress code directly from the WordPress dashboard.