
Disable Theme and Plugin Editors in WordPress to Improve WordPress Security

Last updated on April 12th, 2019 by Robert Abela. Filed under WordPress Security Tutorials & Tips

WordPress administrators can use the Theme Editor and Plugin Editor in the WordPress dashboard to directly edit WordPress theme and plugin files. As a security measure, it is recommended to disable the theme and plugin editors in WordPress. This blog post explains how to disable them and why you should do so to improve the security of your WordPress site.

Disable Theme and Plugin Editors From WordPress Admin Panel

Add the below line of code to your wp-config.php file:

define('DISALLOW_FILE_EDIT',true);

You can add the line of code mentioned above at the end of the editable section of the wp-config.php file, exactly before the line /* That’s all, stop editing! Happy blogging. */.

For more information on how to download, modify and upload files to your WordPress blog or website, refer to How to use FTP to transfer files to and from WordPress.
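To confirm the change after uploading the file, the following added example (not code from the original post) audits the text of a wp-config.php: it ignores commented-out copies of the line, checks that the value is true, and checks that the line sits before the "stop editing" marker. The function names and the sample file contents are constructed for illustration.

```python
import re

# define('DISALLOW_FILE_EDIT', <value>); with any quoting and spacing.
DEFINE_RE = re.compile(
    r"""\b(?i:define)\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*([^)]*?)\s*\)\s*;""")
# The "stop editing" marker; the apostrophe may be straight or typographic.
MARKER_RE = re.compile(r"/\*\s*That.s all, stop editing!")

def strip_php_comments(src):
    """Drop //, # and /* */ comments, keeping string literals and line count."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in "'\"":                          # copy a string literal verbatim
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):           # block comment -> newlines only
            end = src.find("*/", i + 2)
            end = n if end < 0 else end + 2
            out.append("\n" * src.count("\n", i, end))
            i = end
        elif c == "#" or src.startswith("//", i):   # line comment
            end = src.find("\n", i)
            i = n if end < 0 else end
        else:
            out.append(c)
            i += 1
    return "".join(out)

def audit_wp_config(src):
    """Return 'ok', 'missing', 'not-true' or 'after-marker'."""
    code = strip_php_comments(src)
    m = DEFINE_RE.search(code)      # PHP keeps the first define of a constant
    if m is None:
        return "missing"            # absent, or present only inside a comment
    if m.group(1).lower() != "true":
        return "not-true"
    marker = MARKER_RE.search(src)
    if marker and code.count("\n", 0, m.start()) > src.count("\n", 0, marker.start()):
        return "after-marker"       # outside the editable section
    return "ok"

# Constructed sample: a salt containing "/*" and "//", and a commented-out define.
SAMPLE = r"""<?php
define('AUTH_KEY', 'x/*9//q#');
// define('DISALLOW_FILE_EDIT', true);
define( "DISALLOW_FILE_EDIT", TRUE );
/* That's all, stop editing! Happy blogging. */
"""
```

Calling audit_wp_config() on the contents of a downloaded wp-config.php returns "ok" only when an active define with the value true is found inside the editable section.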

Why Disable the Theme and Plugin Editors in WordPress?

The aim of a WordPress hack is to inject the site with malware, include links to phishing websites or include links for blackhat SEO. To do so, malicious hackers first launch a brute force attack against a WordPress website, and once they guess the password of the WordPress administrator account they log in to the WordPress dashboard, from where they use the theme and plugin editors to access and modify the files of the activated theme and plugins.

By disabling the WordPress Theme and Plugin editors directly from wp-config.php, you are building a barricade between the WordPress source code and the malicious hacker, making it impossible for the attacker to modify any WordPress code directly from the WordPress dashboard.

2 comments

haseeb 07/10/2013

I’m running a multiuser site. I have 14 plugins installed. I need to disable 11 plugins for editors and enable 3 plugins for editors.

How can I do that?
NB: please suggest a method that works without enabling the network.

Robert Abela 07/10/2013

Hi,

Thanks for following our blog.

As regards your question, it depends what you want to do. I.e. would you like to disallow editors from using functionality provided by the plugin or would you like to restrict them from configuring a plugin?

Can you give us more details and which plugins you are referring to?
