Disable Theme and Plugin Editors in WordPress to Improve WordPress Security

Last updated on June 25th, 2020 by Robert Abela. Filed under WordPress Security Tutorials & Tips

WordPress administrators can use the Theme Editor and Plugin Editor in the WordPress dashboard to edit theme and plugin files directly. As a security measure it is recommended to disable the theme and plugin editors in WordPress. This blog post explains how to disable them and why you should disable them to improve the security of your WordPress website.

Disable Theme and Plugin Editors From WordPress Admin Panel

Add the below line of code to your wp-config.php file:

define('DISALLOW_FILE_EDIT',true);

Add the line of code mentioned above at the end of the editable section of the wp-config.php file, immediately before the line /* That’s all, stop editing! Happy blogging. */.

For more information on how to download, modify and upload files to your WordPress blog or website, refer to How to use FTP to transfer files to and from WordPress.
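As an added check that is not part of the original post, the following Python helper audits the text of a wp-config.php file for an active (uncommented) DISALLOW_FILE_EDIT define and reports whether it sits before the "stop editing" marker line. The two config fragments are constructed samples, not real site files.

```python
import re

# Constructed sample wp-config.php fragments (not real site files).
SECURED_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
"""

UNSECURED_CONFIG = """<?php
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
"""

# Matches define('DISALLOW_FILE_EDIT', true); with either quote style.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.IGNORECASE,
)
STOP_MARKER = "stop editing"


def audit_file_edit(config_text):
    """Return a dict: 'disabled' is True only if an active define sets true,
    'line' is the 1-based line of that define (None if absent) and
    'before_marker' tells whether it precedes the "stop editing" line."""
    result = {"disabled": False, "line": None, "before_marker": None}
    marker_line = None
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if marker_line is None and STOP_MARKER in stripped.lower():
            marker_line = number
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # commented-out lines never take effect
        match = DEFINE_RE.match(line)
        # PHP keeps the first define() of a constant; later ones are ignored.
        if match and result["line"] is None:
            result["disabled"] = match.group(1).lower() == "true"
            result["line"] = number
    if result["line"] is not None and marker_line is not None:
        result["before_marker"] = result["line"] < marker_line
    return result


if __name__ == "__main__":
    for name, text in (("secured", SECURED_CONFIG), ("unsecured", UNSECURED_CONFIG)):
        print(name, audit_file_edit(text))
```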

Why Disable the Theme and Plugin Editors in WordPress?

The aim of a WordPress hack is usually to inject malware into the site, or to add links to phishing websites or blackhat SEO links. To do so, malicious hackers first launch a brute force attack against the WordPress login; once they guess the password of a WordPress administrator account, they log in to the WordPress dashboard and use the theme and plugin editors to access and modify the files of the active theme and plugins.

By disabling the WordPress Theme and Plugin editors directly from wp-config.php you are building a barricade between the WordPress source code and the malicious hacker, making it impossible for the attacker to modify any WordPress code directly from the WordPress dashboard.


4 comments

haseeb 07/10/2013

I’m running a multiuser site. I have 14 plugins installed. I need to disable 11 plugins for editors and enable 3 plugins for editors.

How can I do that?
NB: please suggest a method that works without enabling the network.

Robert Abela 07/10/2013

Hi,

Thanks for following our blog.

As regards your question, it depends on what you want to do, i.e. would you like to disallow editors from using functionality provided by the plugin, or would you like to restrict them from configuring a plugin?

Can you give us more details and which plugins you are referring to?

Manuel 20/06/2020

Hello

If a hacker has already brute forced his way into the admin area, the hacker could install a plugin such as a file manager and edit whatever he or she wants, including the wp-config.php file, theme and plugin files.

I started thinking about the effectiveness of this security measure just yesterday so I am open to new ideas about how this measure improves security.

Thanks for your plugins and blog.

Robert Abela 31/07/2020

Correct Manuel, that could happen as well. The way I see it is that one should look at security as a complete picture, and not just analyze whether a single fix is effective or not.

In this case, we are just making it more difficult for the attacker to implement code changes. So should the attacker manage to gain access to the site, he cannot proceed to make code changes directly. He has to install a plugin, which requires more time and might trigger some notification (for example if you have an activity log plugin that sends you an SMS when a change happens on your site).

So even though this security tweak might not stop the attacker, it is an extra step in making an attacker’s life more difficult, giving us the chance to be alerted and identify the attack.
