One of the great features of WordPress is the built-in code editor. Using the code editor you can make changes to your theme files without leaving the admin panel. But there are good reasons to disable theme and plugin editors.
If your WordPress installation is managed by more than one person, you may want to disable the editors. It helps prevent mistakes and errors from individuals who may lack development skills.
Disabling the editors also increases website security. This means there are fewer things that can go wrong within the website.
In this tutorial, I will show you how to disable the WordPress editors and remove them from the admin panel. I’ll also talk about why it’s a good idea to do it and what your alternatives are before and after removing the editors.
Why Disable the WordPress Theme and Plugin Editors?
When an automatic theme update takes place in WordPress, key files (or in many cases, all files) are overwritten. So if you have made changes to any of those files, your changes will disappear.
That is why WordPress displays a warning urging you to avoid editing theme files.
A similar warning is given when editing a plugin file. However, the warning doesn’t appear when you edit child themes. Child themes aren’t subject to automatic upgrades, so they are the safest way to manage your theme.
Multiple WordPress Administrators
Often, WordPress websites have multiple users with administrative permissions. That can become a problem if one of the administrators edits a file they shouldn’t.
Also, the more administrators you have, the more likely it is that one of the computers used to access the site could be compromised. This may grant the bad guys access without having to hack WordPress at all.
If your WordPress installation is compromised and the file editor is available, a hacker can do several unpleasant things. They can inject malware into your site, putting your visitors at risk.
Hackers can also insert links to phishing websites into your posts and pages. They may even insert «blackhat» SEO links that can hurt your site’s reputation with Google.
In more severe cases, a hacker can insert code into a theme or plugin that gives them web shell access. That allows them to do things like performing SQL injections, uploading more malicious files, sending email from your domain name and compromising your cPanel password.
If that’s not bad enough, they can also leave a back door that will allow them into your site after you clean up the initial compromise.
Long story short: disabling the WordPress editors increases your website stability and security.
How to Disable the WordPress Theme and Plugin Editors
The good news is it’s very easy to disable the WordPress theme and plugin editors. You can do it by adding a single line to your wp-config.php file.
Open up an FTP program or a file editor and make your way to your WordPress home directory. Open the wp-config.php file for editing.
Near the bottom of the file, you’ll see a line that says, /* That’s all, stop editing! Happy publishing. */
Right above that line, insert the following code:
Now when you go back to the WordPress admin panel, you will see the editor options are gone.
This also removes the «Plugin Editor» link.
You can also add the DISALLOW_FILE_EDIT line of code to the functions.php file in your theme. If you don’t want to edit any files you can use a code snippets plugin.
You can also write your own plugin that contains the code. I know, writing your own plugin sounds complicated, but check out the article. You may be surprised at how easy it is.
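To confirm the wp-config.php change is really in effect, the following added example (not code from the original tutorial) checks a wp-config.php for an active `define( 'DISALLOW_FILE_EDIT', true );` line placed above the "stop editing" marker. The function names, status strings and sample file contents are assumptions made for illustration, and the check does not cover a constant set from functions.php or a plugin.

```python
import re

# String literals are matched first so comment markers inside them
# (common in WordPress salts) are not mistaken for comments.
TOKEN_RE = re.compile(r"""
    '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"    # string literal: keep
  | /\*.*?\*/ | (?://|\#)[^\n]*              # comment: blank out
""", re.DOTALL | re.VERBOSE)
DEFINE_RE = re.compile(
    r"""\b(?i:define)\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(.+?)\s*\)\s*;""")
MARKER_RE = re.compile(r"/\*.*stop editing.*\*/", re.IGNORECASE)

def strip_comments(src):
    """Blank out PHP comments, keeping newlines so line numbers hold."""
    def repl(m):
        tok = m.group()
        return tok if tok[0] in "'\"" else "\n" * tok.count("\n")
    return TOKEN_RE.sub(repl, src)

def audit_wp_config(src):
    """Return (status, line) for DISALLOW_FILE_EDIT in wp-config.php text."""
    code = strip_comments(src)
    hit = DEFINE_RE.search(code)  # PHP keeps the first define() of a constant
    if hit is None:
        return ("missing", None)
    line = code.count("\n", 0, hit.start()) + 1
    if hit.group(1).lower() not in ("true", "1"):
        return ("not_true", line)
    marker = MARKER_RE.search(src)
    if marker and src.count("\n", 0, marker.start()) + 1 < line:
        return ("below_marker", line)
    return ("ok", line)

# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
define( 'AUTH_KEY', 'k/*9#x//q' );
// define( 'DISALLOW_FILE_EDIT', false );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    print(audit_wp_config(SAMPLE))
```

A commented-out line or a `false` value is reported rather than counted as protection, which is the usual way this setting silently ends up not applied.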
How Do I Edit WordPress Theme and Plugin Files After I’ve Disabled the Editors?
Once you’ve removed the editors from WordPress, you may wonder how you’re going to edit theme files.
There are a few options.
You can go old school and download the file you want to edit using FTP programs like FileZilla. Then just fire up your favorite text editor to make the changes. Upload the file back to the site and you’re done.
If that’s the way you’re accustomed to working, it’s often faster than an online solution.
Web-based File Manager
If your web hosting account uses cPanel, there’s a built-in text editor that you can use to make changes. This is done through the File Manager tool in cPanel.
Theme Customizing Tools
Even without the WordPress editors, you can still make certain changes to your theme from the admin panel. Hover over the “Appearance” link, then click the “Customize” link.
There are several display-related items that can be edited here. The items that are available will vary depending on the theme that you use.
But every theme includes the ability to add custom CSS that will override the theme’s default CSS. It’s a powerful tool, and virtually every part of your site’s appearance can be changed using the custom CSS editor.
Whichever method you use to disable theme and plugin editors, I hope that this tutorial has convinced you to give it a try and provided some useful instruction.
Disabling the editors may seem inconvenient at first. But once you get used to using one of the alternate methods, you should be able to make changes just as quickly as you could before.
Do you think you will disable the WordPress editors now? Are there other security methods or plugins you use to keep your WordPress installation safe?
Author: Michael Phillips
Michael Phillips is a web hosting industry veteran, helping people make the most of their web presence since 1995.