WordPress comes with a useful feature, a file editor that allows you to edit your plugins and theme files right from your Dashboard.
All you need to do is go to Appearance -> Editor to edit your theme files, or to Plugins -> Editor to edit your plugin files.
While the WordPress file editor can come in handy, it can also be dangerous!
If someone other than yourself has an Administrator user role on your WordPress website, and they don’t need to edit code, but start “playing” around anyway in the file editor, for whatever reason, they can break your entire website.
Or worse, they can install malware.
So, since there are other ways to access your WordPress website’s files, it is safer to disable the WordPress plugin and theme editor in your admin panel.
In this tutorial, I’ll show you how.
1. Disable the WordPress plugin and theme editor via code
I recommend using this method.
Adding a small piece of code is always better than adding yet another plugin. The fewer plugins you have, the better!
So, you’ll have to access your WordPress wp-config.php file, which can’t be accessed via the WordPress editor.
It’s normally found in the WordPress root directory, in /public_html/.
If you’re using an add-on domain, then it should be in /public_html/YourDomain.com/.

Editing the wp-config.php file via cPanel
Once you’ve found the file, open it for editing and add the code below right before this line: /* That's all, stop editing! Happy blogging. */
define( 'DISALLOW_FILE_EDIT', true );
Save the file and that’s it! The WordPress plugin and theme editor will be disabled.
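If you manage several sites, the same edit can be scripted. The following is an added example, not code from the original post: a Python function (the names ensure_disallow_file_edit, WANTED and SAMPLE are assumptions made for the example) that inserts the constant before the "stop editing" marker, corrects an existing define that is not set to true, and falls back to the wp-settings.php line, because the constant only takes effect if it is defined before that file loads.

```python
import re

# An active (not commented-out) define of DISALLOW_FILE_EDIT, whatever its value.
DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*([^)]*?)\s*\)\s*;[ \t\r]*$",
    re.MULTILINE,
)
# The marker comment ends in "Happy blogging." or, in newer releases,
# "Happy publishing.", so match only on the part both share.
MARKER_RE = re.compile(r"^.*stop editing!.*$", re.MULTILINE | re.IGNORECASE)
# Fallback anchor: the line that loads wp-settings.php.
SETTINGS_RE = re.compile(r"^.*require_once.*wp-settings\.php.*$", re.MULTILINE)
WANTED = "define( 'DISALLOW_FILE_EDIT', true );"


def ensure_disallow_file_edit(config):
    """Return (new_config, action); action is 'unchanged', 'fixed' or 'inserted'."""
    existing = DEFINE_RE.search(config)
    if existing:
        if existing.group(1).lower() == "true":
            return config, "unchanged"
        # Defined but not true (for example false): rewrite that line in place.
        return config[:existing.start()] + WANTED + config[existing.end():], "fixed"
    anchor = MARKER_RE.search(config) or SETTINGS_RE.search(config)
    if anchor is None:
        raise ValueError("no safe insertion point found; edit wp-config.php by hand")
    # Insert on its own line directly above the anchor line.
    return config[:anchor.start()] + WANTED + "\n" + config[anchor.start():], "inserted"


# Constructed sample with the shape of a stock wp-config.php, shortened.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    patched, action = ensure_disallow_file_edit(SAMPLE)
    print(action)
    print(patched)
```

Run it against a copy of wp-config.php first and keep a backup of the original before writing the result back.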
2. Disable the WordPress plugin and theme editor via plugin
A. If you’re using iThemes Security
Having a security plugin is a must! It’s one of the things to do right after installing WordPress.
And if you’re using iThemes Security or iThemes Security Pro (this is an affiliate link), then it’s a damn good choice!
I’ve also put together a highly detailed tutorial on how to secure your WordPress website with iThemes Security.
Now, iThemes Security comes with a great feature that allows you to disable the WordPress theme and plugin editor. So, you won’t have to add any code or an additional plugin!
Here’s how to do it:
1. Go to Security -> Settings from your Dashboard sidebar.
2. Go to WordPress Tweaks.
3. Check Disable File Editor.
4. Click the Save Settings button.
That’s it!
Perhaps other security plugins might have this feature as well, but I don’t know, to be honest, since I’ve always used and recommended iThemes Security.
I really don’t think there’s a better one that would grab my attention. At least not for me.
B. Install the ‘Disable File Editor’ plugin
I managed to find a plugin that’s not outdated, and that’s Disable File Editor.
You just have to install the plugin and activate it, nothing more, because it doesn’t have any settings.
Once you activate it, the WordPress theme and plugin editor will be disabled!
That’s a wrap
Hope you found the post useful and comprehensive!
I think if a hacker installs a plugin manager file and can edit, then this method is not working!
I totally agree with you.
This measure doesn’t really stop hackers from doing damage if they are already in the admin area.