WordPress Security Tip: Disable Theme and Plugin Editors in Admin Panel

WordPress administrators can modify theme and plugin files in a built-in editor. The editor gives a site administrator a convenient way to change something on the fly without going through an FTP client. It also makes it easy for a novice site owner to crash the site. As a security measure, it is recommended to disable the editor.

To disable the theme and plugin editor, we need to add the following line to wp-config.php:

// Disable the Theme and Plugin Editor
define('DISALLOW_FILE_EDIT', true);

Why does this matter for security? Attackers who want to inject malicious code into your website normally need access to the hosting server, for example over FTP. A WordPress site, however, has a second door: the theme and plugin editor. If an administrative user's login credentials are compromised, that second door is open, and the attacker can edit PHP files on the server straight from the admin panel.
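The following audit helper is an added example, not code from the original post or from WordPress itself. It checks whether a wp-config.php really has the editor disabled (a commented-out or `false` define still leaves the door open), and it also reports on DISALLOW_FILE_MODS, the stricter WordPress constant that additionally blocks plugin and theme installs and updates from the admin panel. It assumes the constants are set with a one-line define() call, as shown in the post; the sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumes each constant is
# set on a single line with define(...); a define() hidden inside a multi-line
# /* ... */ block comment is not detected.

# wp_constant_true FILE CONSTANT
# Exit 0 if an active (uncommented) define('CONSTANT', true) exists in FILE,
# 1 otherwise. Either quote style, any spacing, and TRUE in any case match;
# define('CONSTANT', false) and lines starting with // or # do not.
wp_constant_true() {
    _file="$1"; _name="$2"
    [ -r "$_file" ] || return 1
    sed 's/^[[:space:]]*//' "$_file" \
      | grep -v -E '^(//|#)' \
      | grep -i -E "^define[[:space:]]*\([[:space:]]*['\"]${_name}['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
      >/dev/null
}

# audit_wp_config FILE
# Prints one line per hardening constant and returns the number of constants
# that are NOT active, so 0 means both doors are shut.
audit_wp_config() {
    _missing=0
    for _c in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        if wp_constant_true "$1" "$_c"; then
            echo "OK       $_c is true"
        else
            echo "MISSING  $_c is not set to true"
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# Constructed sample configs (not from a real site) so the check runs offline.
WPCHK_DIR="$(mktemp -d)"
cat > "$WPCHK_DIR/hardened.php" <<'EOF'
<?php
define( "DISALLOW_FILE_EDIT", TRUE );
define('DISALLOW_FILE_MODS', true);
EOF
cat > "$WPCHK_DIR/weak.php" <<'EOF'
<?php
// define('DISALLOW_FILE_EDIT', true);   <- commented out, editor still enabled
define('DISALLOW_FILE_EDIT', false);
EOF

audit_wp_config "$WPCHK_DIR/hardened.php"   # both OK, returns 0
audit_wp_config "$WPCHK_DIR/weak.php"       # both MISSING, returns 2
```

On a live site, run `audit_wp_config /path/to/wp-config.php` after deploying the change; the editor menu entries under Appearance and Plugins should disappear from the admin panel at the same time.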