Directly editing plugin or theme files from the WordPress admin dashboard is a high-risk operation that can lead to unexpected errors or security vulnerabilities. Therefore, for security and management reasons, it is recommended to disable the ability to edit themes and plugins from the backend.
WordPress security is crucial. Disabling theme and plugin editing prevents administrators from accidentally deleting critical files and also blocks attackers who gain unauthorized access to the admin area from stealing or tampering with the site's core code.
How to Disable Theme and Plugin Editing
WordPress provides two core configuration constants to implement this feature. You need to edit the wp-config.php file in your website's root directory.
Method 1: Disable File Editing Only
This method only disables the theme and plugin editor in the admin area while still allowing installation and update operations.
// Disable online theme and plugin editing
define( 'DISALLOW_FILE_EDIT', true );Method 2: Disable All File Modifications
This method is more restrictive. In addition to disabling editing, it also prevents installing, updating, and deleting themes and plugins. It is typically used for highly locked-down production environments.
// Disable installing, upgrading, and editing themes and plugins
define( 'DISALLOW_FILE_MODS', true );Implementation Steps
- Using FTP or your server's file manager, locate the
wp-config.phpfile in your WordPress installation root directory. - Open this file in a text editor.
- Find the database configuration section, which contains lines like
define( 'DB_NAME', 'database_name_here' );. - Add one of the code snippets above below the database configuration but before the comment line that reads
/* That's all, stop editing! Happy publishing. */. - Save the file and upload it back to the server.
Note: After adding the code, the "Appearance" → "Theme Editor" and "Plugins" → "Plugin Editor" menus in the WordPress admin will disappear or become inaccessible. If you choose Method 2 (DISALLOW_FILE_MODS), the "Install Plugins/Themes" functionality will also be disabled. All updates and installations must then be performed via FTP or the command line.
Conclusion
For most websites, it is recommended to at least enable DISALLOW_FILE_EDIT to turn off the backend editor. This is a simple yet effective measure to enhance WordPress security. For production environments requiring strict control, consider using DISALLOW_FILE_MODS. Choose the method that best fits your specific management needs and security policy.