Remove and disable WordPress theme and plugin editors

WordPress is growing at an amazing rate. It is an excellent CMS for companies and freelancers to build websites with. When you hand a finished WordPress build over to a client, you often want to keep things simple for them and help them avoid breaking things.

WordPress has a built-in editor that allows administrators (and super admins) to edit themes and plugins from within WordPress itself. Potentially this allows your client to (accidentally) destroy all your good work. There are a number of ways to remove the link from the standard menu, so that your client is free to explore and familiarise themselves with the WordPress back end without breaking anything serious. Here are two examples for removing the theme editor link:

1. Removing theme editor link from menu using remove_action()

// Runs at priority 1 so the core callback is unhooked before it fires at priority 101.
function tcb_remove_editor_menu() {
  remove_action('admin_menu', '_add_themes_utility_last', 101);
}
add_action('admin_menu', 'tcb_remove_editor_menu', 1);

2. Removing theme editor link from menu using remove_submenu_page()

// Remove the editor entry from the themes.php menu.
add_action('admin_init', 'tcb_remove_menu_elements', 102);
function tcb_remove_menu_elements(){
  remove_submenu_page( 'themes.php', 'theme-editor.php' );
}

The problem with these two methods is that they don’t actually stop anyone with the right roles and capabilities from editing the theme files. They just remove the link from the menu. If a plugin or theme provided links to the editor from somewhere else, then the above methods are pretty useless.

3. Disable theme and plugin editing completely using WordPress’s built-in constant definition

Luckily WordPress has provided a really easy way to stop themes and plugins being edited from within WordPress itself.

define('DISALLOW_FILE_EDIT', true);

This not only removes the links from the menus, but effectively disables the edit_themes and edit_plugins capabilities. So even with the link to the right place, no user will have permission to edit anything. This is not only shorter, but more powerful. It is just a single line in the wp-config.php file.
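
To confirm that the constant is really in force, rather than the links merely being hidden, the following added example (not from the original post) warns site managers in the dashboard while either editor capability is still granted. The file location and the tcb_file_edit_* and tcb_open_editor_caps names are assumptions made for illustration.

```php
<?php
/*
 * Added example, not from the original post. Hypothetical must-use plugin,
 * e.g. wp-content/mu-plugins/tcb-file-edit-check.php (path is an assumption).
 */

// True only when the constant from wp-config.php is defined and truthy.
function tcb_file_edit_disabled() {
  return defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT;
}

// Editor capabilities the current user still holds. Hiding the menu link
// (methods 1 and 2) leaves these intact; the constant makes the list empty.
function tcb_open_editor_caps() {
  $open = array();
  foreach (array('edit_themes', 'edit_plugins') as $cap) {
    if (current_user_can($cap)) {
      $open[] = $cap;
    }
  }
  return $open;
}

// Warn site managers in the dashboard while the editors remain usable.
function tcb_file_edit_notice() {
  if (!current_user_can('manage_options')) {
    return;
  }
  $open = tcb_open_editor_caps();
  if (tcb_file_edit_disabled() && empty($open)) {
    return; // Hardened: constant set and no editor capability granted.
  }
  $detail = empty($open)
    ? 'DISALLOW_FILE_EDIT is not set in wp-config.php.'
    : 'You can still use: ' . implode(', ', $open) . '.';
  printf(
    '<div class="notice notice-warning"><p>%s</p></div>',
    esc_html('Theme/plugin file editing is not disabled. ' . $detail)
  );
}
add_action('admin_notices', 'tcb_file_edit_notice');
```

With only method 1 or 2 applied, an administrator still sees the warning, because the capabilities are untouched; once the define is added to wp-config.php the notice disappears.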

Details on this and other settings can be found in the codex: Editing wp-config.php.