How to Control Access to the Theme Editor in WordPress
The Theme Editor in WordPress allows you to make direct changes to your site's theme files.
This is not always a good idea because changes made via the Theme Editor can easily take your site offline. There is no “undo” or “rollback” button if you make a mistake.
In fact, you will see this message when you visit the “Theme Editor” screen:
You appear to be making direct edits to your theme in the WordPress dashboard. We recommend that you don’t! Editing your theme directly could break your site and your changes may be lost in future updates. If you need to tweak more than your theme’s CSS, you might want to try making a child theme. If you decide to go ahead with direct edits anyway, use a file manager to create a copy with a new name and hang on to the original. That way, you can re-enable a functional version if something goes wrong.
Because this screen can be dangerous, many WordPress administrators want to control access to this screen.
By default, only Administrators can see this screen. In this tutorial, I will show you how to give or deny access to the Theme Editor.
Option #1. Use WordPress user roles
If you want to allow users access to the Theme Editor screen, you will need to give them the edit_themes permission.
- Make sure you have PublishPress Capabilities plugin installed.
- Go to “Capabilities” in your WordPress admin menu.
- In “Select Role to View/Edit”, choose the role you want to allow into the Theme Editor. I've chosen “Subscriber” in this example.
- Check the “edit themes” box. If you want to deny them access, click the red X for the “edit themes” box.
- Click “Save Changes”.
This image shows what a user in the Subscriber role will see when they log in. They will have access to the Theme Editor screen.
Option #2. Use your wp-config.php file
It is possible to hide the Theme Editor using the wp-config.php file. Check your site's wp-config.php file for this line:

```php
define( 'DISALLOW_FILE_EDIT', true );
```

If you add that line, no one will see the Theme Editor again: not even Administrators.
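If you want something between Option #1 (per-role control through a plugin) and Option #2 (blocking everyone, Administrators included), a small must-use plugin can deny the editor capabilities to all users except a short allow-list. The code below is an added example, not from the original tutorial or from WordPress core or PublishPress; the file path and the RTE_ALLOWED_USER_IDS list are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Restrict Theme Editor (example mu-plugin)
 * Description: Denies the Theme/Plugin Editor to every user not on an allow-list.
 *
 * Assumed location: wp-content/mu-plugins/restrict-theme-editor.php
 * Must-use plugins load on every request and cannot be deactivated from the
 * Plugins screen, so a compromised Administrator account cannot switch this off.
 */

// Hypothetical allow-list of user IDs that may still use the file editors.
// Leave it empty to block everyone, which matches DISALLOW_FILE_EDIT.
const RTE_ALLOWED_USER_IDS = [];

// WordPress resolves these meta capabilities through map_meta_cap() before it
// shows the editor menu entries and again before it saves a file.
const RTE_EDITOR_CAPS = [ 'edit_themes', 'edit_plugins', 'edit_files' ];

add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( in_array( $cap, RTE_EDITOR_CAPS, true )
        && ! in_array( (int) $user_id, RTE_ALLOWED_USER_IDS, true ) ) {
        // 'do_not_allow' is the core sentinel that makes current_user_can()
        // return false regardless of the user's role.
        return [ 'do_not_allow' ];
    }
    return $caps;
}, 10, 4 );

// Detection: record direct requests to the editor screens by users who are
// not allowed in. Core already refuses the request; this adds an audit trail.
add_action( 'admin_init', function () {
    global $pagenow;
    $screens = [ 'theme-editor.php' => 'edit_themes', 'plugin-editor.php' => 'edit_plugins' ];
    if ( isset( $screens[ $pagenow ] ) && ! current_user_can( $screens[ $pagenow ] ) ) {
        error_log( sprintf(
            'Blocked %s request by user %d from %s',
            $pagenow,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
    }
} );
```

The log line lands in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on), where a log collector can alert on it.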
Option #3. Use a security plugin
Some security plugins will allow you to block access to the Theme Editor. This is because the Theme Editor can cause real problems for your site. The screenshot below is from the Sucuri plugin:
Option #4. Make the theme files unwritable
If you lock down your files on the server, users will not be able to make changes in the Theme Editor. This guide shows how to make permission changes.
Here's how to check your files are safe:
- Tools > Site Health.
- Click the “Info” tab.
- Scroll down to the “Filesystem Permissions” box.
- Make sure that your themes directory is “Unwritable”. If the files are not writable, you won't be able to save changes.