How To Remove Sensitive Functionalities From WordPress Editor

WordPress is considered the most powerful content management system among developers and webmasters today, thanks to its versatile environment and the large number of custom plugins. The WordPress interface is so flexible that anyone can play with its features without knowing any code. That is also the downside of WordPress, since an inexperienced user can spoil a well-organized custom theme. In this article you will find code snippets that experienced developers use to prevent this kind of problem. You can use them in any project, but they are recommended mainly for professional custom theme development.


  • Disable The Plugins And Theme Editor
    Custom themes and plugins are easily editable through the dashboard, so anyone can mess with the theme files without realizing the consequences, which can completely break the appearance and functionality of a site. It is also insecure: anyone who gets hold of an administrator login can use the editor to change your site's PHP files. You can disable this by adding the following snippet to the wp-config.php file. It also disables the plugin editor.

    define( 'DISALLOW_FILE_EDIT', true );

  • Limit The Visual And Text Editor
    By default the WYSIWYG editor lets users change many aspects of a custom theme's output. If your clients override options like text colors, font sizes and more, the result is an ugly layout. So don't leave these options available to your clients, since they are not even necessary. To keep the site safe, it is recommended to disable the entire visual editor.
  • Disabling The Visual Editor
    You can add the following snippet to the functions.php file, and the tab to toggle the WYSIWYG editor will disappear.

    function wpmania_disable_visual_editor() {
        // Add logic here if you want to permit the visual editor selectively.
        return false;
    }
    add_filter( 'user_can_richedit', 'wpmania_disable_visual_editor', 50 );
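    The snippet above turns the visual editor off for everyone. The following is an added example (not code from the original article) that fills in the "add logic here" comment with a capability check: users who can edit pages, normally editors and administrators, keep WordPress' own decision, while authors and contributors only get the text editor. The capability name edit_pages is a real WordPress capability; choosing it as the dividing line is an assumption of this example.

```php
<?php
// Added example: allow the visual editor only for trusted roles.
// Hook: user_can_richedit (real WordPress filter). The capability used to
// separate "trusted" from "untrusted" users (edit_pages) is our choice.
function wpmania_selective_visual_editor( $default ) {
    // Not logged in (e.g. front-end editors): never offer rich editing.
    if ( ! is_user_logged_in() ) {
        return false;
    }

    // Editors and administrators keep WordPress' default decision, which also
    // honours the user's own "Disable the visual editor" profile setting.
    if ( current_user_can( 'edit_pages' ) ) {
        return $default;
    }

    // Authors, contributors and custom low-privilege roles: text editor only.
    return false;
}
add_filter( 'user_can_richedit', 'wpmania_selective_visual_editor', 50 );
```

    Returning $default instead of true for trusted users matters: it keeps every other filter on user_can_richedit (including the user's profile setting) working rather than forcing the editor on.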

  • Removing Bold And Italic Quick tags From The Text Editor
    By default the text editor has quick tag buttons that let the user wrap the selected text in tags like <strong> and <em>. You can add the code below to the functions.php file; this way your client will not be able to play with them.

    # Removes bold and italic quicktags from text editor
    function wpmania_quicktags_settings( $qtInit ) {
        // To disable ALL buttons it must be set to "," (not "")
        $qtInit['buttons'] = 'more,';
        return $qtInit;
    }
    add_filter( 'quicktags_settings', 'wpmania_quicktags_settings' );

    Doing the above removes the one-click way to bold or italicize text, but there is still a chance that users write the markup by hand.

  • Disabling Buttons On The Visual Editor
    Usually the visual editor is left enabled for authors who deal with long posts and need to add subheadings. For these cases you can set custom classes for subsections, and the other buttons should certainly be disabled. The TinyMCE editor is delicate because you need to find out which code refers to which button. The trickiest button is the "kitchen sink" toggle, which shows the second row; it should be removed. The code below can be used to disable it.

    # Remove visual editor buttons
    function wpmania_tinymce_buttons( $buttons ) {
        # 'wp_adv' is the "kitchen sink" toggle that reveals the second row
        $remove = array( 'wp_adv' ); // Add other button names to this array
        # Drop every button whose name is in $remove
        return array_diff( $buttons, $remove );
    }
    add_filter( 'mce_buttons', 'wpmania_tinymce_buttons' );

    You can find a button's code from its CSS class, which begins with mce-i-; the part after that prefix is the name to put in the array above.
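    The passage above suggests giving authors a few theme-approved subsection styles while hiding everything else. The following added example (not code from the original article) does that in one place: it trims both toolbar rows, limits the heading dropdown to p/h2/h3, and adds a "Formats" dropdown with named styles. The filters mce_buttons, mce_buttons_2 and tiny_mce_before_init, the button names and the init keys are real WordPress/TinyMCE names; the CSS class names lead and callout belong to a hypothetical theme.

```php
<?php
// Added example: a locked-down TinyMCE configuration for author accounts.
// Filters and button names are real; the style class names are assumptions.

// Row 1: remove the kitchen-sink toggle and justify, add the Formats dropdown
// ('styleselect') so authors can apply the theme's own classes.
function wpmania_mce_row1( $buttons ) {
    $remove  = array( 'wp_adv', 'alignjustify' );
    $buttons = array_values( array_diff( $buttons, $remove ) );
    if ( ! in_array( 'styleselect', $buttons, true ) ) {
        $buttons[] = 'styleselect';
    }
    return $buttons;
}
add_filter( 'mce_buttons', 'wpmania_mce_row1' );

// Row 2: the text colour picker, underline and friends live here. Returning an
// empty array removes the whole row, not just hides it behind the toggle.
function wpmania_mce_row2( $buttons ) {
    return array();
}
add_filter( 'mce_buttons_2', 'wpmania_mce_row2' );

// Editor init settings: which block formats exist and which named styles
// the Formats dropdown offers.
function wpmania_mce_init( $init ) {
    // h1 is reserved for the post title in the theme, so it is not offered.
    $init['block_formats'] = 'Paragraph=p;Heading 2=h2;Heading 3=h3';

    // style_formats must be a JSON string. Classes 'lead' and 'callout' are
    // hypothetical theme classes.
    $styles = array(
        array( 'title' => 'Lead paragraph', 'block' => 'p',   'classes' => 'lead' ),
        array( 'title' => 'Call-out box',   'block' => 'div', 'classes' => 'callout', 'wrapper' => true ),
    );
    $init['style_formats'] = wp_json_encode( $styles );

    // Paste as plain text so inline styles copied from Word or the web cannot
    // bypass the restrictions above.
    $init['paste_as_text'] = true;
    return $init;
}
add_filter( 'tiny_mce_before_init', 'wpmania_mce_init' );
```

    Re-indexing with array_values() after array_diff() is deliberate: TinyMCE receives the button list as a JavaScript array, and gaps in the PHP keys would otherwise be encoded as an object.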

  • Remove The "Add Media" Button
    This button appears on custom post types too, and it has a wide range of functions; sometimes it is inappropriate to let clients add irrelevant images to a post. It is easy to manage images by integrating them into the template, but managing photos added with the Add Media button is quite hard for a developer. Images uploaded with this button also spoil the flow of the text around them. So it is better to remove the button with the following code.

    # Remove media buttons

    function wpmania_remove_add_media() {
        # do this conditionally if you want to be more selective
        remove_action( 'media_buttons', 'media_buttons' );
    }
    add_action( 'admin_head', 'wpmania_remove_add_media' );

    You can add logic before the remove_action() call to remove the media button only for specific posts or post types.
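    One way to make the removal conditional, as the sentence above suggests. This is an added example, not code from the original article: it uses get_current_screen() (available by the time admin_head runs) to remove the button only on the edit screen of chosen post types. The post type name client_note is a hypothetical custom post type.

```php
<?php
// Added example: remove "Add Media" only on selected post types.
// get_current_screen() and the hooks are real WordPress APIs;
// 'client_note' is a hypothetical post type standing in for your own.
function wpmania_remove_add_media_for_type() {
    $screen = get_current_screen();

    // Only act on post edit screens; other admin pages have no media button.
    if ( ! $screen || 'post' !== $screen->base ) {
        return;
    }

    // Post types whose content should never carry inline images (assumed list).
    $no_media_types = array( 'client_note' );

    if ( in_array( $screen->post_type, $no_media_types, true ) ) {
        remove_action( 'media_buttons', 'media_buttons' );
    }
}
add_action( 'admin_head', 'wpmania_remove_add_media_for_type' );
```

    The same conditional could check current_user_can() instead of the post type if you want the button to stay for editors but disappear for authors.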

  • Disable Theme Customizer Options
    Parent themes are usually modified as needed, and a child theme may not need any further changes, so it is not necessary to offer customization options for it. Clients may harm the theme's features through these options. The WordPress theme customizer API makes it easy to get rid of them by adding the following snippet to your theme's functions.php file.

    # Remove customizer options.

    function wpmania_remove_customizer_options( $wp_customize ) {
        // $wp_customize->remove_section( 'static_front_page' );
        // $wp_customize->remove_section( 'title_tagline' );
        $wp_customize->remove_section( 'colors' );
        $wp_customize->remove_section( 'header_image' );
        $wp_customize->remove_section( 'background_image' );
        // $wp_customize->remove_section( 'nav' );
        // $wp_customize->remove_section( 'themes' );
        // $wp_customize->remove_section( 'featured_content' );
        // $wp_customize->remove_panel( 'widgets' );
    }
    add_action( 'customize_register', 'wpmania_remove_customizer_options', 30 );

    Each line of the snippet corresponds to one customizer section or panel; uncomment a line to disable that section.

  • Hide Unused Dashboard Menu Items
    Every website has a different purpose; for example, the Posts menu item is unnecessary for a site without a blog. Unnecessary menu items only cause confusion, and you can remove them by adding the following snippet.

    function wpmania_custom_menu_page_removing() {
        // remove_menu_page( 'index.php' );                 // Dashboard
        // remove_menu_page( 'jetpack' );                   // Jetpack*
        remove_menu_page( 'edit.php' );                     // Posts
        remove_menu_page( 'upload.php' );                   // Media
        // remove_menu_page( 'edit.php?post_type=page' );   // Pages
        remove_menu_page( 'edit-comments.php' );            // Comments
        // remove_menu_page( 'themes.php' );                // Appearance
        // remove_menu_page( 'plugins.php' );               // Plugins
        // remove_menu_page( 'users.php' );                 // Users
        // remove_menu_page( 'tools.php' );                 // Tools
        // remove_menu_page( 'options-general.php' );       // Settings
    }
    add_action( 'admin_menu', 'wpmania_custom_menu_page_removing' );

    Each line relates to a specific menu in the dashboard. Removing a menu does not revoke the user's permission: the page can still be reached directly through its URL. If you simply don't want a cluttered dashboard, this is a good idea. But if your aim is to prevent users from getting access, you need to change the capabilities of the user's role instead. Add the following snippet to the activation hook of your plugin.

    function wpmania_remove_author_cap() {
        global $wp_roles; // global WP_Roles instance
        $role = 'author';
        $cap  = 'delete_published_posts';
        $wp_roles->remove_cap( $role, $cap );
    }
    // Role changes are saved to the database, so run this once on activation.
    register_activation_hook( __FILE__, 'wpmania_remove_author_cap' );
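    Because role changes are persisted in the database, a plugin that removes capabilities should also put them back when it is deactivated; otherwise the site is left in a state nobody can explain later. The following added example (not code from the original article) is a small stand-alone plugin that does both. The role and capability names are real WordPress defaults (authors have delete_published_posts and upload_files; editors on a single site have unfiltered_html, which allows them to post raw script markup); which ones to strip is this example's choice.

```php
<?php
/*
Plugin Name: WPMania Client Hardening (added example)
Description: Removes selected capabilities on activation and restores them on deactivation.
*/

// Added example. The mapping of role => capabilities to remove is our choice;
// all names are real WordPress defaults.
function wpmania_caps_to_strip() {
    return array(
        'author' => array( 'delete_published_posts', 'upload_files' ),
        'editor' => array( 'unfiltered_html' ), // no raw <script> in posts
    );
}

// Activation: remove the capabilities. get_role() returns null for a role
// that does not exist on this site, so guard against it.
function wpmania_harden_roles() {
    foreach ( wpmania_caps_to_strip() as $role_name => $caps ) {
        $role = get_role( $role_name );
        if ( ! $role ) {
            continue;
        }
        foreach ( $caps as $cap ) {
            $role->remove_cap( $cap ); // writes to the wp_user_roles option
        }
    }
}
register_activation_hook( __FILE__, 'wpmania_harden_roles' );

// Deactivation: give the capabilities back so the site returns to defaults.
function wpmania_restore_roles() {
    foreach ( wpmania_caps_to_strip() as $role_name => $caps ) {
        $role = get_role( $role_name );
        if ( ! $role ) {
            continue;
        }
        foreach ( $caps as $cap ) {
            $role->add_cap( $cap );
        }
    }
}
register_deactivation_hook( __FILE__, 'wpmania_restore_roles' );
```

    Once upload_files is gone, WordPress itself hides the Media menu and the Add Media button for authors, and a direct request to upload.php is refused with a permission error; that is the difference between hiding a menu and removing a right.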

  • Add A Hint About How Line Breaks Work In The Editor
    By default the visual editor creates a new paragraph when the user hits Enter. If you want a plain line break instead, you have to press Shift+Enter. This is a stylish and quite impressive way to work, but some of your clients may find it confusing, and there are many complaints about weird white space in a post or page as a result. You can add an effective snippet to your functions.php file; change the value of $tip to tell your authors about it.

    # Adds instruction text after the post title input
    function wpmania_edit_form_after_title() {
        $tip = 'TIP: To create a single line break use SHIFT+RETURN. By default, RETURN creates a new paragraph.';
        // Wrap the tip in a paragraph (the <p> wrapper is assumed) and escape it.
        echo '<p>' . esc_html( $tip ) . '</p>';
    }
    add_action( 'edit_form_after_title', 'wpmania_edit_form_after_title' );

    This is a nice way to leave a reminder for your clients so that they are careful while posting or managing content on the site.

  • Do Not Dole Out Administrator Accounts
    Great power comes with great responsibility. The administrator role is enormous: it has authorization to deal with everything in the theme and the site. Some of your clients may be competent enough to carry that responsibility, but many of them are less familiar with the interface and should not be given the full power of an administrator. In that situation assign them the editor role and create a separate account for the administrator. Until your clients are ready to manage their accounts themselves, don't hand over the credentials to them. Alternatively, you can give the clients the credentials and ask them to keep them safe and use them only when required. Experience shows that many clients will lose the credentials, but this is also good for you, because the same client will hire you to get them back and for routine maintenance. In any case you need to be careful with admin accounts, because they are where vulnerabilities and security issues concentrate.
  • Use mu-Plugins
    The mu-plugins directory is another suitable place for installing plugins, and fortunately many hackers have never heard of it. The one difference is that "mu" (must-use) plugins cannot be disabled and are active by default. They also load before ordinary plugins, so the most important plugins can be installed here. The mu-plugins directory has to be created manually inside wp-content:

    wp-content/
        mu-plugins/
        plugins/
        themes/
        ...

    There is one limitation: WordPress only loads the PHP files at the top level of mu-plugins and ignores code inside subdirectories. You can handle this by creating a single PHP file at the top level of mu-plugins that loads the rest. So mu-plugins can be a safe place for code that authors cannot reach.
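    The loader file described above, as an added example that is not from the original article. It lives directly in mu-plugins, so WordPress picks it up automatically, and it requires every PHP file from one subdirectory in a fixed order. WPMU_PLUGIN_DIR is a real WordPress constant; the subdirectory name client-hardening is this example's choice.

```php
<?php
/*
 * wp-content/mu-plugins/00-loader.php  (added example)
 *
 * WordPress auto-loads only the PHP files sitting directly in mu-plugins/.
 * This single top-level file pulls in everything under one subdirectory so
 * the hardening snippets from this article can be kept as separate files
 * that no dashboard user can deactivate or edit.
 */

$wpmania_mu_dir = WPMU_PLUGIN_DIR . '/client-hardening'; // subdirectory name assumed

if ( is_dir( $wpmania_mu_dir ) ) {
    $wpmania_files = glob( $wpmania_mu_dir . '/*.php' );

    if ( $wpmania_files ) {
        // Sort so the load order is deterministic; number the files
        // (10-editor.php, 20-menus.php, ...) if one depends on another.
        sort( $wpmania_files );

        foreach ( $wpmania_files as $wpmania_file ) {
            require_once $wpmania_file;
        }
    }
}

// Avoid leaking loop variables into the global scope shared with other plugins.
unset( $wpmania_mu_dir, $wpmania_files, $wpmania_file );
```

    One caveat: activation and deactivation hooks never fire for must-use plugins, because they are never "activated". Code that changes roles or options once, like the capability snippet earlier in this article, belongs in an ordinary plugin, or must guard itself with an option so it does not run on every request.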

Final Note

You might not agree with disabling default WordPress functionality, but the reality is that having too many editing buttons will not bring you much profit, and it can be a source of pain if your clients play with them without understanding them. Your task is to deliver a professional website with robust functionality while focusing on your client's requirements. Disabling unnecessary and sensitive functionality therefore lets you be more professional.