One way to protect a WordPress website is to disable the theme and plugin editor, so that if the website is hacked, the hackers won't be able to edit your themes and plugins.
Before you disable the theme and plugin editor, you can edit theme and plugin files as soon as you log in to the dashboard.
This is really dangerous because hackers can inject subtle, malicious code into your themes and plugins.
To disable the theme and plugin editor, add the following line to the wp-config.php file.
define( 'DISALLOW_FILE_EDIT', true );
Some people also suggest preventing people from adding and removing plugins, but I found that this feature is not really user friendly, because every time I need to add or remove plugins, I have to remove that line from wp-config.php. So I think that disabling the theme and plugin editor is sufficient!
define( 'DISALLOW_FILE_MODS', true );
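
An added example, not part of the original post: a small Python check that reads wp-config.php source and reports whether the two constants above are really in effect. It flags defines that are commented out or that were pasted with typographic quotes, in which case PHP does not define the intended constant. The sample config text and the function names are constructed for illustration.

```python
import re
import sys

CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")  # the two constants from the post
CURLY = "\u2018\u2019\u201c\u201d"  # typographic quotes that web pages substitute for ' and "

# Strings are matched first so that //, # or /* inside a salt or URL is not taken for a comment.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
DEFINE = re.compile(
    rf"define\s*\(\s*(?P<q>['\"{CURLY}])(?P<name>\w+)['\"{CURLY}]\s*,\s*(?P<value>[^)]*?)\s*\)",
    re.I,
)

def strip_php_comments(src):
    """Drop PHP comments and leave quoted strings untouched."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in "'\"" else "", src)

def audit(src):
    """Return {constant: 'enabled' | 'disabled' | 'curly-quotes' | 'missing'}."""
    status = {name: "missing" for name in CONSTANTS}
    for m in DEFINE.finditer(strip_php_comments(src)):
        name = m.group("name")
        if status.get(name) not in ("missing", "curly-quotes"):
            continue  # not one of ours, or already defined (PHP keeps the first define)
        if m.group("q") in CURLY:
            status[name] = "curly-quotes"  # the intended constant is never defined
        elif m.group("value").lower() in ("true", "1"):
            status[name] = "enabled"
        else:
            status[name] = "disabled"
    return status

# Constructed sample: one define is commented out, the other was pasted with curly quotes.
SAMPLE = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY', 'x//y#z/*' );
// define( 'DISALLOW_FILE_MODS', true );
define( \u2018DISALLOW_FILE_EDIT\u2019, true );
/* That's all, stop editing! */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    # Pass the path to a real wp-config.php, or run without arguments to audit SAMPLE.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for constant, state in audit(text).items():
        print(f"{constant}: {state}")
```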