WordPress allows developers to limit the availability of plugin, theme and configuration access for backend users in two ways; via the theme functions file or via user roles. Both have pros/cons.
We recently logged into a WordPress site for a client to evaluate the work done by the original developer and the general health of the site. We discovered that the login given to us did not give us access to plugins, theme files or other capabilities in the WordPress dashboard.
Our initial thought was that the login was that of an “editor” or “author” versus an “administrator.” However, we soon discovered the login was for an administrator role and that functionality was removed in the theme functions.
Because the client had no FTP access and because there was no access to the theme editor in WordPress, we could not enable these items and could not make adjustments, install new plugins or perform necessary updates.
Developers might do this to simplify the WordPress dashboard for client users who are focused on content and page editing and to ensure these users are not able to inadvertently make changes that could disrupt site functionality. However, unless given FTP access, not even a skilled WordPress user could make necessary or desired changes.
A better way to limit access to plugins and theme files is to create users with different roles, such as editor or author. These users, unlike administrators, have limited access to features in the WordPress dashboard.
For additional control, or to create custom roles, we’d recommend a plugin such as User Role Editor or Advanced Access Manager. These allow full access of the WordPress dashboard to those with an administrator role while limiting access to other users.