If for some reason you wish to limit the
damage which may be done to a WordPress installation, you can quickly & easily disable a variety of powerful admin panel features by copying these one-liners into Thesis‘
The one time my blog admin account was compromised, the cracker used WordPress’ built-in file editors to insert spam links throughout my site. Disabling those editors or the ability to add/delete plugins and themes from with WordPress is a great way to keep sites secure, whether you’re leaving yours unattended for an extended period or you simply want to prevent the blogger themselves from breaking something.
Disable Theme/Plugin Editors
define( 'DISALLOW_FILE_EDIT', true );
Once you have your theme set up the way you want, you may find it to be a good idea to leave this snippet enabled all the time, for that added peace of mind. When enabled, malicious users would need to break into your host or your FTP account in order to modify files.
Disable Update/Delete/Install Abilities
define( 'DISALLOW_FILE_MODS', true );
This snippet disallows the following capabilities: update_plugins, delete_plugins, install_plugins, update_themes, delete_themes, install_themes, update_core. (What do these capabilities control?) The Thesis admin panel will also be disallowed.
Should you decide to leave this snippet active on your site, be sure to disable it at least once a week for a couple hours to ensure that available updates show up in your dashboard.