After days of hair pulling, here is the solution.
I followed WP codex guideline to make it more secured :
Disable File Editing
The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login, since it allows code execution. WordPress has a constant to disable editing from Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:
define(‘DISALLOW_FILE_EDIT’, true);
This also blocked the theme itself to access it’s options, and gave me the error :”You do not have sufficient permissions to access this page.” .
Nicolas
