In this text and video Quick Guide, we describe how to disable all kinds of file editing within the WordPress admin area (also known as wp-admin).
What File Editing in the WordPress Admin Area Is, and Why to Disable It
By default, the WordPress admin area includes two file editors: an editor for theme files at Appearance > Theme Editor, and an editor for plugin files at Plugins > Plugin Editor. Both of these tools come with warnings; for example, the Plugin Editor reads “Warning: Making changes to active plugins is not recommended” near the “Update” button.
These warnings are a first step, but there's still a strong security case for disabling file editing on a WordPress site. If an attacker gets access to an "Administrator" account on your WordPress site, and a file editor is available, it's trivially easy for that attacker to write malicious PHP (a backdoor, for example) into a plugin or theme file. Because those files are executed by the web server, the attacker's code then runs on your server with the same privileges as WordPress itself.
How to Disable File Editing in the WordPress Admin Area
So a lot of people, myself included, think there’s benefit to turning off these editors. For that reason, it’s one of many things I cover in WordPress Security with Confidence. I’ve decided to use the video direct from the first version of the course in this Quick Guide.
Here's the simplest way to turn off file-editing in the WordPress admin area, using the DISALLOW_FILE_EDIT constant:
And here’s our text guide to the same information:
Step-by-Step Guide to Disallowing File Editing in the WordPress Dashboard
- You'll need a text editor, and access to your wp-config.php file.
- Open up your wp-config.php file in a text editor.
- Anywhere above the line in that file that says /* That's all, stop editing! Happy blogging. */ (newer installs say "Happy publishing."), add the line define( 'DISALLOW_FILE_EDIT', true ); What matters is that the define() runs before the require_once ABSPATH . 'wp-settings.php'; line that follows the marker, because that is where WordPress boots and reads the constant.
- Save the file.
- Check your WordPress dashboard: you should no longer see the "Appearance > Theme Editor" and "Plugins > Plugin Editor" links, even on an Administrator account, and loading wp-admin/theme-editor.php or wp-admin/plugin-editor.php directly is refused as well.
That should do it! Use SFTP or another method outside the dashboard to do your file editing in WordPress. One caveat: DISALLOW_FILE_EDIT only removes the built-in editors. An Administrator can still upload a plugin (including a file-manager plugin) via Plugins > Add New, so if you want to block plugin and theme installs and updates from the dashboard too, define DISALLOW_FILE_MODS as true instead; it disables the file editors as well.
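Because WordPress silently ignores a define() that is placed too late or commented out, it is worth checking the file rather than trusting that the edit "took". The following shell script is an added example and not part of the original guide or of WordPress itself: it inspects a wp-config.php, keeps only the part above the wp-settings.php require, ignores lines commented out with // or #, and reports whether DISALLOW_FILE_EDIT (or DISALLOW_FILE_MODS, which also disables the editors) is defined as true. The sample config files it writes are constructed for the demonstration; the path /var/www/html/wp-config.php in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that wp-config.php
# disables the dashboard file editors in a place WordPress will honour,
# i.e. before "require_once ABSPATH . 'wp-settings.php';".
# Usage: sh check_file_edit.sh /var/www/html/wp-config.php   (path is an assumption)

# Return 0 if constant $2 is defined true in $1 before wp-settings.php loads.
config_defines_true() {
    cfg="$1"
    name="$2"
    # Keep lines up to and including the wp-settings.php require; a define()
    # after that line is never seen during boot. (If the require is missing,
    # the whole file is scanned.)
    head_part=$(sed '/wp-settings\.php/q' "$cfg")
    # Drop lines commented out with // or # (block comments /* ... */ are not
    # handled by this simple check), then match define('NAME', true) with
    # either quote style and any amount of whitespace.
    printf '%s\n' "$head_part" \
        | grep -Ev '^[[:space:]]*(//|#)' \
        | grep -Eq "define[[:space:]]*\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Exit status: 0 = editors disabled, 1 = not disabled (or set too late), 2 = unreadable.
check_file_editing_disabled() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    config_defines_true "$1" DISALLOW_FILE_EDIT && return 0
    config_defines_true "$1" DISALLOW_FILE_MODS && return 0
    return 1
}

# Constructed sample configs (not real site files) to exercise the check.
# $1 = output path, $2 = variant: good | mods | missing | too_late | commented
write_sample_config() {
    out="$1"
    variant="$2"
    {
        printf '%s\n' "<?php" "define( 'DB_NAME', 'example_db' );" "define( 'WP_DEBUG', false );"
        if [ "$variant" = good ]; then
            echo "define( 'DISALLOW_FILE_EDIT', true );"
        elif [ "$variant" = mods ]; then
            echo "define('DISALLOW_FILE_MODS', true);"
        elif [ "$variant" = commented ]; then
            echo "// define( 'DISALLOW_FILE_EDIT', true );"
        fi
        printf '%s\n' "/* That's all, stop editing! Happy publishing. */" \
            "if ( ! defined( 'ABSPATH' ) ) {" \
            "    define( 'ABSPATH', __DIR__ . '/' );" \
            "}" \
            "require_once ABSPATH . 'wp-settings.php';"
        if [ "$variant" = too_late ]; then
            # Placed after WordPress has already booted: has no effect.
            echo "define( 'DISALLOW_FILE_EDIT', true );"
        fi
    } > "$out"
}

# Run directly against a real file when a path is given.
if [ $# -gt 0 ]; then
    if check_file_editing_disabled "$1"; then
        echo "OK: file editing is disabled in $1"
    else
        echo "NOT DISABLED: no effective DISALLOW_FILE_EDIT/DISALLOW_FILE_MODS in $1"
    fi
fi
```

Run it over the server's real wp-config.php after the edit (for example over SSH); a "NOT DISABLED" result for a file you believe you edited almost always means the define() landed below the wp-settings.php line or inside a comment.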
More on WordPress Security
If you want the front-to-back take on WordPress security—and to know, not just hope, that your sites and code are secure—view our comprehensive course on the topic, WordPress Security with Confidence. And for a more thorough introduction to the topic, see our article:
Thanks for reading!
Hi
How do I check I have done this correctly other than just checking the site loads!
B
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
To ensure the correct implementation of the code on your WordPress website, there are a few steps you can take:
Check the wp-config.php file: Open the wp-config.php file in a text editor. Look for the following lines of code:
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
(make sure these lines are present and have not been modified)
To access the wp-config.php file through FTP or SFTP, follow these steps: If you’re unable to access the wp-config.php file directly in your WordPress dashboard, you can utilize File Transfer Protocol (FTP) or the more secure “Secure File Transfer Protocol (SFTP)” to establish a connection with your website’s server and access the wp-config.php file. Once you successfully open the file, make sure to locate the two lines of code mentioned earlier and verify their presence and integrity.
To display detailed PHP configuration information, use the phpinfo() function. It provides the current values of various PHP variables, such as WP_DEBUG and DISALLOW_FILE_EDIT.
To use the phpinfo() function, create a new PHP file and add the following code:
https://themeisle.com/blog/wordpress-backup-plugins-compared/
(I use the All in One WP Migration plugin, but there are also other plugins listed above)
I think if a hacker installs a file manager plugin and can edit files, then this method is not working!
Except that code snippet will likely run well after wp-config.php, and the setting for DISALLOW_FILE_EDIT may already be made.
You cannot define the same constant twice.
DAVID
If I add “define(‘DISALLOW_FILE_EDIT’, true);” to the Code Snippet plugin, will it have the same effect?
Thanks in advance!
NEAL
I don’t generally use plugins like that, and don’t know that one specifically. But I can’t think of a reason it wouldn’t have the same effect 🙂