
How to Disable File Editing in the Admin Area of WordPress

In this text and video Quick Guide, we describe how to disable all kinds of file editing within the WordPress admin area (also known as wp-admin).

What File Editing in the WordPress Admin Area Is, and Why to Disable It

By default, the WordPress admin area includes two file editors: an editor for theme files at Appearance > Theme Editor, and an editor for plugin files at Plugins > Plugin Editor. Both of these tools come with warnings; for example, the Plugin Editor reads “Warning: Making changes to active plugins is not recommended” near the “Update” button.

These warnings are a first step, but there’s still a strong security case for disabling file editing on a WordPress site. If an attacker gets access to an “Administrator” account on your WordPress site, and if a file editor is available, then it’s trivially easy for that attacker to add malicious code to a plugin or theme.

How to Disable File Editing in the WordPress Admin Area

So a lot of people, myself included, think there’s benefit to turning off these editors. For that reason, it’s one of many things I cover in WordPress Security with Confidence. I’ve decided to use the video direct from the first version of the course in this Quick Guide.

Here’s the simplest way to turn off file-editing in the WordPress admin area, using the DISALLOW_FILE_EDIT constant:

And here’s our text guide to the same information:

Step-by-Step Guide to Disallowing File Editing in the WordPress Dashboard

  1. You’ll need a text editor, and access to your wp-config.php file.
  2. Open up your wp-config.php file in a text editor.
  3. Anywhere above the line in that file that says /* That's all, stop editing! Happy blogging. */, add the line define( 'DISALLOW_FILE_EDIT', true );.
  4. Save the file.
  5. Check your WordPress dashboard: you should no longer see the links at “Appearance > Editor” and “Plugins > Editor”, even on an Administrator account.

That should do it! Use FTP or another solution to do your file editing in WordPress.
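A static check of steps 3 and 4, as an added example that is not part of the original article: it reads a wp-config.php and reports the mistakes that leave the editors enabled (the line commented out, pasted with curly quotes, set to something other than true, or placed below the "stop editing" line). The names `audit` and `is_commented` are illustrative, the sample files are constructed, and the `wp-settings.php` require is assumed to be the usual last line of wp-config.php.

```python
import re
import sys

# define( 'DISALLOW_FILE_EDIT', <value> ); with straight or pasted "smart" quotes.
DEFINE_RE = re.compile(
    r"define\s*\(\s*(['\"‘’“”])DISALLOW_FILE_EDIT(['\"‘’“”])\s*,\s*([^)]*?)\s*\)\s*;")
# The guide's marker comment, or the require that hands control to WordPress.
CUTOFF_RE = re.compile(r"stop editing!|require(?:_once)?\b[^;\n]*wp-settings\.php")

def is_commented(text, pos):
    """True if offset pos is behind // or # on its line, or inside /* ... */."""
    prefix = text[text.rfind("\n", 0, pos) + 1:pos]
    if "//" in prefix or "#" in prefix:
        return True
    return text.rfind("/*", 0, pos) > text.rfind("*/", 0, pos)

def audit(text):
    """Return (ok, problems) for the contents of a wp-config.php file."""
    cut = CUTOFF_RE.search(text)
    end = cut.start() if cut else len(text)
    active = [m for m in DEFINE_RE.finditer(text) if not is_commented(text, m.start())]
    if not active:
        return False, ["no active define for DISALLOW_FILE_EDIT"]
    first, problems = active[0], []
    if len(active) > 1:
        problems.append("defined more than once; only the first define takes effect")
    if first.group(1) not in "'\"" or first.group(2) not in "'\"":
        problems.append("curly quotes around the constant name; retype them as straight quotes")
    if first.group(3).lower() != "true":
        problems.append("value is %r, not true" % first.group(3))
    if first.start() > end:
        problems.append("define sits below the stop-editing line")
    return not problems, problems

# Constructed sample files (not taken from a real site).
LINE = "define( 'DISALLOW_FILE_EDIT', true );\n"
GOOD = ("<?php\ndefine( 'WP_DEBUG', false );\n" + LINE +
        "/* That's all, stop editing! Happy blogging. */\n"
        "require_once ABSPATH . 'wp-settings.php';\n")
SAMPLES = {
    "good": GOOD,
    "curly": GOOD.replace("'DISALLOW_FILE_EDIT'", "‘DISALLOW_FILE_EDIT’"),
    "commented": GOOD.replace(LINE, "// " + LINE),
    "late": GOOD.replace(LINE, "") + LINE,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: python check.py /path/to/wp-config.php
        SAMPLES = {sys.argv[1]: open(sys.argv[1], encoding="utf-8").read()}
    for name, text in SAMPLES.items():
        print(name, audit(text))
```

A passing result covers the file only; the dashboard check in step 5 confirms the running site.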

More on WordPress Security

If you want the front-to-back take on WordPress security—and to know, not just hope, that your sites and code are secure—view our comprehensive course on the topic, WordPress Security with Confidence. And for a more thorough introduction to the topic, see our article:

The Complete Guide to WordPress Security

Thanks for reading!

David Hayes

December 8, 2023 2:34 am

How do I check I have done this correctly other than just checking the site loads!

define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */

Ivica Delic
January 10, 2024 2:22 am
Reply to  Ben

To ensure the correct implementation of the code on your WordPress website, there are a few steps you can take:

Check the wp-config.php file: Open the wp-config.php file in a text editor. Look for the following lines of code:
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );

(make sure these lines are present and have not been modified)

To access the wp-config.php file through FTP or SFTP, follow these steps: If you’re unable to access the wp-config.php file directly in your WordPress dashboard, you can utilize File Transfer Protocol (FTP) or the more secure “Secure File Transfer Protocol (SFTP)” to establish a connection with your website’s server and access the wp-config.php file. Once you successfully open the file, make sure to locate the two lines of code mentioned earlier and verify their presence and integrity.

To display detailed PHP configuration information, use the phpinfo() function. It provides the current values of various PHP variables, such as WP_DEBUG and DISALLOW_FILE_EDIT.

To use the phpinfo() function, create a new PHP file and add the following code:
(I use All in one WP migration plugin, but you have also other plugins listed above)

Last edited 4 months ago by Bill Widmer
March 6, 2020 10:26 pm

I think if a hacker installs a plugin manager file and can edit, then this method is not working!

Thomas Tremain
September 4, 2018 12:44 am

Except that code snippet will likely run well after wp-config.php, and the setting for DISALLOW_FILE_EDIT may already be made.

You cannot define the same constant twice.

Neal Umphred
August 29, 2018 10:31 am


If I add “define('DISALLOW_FILE_EDIT', true);” to the Code Snippet plugin, will it have the same effect?

Thanks in advance!

