How to Disable File Editing in the Admin Area of WordPress

In this text and video Quick Guide, we describe how to disable all kinds of file editing within the WordPress admin area (also known as wp-admin).

What File Editing in the WordPress Admin Area Is, and Why to Disable It

By default, the WordPress admin area includes two file editors: an editor for theme files at Appearance > Theme Editor, and an editor for plugin files at Plugins > Plugin Editor. Both of these tools come with warnings; for example, the Plugin Editor reads “Warning: Making changes to active plugins is not recommended” near the “Update” button.

These warnings are a first step, but there’s still a strong security case for disabling file editing on a WordPress site. If an attacker gets access to an “Administrator” account on your WordPress site, and if a file editor is available, then it’s trivially easy for that attacker to change a plugin or theme with malicious code.

How to Disable File Editing in the WordPress Admin Area

So a lot of people, myself included, think there’s benefit to turning off these editors. For that reason, it’s one of many things I cover in WordPress Security with Confidence. I’ve decided to use the video direct from the first version of the course in this Quick Guide.

Here’s the simplest way to turn off file-editing in the WordPress admin area, using the DISALLOW_FILE_EDIT constant:

And here’s our text guide to the same information:

Step-by-Step Guide to Disallowing File Editing in the WordPress Dashboard

  1. You’ll need a text editor, and access to your wp-config.php file.
  2. Open up your wp-config.php file in a text editor.
  3. Anywhere above the line in that file that says /* That's all, stop editing! Happy blogging. */, add the line define( 'DISALLOW_FILE_EDIT', true );.
  4. Save the file.
  5. Check your WordPress dashboard: even on an Administrator account, you should no longer see the links at “Appearance > Editor” and “Plugins > Editor”.

That should do it! Use FTP or another solution to do your file editing in WordPress.
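As an added example that is not part of the original guide, here is a small Python script that checks a wp-config.php for the DISALLOW_FILE_EDIT constant and, only if it is missing, inserts it above the “That's all, stop editing!” marker. It never adds a second define (PHP rejects redefining a constant), and it flags the two common mistakes: the constant set to false, and typographic quotes pasted from a web page. The sample config text is constructed for the demonstration.

```python
import re

# define( 'DISALLOW_FILE_EDIT', <true|false> ); in either quote style, any
# whitespace, any case, so hand-edited configs are still recognised.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.IGNORECASE,
)
# Typographic quotes (common after copy-pasting from a web page) are a PHP
# parse error, not a working define.
SMART_QUOTE_RE = re.compile(r"define\(\s*[\u2018\u2019\u201c\u201d]DISALLOW_FILE_EDIT")
# WordPress has shipped both "Happy blogging." and "Happy publishing." here.
MARKER_RE = re.compile(r"^[ \t]*/\*\s*That's all, stop editing!", re.MULTILINE)
DEFINE_LINE = "define( 'DISALLOW_FILE_EDIT', true );\n"

def ensure_disallow_file_edit(config_text: str) -> tuple[str, str]:
    """Return (new_text, status) for the contents of a wp-config.php.
    status: 'already_set'  -> defined true, text unchanged
            'set_to_false' -> defined false, left for the operator to review
            'smart_quotes' -> defined with typographic quotes, will not parse
            'inserted'     -> was missing, added above the marker line
            'no_marker'    -> no "stop editing" line found, nothing changed
    PHP refuses to define a constant twice, so a second copy is never added.
    """
    m = DEFINE_RE.search(config_text)
    if m:
        ok = m.group(1).lower() == "true"
        return config_text, "already_set" if ok else "set_to_false"
    if SMART_QUOTE_RE.search(config_text):
        return config_text, "smart_quotes"
    marker = MARKER_RE.search(config_text)
    if not marker:
        return config_text, "no_marker"
    pos = marker.start()
    return config_text[:pos] + DEFINE_LINE + config_text[pos:], "inserted"

# Constructed sample wp-config.php fragment, not taken from any real site.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    new_text, status = ensure_disallow_file_edit(SAMPLE_CONFIG)
    print(status)        # inserted
    print(new_text)
```

On a live site you can confirm the effective value with WP-CLI (`wp config get DISALLOW_FILE_EDIT`) in addition to checking that the editor menu entries are gone.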

More on WordPress Security

If you want the front-to-back take on WordPress security—and to know, not just hope, that your sites and code are secure—view our comprehensive course on the topic, WordPress Security with Confidence. And for a more thorough introduction to the topic, see our article:

The Complete Guide to WordPress Security

Thanks for reading!


6 Comments
Ben
December 8, 2023 2:34 am

Hi
How do I check I have done this correctly other than just checking the site loads!
B

define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */

Ivica Delic
January 10, 2024 2:22 am
Reply to  Ben

To ensure the correct implementation of the code on your WordPress website, there are a few steps you can take:

Check the wp-config.php file: Open the wp-config.php file in a text editor. Look for the following lines of code:
PHP
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );

(make sure these lines are present and have not been modified)

To access the wp-config.php file through FTP or SFTP, follow these steps: If you’re unable to access the wp-config.php file directly in your WordPress dashboard, you can utilize File Transfer Protocol (FTP) or the more secure “Secure File Transfer Protocol (SFTP)” to establish a connection with your website’s server and access the wp-config.php file. Once you successfully open the file, make sure to locate the two lines of code mentioned earlier and verify their presence and integrity.

To display detailed PHP configuration information, use the phpinfo() function. It provides the current values of various PHP variables, such as WP_DEBUG and DISALLOW_FILE_EDIT.

To use the phpinfo() function, create a new PHP file and add the following code:

https://themeisle.com/blog/wordpress-backup-plugins-compared/
(I use All in one WP migration plugin, but you have also other plugins listed above)

Richard
March 6, 2020 10:26 pm

I think if a hacker installs a plugin manager file and can edit, then this method is not working!

Thomas Tremain
September 4, 2018 12:44 am

Except that code snippet will likely run well after wp-config.php, and the setting for DISALLOW_FILE_EDIT may already be made.

You cannot define the same constant twice.

Neal Umphred
August 29, 2018 10:31 am

DAVID

If I add “define('DISALLOW_FILE_EDIT', true);” to the Code Snippet plugin, will it have the same effect?

Thanks in advance!

NEAL