How to Disable File Editing in the Admin Area of WordPress
In this text and video Quick Guide, we describe how to disable all kinds of file editing within the WordPress admin area (also known as
What File Editing in the WordPress Admin Area Is, and Why to Disable It
By default, the WordPress admin area includes two file editors: an editor for theme files at Appearance > Theme Editor, and an editor for plugin files at Plugins > Plugin Editor. Both of these tools come with warnings; for example, the Plugin Editor reads “Warning: Making changes to active plugins is not recommended” near the “Update” button.
These warnings are a first step, but there’s still a strong security case for disabling file editing on a WordPress site. If an attacker gets access to an “Administrator” account on your WordPress site, and if a file editor is available, then it’s trivially easy for that attacker to change a plugin or theme with malicious code.
How to Disable File Editing in the WordPress Admin Area
So a lot of people, myself included, think there’s benefit to turning off these editors. For that reason, it’s one of many things I cover in WordPress Security with Confidence. I’ve decided to use the video direct from the first version of the course in this Quick Guide.
Here’s the simplest way to turn off file-editing in the WordPress admin area, using the
And here’s our text guide to the same information:
Step-by-Step Guide to Disallowing File Editing in the WordPress Dashboard
- You’ll need a text editor, and access to your
- Open up your
wp-config.phpfile in a text editor.
- Anywhere above the line in that file that says
/* That's all, stop editing! Happy blogging. */, add the line
define( 'DISALLOW_FILE_EDIT', true );.
- Save the file.
- Check your WordPress dashboard, you should no longer see (even on an Administrator account), the links at “Appearance > Editor” and “Plugins > Editor”.
that should do it! Use FTP or another solution to do your file editing in WordPress.
More on WordPress Security
If you want the front-to-back take on WordPress security—and to know, not just hope, that your sites and code are secure—view our comprehensive course on the topic, WordPress Security with Confidence. And for a more thorough introduction to the topic, see our article:
Thanks for reading!
Add a Comment