How to Disable File Editing in the Admin Area of WordPress

With WordPress 4.9, you now get a warning when you’re about to make a change in the file editors in the WordPress back-end. (For those not following, I’m talking about the editor that you can find at Appearance > Editor, or Plugins > Editor on most WordPress sites.) This is a great first step, and it does end one of the arguments for disallowing editing of files in the WordPress admin side of the site. That is: people won’t know that they could break their site when they make changes on those pages.

If we ignore that a lot of people ignore pop-ups that tell them things and seem to block their view (which is a real thing, like it or not), we still have the security case for disabling file editing on a WordPress site. That case: if an attacker gets access to an “Administrator” account on your WordPress site and the editor is available, it’s trivially easy for that attacker to change a plugin or theme to include malicious code.

So a lot of people, myself included, think there’s benefit to turning off these editors. For that reason, it’s one of many things I cover in WordPress Security with Confidence. I’ve decided to use the video directly from the first version of the course in this Quick Guide. Here’s how to turn off file editing in the WordPress admin area:

And if you prefer text:

Step-by-Step Guide to Disallowing File Editing in the WordPress Dashboard

  1. You’ll need a text editor, and access to your wp-config.php file.
  2. Open up your wp-config.php file in a text editor.
  3. Anywhere above the line in that file that says /* That's all, stop editing! Happy blogging. */, add the line define( 'DISALLOW_FILE_EDIT', true );.
  4. Save the file.
  5. Check your WordPress dashboard: you should no longer see the links at “Appearance > Editor” and “Plugins > Editor”, even on an Administrator account.
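The same change, done from a shell instead of a text editor, as an added example (this is not from the original post or from WordPress itself). It inserts the define directly above the “That's all, stop editing!” marker, refuses to run if the marker is missing, and is idempotent, so running it twice does not add the constant twice. The sample wp-config.php contents are constructed for the example; point disable_file_edit at a real file to use it.

```bash
#!/bin/sh
# Added example: idempotently set DISALLOW_FILE_EDIT in a wp-config.php file.

# Constructed sample wp-config.php for offline testing (not a real site's file).
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Returns 0 if the file already defines DISALLOW_FILE_EDIT as true.
file_edit_disabled() {
  grep -Eq "^[[:space:]]*define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Insert the define just above the "stop editing" marker line.
# Matching on the marker's prefix keeps this working whether the file says
# "Happy blogging." (as quoted in the post) or a later wording.
disable_file_edit() {
  cfg="$1"
  marker="/* That's all, stop editing!"
  if file_edit_disabled "$cfg"; then
    return 0                      # nothing to do
  fi
  if ! grep -qF "$marker" "$cfg"; then
    echo "marker line not found in $cfg; refusing to guess an insert point" >&2
    return 1
  fi
  tmp="$cfg.tmp"
  awk -v marker="$marker" -v line="define( 'DISALLOW_FILE_EDIT', true );" '
    !done && index($0, marker) == 1 { print line; done = 1 }   # emit define first
    { print }                                                  # then the original line
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage: ./disable-file-edit.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
  disable_file_edit "$1" && echo "DISALLOW_FILE_EDIT is set in $1"
fi
```

Because the define must be read before wp-settings.php is loaded, placing it anywhere above the marker is what makes it take effect; appending it to the end of the file would be silently ignored. A related constant that is not on this page, DISALLOW_FILE_MODS, goes further and also blocks plugin and theme installs and updates from the dashboard, so it carries an operational cost that DISALLOW_FILE_EDIT alone does not.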
