How to Disable File Editing in the Admin Area of WordPress
With WordPress 4.9, you now get a warning when you’re about to make a change in the file editors in the WordPress back-end. (For those not following, I’m talking about the editor that you can find at Appearance > Editor, or Plugins > Editor on most WordPress sites.) This is a great first step, and it does end one of the arguments for disallowing editing of files in the WordPress admin side of the site. That is: people won’t know that they could break their site when they make changes on those pages.
If we ignore that a lot of people ignore pop-ups that tell them things and seem to block their view (which is a real thing, like it or not), we still have the security case for disabling file editing on a WordPress site. That case: if an attacker gets access to an “Administrator” account on your WordPress site and the editor is available, it’s trivially easy for that attacker to change a plugin or theme to include malicious code.
So a lot of people, myself included, think there’s benefit to turning off these editors. For that reason, it’s one of many things I cover in WordPress Security with Confidence. I’ve decided to use the video direct from the first version of the course in this Quick Guide. Here’s how to turn off file editing in the WordPress admin area:
And if you prefer text:
Step-by-Step Guide to Disallowing File Editing in the WordPress Dashboard
- You’ll need a text editor, and access to your wp-config.php file.
- Open up your wp-config.php file in a text editor.
- Anywhere above the line in that file that says /* That's all, stop editing! Happy blogging. */, add the line define( 'DISALLOW_FILE_EDIT', true );.
- Save the file.
- Check your WordPress dashboard: even on an Administrator account, you should no longer see the links at “Appearance > Editor” and “Plugins > Editor”.
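As an added example (this is not code from the original post), here is a small POSIX shell audit that checks whether a wp-config.php contains define( 'DISALLOW_FILE_EDIT', true ) and that the define sits above the "That's all, stop editing!" marker, which is where the steps above say to put it. The three sample config files it writes are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Audit a wp-config.php: is DISALLOW_FILE_EDIT defined to true, and is the
# define placed above the "That's all, stop editing!" marker as the guide
# (and the comment in wp-config.php itself) instructs? A define below the
# marker is reported as misplaced.

# Returns 0 when the constant is defined to true above the marker, 1 otherwise.
# $1 is the path to the wp-config.php to inspect.
check_disallow_file_edit() {
    file="$1"
    # Line number of the first marker occurrence; empty if there is none.
    marker=$(grep -n "That's all, stop editing" "$file" | head -n1 | cut -d: -f1)
    # Line number of an uncommented define with a true value; allows the
    # spacing used in the guide and either quote style around the name.
    define=$(grep -nE "^[[:space:]]*define\([[:space:]]*[\"']DISALLOW_FILE_EDIT[\"'][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$file" | head -n1 | cut -d: -f1)
    [ -n "$define" ] || return 1
    # No marker at all: any true define counts.
    [ -z "$marker" ] && return 0
    [ "$define" -lt "$marker" ]
}

# Constructed sample configs (written to a temp dir); prints the dir path.
make_samples() {
    dir=$(mktemp -d)
    # Hardened: define placed above the marker, as the post instructs.
    cat > "$dir/good.php" <<'EOF'
<?php
define( 'DB_NAME', 'example' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
    # Default: no define, so the theme and plugin editors stay enabled.
    cat > "$dir/missing.php" <<'EOF'
<?php
define( 'DB_NAME', 'example' );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
    # Misplaced: define added below the marker.
    cat > "$dir/late.php" <<'EOF'
<?php
define( 'DB_NAME', 'example' );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
define( 'DISALLOW_FILE_EDIT', true );
EOF
    echo "$dir"
}

# Stand-alone demonstration over the constructed samples.
samples=$(make_samples)
for f in good missing late; do
    if check_disallow_file_edit "$samples/$f.php"; then
        echo "$f.php: DISALLOW_FILE_EDIT is set above the marker"
    else
        echo "$f.php: editors NOT disabled (define missing or misplaced)"
    fi
done
rm -r "$samples"
```

Point the function at a real wp-config.php (for example, check_disallow_file_edit /var/www/html/wp-config.php) to confirm the change from the steps above took; a commented-out define is deliberately not counted, since it has no effect.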