One of the simplest ways to increase your WordPress site security is to block WordPress users’ ability to edit files from within the dashboard.
Assuming you have a default WordPress installation, if you look under the Plugins and Themes menu, you’ll see a link to ‘Editor’. This lets you edit the code that executes on your site, directly from within the WordPress administrator dashboard.
For most cases this is completely unnecessary, and in this article I’ll show you how to turn it off.
How to disallow file editing within WordPress
There are a couple of ways to achieve this.
- You can directly edit one of the WordPress core files: wp-config.php
- You can use a security plugin to disable it
- You can use iControlWP to disable it
Each has their advantages and I’ll cover each of them in turn.
Option 1: Directly edit WordPress wp-config.php
Using this approach means that to turn this option off, even temporarily, you must repeat the steps below which can be a little cumbersome. You must also be familiar with PHP and ensure you use the correct syntax or you’ll knock your website offline.
- Locate and make a backup of your wp-config.php file.
- Open up your wp-config.php file for editing (you may have to download a copy to your local computer)
- Search for the text: DISALLOW_FILE_EDIT
- If you find the text, it will look something like:
define( 'DISALLOW_FILE_EDIT', true );
- If the value for this define is true or 1, you can leave it as it is; you’re done.
- If the value is not true, or this text does not exist, find a place in the file (not at the end – A good place to do it is to look for WP_DEBUG and add it immediately after this line) and copy the text above into a new line. Make sure and give it a new line all to itself and copy it exactly as it is written.
- Save the new file contents and replace the wp-config.php file on your website server.
Warning: If you put this code into your wp-config.php without searching for it first, you may have this define added twice. Your site will throw an error if you do this, so make sure you search the file fully.
Option 2: Use a WordPress security plugin
Generally block file editing access should always be blocked, but sometimes you may want to turn it back on for yourself temporarily – using the WordPress plugin approach lets you do this, and it also means you don’t edit any WordPress core files.
The WordPress Shield Security plugin has an option to turn off file editing. This can be found under the Lockdown module and is easy to turn on and off.
See the screenshot (right):
It should be understood that if anyone gains any unauthorized administrator access they too will be able to change this setting.
However, this security plugin comes with the added protection of locking down the security plugin options. This protection should also be enforced – click here to learn more about the Security Admin feature.
Options 3: Use iControlWP WordPress Management
iControlWP offers a huge range of WordPress management tools and one such is security. You can simply click to turn off file editing for a site under the site’s security options.
Unlike the previous option, there is no user interface available on the WordPress site to let someone “undo” the setting – it must be set from within the iControlWP dashboard.
If you don’t have an account with iControlWP, you can try it out for free today.