In our last 2 articles on WordPress security, we’ve shown you how you can quickly and easily take steps to improve your WordPress security.
Here, I’m going to tell you about a WordPress configuration setting that prevents any user from editing files from within your WordPress admin area, including a user who has gained access they should not have.
This is a simple WordPress configuration setting and is easy to implement.
By the end of this article you will know what this setting is, why you would use it, and how to set it.
Disallow File Editing setting within the WordPress admin dashboard
WordPress, by default, lets you edit theme and plugin files directly from within the WordPress control panel.
Useful, but potentially high risk.
Let’s say that someone has gained admin access to your WordPress site. If they want to add code to your WordPress site, all they need to do is open the file editors and add any code they want.
This means they don’t need FTP access or anything like that – WordPress provides them all the access they need to modify files.
If you never change files directly on your WordPress site, there’s no need to have this feature available to you or your administrators.
How to disallow file editing within WordPress – the easy way
In iControlWP, we’ve provided an interface to configuring many WordPress security settings across all your websites.
This is just one of them.
To disallow file editing from within iControlWP, simply browse to the ‘Security’ tab for your site, and click the toggle switch to turn it on and off. Within a few moments, iControlWP will configure this setting for you on your website.
It’s easy, and you don’t need to worry about editing your wp-config.php, or FTP etc. It’s all done automatically for you.
You will know that the setting has worked if you log into your WordPress site and you can no longer open the WordPress file editor.
How to disallow file editing within WordPress – the hard way
When you use iControlWP to set this setting, you can turn it on and off quickly.
This is useful if 99% of the time you don’t use the editor, but sometimes you want to just quickly make an edit. iControlWP can let you turn off the setting, and then re-enable it as soon as you’re done.
But, if you want to do it manually, it’s easy. Here’s how:
1. Make a backup of your
If you’re using a WordPress backup system like WorpDrive, just fire off a backup, wait until it’s completed and continue on.
2. Open up your wp-config.php file for editing. Download wp-config.php from your website and open it up in your favourite text editor.
3. Find the setting DISALLOW_FILE_EDIT in your wp-config.php and change it to true.
By default, this setting isn’t specified in the WordPress wp-config.php. If you’ve never set it before, it won’t be there, and you’ll have to add it yourself.
But you need to be careful where you add new configuration settings – you cannot add them to the end of the file. The last line of wp-config.php loads wp-settings.php, and WordPress starts up at that point, so a setting placed after it is read too late to have any effect.
A good place to do it is to look for WP_DEBUG and add it immediately after this line.
To enable this security setting, add the following line to your wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
4. Replace your wp-config.php file with the new line added, and upload it back to your WordPress site.
You’ll know it’s worked as outlined in the previous section.
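The manual steps above can be scripted. This is an added example, not code from the original post or from iControlWP: it checks a wp-config.php for DISALLOW_FILE_EDIT and, when it is missing, inserts the define() right after the WP_DEBUG line rather than at the end of the file. The function names and the sample config are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from iControlWP.
# Enables DISALLOW_FILE_EDIT in a wp-config.php the way the article describes:
# the define() goes immediately after the WP_DEBUG line, never at the end.
# Function names and the sample config below are constructed for this example.

SETTING="define( 'DISALLOW_FILE_EDIT', true );"

# Exit status 0 if the file already sets DISALLOW_FILE_EDIT to true.
file_edit_disabled() {
  grep -Eq "^[[:space:]]*define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Enables the setting in place. Refuses to append to the end of the file,
# because anything after the wp-settings.php require is loaded too late.
disable_file_edit() {
  cfg="$1"
  file_edit_disabled "$cfg" && return 0
  if grep -q "'DISALLOW_FILE_EDIT'" "$cfg"; then
    # A define() with another value exists: rewrite it rather than add a
    # second one, since PHP keeps the first definition of a constant.
    sed -i.bak "s/define( *'DISALLOW_FILE_EDIT' *,.*);/$SETTING/" "$cfg" && rm -f "$cfg.bak"
    return
  fi
  grep -q "define( *'WP_DEBUG'" "$cfg" || { echo "no WP_DEBUG line in $cfg" >&2; return 1; }
  tmp="$cfg.tmp.$$"
  awk -v line="$SETTING" '{ print } /define\( *.WP_DEBUG./ && !done { print line; done = 1 }' "$cfg" > "$tmp" \
    && cat "$tmp" > "$cfg" && rm -f "$tmp"   # cat keeps the original owner and mode
}

# Constructed wp-config.php fragment for a self-contained run; not a real site's file.
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo on the sample file: sh disallow_file_edit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp) && write_sample_config "$f"
  disable_file_edit "$f" && cat "$f"
  rm -f "$f"
fi
```

Run it against a downloaded copy of your own wp-config.php before uploading it back, and confirm in the admin area that the file editor is gone, as described above.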
Get the iControlWP Advantage Today – Free
This setting is not a difficult security task either, but it is made much easier with iControlWP if you have many websites to manage and maintain. iControlWP lets you manage your plugins, themes, and security (and much more) across all your WordPress websites from one convenient, secure dashboard.
And it’s free to signup. No commitments, no credit cards.
Just good WordPress management.