Last updated on July 7th, 2024 at 10:49 am
The file editing feature allows users to edit files directly from the WordPress dashboard. But for security purposes, this isn't a great idea. Here's how to disable file editing in the WordPress dashboard.
Disabling file editing in the WordPress Dashboard modestly improves the security posture of your website. Odds are if you’ve landed here from a Google search, you already know why you should do this, so here’s the line you want to add to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
I usually add a comment right above it indicating its purpose just for future reference. So my entire edit looks like this:
/*Turning off Editing from the WP Dashboard*/
define('DISALLOW_FILE_EDIT', true);
Now for the rest of you who landed here from some other place and were just curious enough to visit, here’s what this edit does and why it can help protect your site.
File Editing in WordPress
If you’ve been around WordPress, you’ve no doubt stumbled onto the file editor via one of the menu options under Appearance or Plugins.
These options allow you to directly edit the files in your themes or plugins right from within the WordPress Dashboard. I’ve found that most WordPress administrators don’t use this feature very often. In fact, I almost never use it as I opt to make my edits via FTP or the cPanel built-in file manager.
In general, I feel it’s usually a good idea to remove features you don’t use or plan on using. It helps reduce bloat and clutter. However, there is another really good reason to disable it – yep, you guessed it: security.
The Security Argument for Disabling File Editing within the WordPress Dashboard
When an attacker gains access to your WordPress website, one of the first things many of them do is go to the file editor and edit theme or plugin files to add backdoor scripts, allowing them to continue the infection.
Disabling file editing via the wp-config.php file makes it a little bit harder for them to accomplish this task. While it might not stop a determined human hacker from accessing files, for automated attacks that make use of the feature, it could stop them dead in their tracks.
Final Thoughts
You can disable file editing within the WordPress Dashboard simply with a small line of code in your wp-config.php file. It’s easy enough to remove if you decide you want to re-enable it later, and in the meantime, it’ll help add yet another layer of security to your WordPress site.
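To confirm the setting is actually in effect, the following check reads a wp-config.php and reports whether DISALLOW_FILE_EDIT is missing, commented out, set to something other than true, or defined too late. It is an added example, not code from this post or from WordPress; the function names and status strings are made up for illustration, and the "late" check assumes the stock layout in which wp-config.php hands off to WordPress by requiring wp-settings.php.

```python
import re
import sys

# String literals are matched first so that "//", "#" or "/*" inside a value
# (common in the random AUTH_KEY/SALT strings) is not mistaken for a comment.
TOKEN_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.DOTALL,
)
# define() is case-insensitive in PHP; the constant name is not.
DEFINE_RE = re.compile(
    r"""(?i:define)\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*([^)]+?)\s*\)\s*;"""
)
# The require that hands control to WordPress in a stock wp-config.php.
SETTINGS_RE = re.compile(r"require(?:_once)?\b[^;]*wp-settings\.php", re.IGNORECASE)


def strip_comments(php):
    """Blank out PHP comments while leaving string literals untouched."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] in "'\"" else " ", php)


def audit_wp_config(php):
    """Return 'ok', 'missing', 'not_true' or 'late' for the text of a wp-config.php."""
    code = strip_comments(php)
    matches = list(DEFINE_RE.finditer(code))
    if not matches:
        return "missing"   # absent, or present only inside a comment
    first = matches[0]     # PHP keeps the first define() of a constant
    if first.group(1).lower() not in ("true", "1"):
        return "not_true"  # e.g. false: the editor stays available
    settings = SETTINGS_RE.search(code)
    if settings and first.start() > settings.start():
        return "late"      # set only after WordPress core has been loaded
    return "ok"


# Constructed sample: the define is commented out, so the editor is still on.
SAMPLE = """<?php
define('AUTH_KEY', 'constructed/*sample#value');
// define('DISALLOW_FILE_EDIT', true);
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print(audit_wp_config(text))
```

Run it with the path to a wp-config.php as the only argument; anything other than `ok` means the file editor may still be reachable from the dashboard.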
Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover bands, Liquifaction and Minority Report.