Disable File Editing
WordPress includes built-in editors for themes and plugins — right in the admin dashboard. Convenient? Maybe. Dangerous? Definitely. If an attacker gains admin access, these editors let them inject malicious code directly into your site files. If an inexperienced user makes a typo, they can break the entire site. This module removes the editors entirely.
Use Cases
- Prevent attackers from injecting malicious code through the dashboard
- Stop accidental code breakage by inexperienced administrators
- Enforce proper development workflows (edit locally, deploy properly)
- Meet security compliance requirements that prohibit in-dashboard editing
- Protect production sites from “quick fixes” that cause problems
How It Works
This is a toggle module — enable it and the file editors disappear. No configuration needed.
When enabled, the module defines the WordPress constant:
```php
define('DISALLOW_FILE_EDIT', true);
```
This removes:
- Appearance → Theme File Editor — Gone
- Plugins → Plugin File Editor — Gone
- Direct URL access to editor pages — Blocked
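The mechanism above, as an added example that is not the module's own code: a must-use plugin that defines the constant only when wp-config.php has not already done so (so an existing definition is respected), and surfaces an admin notice if the constant has been pinned to false elsewhere. The file name and the mu-plugins location are assumptions; WordPress loads wp-config.php before any must-use plugin, so the check order holds.

```php
<?php
/**
 * Plugin Name: Disable File Edit (added example)
 *
 * Illustrative must-use plugin, not the Switchboard module's code. Place it in
 * wp-content/mu-plugins/disable-file-edit.php (assumed path); must-use plugins
 * load before regular plugins and after wp-config.php, so a definition in
 * wp-config.php wins and this file only fills the gap.
 */

// Respect an existing definition; only define the constant if it is missing.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Safety net: if wp-config.php (or anything loaded earlier) set the constant
// to false, administrators see a notice instead of a silently enabled editor.
add_action( 'admin_notices', function () {
    if ( DISALLOW_FILE_EDIT || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html( 'DISALLOW_FILE_EDIT is false: the theme and plugin file editors are enabled.' )
        . '</p></div>';
} );
```

WordPress itself does the rest: when the constant is true, `map_meta_cap()` maps the `edit_themes`, `edit_plugins` and `edit_files` capabilities to `do_not_allow`, which is why the menus, the edit links and the editor pages all disappear without any further hooks.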
What Gets Removed
| Location | Status |
|---|---|
| Appearance → Theme File Editor | Menu removed |
| Plugins → Plugin File Editor | Menu removed |
| /wp-admin/theme-editor.php | Access blocked |
| /wp-admin/plugin-editor.php | Access blocked |
| Edit links on individual theme/plugin pages | Removed |
The Security Risk
The built-in editors are a favorite target for attackers because:
- No authentication beyond admin — If they’re in, they can edit
- Immediate effect — Changes are live instantly
- Persistent access — Injected code survives password changes
- Hard to detect — Malicious code hides in legitimate files
- Full server access — PHP code can do anything on your server
Common attack scenario:
1. Attacker gets admin credentials (phishing, weak password, etc.)
2. Logs into your WordPress admin
3. Goes to Appearance → Theme File Editor
4. Adds malicious code to functions.php
5. Now they have a backdoor even after you change passwords
This module prevents step 3.
Verification
After enabling:
- Go to Appearance menu — “Theme File Editor” should be missing
- Go to Plugins menu — “Plugin File Editor” should be missing
- Try visiting yoursite.com/wp-admin/theme-editor.php directly - you should see “Sorry, you are not allowed to edit themes for this site.”
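The manual checks above can be scripted. The following is an added verification script, not part of the module, meant to be run through WP-CLI's `wp eval-file` as an administrator so that the capability checks reflect what a real admin can do (the file name and the `admin` login are assumptions). It fails non-zero, so it can run after every deploy.

```php
<?php
/**
 * check-file-edit.php (added example, not the module's code).
 *
 * Usage, with an administrator login so capability checks are meaningful
 * (the login name is an assumption):
 *   wp eval-file check-file-edit.php --user=admin
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this file through: wp eval-file check-file-edit.php --user=<admin>\n" );
}

// Without --user, current_user_can() is false for everything and check 2
// would pass vacuously, so insist on a logged-in account.
if ( 0 === get_current_user_id() ) {
    WP_CLI::error( 'Pass --user=<administrator login> so capability checks are meaningful.' );
}

$failures = array();

// 1. The constant itself must be defined and true.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
    $failures[] = 'DISALLOW_FILE_EDIT is not defined as true';
}

// 2. The effect: WordPress maps these capabilities to do_not_allow when the
//    constant is true, so even an administrator must no longer have them.
foreach ( array( 'edit_themes', 'edit_plugins', 'edit_files' ) as $cap ) {
    if ( current_user_can( $cap ) ) {
        $failures[] = sprintf(
            'user %s still has the %s capability',
            wp_get_current_user()->user_login,
            $cap
        );
    }
}

if ( empty( $failures ) ) {
    WP_CLI::success( 'File editors are disabled: constant set and editing capabilities revoked.' );
} else {
    // WP_CLI::error() prints the message and exits with status 1.
    WP_CLI::error( implode( '; ', $failures ) );
}
```

Checking the capabilities, not just the constant, matters: it confirms the setting is actually in effect for the account that would otherwise reach the editors, which is the same thing the menu and URL checks above verify by hand.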
Still Need to Edit Files?
If you need to edit theme or plugin files, use proper methods:
| Method | Description |
|---|---|
| FTP/SFTP | Connect to your server and edit files directly |
| File Manager | Use your host’s control panel file manager |
| Local Development | Edit locally, deploy via Git or upload |
| Code Snippets Plugin | For small PHP additions without file editing |
| Child Theme | Override theme files safely |
These methods are:
- More secure (not accessible from WordPress admin)
- More traceable (FTP logs, Git history)
- Less prone to mistakes (proper editors with syntax highlighting)
The wp-config.php Alternative
You can also disable file editing by adding this to wp-config.php:
```php
define('DISALLOW_FILE_EDIT', true);
```
This module does the same thing but:
- Can be toggled without editing wp-config.php
- Is part of your centralized Switchboard configuration
- Can be disabled if needed without server access
FAQ
Will this affect plugin/theme updates?
No. Updates are separate from file editing. This only disables the manual code editors. Automatic and manual updates still work (unless you also use the “Disable All Updates” module).
Can I still install new plugins and themes?
Yes. Installation is separate from editing. You can still install, activate, and delete plugins and themes normally.
What if I need to make a quick fix?
Use FTP, your host’s file manager, or SSH. The “quick fix in the dashboard” workflow is exactly what this module prevents — it’s too risky for production sites.
Does this prevent all file changes?
No. It only disables the WordPress admin editors. Code can still be changed via FTP, SSH, cPanel, or any server-level access. For full file integrity monitoring, you’d need a security plugin like Wordfence.
What about the Site Editor (Full Site Editing)?
The Site Editor for block themes (Appearance → Editor) is different from the file editors. It edits templates stored in the database, not PHP files. This module doesn’t affect Full Site Editing.
I already have DISALLOW_FILE_EDIT in wp-config.php. Do I need this?
No. If it’s already defined in wp-config.php, this module respects that setting. Having both doesn’t hurt, but it’s redundant.
Security Best Practices
Disabling file editing is just one part of WordPress security hardening:
| Practice | Why It Matters |
|---|---|
| Disable file editing | Prevent code injection via admin |
| Use strong passwords | Prevent admin access in the first place |
| Enable 2FA | Extra layer even if password is compromised |
| Regular backups | Recover if something does go wrong |
| Keep updated | Fix security vulnerabilities |
This is a “no-brainer” security setting. Almost no legitimate workflow requires editing code through the WordPress dashboard. Enable this module and forget about it.
This module defines DISALLOW_FILE_EDIT, not DISALLOW_FILE_MODS. File editing is disabled, but plugin/theme uploads and updates still work.