Disabling file editing in the WordPress Dashboard is a small but worthwhile improvement to the security posture of your website. Odds are that if you've landed here from a Google search, you already know why you should do this, so here's the line you want to add to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
I usually add a comment right above it indicating its purpose, just for future reference. So my entire edit looks like this:
/* Turning off Editing from the WP Dashboard */
define('DISALLOW_FILE_EDIT', true);
Now for the rest of you who landed here from some other place and were just curious enough to visit, here’s what this edit does and why it can help protect your site.
File Editing in WordPress
If you've been around WordPress, you've no doubt stumbled onto the file editor via one of the menu options under Appearance or Plugins. Take a look at the two screenshots below…
These options allow you to edit the files in your themes or plugins directly from within the WordPress Dashboard. I've found that most WordPress administrators don't use this feature very often. In fact, I almost never use it, as I opt to make my edits via FTP or the cPanel built-in file manager.
In general, I feel it’s usually a good idea to remove features you don’t use or plan on using. It helps reduce bloat and clutter. However, there is another really good reason to disable it – yep, you guessed it: security.
The Security Argument for Disabling File Editing within the WordPress Dashboard
When an attacker gains access to your WordPress Dashboard, one of the first things many of them do is open the file editor and modify theme or plugin files to plant backdoor scripts, which let them keep control of the site after the initial break-in.
Disabling file editing via the wp-config.php file makes this task a little harder for them. While it might not stop a determined human attacker who has other routes to the files on disk, automated attacks that rely on the editor could be stopped dead in their tracks.
You can disable file editing within the WordPress Dashboard with a single line in your wp-config.php file. It's easy enough to remove if you decide you want to re-enable the editor later, and in the meantime it adds yet another layer of security to your WordPress site.
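Two things commonly go wrong with this edit: the line ends up commented out, or it is pasted below the `require_once ABSPATH . 'wp-settings.php';` line, where WordPress has already loaded and the constant no longer takes effect. The following check is an added example (not from the original post) that audits a wp-config.php for both pitfalls; the three sample config files it creates are constructed for the self-test and are not real site files.

```shell
#!/bin/sh
# Audit a wp-config.php to confirm the Dashboard file editor is really disabled.
# Catches two pitfalls: the define is present but commented out, or the define
# sits below the wp-settings.php require (too late for WordPress to honour it).
# Usage: wp_file_edit_disabled /path/to/wp-config.php  -> exit 0 when disabled

wp_file_edit_disabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    # Line number of the first active (uncommented) define('DISALLOW_FILE_EDIT', true).
    def_line=$(grep -nE "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
               | head -n 1 | cut -d: -f1)
    [ -n "$def_line" ] || return 1
    # Line that pulls in wp-settings.php; the define must appear before it.
    req_line=$(grep -nE "require.*wp-settings\.php" "$cfg" | head -n 1 | cut -d: -f1)
    [ -z "$req_line" ] && return 0
    [ "$def_line" -lt "$req_line" ]
}

# Constructed sample configs (trimmed, hypothetical) used for the self-test below.
WPDEMO=$(mktemp -d)
cat > "$WPDEMO/good.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
/* Turning off Editing from the WP Dashboard */
define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
cat > "$WPDEMO/too_late.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
require_once ABSPATH . 'wp-settings.php';
define('DISALLOW_FILE_EDIT', true);
EOF
cat > "$WPDEMO/commented.php" <<'EOF'
<?php
// define('DISALLOW_FILE_EDIT', true);
require_once ABSPATH . 'wp-settings.php';
EOF

for f in good too_late commented; do
    if wp_file_edit_disabled "$WPDEMO/$f.php"; then
        echo "$f.php: file editor disabled"
    else
        echo "$f.php: file editor still ENABLED"
    fi
done
```

Point the function at your live wp-config.php after making the edit; only good.php in the samples passes, the other two are reported as still enabled.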