Contents
Being able to edit plugins and theme file is a real convenience, especially for people who know how to code. However, for people who don’t know how to code or don’t understand much about WordPress development, this is a possible risk.
By default, admin users in WordPress have file editing right. You can check if you have the edit right by hovering your cursor over Plugins or Appearance menu item in your dashboard (if you don’t see such options, chances are you don’t have the file editing right). If you see the last item in the sub menus say “plugin editor” or “theme editor”, you have the file editing right.
The need for disabling file editing right for admin users is even more urgent when you have other people working on the site. One missing semicolon may bring the whole site down.
So, how can you disable file editing completely on your site?
It’s easier than you might think.
How to disable file editing in the admin area
To accomplish this, you need to have access to your web server. Being an administrator on your site is not enough. You can either perform this task via FTP or ssh or cPanel. Please choose what suit you.
The only thing you need to do to disable file editing in the admin area is to put this line of code:
define('DISALLOW_FILE_EDIT', true);
right above the line:
/* That's all, stop editing! Happy publishing. */
in the file named wp-config.php
by default, this file is located at the root of your website. It is at the same level with wp-content, wp-include, wp-admin.
Here is where the file on my site:
After inserting the code, the content of my wp-config.php file would look like this:
Now, make sure you save the file and go back to your admin area. You should see the option to edit plugins and themes disappeared:
Now, no one, even admins can accidentally edit plugins or themes files. This action alone has significantly improve your site’s security.
What if you want to insert code to your site?
Adding functionalities to your site by modifying the plugins’ or themes directly (except the case of child theme) is not recommended. If you want to insert Javascript or CSS code, you can easily achieve this task by using plugins like WP Coder. In case of editing .php file, the best method is via FTP or SSH. In the occasion that you make a mistake, you can quickly fix it and bring the site back online without suffering a white screen of death.
Conclusion
As a solo admin of my site and a developer, I’m quite confident editing files in my site’s dashboard. However, if your site is managed by other people (and they have admin rights), it’s best to disable the file editing ability in the admin area. It will prevent accidental edit of files that may bring your site down.