Join Jeff Starr for an in-depth discussion in this video, Disable file editing in the admin area, part of WordPress: Developing Secure Sites.
- [Instructor] By default, WordPress enables Admin-level users to edit theme and plugin files from within the Admin Area. While this feature is indeed convenient, it can be an unnecessary risk. This video explains how to disable file editing to further secure your WordPress-powered site. Here on the "Edit Themes" page, we see WordPress' built-in file editor for themes. Here we can select and modify the files of any installed theme. For example, let's say that we want to change the version number of the Twenty Sixteen theme.
After doing so, we click the "Update File" button to save our changes. Then we can verify this change by visiting the "Updates" page. We see that the version has been changed from the current version, which we had, to 1.1, which is the previous version. Indeed, anyone logged in as an Administrator can directly modify anything in any theme template. Likewise for plugin files, we can modify any installed plugin via the "Edit Plugins" page. For example, let's change the version number of the "Akismet" plugin.
After doing so, click "Update File" to save the changes. As before, we can verify the change by visiting the "Updates" page. Here we see that the plugin version has been changed. Again, a simple example that illustrates how Admin level users may directly modify code on the server. In fact, the file editors often are the first tool that an attacker will use after gaining access to the Admin area. Fortunately, WordPress provides a simple way to disable this functionality by adding a line of code to the WordPress configuration file.
To disable file editing, copy the line of code that is provided in the Exercise Files for this course, and then paste it into your site's wp-config.php file, just above the line that says "That's all, stop editing!" Then save, upload, and done. By adding this disallow constant to the WordPress configuration file, we effectively disable all users' ability to edit any files via the WordPress Admin Area.
As you can see here in the Appearance menu, WordPress no longer displays a link to the Edit Themes page because it's been disabled via the configuration file. And the same is true for the plugin editor. As you can see here, the Edit Plugins link is gone. So we're all set. Granted, if an attacker gains access to the Admin Area, they may cause damage even without access to the file editors. Even so, disabling file editing may help slow the progress of an attack and even mitigate certain types of exploits.
Further, disabling file editing prevents other admin users from making unauthorized changes to theme and plugin files. If later, down the road, you decide that the file editing feature is needed, simply remove the disallow constant from the configuration file and you're good to go. In this video, we further harden our WordPress site by disabling file editing in the WordPress Admin Area. This extra layer of security helps to stop certain types of attacks and prevents unauthorized changes to sensitive plugin and theme files.
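The wp-config.php change the video describes, written out as an added example (this is not the course's exercise file, but the constant it uses, DISALLOW_FILE_EDIT, is the real WordPress constant). The surrounding lines are the standard tail of wp-config.php; the optional DISALLOW_FILE_MODS constant is also real WordPress and is included because it closes the gap the video mentions, where an attacker with an administrator session can still upload a plugin containing arbitrary PHP even with the editors gone.

```php
<?php
// wp-config.php (excerpt). Added example, not the course's exercise file.
// ... database settings, authentication keys and salts, $table_prefix,
//     WP_DEBUG and any other site settings sit above this point ...

/**
 * Remove the Theme Editor and Plugin Editor from the admin area.
 * When this constant is true, WordPress also maps the edit_themes,
 * edit_plugins and edit_files capabilities to "do_not_allow" in
 * map_meta_cap(), so the editor screens are refused for every role,
 * not merely hidden from the Appearance and Plugins menus.
 */
define( 'DISALLOW_FILE_EDIT', true );

/**
 * Optional and stricter: also block installing, updating and deleting
 * plugins and themes (and core updates) from the admin area. Without it,
 * an attacker holding an administrator session can still upload a plugin
 * zip that contains arbitrary PHP. Enable this only if code reaches the
 * server through your own deployment pipeline (git, Composer, WP-CLI),
 * because it also disables the update and upload buttons for legitimate
 * administrators.
 */
// define( 'DISALLOW_FILE_MODS', true );

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
```

Keep the define above the require_once line, as the video says, so the constant exists before wp-settings.php loads plugins and themes. To confirm it took effect after uploading, reload the admin area and check that Appearance no longer lists "Theme Editor" and Plugins no longer lists "Plugin Editor"; if WP-CLI is available on the host (an assumption, not something the video sets up), `wp config get DISALLOW_FILE_EDIT` should print `true`, and `wp eval 'var_dump( current_user_can( "edit_themes" ) );' --user=<admin-login>` should print `bool(false)` even for an administrator account.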
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security