How to Disable the File Editor on WordPress

Disabling file editing in your WordPress admin panel is a simple but effective way to minimize the effect of a security breach. 

WordPress has always prioritized giving site admins control over their site…including security. But, if you’re not a developer, you’ll need to do your research and create a WordPress security checklist that lists the different ways to protect your site. You’ll find a lot of advice (and opinions) on WordPress security, one of them being to disable file editors on your wp-admin panel. But is it good advice? If so, how do you do it? Do you need to find alternatives?

That’s where we come in. We’re experts in WordPress security and protect over 300,000 sites every day. We will walk you through a step-by-step guide to disabling file editors and answer all your questions. No technical jargon, no loopholes, just clear, detailed, and reliable information to ensure your WordPress site is as secure as possible.

TL;DR: You can either edit your wp-config.php file or use a WordPress plugin like Solid Security to disable the file editor on your site. Either way, make sure to take a full backup of your site before making changes to WordPress core files.

What are the security concerns of enabling file editors on your WordPress site?

Having the file editor feature enabled in your WordPress admin panel means that users with administrative access to your website can directly edit the code of your theme and plugin files from within the WordPress dashboard. While this can be handy for quick edits without needing to access the server files through an FTP client, it does come with risks:

  1. Malware/hack-related effects: The primary concern when leaving the WordPress file editor enabled is that it gives anyone who reaches your admin panel a ready-made way to change the code running on your server. Privilege escalation attacks, where a hacker gains unauthorized access to higher administrative abilities, are particularly risky. So, if a hacker gains access to your admin panel with privilege escalation, you’re at risk of:
  • Code injections: This is when a hacker inserts malicious code into your site, usually to change its behavior. It might involve malware scripts that can spread across your site and even to your visitors, multiplying the damage.
  • Server vulnerabilities: If a hacker can exploit the file editor, they could potentially gain access to your server. This could lead to unauthorized control over your entire server operations, giving them the ability to manipulate, delete, or add files at will.
  • File and data manipulations: With access to the file editor, a hacker can modify essential theme and plugin files. This could lead to altered website content, broken functionalities, or even a total site blackout.
  2. Damage to brand reputation: If your website is compromised, it can severely tarnish your brand’s reputation. Visitors may lose trust in your site if they find it hacked, defaced, or if their own data is compromised after interacting with your site.
  3. Breaking the site by changing code directly: The file editors in the wp-admin section allow direct editing of your theme and plugin files. Incorrect editing could lead to errors or, even worse, a total site crash. This risk also exists with code that is correct but used improperly: although newer versions of WordPress prevent code with errors from being saved through these editors, valid code in the wrong place can still produce undesired effects.

How to check if your WordPress site has enabled file editing on your admin panel

The process differs based on the version of WordPress you have and what kind of editor you use: 

  • WordPress Version 4.8 and earlier: You can access the theme editor by clicking Appearance and then Editor. For the plugin editor, click Plugins and then Editor.
  • Newer versions: If you have the classic editor, click Appearance in the sidebar and Editor. If you have the block editor, go to Tools in the sidebar and choose either Plugin editor or Theme editor in the menu. 

Please bear in mind that seeing these options means that file editing is enabled on your site. If you don’t see them, the feature is likely disabled or hidden by a security plugin. 

How to disable file editors on the WordPress admin panel

Now that we’ve established why it’s dangerous, here are 2 ways to disable the file editing feature on your WordPress site:

Using a plugin

Using the SolidWP Security (formerly known as iThemes Security) plugin to disable the WordPress File Editor is straightforward. The feature to disable file editing is enabled by default once you install the plugin. But here are the steps to check if it is enabled or disabled: 

  1. Install the plugin: From your WordPress dashboard, go to Plugins -> Add New. Search for SolidWP Security. Click Install Now next to the plugin and then Activate it. Once activated, you’ll find a new option named Security on your WordPress dashboard menu. You can go through the setup that they recommend.
  2. Find the Advanced Settings: Click on Security in the sidebar and then click Settings. Click Advanced in the menu.
  3. Disable file editor: Look for the WordPress Tweaks section. Tick the option to Disable File Editor within the WordPress Tweaks settings if it isn’t enabled. Click Save at the bottom.

Other plugins like Sucuri also help you disable this feature. Go to Sucuri’s Hardening settings and click Apply Hardening in the Disable Plugin and Theme Editor section.

Edit the wp-config.php file

Editing core files is indeed a common method to disable file editing in web development. However, it comes with a considerable risk of crashing your website if not done correctly. Therefore, it is highly recommended to take a backup of your site before undertaking any modifications to the core files as a precautionary measure. This way, you can restore your site to its previous state in case anything goes wrong during the editing process.

1. Using an FTP client:

We have used FileZilla for this article, but you can download any FTP client and the process should be fairly similar to the following:

Connect to your server: Open the FileZilla application on your device. Connect to your server by filling in your host (server IP address or domain), username, password, and port details provided by your web hosting provider. Click the Quickconnect button.

Find the wp-config.php file: Once connected, navigate to the root directory of your WordPress installation. It’s often the ‘public_html’ directory or a subdirectory if you have installed WordPress on a subdomain. Within the WordPress root directory, locate the wp-config.php file. It is usually in the list of files on the right panel of FileZilla.


Edit the wp-config.php file: To edit the file, right-click wp-config.php and select View/Edit. This option will download a temporary copy of the file to your local machine. Your default text editor will open the file. Navigate to the bottom of the database settings and add the following line of code:

define('DISALLOW_FILE_EDIT', true);

The code needs to be added just above the following line:

/* That's all, stop editing! Happy blogging. */

Once you’re done, save this change and go back to your admin panel to see if the editors are still visible.

2. Using cPanel

You can also use cPanel to edit your wp-config.php file and disable the file edit feature. Follow these steps:

  1. Log into your cPanel account: To log in to cPanel, first, you need to have your cPanel login credentials, which are typically provided by your web hosting provider. Once you have these credentials, open your web browser and type in the URL for cPanel. This is usually something like “yourdomain.com/cpanel” or “cpanel.yourdomain.com.” Press enter to load the cPanel login page. On the login page, enter your username and password. If you do not know your username and password, reach out to your hosting provider for assistance.
  2. Find the wp-config.php file: Scroll down to the Files section and click on File Manager. This opens your website’s file directory. Navigate to the public_html or root directory or any specific subdirectory where WordPress is installed. Within the WordPress installation folder, locate and click on the wp-config.php file.
  3. Edit the file: Click on Edit in the top menu. A dialog box might appear asking for encoding. Just click Edit again. In the text editor, scroll down to the bottom and insert the following line of code:
define('DISALLOW_FILE_EDIT', true);

The code needs to be added just above the following line:

/* That's all, stop editing! Happy blogging. */
  4. Save changes: Once you’ve added the code, click Save Changes in the top-right corner of the screen to save the edited file. Now, close the text editor. You have now successfully disabled the file editor feature in your WordPress wp-admin using cPanel.

3. Using SSH

If you’d prefer to use the terminal on your device, here are the steps to do so: 

  1. Open your terminal: First, open your Terminal application (on Linux or macOS) or Command Prompt (on Windows) and log into your server via SSH. Use this command, replacing username with your actual username and your-server-ip with your server’s IP address. Enter your password when prompted.
ssh username@your-server-ip
  2. Navigate to the root directory: Now, change to the directory where your WordPress files exist using the cd (change directory) command. Generally, this would be in the root folder:
cd /your-wordpress-root-directory
  3. Find the wp-config.php: Open your wp-config.php file using a text editor, like nano. Enter the following command:
nano wp-config.php
  4. Edit the wp-config.php file: You have now opened the wp-config.php in an editor. Above the line /* That's all, stop editing! Happy blogging. */, add the following code:
define('DISALLOW_FILE_EDIT', true);
  5. Exit the editor: After editing the file in nano, you need to save the changes and exit the editor. Press Ctrl+X to exit; nano will ask whether to save the modified buffer, so confirm with Y and Enter to keep your change.
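The following POSIX shell script is an added example (not code from the article or from MalCare) that combines the check from the earlier "How to check" section with the wp-config.php edit described in the three methods above: it reports whether DISALLOW_FILE_EDIT is already true, flips an existing define from false to true rather than adding a duplicate, and otherwise inserts the define directly above the "That's all, stop editing!" marker after taking a backup. The function names and the minimal sample wp-config.php it writes are assumptions and constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check and, if needed, set DISALLOW_FILE_EDIT in a wp-config.php.
# Function names are hypothetical; the sample config below is constructed.

CFG_LINE="define('DISALLOW_FILE_EDIT', true);"
MARKER="That's all, stop editing"
DEFINE_RE="define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*"

# Exit status 0 if the file already defines DISALLOW_FILE_EDIT as true, 1 otherwise.
file_edit_disabled() {
  grep -Eq "${DEFINE_RE}true" "$1"
}

# Exit status 0 if the constant is defined at all (true or false).
has_file_edit_define() {
  grep -Eq "$DEFINE_RE" "$1"
}

# Make $1 disable the editor. Returns 0 when done (or already done),
# 2 if there is no marker line to insert above, 3 if the backup failed.
disable_file_edit() {
  cfg="$1"
  file_edit_disabled "$cfg" && return 0
  if ! has_file_edit_define "$cfg" && ! grep -q "$MARKER" "$cfg"; then
    echo "no '$MARKER' line in $cfg; refusing to guess where to insert" >&2
    return 2
  fi
  # Backup first, as the article advises. A .bak beside wp-config.php can be
  # served as plain text (it holds DB credentials), so move it out of the web
  # root once you have confirmed the site still works.
  cp "$cfg" "$cfg.bak" && chmod 600 "$cfg.bak" || return 3
  if has_file_edit_define "$cfg"; then
    # PHP warns on redefinition and keeps the first value, so flip the
    # existing define instead of adding a second one.
    sed -E "s/(${DEFINE_RE})false/\1true/" "$cfg" > "$cfg.tmp"
  else
    # Insert the define immediately above the first marker line.
    awk -v m="$MARKER" -v l="$CFG_LINE" \
      'index($0, m) && !done { print l; done = 1 } { print }' "$cfg" > "$cfg.tmp"
  fi
  mv "$cfg.tmp" "$cfg"
}

# Write a constructed, minimal wp-config.php to $1 (placeholder values only).
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder' );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

tmp=$(mktemp -d)
make_sample_config "$tmp/wp-config.php"
disable_file_edit "$tmp/wp-config.php" && echo "file editor disabled in $tmp/wp-config.php"
grep -n -B1 "$MARKER" "$tmp/wp-config.php"
rm -rf "$tmp"
```

Run it against a copy of your own wp-config.php first; on a real install, point the script at the file found in the steps above and check the admin menu afterwards, as the article describes.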

Pros and cons of disabling the file editor

Like most security measures, disabling the WordPress file editor comes with some pros and cons.

Pros

  • Increased security: When the file editor is disabled, it minimizes the risk of a hacker modifying your files and injecting malicious code if they manage to gain access to your admin panel.
  • Prevention of unintentional changes: Disabling the file editor can prevent well-intentioned but misinformed users from accidentally introducing errors or making changes that could break your website.
  • Controlled environment: With the file editor disabled, changes are more likely to be made via controlled pathways such as SSH or SFTP, which are more secure, and typically only accessible by those with the necessary technical knowledge.

Cons

  1. Inconvenience for developers: If you or your developer often use the file editor for quick edits, disabling it might slow things down as you have to use alternative methods—like an FTP client—to edit your files.
  2. Potential for misconfiguration: While disabling the file editor can improve security, it requires altering the wp-config.php file—a core WordPress file. If not done properly, it could potentially cause other issues on your website.

Recommended methods for customizing code instead of file editors

The recommended way to edit site files for tasks such as adding custom code or modifying a theme is through a child theme or using Secure File Transfer Protocol (SFTP) with a Local Development Environment. Here’s a brief about each method:

  1. Use a child theme: If you need to make modifications to your theme, the best way is to create a child theme. This ensures that your customizations won’t be overwritten when the main (parent) theme is updated. You can put your custom code into the child theme’s functions.php file, use the child theme’s style.css to add or override CSS, and even override parent theme templates.
  2. Use an FTP/SFTP client: If you need to edit core files (not recommended unless absolutely essential), the protocol you should follow is to make these changes through an FTP/SFTP client, such as FileZilla or Cyberduck. This allows you to directly access your server files in a secure manner.
  3. Always test on staging first: For extensive site modifications or development purposes, it’s best to use a staging site, or a local development environment like MAMP, XAMPP, or Local. You can test all your modifications without breaking your live site. Once everything is tested and working perfectly, you can then deploy these changes on your live site.
  4. Custom code plugins: For simple PHP snippets, you may use custom code plugins such as Code Snippets. These allow you to introduce custom functions without modifying your theme or core files directly.
  5. Use SSH and a command line editor: If you are comfortable with the command line, you could use SSH to connect to your server and a text editor such as nano or vim to edit your files.

Other measures to secure your WordPress site

Apart from disabling the file editor, there are several other necessary measures you should consider for enhancing the overall security of your WordPress site. 

  1. Install a firewall: A web application firewall (WAF) can help filter out malicious traffic before it ever reaches your website. We recommend installing MalCare because it has the best firewall in the WordPress security market. 
  2. Install a security plugin: Plugins like MalCare offer numerous features to protect your site, including malware scanning and malware removal. We’ve tested all the top security plugins and MalCare has come out on top for its effective but easy security.  
  3. Implement good login security: Use strong, unique passwords and consider implementing two-factor or multi-factor authentication. Additionally, limit login attempts to prevent brute force attacks.
  4. Prevent WordPress user enumeration: User enumeration is a type of attack where hackers can try to discover valid usernames. 
  5. Disable directory browsing: Preventing directory browsing stops potential attackers from viewing the files in your site directories. This can be achieved by editing the .htaccess file or using a plugin.
  6. WordPress monitoring: Keep an eye on your website’s security by utilizing services that offer WordPress monitoring. These services can alert you to any potential security threats, allowing you to act proactively.
  7. WordPress hardening: Follow WordPress’s hardening measures recommended in WordPress Codex. This can include enforcing strong password policies, keeping all your plugins and themes up to date, regularly updating the WordPress core, and more. 

Final thoughts

Disabling file editing in WordPress rightly serves as a defensive line of action, aimed at mitigating the potential damage of a breach. Think of it as your final safety net when all other security measures have been bypassed. However, the goal should be to prevent such an intrusion in the first place. This is where installing a robust security solution like MalCare is crucial. Designed to actively protect WordPress sites against malicious threats, MalCare provides a fortified shield and constant monitoring. If your website is currently under attack, MalCare also has a one-click malware removal feature that you can deploy to clear out all malware.  

FAQs

Why can’t I find the file editor?

You may not find the file editor if it has been disabled on your WordPress site. This could be due to security reasons. Normally, it’s located under Appearance > Theme Editor, or under Plugins > Plugin Editor. If you still can’t find it, try contacting your website administrator.

How do I enable file editing in WordPress?

To enable file editing, you need to edit the wp-config.php file. Find the line that says define('DISALLOW_FILE_EDIT', true); and change it to define('DISALLOW_FILE_EDIT', false);. Remember to save the file and upload it back to your server.

Does disabling file editing improve my website’s security?

Yes, disabling file editing can improve your website’s security. It prevents unauthorized access to the website’s core, plugin, and theme files. This measure can protect your website from being damaged by hackers.

What are the risks if I keep the file editor enabled?

Keeping the file editor enabled can pose security risks. It provides potential attackers with a powerful tool if they manage to gain access to your WordPress dashboard, potentially allowing them to inject malicious code into your website’s files.

Will disabling code editing affect my website’s functionality?

No, disabling code editing will not affect your website’s functionality. It only disables the ability to edit the core, plugin, and theme files from your WordPress admin panel. All of your content, plugins, themes, and settings will remain functional.

How can I edit my files if I disable the editing feature in the admin panel?

You can edit your files by accessing them directly through a File Transfer Protocol (FTP) client or through your web hosting control panel’s file manager. Make sure you have a backup of your files and are confident in the changes you are making, as incorrect edits can cause issues on your website.
