You can disable File Editing in the WordPress admin area by adding the following line of code into the wp-config.php file.
define( 'DISALLOW_FILE_EDIT', true );
If that answer is too brief, I will show you how to disable file editing in this short step-by-step tutorial.
What is File Editing in WordPress?
The WordPress dashboard comes with a theme and plugin code editor.
On the left navigation panel, you will find the Themes and Plugins options. Each includes a plain code editor for editing theme and plugin files directly from the WordPress dashboard.
If you click on the Plugin Editor, you will see a warning box.
The warning box pops up only for first-time visitors. It warns about editing code in the WordPress files: if not done properly, it may break the website, or you may lose access to it.
Once in, you will see the plain code editor.
On the top right corner, you can see I have selected the Cloudflare plugin to edit. You can find all the plugins installed on the website in the list and directly edit their functionality.
The same goes for the theme editor (Appearance >> Theme Editor).
You can select any theme and edit any file of the theme from here.
Why disable File Editing in WordPress Admin Area?
Editing files directly from the WordPress admin dashboard may seem helpful, but it is a potential security hazard.
Up to WordPress version 4.8, you could enter any line of code and WordPress would parse it, breaking the website if the code was wrong. WordPress version 4.9 upgraded the theme and plugin editor: it can now catch fatal errors and will not parse the code until you solve them.
But again, it is only a precautionary method, and things can slip through and cause damage to the WordPress website.
Another problem with file editors is that if someone somehow gets access to the admin area, they can use the file editor to insert code and gain complete access to the website.
Although that person is already an admin, access to the code is something different. They can access the plugin accounts and theme accounts, create vulnerabilities to exploit in the future, launch DDoS attacks, and transfer malware to visitors’ devices to scale the attacks using your business website.
As a WordPress hosting provider, we suggest you remove the built-in file editors. People who need to make changes can do so using FTP, which is more secure and faster.
How to Disable File Editing?
As I said, you can disable File Editing in the WordPress admin area by adding the following line of code into the wp-config.php file.
define( 'DISALLOW_FILE_EDIT', true );
But let’s see the step-by-step process.
Step 1: Log in to Hosting to open File Manager
All the popular hosting services provide panels to manage web hosting. It could be a custom-made panel, cPanel, Plesk, or any open-source hosting panel.
You have to log in to the panel and find the File Manager.
Step 2: Open the public_html folder
File Manager contains many folders. You have to open public_html, often known as the root directory. The public_html folder contains the WordPress website files.
Step 3: Locate the wp-config.php file
You will find the wp-config.php file in the public_html.
If there is no wp-config.php, go to the settings and tick ‘Show Hidden Files’. Some hosting providers keep it hidden to protect it from accidents.
Click on edit, and it will load the inbuilt code editor.
You can also download the file and edit it locally. Then you have to upload it back and delete the old wp-config.php.
Whichever way you go, you have to add a line of code into it.
Step 4: Add a line of code to wp-config.php
The wp-config.php file will not be empty. It will contain a fair amount of code, but don’t worry. You only have to add the following line at the bottom of all the code.
define( 'DISALLOW_FILE_EDIT', true );
Click on the save changes to save the file.
That’s it.
Log in to the website and you will no longer find the theme and plugin editors in the WordPress admin dashboard.
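To confirm the change from the command line rather than by looking at the dashboard, the following added example (not part of the original tutorial) checks a wp-config.php for an active define of the constant. The helper name check_file_edit_disabled and the sample files are constructed for illustration; it catches the two common mistakes of a commented-out line and an earlier define set to false.

```shell
#!/bin/sh
# Added example: audit wp-config.php for an active DISALLOW_FILE_EDIT define.
# check_file_edit_disabled is a hypothetical helper, not part of WordPress.

# Prints "disabled", "not-disabled" or "missing-file" for the given file.
check_file_edit_disabled() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing-file"; return 2; }
    # Skip lines that start as comments (//, #, /* or a leading *), then keep
    # the FIRST define of the constant: PHP ignores later redefinitions.
    # Limitation: a define inside a /* ... */ block on a line without a
    # leading * is not detected as commented out.
    active=$(grep -Ev '^[[:space:]]*(//|#|/\*|\*)' "$cfg" |
        grep -E "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"]" |
        head -n 1)
    # Only the literal value true (any case) counts, as in the tutorial's line.
    if printf '%s\n' "$active" | grep -Eiq ",[[:space:]]*true[[:space:]]*\)"; then
        echo "disabled"; return 0
    fi
    echo "not-disabled"; return 1
}

# Constructed sample configs (not real site files) exercising each case.
demo_dir=$(mktemp -d)
printf '%s\n' "<?php" "define( 'DISALLOW_FILE_EDIT', true );" > "$demo_dir/hardened.php"
printf '%s\n' "<?php" "// define( 'DISALLOW_FILE_EDIT', true );" > "$demo_dir/commented.php"
printf '%s\n' "<?php" "define( 'DISALLOW_FILE_EDIT', false );" \
    "define( 'DISALLOW_FILE_EDIT', true );" > "$demo_dir/shadowed.php"

for f in "$demo_dir"/*.php "$demo_dir/absent.php"; do
    status=$(check_file_edit_disabled "$f") || true
    printf '%-16s %s\n' "${f##*/}" "$status"
done
rm -rf "$demo_dir"
```

Run it against the real file by calling check_file_edit_disabled with the path to wp-config.php inside public_html; the exit status is 0 only when the editor is disabled.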
Wrap Up
Securing the admin panel is critical for WordPress security. You can secure the login page by creating hard-to-guess passwords, adding security questions, limiting login attempts, or using login security plugins.
Cleaning the code of a hacked website can be time-consuming and difficult.
By disabling file editing, you prevent any code injection into the site even if a hacker gets into the website.
In this quick tutorial, I showed you how to disable file editing in the WordPress admin area.