Disable WordPress Admin File Changes

If for some rea­son you wish to lim­it the dam­age cus­tomiza­tions which may be done to a Word­Press instal­la­tion, you can quick­ly & eas­i­ly dis­able a vari­ety of pow­er­ful admin pan­el fea­tures by copy­ing these one-lin­ers into The­siscustom_functions.php file.

The one time my blog admin account was com­pro­mised, the crack­er used Word­Press’ built-in file edi­tors to insert spam links through­out my site. Dis­abling those edi­tors or the abil­i­ty to add/delete plu­g­ins and themes from with Word­Press is a great way to keep sites secure, whether you’re leav­ing yours unat­tend­ed for an extend­ed peri­od or you sim­ply want to pre­vent the blog­ger them­selves from break­ing something.

Disable Theme/Plugin Editors

define( 'DISALLOW_FILE_EDIT', true );

This snip­pet dis­al­lows the fol­low­ing capa­bil­i­ties: edit_files, edit_plugins, and edit_themes. (What do these capa­bil­i­ties con­trol?) The The­sis admin pan­el will also be disallowed.

Once you have your theme set up the way you want, you may find it to be a good idea to leave this snip­pet enabled all the time, for that added peace of mind. When enabled, mali­cious users would need to break into your host or your FTP account in order to mod­i­fy files.

Disable Update/Delete/Install Abilities

define( 'DISALLOW_FILE_MODS', true );

This snip­pet dis­al­lows the fol­low­ing capa­bil­i­ties: update_plugins, delete_plugins, install_plugins, update_themes, delete_themes, install_themes, update_core. (What do these capa­bil­i­ties con­trol?) The The­sis admin pan­el will also be disallowed.

Should you decide to leave this snip­pet active on your site, be sure to dis­able it at least once a week for a cou­ple hours to ensure that avail­able updates show up in your dashboard.






5 responses to “Disable WordPress Admin File Changes”

  1. Cat Scholz Avatar

    Do you know how to fix this problem:
    I added:
    define( ‘DISALLOW_FILE_EDIT’, true );
    to wp-config.php and then when I delet­ed it, the plu­g­ins did not come back.
    I tried chang­ing them to:
    but that did not work.
    Any clues? Thanks.

    1. Rick Beckman Avatar

      I’m not sure why that would be, Cat, as those lines of code don’t change any­thing per­ma­nent. So try these two things and let me know:

      First, try log­ging out and then back in, which may trig­ger a reset in your user­name’s capabilities.

      Sec­ond, if you’re using any caching plu­g­ins, flush the cache (or use FTP to delete every­thing in the /wp-content/cache/ direc­to­ry (or what­ev­er your par­tic­u­lar cache direc­to­ry may be named).

  2. Cat Scholz Avatar

    Thanks Rick -

    I’ve done the fol­low­ing and no suc­cess with being able to add plugins:

    - logged out and in
    — cleared my brows­er cache and cookies
    — added define(‘DISALLOW_FILE_MODS’,false); to wp-config.php, logged out and in

    Also, I see that there is no caching plu­g­in installed, no caching direc­tive in wp-config.php and no fold­er called /cache/ in wp-con­tent to clear.

    Dreamhost sup­port said I would prob­a­bly need to rein­tall Word­Press (ouch).

    Any oth­er ideas? Add a caching state­ment to wp-config.php?

    Thank you much!


    1. Rick Beckman Avatar

      Are you able to install (either through Word­Press or via file man­ag­er) & acti­vate plu­g­ins? If so, this plu­g­in has a fea­ture which resets capa­bil­i­ties to Word­Press’ default.

  3. Cat Scholz Avatar

    Thanks — No unfor­tu­nate­ly when I upload a plu­g­in to the plu­g­ins fold­er with FTP it does not show up in the list.

Join the Discussion

Your email address will not be published. Required fields are marked *

Use your Gravatar-enabled email address while commenting to automatically enhance your comment with some of Gravatar's open profile data.

Comments must be made in accordance with the comment policy. This site uses Akismet to reduce spam; learn how your comment data is processed.

You may use Markdown to format your comments; additionally, these HTML tags and attributes may be used: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Rick Beckman