Disable WordPress Admin File Changes

If for some reason you wish to limit the ~~damage~~ customizations which may be done to a WordPress installation, you can quickly & easily disable a variety of powerful admin panel features by copying these one-liners into Thesis’ custom_functions.php file.

The one time my blog admin account was compromised, the cracker used WordPress’ built-in file editors to insert spam links throughout my site. Disabling those editors or the ability to add/delete plugins and themes from with WordPress is a great way to keep sites secure, whether you’re leaving yours unattended for an extended period or you simply want to prevent the blogger themselves from breaking something.

Disable Theme/Plugin Editors

define( 'DISALLOW_FILE_EDIT', true );

This snippet disallows the following capabilities: edit_files, edit_plugins, and edit_themes. (What do these capabilities control?) The Thesis admin panel will also be disallowed.

Once you have your theme set up the way you want, you may find it to be a good idea to leave this snippet enabled all the time, for that added peace of mind. When enabled, malicious users would need to break into your host or your FTP account in order to modify files.

Disable Update/Delete/Install Abilities

define( 'DISALLOW_FILE_MODS', true );

This snippet disallows the following capabilities: update_plugins, delete_plugins, install_plugins, update_themes, delete_themes, install_themes, update_core. (What do these capabilities control?) The Thesis admin panel will also be disallowed.

Should you decide to leave this snippet active on your site, be sure to disable it at least once a week for a couple hours to ensure that available updates show up in your dashboard.

Posted

August 31, 2011

The Vault

Rick Beckman

Tags:

Comments

5 responses to “Disable WordPress Admin File Changes”

Cat Scholz

March 5, 2013

Do you know how to fix this problem:
I added:
define(‘DISALLOW_FILE_MODS’,true);
define( ‘DISALLOW_FILE_EDIT’, true );
to wp-config.php and then when I deleted it, the plugins did not come back.
I tried changing them to:
define(‘DISALLOW_FILE_MODS’,false);
define(‘DISALLOW_FILE_EDIT’,false);
but that did not work.
Any clues? Thanks.

Error happened.

Reply
1. Rick Beckman
  
  March 6, 2013
  
  I’m not sure why that would be, Cat, as those lines of code don’t change anything permanent. So try these two things and let me know:
  
  First, try logging out and then back in, which may trigger a reset in your username’s capabilities.
  
  Second, if you’re using any caching plugins, flush the cache (or use FTP to delete everything in the /wp-content/cache/ directory (or whatever your particular cache directory may be named).
  
  Error happened.
  
  Reply
Cat Scholz

March 6, 2013

Thanks Rick -

I’ve done the following and no success with being able to add plugins:

- logged out and in
— cleared my browser cache and cookies
— added define(‘DISALLOW_FILE_MODS’,false); to wp-config.php, logged out and in

Also, I see that there is no caching plugin installed, no caching directive in wp-config.php and no folder called /cache/ in wp-content to clear.

Dreamhost support said I would probably need to reintall WordPress (ouch).

Any other ideas? Add a caching statement to wp-config.php?

Thank you much!

-Cat

Error happened.

Reply
1. Rick Beckman
  
  March 6, 2013
  
  Are you able to install (either through WordPress or via file manager) & activate plugins? If so, this plugin has a feature which resets capabilities to WordPress’ default.
  
  Error happened.
  
  Reply
Cat Scholz

March 7, 2013

Thanks — No unfortunately when I upload a plugin to the plugins folder with FTP it does not show up in the list.

Error happened.

Reply

Disable WordPress Admin File Changes

Disable Theme/Plugin Editors

Disable Update/Delete/Install Abilities

Comments

5 responses to “Disable WordPress Admin File Changes”

Join the Discussion Cancel reply