Disable WordPress Admin File Changes

If for some reason you wish to limit the customizations which may be done to a WordPress installation (and, with them, the damage a hijacked admin account can do), you can quickly & easily disable a variety of powerful admin panel features by copying these one-liners into Thesis’ custom_functions.php file, or into wp-config.php above the “That’s all, stop editing!” line if you aren’t running Thesis.

The one time my blog admin account was compromised, the cracker used WordPress’ built-in file editors to insert spam links throughout my site. Disabling those editors, or the ability to add/delete plugins and themes from within WordPress, is a great way to keep sites secure, whether you’re leaving yours unattended for an extended period or you simply want to prevent the blogger themselves from breaking something.

Disable Theme/Plugin Editors

define( 'DISALLOW_FILE_EDIT', true );

This snippet disallows the following capabilities for every user, administrators included: edit_files, edit_plugins, and edit_themes (the WordPress Codex page on Roles and Capabilities explains what each controls). The Theme Editor and Plugin Editor entries disappear from the admin menu, and the Thesis admin panel will also be disallowed.

Once you have your theme set up the way you want, you may find it to be a good idea to leave this snippet enabled all the time, for that added peace of mind. Be aware of what it does not cover, though: it only removes the built-in editors, so someone holding an administrator login can still upload a plugin or theme zip containing whatever PHP they like. Pair it with DISALLOW_FILE_MODS below to close that route as well; with both in place, malicious users would need to break into your host or your FTP account in order to modify files.

Disable Update/Delete/Install Abilities

define( 'DISALLOW_FILE_MODS', true );

This snippet disallows the following capabilities: update_plugins, delete_plugins, install_plugins, update_themes, delete_themes, install_themes, and update_core (the Codex page on Roles and Capabilities explains what each controls). WordPress treats it as implying DISALLOW_FILE_EDIT, so the theme and plugin editors are shut off too; newer versions also withhold the upload_plugins and upload_themes capabilities and switch off the automatic background updater. Uploads to the media library are unaffected. The Thesis admin panel will also be disallowed.

Should you decide to leave this snippet active on your site, remember that the dashboard only shows update notices to users who hold the update_core capability, so they will stop appearing. Either disable it periodically (at least once a week for a couple of hours) so that available updates show up in your dashboard, or check for them from the server with WP-CLI’s wp core check-update and wp plugin list --update=available.
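As an added example covering both snippets above (this is not code from the original post), here is a small POSIX shell script that audits a wp-config.php for DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS and sets each to true: a define that reads false is flipped in place, a missing one is inserted above the standard “That’s all, stop editing!” comment, and running it twice changes nothing the second time. The function names, and the deliberately weak sample wp-config.php it builds to demonstrate on, are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a wp-config.php for the two
# constants discussed above and set both to true, the way a hardening script
# would. Uses only POSIX sh, grep, sed and awk. The "stop editing" marker it
# looks for is the comment WordPress ships in every wp-config.php.

# wp_constant_state FILE NAME
# Prints "true", "false" or "unset" according to the last uncommented
# define( 'NAME', true|false ); line in FILE. Either quote style and any
# spacing are accepted; lines commented out with // or # do not count.
wp_constant_state() {
    file="$1"; name="$2"
    line=$(grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*(true|false)[[:space:]]*\)[[:space:]]*;" "$file" | tail -n 1)
    if [ -z "$line" ]; then
        echo unset
    else
        printf '%s\n' "$line" | sed -E 's/.*,[[:space:]]*(true|false)[[:space:]]*\).*/\1/'
    fi
}

# wp_harden_config FILE
# Ensures DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are both defined as true.
# A define set to false is flipped in place; a missing one is inserted just
# above the "That's all, stop editing!" marker so WordPress reads it before
# wp-settings.php loads (appended at the end if the marker is absent).
wp_harden_config() {
    cfg="$1"
    for const in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        case "$(wp_constant_state "$cfg" "$const")" in
            true) ;;
            false)
                sed -E "s/^([[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${const}['\"][[:space:]]*,[[:space:]]*)false/\1true/" \
                    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" ;;
            unset)
                awk -v add="define( '${const}', true );" '
                    !done && index($0, "stop editing") { print add; done = 1 }
                    { print }
                    END { if (!done) print add }
                ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" ;;
        esac
    done
}

# wp_sample_config DIR
# Writes a constructed, deliberately weak wp-config.php into DIR (editor lock
# only present as a commented-out line, file mods explicitly allowed) and
# prints its path. Sample data only; nothing here is a real credential.
wp_sample_config() {
    path="$1/wp-config.php"
    cat > "$path" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'constructed-sample-only' );
// define( 'DISALLOW_FILE_EDIT', true );   commented out, so it must not count
define('DISALLOW_FILE_MODS', false);
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    echo "$path"
}

# Demo on the constructed sample; for a real site run: wp_harden_config /path/to/wp-config.php
demo_dir=$(mktemp -d)
demo_cfg=$(wp_sample_config "$demo_dir")
echo "before: DISALLOW_FILE_EDIT=$(wp_constant_state "$demo_cfg" DISALLOW_FILE_EDIT) DISALLOW_FILE_MODS=$(wp_constant_state "$demo_cfg" DISALLOW_FILE_MODS)"
wp_harden_config "$demo_cfg"
echo "after:  DISALLOW_FILE_EDIT=$(wp_constant_state "$demo_cfg" DISALLOW_FILE_EDIT) DISALLOW_FILE_MODS=$(wp_constant_state "$demo_cfg" DISALLOW_FILE_MODS)"
rm -r "$demo_dir"
```

The script matches text, not PHP: a define hidden inside a /* */ block comment, or one whose value comes from a variable, will fool it, and it cannot see a define living in a theme file such as Thesis’ custom_functions.php (which vanishes the moment you switch themes, one more reason wp-config.php is the better home). Back up wp-config.php before pointing it at a live site.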

5 thoughts on “Disable WordPress Admin File Changes”

  1. Do you know how to fix this problem:
    I added:
    define('DISALLOW_FILE_MODS',true);
    define( 'DISALLOW_FILE_EDIT', true );
    to wp-config.php and then when I deleted it, the plugins did not come back.
    I tried changing them to:
    define('DISALLOW_FILE_MODS',false);
    define('DISALLOW_FILE_EDIT',false);
    but that did not work.
    Any clues? Thanks.

    1. I’m not sure why that would be, Cat, as those lines of code don’t change anything permanent. So try these two things and let me know:

      First, try logging out and then back in, which may trigger a reset in your username’s capabilities.

      Second, if you’re using any caching plugins, flush the cache (or use FTP to delete everything in the /wp-content/cache/ directory, or whatever your particular cache directory may be named).

  2. Thanks Rick –

    I’ve done the following and no success with being able to add plugins:

    – logged out and in
    – cleared my browser cache and cookies
    – added define('DISALLOW_FILE_MODS',false); to wp-config.php, logged out and in

    Also, I see that there is no caching plugin installed, no caching directive in wp-config.php and no folder called /cache/ in wp-content to clear.

    Dreamhost support said I would probably need to reinstall WordPress (ouch).

    Any other ideas? Add a caching statement to wp-config.php?

    Thank you much!

    -Cat
