Learn how to safely disable theme and plugin file editing inside the WordPress dashboard so clients can update content without risking site-breaking code changes.
Why Disable File Editing in the WordPress Admin?
By default, WordPress allows administrators to edit theme and plugin files directly from the dashboard under Appearance → Theme File Editor and Plugins → Plugin File Editor. While convenient for developers, this is risky on production sites:
- A single typo in PHP can cause a fatal error and bring the site down.
- Malicious users who gain admin access can easily inject malware.
- Clients may accidentally edit core template files instead of using Elementor or the block editor.
WordPress provides a built-in constant, DISALLOW_FILE_EDIT, that cleanly disables these editors without affecting normal content editing or updates.
What This Change Does (and Does Not) Do
What will be blocked
- Theme File Editor in the dashboard
- Plugin File Editor in the dashboard
- Any direct editing of PHP, CSS, or JS files via those editors
What will still work normally
- Editing pages and posts with Gutenberg or Elementor
- Installing and updating themes and plugins (unless you also disable modifications)
- Uploading media files
- Managing menus, widgets, and customizer settings
This makes it a safe hardening step recommended in many WordPress security guides.
Before You Start: Safety Checklist
Any time you edit wp-config.php, you should take basic precautions:
- Confirm you have a recent backup of your site files and database.
- Verify SFTP or file manager access to your hosting account in case you need to undo a change.
- Locate the correct wp-config.php file in the root of your WordPress installation (usually the same folder as wp-admin and wp-content).
- Use a plain-text code editor (not Word or Pages) to avoid adding hidden characters.
Step-by-Step: Disable File Editing in wp-config.php
Step 1 – Access your site files
You can use either your hosting file manager or an SFTP client:
- Log in to your hosting control panel and open the file manager, or
- Connect via SFTP using credentials from your host.
Step 2 – Locate wp-config.php
In your site’s root directory, look for a file named wp-config.php. If you see folders like wp-admin, wp-content, and wp-includes, you are in the right place.
Step 3 – Download and back up the file
- Download a copy of wp-config.php to your computer.
- Rename that copy to something like wp-config-backup-before-file-editing.php and store it safely.
If anything goes wrong, you can upload this backup to restore the previous state.
Step 4 – Open wp-config.php in a code editor
Use a plain-text code editor (VS Code, Sublime Text, Notepad++, etc.). Do not use a word processor.
Step 5 – Add the DISALLOW_FILE_EDIT constant
Scroll near the bottom of the file and look for a line that says:
/* That's all, stop editing! Happy publishing. */
Just above that line (the constant has to be defined before wp-settings.php is loaded, which happens right after that comment), add:
define( 'DISALLOW_FILE_EDIT', true );
Make sure you:
- Use straight quotes ('), not smart quotes.
- End the line with a semicolon (;).
- Do not add this line after the closing PHP tag ?> (most modern wp-config files omit that tag, which is good).
Step 6 – Save and upload the file
- Save your edited wp-config.php file.
- Upload it back to your server, overwriting the existing file.
What You Should See
After uploading the updated wp-config.php:
- Log in to your WordPress dashboard.
- Go to Appearance. The Theme File Editor menu item should no longer appear.
- Go to Plugins. The Plugin File Editor menu item should also be gone.
- Try editing a page with Elementor or the block editor. Content editing should still work normally.
If the site loads and you can edit content but no longer see the editors, your configuration is correct.
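As an added example (not part of the original guide), the POSIX shell script below checks the three conditions from Step 5 against a wp-config.php: straight quotes, a closing semicolon, and placement above the "stop editing" marker. The sample wp-config.php files it builds are constructed here for the demo, not taken from a real site.

```shell
#!/bin/sh
# Added example: classify whether a wp-config.php carries the Step 5 line in
# the right form and place. Prints one of: ok | missing | malformed | after-marker
# and exits 0 only for "ok".
diagnose_file_edit_setting() {
  config="$1"
  # Straight quotes, the literal true, a closing paren and a semicolon.
  pattern="^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)[[:space:]]*;"
  if ! grep -q 'DISALLOW_FILE_EDIT' "$config"; then
    echo missing; return 1
  fi
  # Present but not in the exact form: smart quotes, missing semicolon, wrong value.
  if ! grep -Eq "$pattern" "$config"; then
    echo malformed; return 1
  fi
  # The define must sit above the "stop editing" marker (and so above wp-settings.php).
  marker=$(grep -n "That's all, stop editing" "$config" | head -n 1 | cut -d: -f1)
  if [ -z "$marker" ]; then marker=$(wc -l < "$config" | tr -d ' '); fi
  if ! head -n "$marker" "$config" | grep -Eq "$pattern"; then
    echo after-marker; return 1
  fi
  echo ok
}

# Constructed sample wp-config.php files (assumption: not from a real site).
# $1 = output path, $2 = one of ok | missing | nosemicolon | after
make_sample_config() {
  {
    echo "<?php"
    echo "define( 'DB_NAME', 'example_db' );"
    case "$2" in
      ok)          echo "define( 'DISALLOW_FILE_EDIT', true );" ;;
      nosemicolon) echo "define( 'DISALLOW_FILE_EDIT', true )" ;;
    esac
    echo "/* That's all, stop editing! Happy publishing. */"
    if [ "$2" = after ]; then echo "define( 'DISALLOW_FILE_EDIT', true );"; fi
    echo "require_once ABSPATH . 'wp-settings.php';"
  } > "$1"
}

# Demo over the constructed samples; point it at your real file instead:
#   diagnose_file_edit_setting /path/to/wp-config.php
tmp=$(mktemp -d)
for mode in ok missing nosemicolon after; do
  make_sample_config "$tmp/$mode.php" "$mode"
  printf '%-12s %s\n' "$mode:" "$(diagnose_file_edit_setting "$tmp/$mode.php")"
done
rm -r "$tmp"
```

Run it against the downloaded copy before uploading; a result other than "ok" points at the exact mistake listed under Step 5.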
If Something Goes Wrong
If you see a white screen, error message, or cannot access the dashboard after saving:
- Use SFTP or your file manager to rename the edited wp-config.php to something like wp-config-broken.php.
- Upload your backup copy and rename it back to wp-config.php.
- Reload your website. It should return to its previous state.
Common causes of errors include missing semicolons, extra characters, or placing the constant in the wrong part of the file.
Optional: Also Block File Modifications (Advanced)
For higher security, some site owners also disable file modifications (installing/updating themes and plugins) from the dashboard using DISALLOW_FILE_MODS. Setting it also hides the file editors, so it covers everything DISALLOW_FILE_EDIT does.
Warning: This is more restrictive and not recommended unless you have a clear maintenance plan and are comfortable managing updates via other methods.
If you decide to use it, you would add:
define( 'DISALLOW_FILE_MODS', true );
above the same “Happy publishing” line. This will:
- Prevent installing new plugins and themes from the dashboard.
- Prevent updating plugins, themes, and WordPress core via the dashboard.
Only use this if you or your technical team handle updates through other tools (for example, managed hosting or deployment pipelines).
How This Fits Into Your Overall Security Strategy
Disabling file editing is one small but important part of hardening your WordPress site. Other complementary steps include:
- Using strong, unique passwords and enabling two-factor authentication for admin accounts.
- Keeping WordPress core, themes, and plugins updated.
- Limiting the number of administrator-level users.
- Using the principle of least privilege when assigning user roles.
- Running a reputable security plugin for firewall and malware scanning.
Industry security organizations also recommend minimizing the ability to modify executable code directly on production systems, which is exactly what disabling file editing helps accomplish.
Quick Recap
- WordPress’s built-in file editors are convenient but risky on live sites.
- You can safely disable them by adding define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php above the “Happy publishing” line.
- This does not affect normal content editing with Gutenberg or Elementor.
- Always back up wp-config.php before editing and be prepared to restore it if needed.
- Consider this one layer in a broader, ongoing security and maintenance plan.