
How to Disable File Editing in WordPress (DISALLOW_FILE_EDIT)


Being able to access your WordPress files directly within your dashboard is handy. You can jump in, tweak code, and save changes instantly. However, this convenience has a downside: If a hacker ever gains admin access, the file editor becomes an easy way for them to inject malicious code.

This is why many site owners choose to turn off file editing altogether.

In this guide, you’ll learn how to disable file editing in WordPress, why it’s crucial for protecting your site, and what to check afterward to keep everything running smoothly.

Why WordPress file editing is a security risk

WordPress includes two built-in editors that let administrators open and edit PHP files right from the dashboard. Depending on the type of theme you’re using, you’ll find them in slightly different places:

Classic themes:

  • Appearance → Theme File Editor
  • Plugins → Plugin File Editor

Block themes (Site Editor):

  • Tools → Theme File Editor
  • Tools → Plugin File Editor

At first glance, this seems convenient — you can tweak code without leaving your site. But here’s the catch: the same power is available to anyone with administrator access. If an attacker breaks into an admin account, they can inject malicious code, create backdoors, or even take the site offline.

Disabling the editors doesn’t mean you lose the ability to make changes. You (or your developer) can still access all theme and plugin files directly through your web server, SFTP, or hosting control panel. All you’re doing is removing an unnecessary shortcut that poses a significant security risk.

Method 1: Disable file editing via wp-config.php

The wp-config.php file stores settings that control how WordPress runs. Any changes you make here will remain in place, even after WordPress updates. Plus, if you ever need to restore the in-dashboard editors, you can simply remove the code you added.

To edit this file, you’ll need access to your WordPress root folder using SFTP, SSH, or your host’s file manager. This folder is usually named public_html, or it may be a subfolder inside. If you’re unsure where your installation is, check your hosting dashboard or ask your web host.

Here’s how to turn off file editing:

  1. Locate the file called wp-config.php in your site’s root folder.
  2. Open it and look for the line that says: /* That's all, stop editing! Happy blogging. */
  3. Just above that line, add: define('DISALLOW_FILE_EDIT', true);
  4. Save the file (and re-upload it if you used SFTP).

That’s it! You’ve disabled file editing from the WordPress dashboard.

Method 2: Using the DISALLOW_FILE_MODS constant

If you want an even stricter setup, WordPress also supports DISALLOW_FILE_MODS. This setting is handy for high-security production sites where stability is more important than convenience.

This constant goes beyond removing file editing from your dashboard. Once added, it blocks the installation and updating of plugins, themes, and WordPress core from the admin dashboard.

Add this line to your wp-config.php file instead:

define('DISALLOW_FILE_MODS', true);

As with the DISALLOW_FILE_EDIT constant, you can still update everything manually via SFTP or your hosting control panel. These settings give you complete control while protecting your site from accidental or unauthorized changes.

How to check if file editing is disabled

After adding the code to your wp-config.php file, log in to your WordPress dashboard and look where the Theme File Editor and Plugin File Editor links normally appear for your type of theme (see above).

If both links are gone, your changes were successful.

If the editors are still visible, try these troubleshooting steps:

  • Clear your browser and site cache.
  • Make sure you edited the correct file.
  • Double-check your syntax — a missing semicolon or incorrect quote can break the code.

Once everything is correct, you won’t be able to access these editors from the WordPress dashboard.
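
The troubleshooting points above (commented-out line, wrong quotes, missing semicolon, placement) can also be checked statically. This Python check is an added example, not part of the original article; the function names, status strings, and sample wp-config.php text are constructed for illustration.

```python
import re

# PHP string literals (group 1, kept) or comments (group 2, blanked out).
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(/\*.*?\*/|//[^\n]*|#[^\n]*)""",
    re.S)

# Constructed wp-config.php skeleton for the demo; {line} is the line under test.
TEMPLATE = """<?php
define('DB_NAME', 'example_db');
define('WP_HOME', 'https://example.test'); // '//' inside a string is not a comment
{line}
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
"""

def blank_comments(php):
    """Replace comments with spaces so offsets still line up with the original."""
    return _TOKEN.sub(
        lambda m: m.group(1) or re.sub(r"[^\n]", " ", m.group(2)), php)

def audit_constant(php, name="DISALLOW_FILE_EDIT"):
    """Return a short status string for one constant in wp-config.php text."""
    code = blank_comments(php)
    if name not in code:
        return "commented-out" if name in php else "missing"
    if re.search(r"[\u2018\u2019\u201c\u201d]\s*" + name, code):
        return "curly-quotes"  # typographic quotes pasted from a web page
    m = re.search(
        r"define\s*\(\s*(['\"])" + name + r"\1\s*,\s*([^)]*?)\s*\)\s*(;?)", code)
    if not m:
        return "malformed"
    if not m.group(3):
        return "missing-semicolon"
    if m.group(2).lower() != "true":
        return "not-true"
    marker = php.find("stop editing")  # the article says to add the line above it
    if marker != -1 and m.start() > marker:
        return "below-marker"
    return "ok"

if __name__ == "__main__":
    for line in ("define('DISALLOW_FILE_EDIT', true);",
                 "// define('DISALLOW_FILE_EDIT', true);",
                 "define(\u2018DISALLOW_FILE_EDIT\u2019, true);",
                 "define('DISALLOW_FILE_EDIT', true)"):
        print(f"{audit_constant(TEMPLATE.format(line=line)):18} {line}")
```

To check a real file, pass its contents as text, for example `audit_constant(open('wp-config.php', encoding='utf-8').read())`; the function only reads the text and never executes PHP.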

How to re-enable WordPress file editing

One advantage of removing file editing with the wp-config.php file is the ease of re-enabling it. If you ever need to restore file editing, you can simply remove your constants. 

Instead of deleting the line, consider commenting it out. This way, you can easily disable file editing again by simply removing the forward slashes (//), which helps maintain your site’s security. To do this:

  1. Open your wp-config.php file.
  2. Delete or comment out the line you added: // define('DISALLOW_FILE_EDIT', true);
  3. Save the file and reload your WordPress dashboard.

Once saved, the editor links will reappear, allowing you to make necessary changes. 


We guard your site. You run your business.

Jetpack Security provides easy‑to‑use, comprehensive WordPress site security, including real‑time backups, a web application firewall, malware scanning, and spam protection.


Other ways to protect your site

Hardening your WordPress site with multiple layers of protection makes it more difficult for hackers to breach it. Disabling file editing is a good start, but it should be just one part of a broader security strategy.

Here are some simple steps that can make a big difference:

  • Use strong passwords: Make them long and unique — consider using a password manager to help you remember.
  • Enable two-factor authentication (2FA): A second verification step makes logins much safer.
  • Keep everything updated: This includes themes, plugins, and WordPress core.
  • Limit admin access: Only give administrator privileges to users who truly need them.
  • Use a security plugin: Scan for malware, monitor activity, and block suspicious logins.
  • Back up your site regularly: This allows you to restore quickly if something goes wrong.

Combined with disabling file editing, these steps give your WordPress site a strong defense.

How to take your site’s security to the next level

Turning off file editing is just one part of keeping your site safe. To protect your WordPress site comprehensively, you need tools that detect problems early, fix them quickly, and safeguard your data.

That’s where Jetpack Security comes in. It’s a bundle of tools built specifically for WordPress that strengthens your site across the board.

Jetpack Security includes:

  • Jetpack VaultPress Backup, which backs up your site in real time. If something goes wrong, you can restore everything with a single click.
  • Jetpack Scan, which monitors your site for malware, security issues, and suspicious changes. It sends automatic alerts so you can take action before visitors encounter problems.
  • Akismet, which blocks spam in comments and contact forms. Attackers often use spam to inject harmful links or scripts, and Akismet filters it out without slowing your site down.
  • A web application firewall, which blocks suspicious traffic from reaching your site.

These tools run quietly in the background, and you can access them all through the Jetpack dashboard. This lets you handle backups, security scans, and spam protection without juggling multiple accounts or plugins.

If you want a reliable, full-featured security setup that protects your site daily, Jetpack Security brings everything together in one package. It works smoothly with most themes and plugins and gives you peace of mind with minimal effort.

Frequently asked questions

Can I remove the theme editing and leave the plugin editing?

There’s no built-in way to block one while keeping the other. WordPress doesn’t separate the theme and plugin editors. When you use DISALLOW_FILE_EDIT, both editors disappear. 

Can I control this based on user roles?

While possible, it can get complicated. You could create a custom role that removes file editing capabilities using a plugin, but WordPress doesn’t have a capability specifically for file editing.

The editor relies on general permissions like edit_themes or edit_plugins, and removing those may break other admin functions. Disabling file editing via the wp-config.php file is the easiest and safest approach for most sites.

Can I still edit files another way?

Yes. Disabling the dashboard editor doesn’t prevent you from editing files through SFTP clients like FileZilla or Cyberduck, your web host’s file manager, Git deployments, or local development environments. You’re removing a feature that could pose a risk if a malicious actor gains access to an admin login.

This entry was posted in WordPress Tutorials.

Jen Swisher

Jen is a Customer Experience Specialist for Jetpack. She has been working with WordPress and Jetpack for over a decade. Before starting at Automattic, Jen helped small businesses, local non-profits, and Fortune 50 companies create engaging web experiences for their customers. She is passionate about teaching others how to create on the web without fear.
