WordPress Disable File Editor


The file editor that ships with WordPress is a security risk. If an attacker gains admin access to your WordPress website, they can easily insert malicious code into theme and plugin files. It is also a risk with clients who don't know what they're doing. One misplaced colon in the file editor can break a site and make it inaccessible from the browser.

In your WordPress wp-config.php file, disable the file editor by adding the following line of code.

define( 'DISALLOW_FILE_EDIT', true );

That line will also have the desired effect when added to your theme's functions.php file, but it is better to add it to wp-config.php.

If you are using WordPress CLI to install WordPress, you can use the following command to create a wp-config.php file with file editing disabled.

# declare variables beforehand or substitute strings in
wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="$WP_DBPREFIX"_ --locale=en_AU --extra-php <<PHP
define( 'DISALLOW_FILE_EDIT', true );
PHP

This method is useful if you install WordPress with a script.
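To confirm that scripted installs really ended up with the editor disabled, the check below scans a directory tree of WordPress installs and lists every wp-config.php that leaves it enabled. This is an added example, not code from the original article; the function names (file_edit_disabled, audit_wp_configs, make_samples) and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit wp-config.php files for an active DISALLOW_FILE_EDIT.

# file_edit_disabled FILE: exit 0 only if the first uncommented define of
# DISALLOW_FILE_EDIT in FILE sets it to true. PHP keeps the first definition
# of a constant, so a later define cannot override an earlier one.
# Limitation: only whole-line comments (//, #, /*, *) are recognised.
file_edit_disabled() {
    [ -r "$1" ] || return 1
    awk -v q="'" '
        /^[ \t]*(\/\/|#|\/\*|\*)/ { next }          # skip commented-out lines
        {
            line = $0
            gsub(/[ \t\r]/, "", line)               # ignore spacing
            gsub(q, "", line); gsub(/"/, "", line)  # ignore quote style
            if (line ~ /define\(DISALLOW_FILE_EDIT,/) {
                found = 1
                ok = (line ~ /define\(DISALLOW_FILE_EDIT,[Tt][Rr][Uu][Ee]\)/)
                exit
            }
        }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# audit_wp_configs ROOT: print each wp-config.php under ROOT that leaves the
# file editor enabled (no output means every install passed).
audit_wp_configs() {
    find "$1" -type f -name wp-config.php | sort | while IFS= read -r cfg; do
        file_edit_disabled "$cfg" || printf '%s\n' "$cfg"
    done
}

# Constructed sample installs (hypothetical, not from the original article).
make_samples() {
    mkdir -p "$1/good" "$1/commented" "$1/off"
    printf "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n" > "$1/good/wp-config.php"
    printf "<?php\n// define( 'DISALLOW_FILE_EDIT', true );\n" > "$1/commented/wp-config.php"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', false);\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$1/off/wp-config.php"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_wp_configs "$demo_dir"   # lists the "commented" and "off" configs
rm -rf "$demo_dir"
```

Run it from cron or a deployment pipeline against the directory that holds your sites and treat any output as a failed check.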