Disable File Editing in WordPress Dashboard

Posted: Sat Jan 04, 2025 4:09 am
by rifathasan
Many WordPress sites have multiple users and administrators, which can make WordPress security difficult. It’s a very bad practice to give authors or contributors admin access, but unfortunately, this happens all the time. It’s important to give users the right roles and permissions so they don’t break anything. In this regard, it can be helpful to simply disable the “Appearance Editor” in WordPress. Most of you have probably been in this situation at one time or another. You’re quickly editing something in the Appearance Editor and suddenly you’re faced with the white screen of death. It’s much better to edit the file locally and upload it via FTP. And of course, as a best practice, you should test things like this on a developer site first.

WordPress appearance editor
Additionally, if your WordPress site is hacked, the first thing they might do is try to edit a PHP file or theme via the appearance editor. This is a quick way to execute malicious code on your site. If they don't have access to this from the dashboard, this can help prevent attacks. Place the following code in the file wp-config.php to remove the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities for all users.
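
An added example, not part of the original post and not the poster's code: the snippet the post refers to is not on the page, so this audit assumes it is WordPress's documented `DISALLOW_FILE_EDIT` constant and reports whether a `wp-config.php` actually sets it. The config excerpts and the function name `file_edit_status` are constructed for illustration.

```python
import re

# Constructed wp-config.php excerpts (not taken from any real site).
HARDENED = """<?php
define( 'DB_NAME', 'example' );
define( 'DISALLOW_FILE_EDIT', true );
require_once ABSPATH . 'wp-settings.php';
"""
COMMENTED_OUT = """<?php
// define( 'DISALLOW_FILE_EDIT', true );
/* define('DISALLOW_FILE_EDIT', true); */
require_once ABSPATH . 'wp-settings.php';
"""
SET_FALSE = """<?php
define("DISALLOW_FILE_EDIT", false);
"""

# PHP comment forms: /* ... */, // ... and # ...
# Naive on purpose: a comment marker inside a string literal hides the rest
# of that line, which errs toward reporting "unset" rather than "disabled".
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_DEFINE = re.compile(
    r"""\bdefine\s*\(\s*(['"])DISALLOW_FILE_EDIT\1\s*,\s*([^)]*?)\s*\)""", re.I)


def file_edit_status(config_text):
    """Return 'disabled', 'enabled' or 'unset' for the dashboard file editors."""
    code = _COMMENTS.sub("", config_text)
    # The first define is the one that counts: PHP ignores a later
    # redefinition of an existing constant.
    match = _DEFINE.search(code)
    if match is None:
        return "unset"  # constant absent: editors are available by default
    value = match.group(2).strip().lower()
    # Only an explicit true/1 is accepted as hardened; anything else
    # (false, 0, an expression) is reported as not hardened.
    return "disabled" if value in ("true", "1") else "enabled"


if __name__ == "__main__":
    samples = {"hardened": HARDENED, "commented out": COMMENTED_OUT,
               "set to false": SET_FALSE}
    for name, text in samples.items():
        print(f"{name}: file editors {file_edit_status(text)}")
```

A result of `unset` or `enabled` means the theme and plugin editors are still reachable from the dashboard for any account that holds those capabilities.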