WordPress includes a built-in file editor that lets administrators change theme and plugin files directly from the dashboard.
You’ll find it under:
- Appearance → Theme Editor
- Plugins → Plugin Editor
This sounds useful — but in reality, it’s one of the first places hackers target when they gain admin access.
Here’s why: If a hacker compromises your WordPress admin account, they can open the editor and inject malware, backdoors, or redirect code directly into your theme or plugin files without needing FTP access.
Effects of Keeping File Editing Enabled
| Risk | Potential Impact |
| --- | --- |
| File injection | Hackers inject malware or spam links |
| Site redirects | Visitors get redirected to phishing or scam sites |
| Backdoor access | Attackers install persistent hidden access |
| Complete site loss | File damage could crash your theme or plugins |
Even if your admin account is protected, it’s best to remove unnecessary access points.
The Fix: Disable File Editing with One Click
You can manually add the following code to wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
But if you don’t want to deal with editing sensitive files (and risking a broken site), there’s a safer way.
How to Disable File Editing via WordPress Manager
STEP 1: Log in to your cPanel.
There are three methods to log in to your cPanel.
- Method 1: Log in to your cPanel directly.
- Method 2: Log in to your cPanel through your Customer Portal.
  - Log in to your Customer Portal.
  - Click on "Log in to cPanel".
- Method 3: Log in using the details sent to your email.
  - When you purchase a hosting plan, your cPanel login details (including username, password, and cPanel URL) are automatically sent to your registered email address. Simply check your inbox (or spam folder), locate the email, and use the provided credentials to access your cPanel.
STEP 2: Locate the Software section and click on Softaculous Apps Installer.
STEP 3: Click the box for Installations.
An alternative is to select the “All Installations” icon from the menu in the upper-right corner.
STEP 4: Click the WordPress icon next to the installation you want to manage.
STEP 5: In WordPress Manager, select the website you want to secure.
STEP 6: Tap on the Security Measures section.
STEP 7: Check the box for “Disable file editing in WordPress” and click Apply.
This adds the right directive to your configuration file automatically — no coding, no risk.
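To confirm the directive is present and active afterwards, the following added example (not part of the original article or any LyteHosting or Softaculous tool) audits the text of a wp-config.php file. The function names and the sample file contents are constructed for illustration, and it assumes the standard layout in which wp-config.php loads wp-settings.php near the end.

```python
import re
import sys

# Constructed sample wp-config.php text (not taken from a real site).
SAMPLE_OK = """<?php
define( 'AUTH_KEY', 'a#b/*c' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

# Quoted strings are matched first so '#', '//' or '/*' inside a salt or URL
# is not mistaken for the start of a comment.
TOKEN_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.DOTALL)
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*([^)]+?)\s*\)\s*;""",
    re.IGNORECASE)
SETTINGS_RE = re.compile(r"require(?:_once)?\b[^;]*wp-settings\.php")

def strip_comments(php):
    """Blank out PHP comments, keeping strings and character offsets."""
    def blank(m):
        tok = m.group()
        return tok if tok[0] in "'\"" else re.sub(r"[^\n]", " ", tok)
    return TOKEN_RE.sub(blank, php)

def audit_file_edit(php):
    """Return (ok, reason) for the text of a wp-config.php file."""
    code = strip_comments(php)
    m = DEFINE_RE.search(code)
    if m is None:
        return False, "DISALLOW_FILE_EDIT is not defined (or is commented out)"
    if m.group(1).lower() not in ("true", "1"):
        return False, "DISALLOW_FILE_EDIT is defined but not set to true"
    s = SETTINGS_RE.search(code)
    # Assumption: custom defines belong above the line that loads wp-settings.php.
    if s is not None and m.start() > s.start():
        return False, "defined below the wp-settings.php require; move it above"
    return True, "file editing is disabled"

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OK
    ok, reason = audit_file_edit(text)
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it with the path to your wp-config.php as the only argument; a non-zero exit status means the directive is missing, commented out, set to false, or placed below the wp-settings.php line.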
What Changes After Disabling?
- The Theme Editor and Plugin Editor options will disappear from the dashboard.
- Your site’s functionality remains unaffected.
- You can still edit files through FTP or File Manager if needed.
- It adds a strong layer of protection against admin-level threats.
Frequently Asked Questions (FAQs)
Q: Can I re-enable file editing later?
Yes, simply undo the setting in WordPress Manager or remove the line from your wp-config.php.
Q: Do I need this if I’m the only admin?
Yes. Even if you’re the only admin, disabling file editing reduces the chances of accidental edits and protects you in case your account is ever hacked.
Q: Will this break my plugins or themes?
Not at all. It only hides the editing interface; it doesn’t affect plugin/theme behavior.
If you need help, kindly reach out to LyteHosting support.