This is a common question I get from folks in the WordPress community. How can I “lock things down” and prevent any changes to plugins, themes, and WordPress core files. For example, how to prevent any themes and/or plugins from being updated or deleted, and how to prevent any new plugins from being installed. This is useful for certain projects where it’s necessary to lock a website to a static version. Fortunately, WordPress makes this super easy with a couple of PHP constants. Let’s take a quick look..
Contents
Prevent Changes via File Editor
Did you know that WordPress provides a Plugin File Editor and Theme File Editor in the WP Admin Area. You can find them:
- Under the Appearance menu ▸ Theme File Editor
- Under the Plugins menu ▸ Plugin File Editor
These tools enable admins to make changes to any plugin or theme files. Huge convenience for those that need it. For those that don’t, you can disable any changes via the file editors by adding the following line to your site’s wp-config.php file, which resides in the root WordPress directory:
// disable file changes via plugin and theme editors
define('DISALLOW_FILE_EDIT', true);Once this line is included in the site’s configuration file, all file-editing via the Admin Area will be disabled. No menu items, no editing, nada. It’s another layer of security that effectively minimizes your site’s attack surface, so sensitive files cannot be modified by any user, including admins. This helps to protect against any changes that could compromise or crash your site.
DISALLOW_FILE_EDIT constant may affect any plugins that check for sufficient capabilities using current_user_can('edit_plugins'). Plugins should check if the constant is set, and if so display an appropriate error message.Prevent All Changes via Admin Area
While the previous technique disables changes to plugins and themes via the file editors, this next technique prevents all changes to any files from inside the Admin Area. This includes:
- Updating, deleting, installing plugins
- Updating, deleting, installing themes
- Updating the WordPress core files
It also includes changes made via the plugin and theme file editors. Basically this technique staticizes a site to its current version. So if that sounds like you, here is the magic code to lock it down:
// disable all changes to all files via admin area
define('DISALLOW_FILE_MODS', true);Once this line is included in the site’s configuration file, all changes (installing, updating, deleting) to plugins and themes will be disabled. Note that the above line also disables updates to the WordPress core files, so trying to update WordPress via Dashboard ▸ Updates will not work.
Of course, it always is possible for changes to be made directly on the server via SFTP or similar method. But any file changes from within the Admin Area will be disabled completely.
DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT. Just including DISALLOW_FILE_MODS takes care of everything.DISALLOW_FILE_MODS to your site’s wp-config.php file. WordPress needs to be able to make changes in order to keep plugins, themes, and core files current via updates. So only disable changes if you are 100% certain that you don’t want any updates on your WordPress site.Related Posts
If you encounter the WordPress 403 Forbidden error, you might not be able to log in to the back end of your site or access a specific page. This can be frustrating and prevent you from getting important work done. 
Without a doubt, WordPress remains the most popular content management platform in the world, powering over 43% of websites worldwide. Given its immense popularity and the number of businesses running on the WP platform, it’s no surprise that a WP website is a common target for cyberattacks. Have you done everything in your power to […]
You’ve seen it pop up while browsing or building a website. You know it enables some sort of security. It’s those “HTTPS” letters at the beginning of a webpage URL. But what does HTTPS do, exactly? 
Even if you are confident in the security of your WordPress site, you should still take precautions. A security breach can wreak irreparable damage to your online business. Hackers frequently use bots to saturate your website with spam, which can get out of hand quickly. Fortunately, spammers and bots may be kept out of your […]
You’ve probably heard the term “cyber threat” used more than once in the context of cybersecurity. What you may not know, however, is that the term “threat” is often mistakenly used to refer to other risks to cybersecurity, such as vulnerabilities. Although these three terms may seem to mean the same thing, they each have […]
When it comes to cyber security, what you don’t know can hurt you. This is exactly the case with zero-day vulnerabilities and zero-day attacks. The repercussions of not taking your security seriously can be devastating to you and your business. Fortunately, the best weapon you have in your arsenal against malicious hackers and security threats […]
Google announced that it would no longer support third-party cookies and has now come out with its own alternative ad tracking technology: FloC. In the wake of third-party cookies, a type of tracker that reports consumer activity across websites to create personalized ads and improve user experiences, there is significant interest in creating alternative tracking […]
It takes a lot of work to set up an eye-catching and user-friendly website, so it can be disheartening to see it fall into the wrong hands because of a failure to provide proper security measures. The first sign of trouble may be when you get multiple alerts that someone is trying to access your […]
Did you search for your WordPress website on Google and found a bizarre pharma title appended to it in the search results? Yes? Then your WordPress website is a victim of the WordPress Pharma Hack! Over 40% of all sites available on the Internet run on WordPress CMS. Its popularity has attracted many hackers and […]
While surfing the web, you might have observed a google warning message as “Deceptive site ahead”. Whenever google recognizes a website for exposing personal user information it flags that website as “Deceptive”. Deceptive site warning creates a lot of negative impact on the website. It may even lead to a sudden loss of user traffic, […]
Even the smallest of vulnerabilities on your WordPress site can be easily exploited by hackers and used to hijack your entire website. This can cause severe damage through the actions of stealing data, sending spam, or even defacing pages. That’s also not to mention that you risk having your site blacklisted by Google if it’s […]