WordPress ships with a built-in code editor accessible from Appearance → Theme File Editor and Plugins → Plugin File Editor. Any administrator account can use these editors to modify PHP files directly on the server, no FTP or SSH access required. This is a significant risk: if an admin account is compromised through a phishing attack, credential stuffing, or a weak password, an attacker gains the ability to inject malicious PHP into your theme or plugins in seconds, without ever touching the server directly.
Disabling the file editors removes this attack path entirely. It has no effect on WordPress’s core functionality: themes and plugins continue to work normally, updates still apply, and the admin dashboard remains fully operational. The only visible change is that the two editor menu items disappear.
The Code
This is best defined in wp-config.php rather than functions.php, because wp-config.php loads earlier in the WordPress bootstrap and the constant needs to be set before the admin menu is built. However, defining it in functions.php also works in practice since the admin menu is built after plugins and themes load.
The if ( ! defined( ... ) ) wrapper prevents a fatal error if the constant is already defined elsewhere, for example because your hosting provider or a security plugin has already set it in wp-config.php.
DISALLOW_FILE_EDIT vs DISALLOW_FILE_MODS
DISALLOW_FILE_EDIT removes only the code editors. WordPress can still install plugins, apply theme updates, and run core updates normally.
DISALLOW_FILE_MODS, shown commented out in the snippet, goes further: it prevents WordPress from writing any files to disk at all. This means no automatic updates, no plugin installs from the admin, and no manual updates through the dashboard. It’s appropriate for high-security environments where all deployments happen through version control and CLI tools like WP-CLI, but unsuitable for sites where clients manage their own updates.
For most sites, DISALLOW_FILE_EDIT alone is the right choice. It removes the most dangerous attack surface while keeping the admin fully usable for non-technical users.
Recommended Placement
Add this directly to wp-config.php just above the line that reads /* That's all, stop editing! */:
If you’re adding it to functions.php instead, it will still work, but note that any plugin that loads before your theme and checks for the constant might not see it in time. For the file editor specifically this isn’t a practical issue, but placing it in wp-config.php is the more robust approach.
Verifying It Works
After adding the constant, log into your WordPress admin and check the Appearance and Plugins menus. The “Theme File Editor” and “Plugin File Editor” items should no longer appear. If they do, confirm the constant is being defined before the admin menu loads by temporarily adding var_dump( defined('DISALLOW_FILE_EDIT') ) to a template file.
```php
// Disable the theme and plugin file editors
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Also disable file modifications entirely (installs, updates)
// Uncomment the line below only if you manage updates via CLI or manually
// define( 'DISALLOW_FILE_MODS', true );
```
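A way to verify the setting without editing a template file, added here as an example that is not part of the article: a small Python audit that reads the text of wp-config.php and reports whether an active (not commented-out) define() sets DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, what value each sets, and whether the define sits above the “stop editing” marker as recommended. The embedded wp-config.php excerpt is constructed for the demo; on a real site pass the file’s contents instead.

```python
import re

HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
STOP_MARKER = "stop editing"  # the "/* That's all, stop editing! */" line

# Matches define( 'NAME', true ); with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"define\s*\(\s*['\"](?P<name>[A-Z_]+)['\"]\s*,\s*(?P<value>(?i:true|false))\s*\)\s*;"
)

# Constructed sample wp-config.php excerpt (not from a real site) that follows
# the article's placement advice, with DISALLOW_FILE_MODS left commented out.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// Disable the theme and plugin file editors
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
// define( 'DISALLOW_FILE_MODS', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

def audit_wp_config(source: str) -> dict:
    """Per hardening constant: active define() present, its value, and placement."""
    report = {name: {"defined": False, "value": None, "above_marker": None}
              for name in HARDENING_CONSTANTS}
    marker_seen = False
    for raw in source.splitlines():
        line = raw.strip()
        if STOP_MARKER in line.lower():
            marker_seen = True
            continue
        # A define() on a commented-out line never runs, so it must not count.
        if line.startswith(("//", "#", "/*", "*")):
            continue
        match = DEFINE_RE.search(line)
        if match and match.group("name") in report:
            report[match.group("name")] = {
                "defined": True,
                "value": match.group("value").lower() == "true",
                "above_marker": not marker_seen,
            }
    return report

def file_editor_disabled(source: str) -> bool:
    """True only when DISALLOW_FILE_EDIT is actively defined as true."""
    entry = audit_wp_config(source)["DISALLOW_FILE_EDIT"]
    return bool(entry["defined"] and entry["value"])
```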
