Disable File Edit removes WordPress’s built-in code editor for plugin and theme files. With this on, an attacker who compromises an admin account still can’t inject PHP through the dashboard’s file editors.
What this feature does
WordPress ships with a built-in editor at Appearance › Theme File Editor and Plugins › Plugin File Editor that lets administrators edit theme and plugin PHP files directly from the dashboard. It’s convenient for quick fixes but is one of the most-abused entry points after a credential compromise: an attacker with admin access can paste malicious PHP into functions.php in seconds.
This setting writes the standard WordPress DISALLOW_FILE_EDIT constant to wp-config.php. The editor screens disappear from the menu, and the underlying file-write capability is removed at the WordPress core level.
If your team uses Git, SFTP, or a deployment pipeline to deploy code (most professional setups), the in-dashboard editor is unnecessary. Turning it off has no downside and removes a real attack surface.
How to enable it
- Open AdminEase › Security. Click AdminEase in the WordPress admin menu, then switch to the Security tab.
- Toggle Disable file edit on.
- Save settings. AdminEase writes the constant to wp-config.php immediately.
- Verify. Refresh the WordPress admin and check the Appearance and Plugins menus. The Theme File Editor and Plugin File Editor entries should be gone.
Settings reference
| Setting | What it does | Default |
|---|---|---|
| Disable file edit | Adds define('DISALLOW_FILE_EDIT', true); to wp-config.php. | Off |
What happens behind the scenes
AdminEase uses its file handler to write a managed block in wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
The constant is read by WordPress core, which removes the file-editor screens and rejects any direct write attempts. Anything outside the AdminEase-managed block in wp-config.php is preserved untouched.
Troubleshooting
The file editors are still visible after enabling
Confirm AdminEase has write access to wp-config.php. On hardened hosts the file is sometimes locked. Without write access, AdminEase’s toggle has no effect because the constant is never written. Check your host’s file-permission settings or temporarily relax permissions on wp-config.php.
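A second cause worth ruling out, shown as an added example that is not AdminEase code: PHP keeps the first define() of a constant and ignores later ones, so an earlier `define( 'DISALLOW_FILE_EDIT', false );` elsewhere in wp-config.php overrides the managed block. The sketch below audits a wp-config.php for that case and for write access; the function names, the sample file and its block markers are assumptions, and a true DISALLOW_FILE_MODS is counted as blocking the editors too.

```python
import os
import re

# Constructed sample wp-config.php (not from a real site). The BEGIN/END marker
# text is hypothetical; the page does not show AdminEase's actual markers.
SAMPLE_CONFIG = r"""<?php
define( 'DB_NAME', 'example' );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_EDIT', false ); /* left over from a staging copy */
# BEGIN managed block
define( 'DISALLOW_FILE_EDIT', true );
# END managed block
require_once ABSPATH . 'wp-settings.php';
"""

# String literals are matched first so comment markers inside salts or URLs
# are not mistaken for comments.
TOKEN = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
DEFINE = re.compile(
    r"""(?i:\bdefine)\s*\(\s*(['"])(DISALLOW_FILE_(?:EDIT|MODS))\1\s*,\s*([^)]*?)\s*\)""")


def strip_comments(src):
    """Blank out PHP comments while leaving string literals untouched."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in "'\"" else " ", src)


def audit(src):
    """Map each constant to its define() values, in file order."""
    found = {}
    for m in DEFINE.finditer(strip_comments(src)):
        # Simplification: only the literals true and 1 count as enabled.
        found.setdefault(m.group(2), []).append(m.group(3).lower() in ("true", "1"))
    return found


def editor_blocked(src):
    """PHP keeps the first define() of a name and ignores later ones."""
    return any(values[0] for values in audit(src).values())


def check_file(path):
    """Writability is tested for the current user, not the web server account."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return {"writable": os.access(path, os.W_OK), "editor_blocked": editor_blocked(src)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG), editor_blocked(SAMPLE_CONFIG))
```

On the sample, the managed block's `true` is present but shadowed by the earlier `false`, so the editors stay visible until the stray line is removed.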
I need to edit a theme file in an emergency
Toggle this off, save, make your edit through the dashboard, then toggle it back on. Or better, use SFTP/SSH so you don’t have to re-open the attack surface even briefly.
Disable file edit is on, but I see Disallow File Mods is also available
They’re related but not the same. Disallow File Mods is broader: it also prevents installing, updating, and deleting plugins and themes from the dashboard. Use Disable File Edit when you still want to install plugins from the dashboard but not edit code; use Disallow File Mods when you want a fully read-only WordPress install.
