Disallow File Mods locks down all file-modification capabilities in WordPress. No plugin or theme installs, updates, or deletions from the dashboard. Use this on production sites where deployments happen exclusively through Git, CI/CD, or your hosting platform.
What this feature does
This setting writes the standard DISALLOW_FILE_MODS constant to wp-config.php. The constant is broader than DISALLOW_FILE_EDIT: it also disables installing or updating plugins and themes, deleting plugins and themes, and the auto-update system. The result is a fully read-only WordPress install from the dashboard’s perspective.
If a malicious actor compromises an administrator account on a site with this enabled, they cannot install a backdoor plugin, update an existing plugin to a tampered version, or modify code through the dashboard. They’re limited to whatever they can do through normal WordPress UI.
Disallow File Mods includes everything Disable File Edit does, plus the install/update/delete restrictions. You don’t need both on; this one is enough.
How to enable it
- Plan your deployment workflow first. With this on, you can’t install or update plugins from the dashboard. Make sure you have an alternative path: Git deployment, WP-CLI, your hosting platform’s file manager, or SFTP. If you don’t, this setting will block legitimate maintenance.
- Open AdminEase › Security. Click AdminEase in the WordPress admin menu, then switch to the Security tab.
- Toggle Disallow file modifications on. Save settings.
- Verify. Visit Plugins › Add New. The install buttons should be disabled with a notice that file modifications are not allowed.
This includes core, plugin, and theme automatic updates. Your site will not auto-update with this on. You’re responsible for applying security updates through whatever deployment path you set up. For most teams, that’s a feature, not a bug. If you’re not deploying actively, leave this off and rely on auto-updates.
Settings reference
| Setting | What it does | Default |
|---|---|---|
| Disallow file modifications | Adds define('DISALLOW_FILE_MODS', true); to wp-config.php. |
Off |
What happens behind the scenes
AdminEase writes a managed block in wp-config.php:
define( 'DISALLOW_FILE_MODS', true );WordPress core checks this constant before any file-write operation triggered from the dashboard. The Theme File Editor and Plugin File Editor are removed (so this also covers Disable File Edit), the “Add New” plugin and theme screens are disabled, and the auto-update system pauses.
Troubleshooting
I need to install a plugin urgently
Either toggle this off temporarily and re-enable after the install, or upload the plugin’s ZIP via SFTP/SSH directly to wp-content/plugins/ and activate it from the dashboard (activation is allowed; it’s only file installs/updates/deletions that are blocked).
Auto-updates aren’t happening
Expected. DISALLOW_FILE_MODS blocks the auto-update mechanism. Either turn this off, or set up a deployment pipeline (or WP-CLI cron job) that handles updates outside the dashboard.
Plugin updates show as available but can’t be installed
Expected. The dashboard knows about updates because the version-check API still runs, but the install button is disabled. Update the plugins through your deployment workflow.
I want updates but no manual file edits
Use Disable File Edit instead. That blocks the file editors but leaves installs, updates, and deletions enabled.