Ultimate Security Guide Part 4/9: Disable File Editing via the WordPress Dashboard & Eliminate PHP Error Reporting

Welcome to our 9-part series of the Ultimate Guide to Protecting Your WordPress Website.

This is Part 4: Disable File Editing via the WordPress Dashboard & Eliminate PHP Error Reporting

You won’t have to be too technical to do these yourselves and I’ll be here showing you on the screen, step by step how to do it.

Here are a few things you’ll need to prepare before starting:

  • WordPress Administrative Area Login URL which is typically in most cases /wp-admin after your domain name
  • Your WordPress administrative username
  • Your Password

Today I’m going to show you how to secure your WordPress website by disabling file editing from the WordPress dashboard and eliminate PHP error reporting.

For this, you will need an FTP program. If you do not have a FTP program, we recommend using Filezilla. It’s free and it supports Windows, Linux and Mac. Head over to filezilla-project.org or type Filezilla (Godzilla) in Google and it should be your first result. Download your free copy and install it.

You will also need your FTP information as you will be editing code. If you are uncomfortable in modifying code, I would recommend you ask a developer to help you with this, or you can request a support ticket from us.

Now that you have Filezilla open, you need to put in the host information, username and password to your FTP account. If you don’t have this, check with your web hosting provider, they should be able to provide this for you. Hit Connect.

Left side is local folder, and the right side is to the server you connected with. Typically you would navigate to public_html folder as this is where majority of web hosts store your website files.

So why do we disable file editing?

Well, in a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.

The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:

Let’s download the WP-config file using the FTP program first. Now, we edit the wp-config file with just a simple text editor like Notepad.

At the very bottom, you can put in this code:
define( ‘DISALLOW_FILE_EDIT’, true );

Next, beefing up your site’s backend security has a lot to do with closing the holes or weak spots. Now, if a plugin or theme doesn’t work correctly, it might create an error message. This is definitely helpful when troubleshooting, but here’s the problem: these error messages often include your server path.

Hackers would only need to view your error reports to get your full server path, which means you’d be handing them every nook and cranny of your website on a silver platter. No matter how helpful error reporting might be, it’s a better idea to disable it altogether.

This is another code snippet to be added to wp-config.php.

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);

// Enable Debug logging to the /wp-content/debug.log file
define('WP_DEBUG_LOG', false);

// Disable display of errors and warnings
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);

Thanks for watching this video.

Bookmark this page, subscribe or save it somewhere so you can check back when we publish Part 5/9 next week!

Looking for previous episodes of the Ultimate Guide to Securing Your WordPress site?

If you got any questions or comments, please comment below.