By default, when you log in to the WordPress Dashboard as an administrator, you can edit any theme or plugin file in place using the Theme Editor (the Editor link under the Appearance menu) and the Plugin Editor (the Editor link under the Plugins menu).

The idea makes sense: you can do everything from the Admin panel without having to log in to your server via FTP to edit files.

Unfortunately, the theme and plugin editors also give any attacker who gains access to an administrator's Dashboard full rights to modify any theme or plugin file. That is very dangerous: even a single backdoor embedded in any one file (a few characters of PHP that execute whatever the attacker sends to it) grants remote access to your environment from then on, without the attacker ever having to touch your Dashboard again, and it survives a password reset.

You can avoid this entirely by disabling the Theme Editor and Plugin Editor with a WordPress constant (or rule) added to the WordPress configuration file, wp-config.php, found in the installation folder on your web server (WordPress also accepts it one directory above the installation folder, so look there if it is missing). Download wp-config.php via FTP (or SFTP), open it in a text editor such as Notepad (PC) or TextMate (Mac), and look for the following line of code:

define('DB_COLLATE', '');

Add the following constant (rule) on the line directly beneath the previous line:


Adding this constant will not prevent an attacker from getting into the Dashboard, but it removes one of the easiest ways of turning that access into a persistent foothold, so it reduces the impact of a compromise. Note that it only removes the in-Dashboard editors: anyone with FTP or shell access to the server can still edit the files. You can find more information on other constants you can add to the wp-config.php file on the website.
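For readers who have shell access to the server rather than just FTP, here is an added example (my own script, not part of the original text) that applies the change above without hand-editing. The constant that disables the Theme Editor and Plugin Editor is WordPress's DISALLOW_FILE_EDIT. The script inserts define('DISALLOW_FILE_EDIT', true); directly beneath the DB_COLLATE line as described, forces any existing definition to true, and refuses to leave a copy below the "stop editing" line where wp-settings.php is loaded (WordPress documentation says custom constants belong above it). The function names (wp_config_get, wp_config_set_true, make_sample_config) and the sample wp-config.php it writes are my own constructions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: idempotently set a boolean
# constant in wp-config.php and report its effective value.
# Take a backup of wp-config.php before running this on a real site.

# Write a constructed wp-config.php (not a real site's file) for the demo.
# It deliberately carries a misplaced define below the wp-settings.php line.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
/* constructed wp-config.php for the example, not a real site's file */
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-only');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
/* a define placed here sits below the stop-editing line */
define('DISALLOW_FILE_EDIT', true);
EOF
}

# wp_config_get FILE NAME: print the value of the first define('NAME', ...)
# (PHP keeps the first definition), "misplaced" if that define sits after
# wp-settings.php is loaded, or "unset" if there is no define at all.
wp_config_get() {
    awk -v name="$2" -v q="'" '
        BEGIN {
            head = "^[[:space:]]*define\\([[:space:]]*[" q "\"]" name "[" q "\"][[:space:]]*,[[:space:]]*"
            late = 0
        }
        /require_once.*wp-settings\.php/ { late = 1 }
        $0 ~ head {
            if (late) { print "misplaced" } else {
                sub(head, "")
                sub("[[:space:]]*\\).*$", "")
                print
            }
            found = 1
            exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# wp_config_set_true FILE NAME: ensure exactly one define('NAME', true);
# exists above the wp-settings.php line. An existing define is rewritten
# (or dropped if a copy was already emitted); a missing one is inserted
# beneath DB_COLLATE, or as a last resort just before wp-settings.php.
wp_config_set_true() {
    file=$1; name=$2; tmp="$file.tmp.$$"
    awk -v name="$name" -v q="'" '
        BEGIN {
            line = "define(" q name q ", true);"
            mine = "^[[:space:]]*define\\([[:space:]]*[" q "\"]" name "[" q "\"]"
            coll = "^[[:space:]]*define\\([[:space:]]*[" q "\"]DB_COLLATE[" q "\"]"
            done = 0
        }
        $0 ~ mine {
            if (!done) { print line; done = 1 }
            next
        }
        $0 ~ coll {
            print
            if (!done) { print line; done = 1 }
            next
        }
        /require_once.*wp-settings\.php/ && !done {
            print line
            done = 1
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage: sh harden-wp-config.sh /path/to/wp-config.php
# With no argument nothing is touched.
if [ -n "${1:-}" ]; then
    wp_config_set_true "$1" DISALLOW_FILE_EDIT
    echo "DISALLOW_FILE_EDIT is now: $(wp_config_get "$1" DISALLOW_FILE_EDIT)"
fi
```

Run wp_config_get before and after the change to confirm the editors are actually switched off, and keep in mind that the script, like the manual edit, only removes the Dashboard editors: a server-side file change still needs to be caught by file integrity monitoring.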

You can also disable updates from within WordPress (the mechanism that lets WordPress core and plugins be updated automatically or from the Dashboard), for every user, administrators included. This means every update has to be done manually via FTP. To do this you would use the following constant in your wp-config.php file: