WordPress DISALLOW_FILE_MODS Security Directive

📋 Overview

The DISALLOW_FILE_MODS directive is a powerful WordPress security feature that prevents file modifications through the WordPress dashboard. This measure protects against unauthorized or malicious code changes, file injection attacks, and unauthorized modifications to critical WordPress files.

⚠️ Important Considerations

Enabling DISALLOW_FILE_MODS will have a drastic impact on WordPress functionality:

Plugin installations and updates from the dashboard will be disabled
Theme installations and updates from the dashboard will be disabled
Plugin and theme deletions will be blocked
All file modifications must be done via FTP/SSH access

🔒 Security Benefits

🛡️ File Injection Protection

Prevents malicious actors from injecting harmful code into WordPress core, plugin, or theme files.

🔐 Unauthorized Access Prevention

Blocks unauthorized changes to critical files, even if dashboard access is compromised.

✅ Compliance Ready

Meets security requirements for regulated industries requiring strict file integrity controls.

🎯 Targeted Protection

Provides an additional layer of security for production environments.

📊 Functional Impact Diagram

WordPress Dashboard Functionality: Before vs After

Feature	Without DISALLOW_FILE_MODS	With DISALLOW_FILE_MODS
Install New Plugins	✅ Enabled	❌ Disabled
Update Plugins	✅ Enabled	❌ Disabled
Delete Plugins	✅ Enabled	❌ Disabled
Activate/Deactivate Plugins	✅ Enabled	✅ Enabled
Configure Plugin Settings	✅ Enabled	✅ Enabled
Install New Themes	✅ Enabled	❌ Disabled
Update Themes	✅ Enabled	❌ Disabled
Delete Themes	✅ Enabled	❌ Disabled
Customize Themes (Site Editor)	✅ Enabled	✅ Enabled
Edit PHP Files (functions.php)	❌ Restricted	❌ Restricted

🔧 Implementation Guide

1Navigate to Document Root

First, ensure you are located in the document root of your WordPress site. In this example, the path is /var/www/example.com/public_html.

COMMAND

cd /var/www/example.com/public_html

2Open wp-config.php File

Open the WordPress configuration file using the nano text editor with sudo privileges.

COMMAND

sudo nano wp-config.php

3Add the DISALLOW_FILE_MODS Directive

Scroll down to the section of wp-config.php that allows you to add custom directives. Look for the area underneath the define('AUTOMATIC_UPDATER_DISABLED', true); line or in the custom configuration section.

💡 Best Practice

Add a comment above the directive to document its purpose. This helps with future maintenance and troubleshooting.

Add the following lines to your wp-config.php file:

WP-CONFIG.PHP DIRECTIVE

// Disallow file modifications for security
define('DISALLOW_FILE_MODS', true);

4Save and Exit

Close nano and save your changes to the wp-config.php file:

Press CTRL + X to exit
Press Y to confirm saving changes
Press Enter to confirm the filename

5Reload PHP-FPM Process

After making changes to wp-config.php, it's recommended to reload the PHP-FPM process to clear the PHP OPcache. This ensures the new configuration is immediately active.

COMMAND

sudo systemctl reload php8.3-fpm

📝 Note

Replace php8.3-fpm with your specific PHP-FPM version if different (e.g., php8.2-fpm, php8.1-fpm).

🧪 Testing the Configuration

Step 1: Access WordPress Dashboard

Step 2: Navigate to Plugins

Click on "Plugins" in the left sidebar

Step 3: Verify Installation Disabled

The "Add New" button should be missing or disabled

Step 4: Check Plugin Management

Activate/deactivate and settings should still work

Step 5: Test Themes Section

Navigate to Appearance → Themes

Step 6: Verify Theme Restrictions

Theme installation and deletion options should be disabled

Expected Behavior After Enabling

✅ What Still Works

Plugin Management: You can still activate and deactivate plugins
Plugin Settings: All plugin configuration pages remain accessible
Theme Selection: Themes can be selected and customized
Site Editor: The WordPress site editor remains functional for customizing themes
Template Editing: You can edit template files like style.css, header.php, and footer.php through the site editor

❌ What Gets Disabled

Plugin Installation: No option to add new plugins from the dashboard
Plugin Updates: Cannot update plugins through the dashboard
Plugin Deletion: Cannot remove plugins via the dashboard
Theme Installation: No option to add new themes
Theme Updates: Cannot update themes through the dashboard
Theme Deletion: Cannot remove themes via the dashboard

🔍 Understanding the Site Editor vs File Editor

Important Distinction

The Site Editor available under Appearance → Editor is NOT the same as the file editor that gets disabled with DISALLOW_FILE_MODS.

Site Editor Capabilities

The site editor allows administrators to edit theme template files such as:

style.css - Theme stylesheet
header.php - Header template file
footer.php - Footer template file
Other template files containing HTML, CSS, and some PHP code

Security Restrictions on PHP Files

WordPress restricts the editing of core PHP files like functions.php through the site editor for security reasons. This is a built-in WordPress security feature that exists regardless of DISALLOW_FILE_MODS.

Allowing direct editing of core PHP files from the WordPress dashboard poses significant security risks because it provides an avenue for malicious users to inject harmful code into the site. The site editor only permits editing of template files, which typically contain a mix of HTML, CSS, and limited PHP for template logic.

🔄 Disabling DISALLOW_FILE_MODS

If you need to restore full dashboard functionality (for example, to install or update plugins/themes), you can disable the directive by following these steps:

1Open wp-config.php

COMMAND

sudo nano /var/www/example.com/public_html/wp-config.php

2Remove or Comment Out the Directive

Either delete the line completely or comment it out:

WP-CONFIG.PHP - OPTION 1: DELETE

// Remove this line entirely:
// define('DISALLOW_FILE_MODS', true);

WP-CONFIG.PHP - OPTION 2: COMMENT OUT

// Temporarily disabled for maintenance
// define('DISALLOW_FILE_MODS', true);

3Save and Reload PHP-FPM

Save the file and reload the PHP-FPM process to clear the OPcache:

COMMAND

sudo systemctl reload php8.3-fpm

🎯 Use Cases and Best Practices

When to Enable DISALLOW_FILE_MODS

Production Environments: Especially for high-value or high-traffic sites
After Site Launch: Once all initial development and plugin/theme selection is complete
Regulated Industries: When compliance requires strict file integrity controls
Shared Hosting Environments: To prevent compromised accounts from affecting your site
Client Sites: To prevent accidental or unauthorized changes by clients
Security Incidents: After detecting suspicious activity or during security audits

When to Temporarily Disable

Installing or updating plugins that require dashboard access
Installing or updating themes
Performing major site updates or migrations
Testing new functionality that requires plugin installations

Important: Always re-enable the directive after completing maintenance tasks.

Recommended Workflow

Development Phase

DISALLOW_FILE_MODS = OFF
Full dashboard functionality available

Testing Phase

DISALLOW_FILE_MODS = ON
Test with production-like security settings

Production Deployment

DISALLOW_FILE_MODS = ON
Enable for maximum security

Maintenance Window

DISALLOW_FILE_MODS = OFF (temporarily)
Perform updates via SSH/FTP or dashboard

Post-Maintenance

DISALLOW_FILE_MODS = ON
Re-enable security directive

📚 Additional Security Recommendations

🔐 File Permissions

Set appropriate file permissions: 755 for directories, 644 for files, and 600 for wp-config.php

🛡️ Web Application Firewall

Implement a WAF like the nginx 8G firewall ruleset (included in your configuration)

🔄 Regular Backups

Maintain regular automated backups of both files and database

📊 Security Monitoring

Monitor logs regularly for suspicious activity and failed login attempts

📝 Command Reference Summary

Action	Command
Navigate to document root	`cd /var/www/example.com/public_html`
Edit wp-config.php	`sudo nano wp-config.php`
Reload PHP-FPM (PHP 8.3)	`sudo systemctl reload php8.3-fpm`
Restart PHP-FPM (if needed)	`sudo systemctl restart php8.3-fpm`
Check PHP-FPM status	`sudo systemctl status php8.3-fpm`

🔗 Related Configuration

The DISALLOW_FILE_MODS directive works in conjunction with other security measures from your configuration:

Nginx Security Directives: Prevent PHP execution in uploads, plugins, and themes directories
PHP-FPM Pool Configuration: User isolation and resource limits
File Permissions: Hardened ownership and permission settings
SSL/TLS Configuration: Encrypted communications with A+ SSL Labs rating
Rate Limiting: Protection against brute force attacks on wp-login.php

💡 Pro Tip

For maximum security in production environments, combine DISALLOW_FILE_MODS with:

SSH/SFTP-only file access (disable FTP)
Two-factor authentication for WordPress admin
Regular security audits and vulnerability scanning
Automated backup verification

🆘 Troubleshooting

Changes Not Taking Effect

If the directive doesn't seem to work after adding it:

Verify the syntax is correct: define('DISALLOW_FILE_MODS', true);
Ensure there are no duplicate definitions in wp-config.php
Reload PHP-FPM: sudo systemctl reload php8.3-fpm
Clear WordPress cache if using a caching plugin
Clear browser cache and cookies
Check PHP error logs: sudo tail -f /var/log/fpm-php.example.com.log

Need to Temporarily Disable

If you urgently need to install a plugin or theme:

Comment out the directive in wp-config.php
Reload PHP-FPM
Perform your maintenance tasks
Uncomment the directive immediately after
Reload PHP-FPM again

⚠️ Security Warning

Never leave DISALLOW_FILE_MODS disabled longer than necessary. Set a reminder to re-enable it immediately after completing maintenance tasks.

✅ Conclusion

The DISALLOW_FILE_MODS directive is a powerful security tool that significantly hardens your WordPress installation by preventing unauthorized file modifications through the dashboard. While it does restrict some convenience features, the security benefits make it an essential configuration for production websites, especially those handling sensitive data or operating in regulated industries.

By following this guide, you can confidently implement this security measure while understanding its implications and managing it effectively throughout your site's lifecycle.

🎉 Key Takeaways

DISALLOW_FILE_MODS prevents file modifications through the WordPress dashboard
It protects against file injection and unauthorized code changes
Plugin/theme installations must be done via SSH/SFTP when enabled
Plugin activation and settings remain functional
The site editor for theme customization continues to work
Always reload PHP-FPM after modifying wp-config.php
Use strategically in production environments for maximum security