How To Disable WordPress Theme, Plugin File Editing In One Minute

Being able to edit plugins and theme file is a real convenience, especially for people who know how to code. However, for people who don’t know how to code or don’t understand much about WordPress development, this is a possible risk.

By default, admin users in WordPress have file editing right. You can check if you have the edit right by hovering your cursor over Plugins or Appearance menu item in your dashboard (if you don’t see such options, chances are you don’t have the file editing right). If you see the last item in the sub menus say “plugin editor” or “theme editor”, you have the file editing right.

The need for disabling file editing right for admin users is even more urgent when you have other people working on the site. One missing semicolon may bring the whole site down.

So, how can you disable file editing completely on your site?

It’s easier than you might think.

How to disable file editing in the admin area

To accomplish this, you need to have access to your web server. Being an administrator on your site is not enough. You can either perform this task via FTP or ssh or cPanel. Please choose what suit you.

The only thing you need to do to disable file editing in the admin area is to put this line of code:

define('DISALLOW_FILE_EDIT', true);

right above the line:

/* That's all, stop editing! Happy publishing. */

in the file named wp-config.php

by default, this file is located at the root of  your website. It is at the same level with wp-content, wp-include, wp-admin.

Here is where the file on my site:

locate wp-config.php on server

After inserting the code, the content of my wp-config.php file would look like this:

inserting code to disable file editing in wordpress admin

Now, make sure you save the file and go back to your admin area. You should see the option to edit plugins and themes disappeared:

theme editor disabled

plugin edit disabled

Now, no one, even admins can accidentally edit plugins or themes files. This action alone has significantly improve your site’s security.

What if you want to insert code to your site?

Adding functionalities to your site by modifying the plugins’ or themes directly (except the case of child theme) is not recommended. If you want to insert Javascript or CSS code, you can easily achieve this task by using plugins like WP Coder. In case of editing .php file, the best method is via FTP or SSH. In the occasion that you make a mistake, you can quickly fix it and bring the site back online without suffering a white screen of death.

Conclusion

As a solo admin of my site and a developer, I’m quite confident editing files in my site’s dashboard. However, if your site is managed by other people (and they have admin rights), it’s best to disable the file editing ability in the admin area. It will prevent accidental edit of files that may bring your site down.

 

How To Prevent Other Sites From Using Your Images Without Permission

If you have a website that serves images, especially news site, there are chances that other people want to use your images. Polite people will ask for the right to display your images on their websites. Not so polite people may download the images to their computer and upload to their site. Worse, they can link directly to your images from their site. By doing so, they have images to show with you paying the bandwidth. This technique is called hotlinking.

You may wonder, is there any method to stop this?

Fortunately, the answer is yes. In this post, we are going to find out how to disable  hotlinking for both Apache and Nginx servers. Let’s get started.

First thing first, find out what server you are running

Finding what kind of server you are running is quite simple. Currently, nginx and apache are the most popular servers. This post cover settings for these two only.

Here are the steps to find out what server that your website is running on:

  1. Open your website on Chrome
  2. Right click anywhere on the website and select inspect and switch to the network tab.
  3. Reload your site and you’ll see something like this:

load site with network tab open

Let’s click on the line with your domain name. In my case, it’s www.binarycarpenter.com. There will be a new window opens on the right. Pay attention to the line start with the text “server”:

find the server technology that runs your site

As you can see, my site is running on an nginx server. You’d have no problem saying what kind of server you are running if the text is different.

How to prevent other sites from linking directly to your images on Apache

To disable hotlinking on Apache, you need to have access to your server, not WordPress admin since you are going to enter some code in a file called .htaccess. If you have no idea what the file .htaccess is, you may want to read a bit about it here.

Basically, it’s a file on your server that let you write directives for your web server to do various things such as URL rewrite, manage file access …

To understand how .htaccess work may take a long time. However, to disable image hotlinking takes only a few minutes.

Now, let’s copy the following code and paste to the end of your .htaccess file that located at the same level with files such as wp-config.php, wp-content… If you don’t have that file, simply create it.

<IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?your_site\.com [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [NC,F,L]
</IfModule>

Make sure you replace your_site with your domain name (without extension) and com with your domain’s extension.

For example, your site is greatsite.org, the code would be:

<IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?greatsite\.org [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [NC,F,L]
</IfModule>

After that, save the file and you restart your server. Now, try to link to your images from other site (you can try on your localhost) and you’ll see a 403 error.

 

How to prevent other sites from linking directly to your images on Nginx

Now it’s time to apply some configurations to your nginx server to disable hotlinking. To successfully achieve this, you need to identify your server block. In one nginx config file, there maybe many server blocks.

Here, within my server block (for this site), I put the following code:

location ~* \.(jpg|jpeg|png|gif|swf|webp)$ {
     valid_referers none blocked binarycarpenter.com *.binarycarpenter.com;
     if ($invalid_referer) {
         return   403;
     }

 }

Make sure you replace my domain name with your own domain name.

Now, save the file and restart nginx.

On my site, I still see my images loading properly. However, if I try to link from other places (not from my domain), I’ll get a 403 error on the image:

Prevent Other Sites From Using Your Images

Conclusion

As you can see, within a few minutes, you can prevent other from stealing your bandwidth. You may find this is difficult if you don’t know what .htaccess/apache/nginx are. If you need assistance, please leave a comment below.

How Get Notified About Available Updates In WordPress For Free

At the time of this writing, WordPress is the most popular blog platform on Earth and WooCommerce is the most popular e-commerce platform. That’s why they are the target of many malicious attacks. Keeping your WordPress (including themes and plugins) up to date is one of the most effective way to keep your site secure.

If you are like me, you’d probably have more than one website and there are sites that we visit more frequently than other. For sites that we visit the dashboard usually, we can update WordPress (including themes and plugins) very often. However, for sites that don’t get much attention, we may miss some updates, including important ones.

How to get notified when updates are available

You may wonder, since keeping WordPress up to date is vital, is there any way to keep us informed with the available updates? Fortunately, the answer is yes. Better yet, there is a plugin that does that job for free. Let’s learn how to install the plugin and configure it so you don’t miss any updates, especially critical ones.

Here is the step by step tutorial

Step 1. Install  and activate WP Update Notifier

First of all, you need to install a plugin called WP Update Notifier .

You can either download the .zip file following the link above or search for it in your site’s dashboard.

There is one small issue with the plugin is it hasn’t been updated for 3 years. While the main functionalities are working properly, there is a minor issue with deprecated function (function that no longer supported by WordPress). I’ve removed the line of code that caused the deprecated  notice and pack the plugin again here. You can download and install my version instead.

Download new version of the plugin

 

install update notifier from site dashboard

Step 2: Configure the plugin

After the plugin is activated, you can find its admin page under Settings->Update notifier

You’ll see this page appears:

The settings are straightforward and easy to understand. You can leave most of the settings to default. Here are the settings in details:

  1. Frequency to check: How often do you want the plugin to check for update? I usually set it Daily for my site but you can set it to Hourly or Monthly…
  2. Notify email to: by default, this is your admin email. This is the email you want to receive the update notification
  3. Notify email from: The email that appears in the from field of the notification email
  4. 4 and 5, check if you want to receive notifications about plugins and themes updates. I’d recommend you leave this enabled (yes)
  5. Hide core WP update nag… If you want to hide the WordPress core update notice from non-admin users (in case your site has other users with different roles) then select yes

Now, you can click on Save settings to save the options. If this is the first time you use the plugin, I’d recommend you click on the white button: Save settings with test email.

Troubleshooting

If your email setting is correct, you should have no problem getting update notifications to the email you specified above. However, some servers may not have the correct email sending function configured properly. If your site is hosted on such server, you may not get any email.

In that case, please check this guide here to fix the email sending function on your site.

Conclusion

Now you don’t need to worry about your site is not at risk because your WordPress core or themes or plugins are not up to date. With WP Update Notifier, you can act instantly once updates are available.