Protecting WordPress from Dangerous Clients

“I know just enough to be dangerous.”

One of the scariest things a developer can hear from a new client is the infamous claim: “I know just enough to be dangerous.” Translation: I don’t really know much but I sure love to tinker with things! This always puts up a little red flag in my mind. However, a seemingly harmless bit of tinkering can have disastrous consequences on a live website.

Unfortunately, there are some clients out there who feel more confident about tinkering after they’ve hired a developer to assist with their site. Something gets broken and then the burden of fixing the website is on you. Want to prevent this scenario from happening? Here’s a quick fix:

Disable the Plugin and Theme Editor

Access to plugin and theme code is readily available in the WordPress dashboard. One thing you can do to protect the site from tinkering is to disable both of these editors. You can do this in under a minute. Open your wp-config.php file and add the following constant:

define('DISALLOW_FILE_EDIT', true);

Now, when you’re in the dashboard it is impossible to access the theme or plugin editor, even with the admin account.

Want to take it one step further? The WordPress codex has another gem for your wp-config.php file:

Disable Plugin and Theme Update and Installation

If you really want to lock things down, you can block users from installing/updating themes and plugins through the dashboard. Add this quick snippet to your wp-config.php file:

define('DISALLOW_FILE_MODS', true);

I installed 75 new plugins yesterday and now my site is broken. Ooopsie!

Not only will it prevent users from installing and updating themes and plugins, but it will also automatically disable theme and plugin editing in the dashboard. This constant essentially kills two birds with one stone and saves you from having to mop up a mess later on after your client decides to tinker around with this and that.

For example, let’s say your client decides to start installing plugins like a mad man, but one of them is poorly written, loads an extra copy of jQuery and breaks a bunch of JavaScript on the site. Or maybe your client decides to upgrade WordPress before any of his critical plugins or his theme have been updated. He ends up with a bunch of broken functionality. These are the types of troubleshooting scenarios we hope to avoid. The solution is to prevent it from happening in the first place by disabling theme and plugin updates.
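Because these two constants are easy to comment out, misspell or drop in the wrong place, it helps to have a quick audit that reads a wp-config.php file and reports what is actually locked down. The script below is an added example written for this post, not part of the original article or of WordPress itself. It parses the define() calls out of a config file (the two samples are constructed, not real site files), ignores commented-out lines, and applies the rule described above that DISALLOW_FILE_MODS also switches off the editors. One caveat worth knowing before you set DISALLOW_FILE_MODS: it also stops WordPress’s automatic background updates, including security releases, so whoever sets it takes on the job of applying updates by hand or by deployment.

```python
import re

# Constructed sample: both constants set, in the usual position above the
# "stop editing" line. Not a real site's wp-config.php.
SAMPLE_LOCKED = """
define( 'DB_NAME', 'example' );
define('DISALLOW_FILE_EDIT', true);
define( "DISALLOW_FILE_MODS", TRUE );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: the constant is present but commented out, which is a
# common reason a "locked down" site still shows the theme editor.
SAMPLE_OPEN = """
define( 'DB_NAME', 'example' );
// define('DISALLOW_FILE_EDIT', true);
require_once ABSPATH . 'wp-settings.php';
"""

# Matches define('NAME', true|false) with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)


def strip_comments(src):
    """Remove /* ... */ blocks and full-line // or # comments.

    Trailing comments after code on the same line are left alone so that
    strings containing '//' (e.g. a URL in a DB_HOST value) are not cut.
    """
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"(?m)^\s*(//|#).*$", "", src)
    return src


def parse_defines(src):
    """Return {CONSTANT_NAME: bool} for every boolean define() in the file."""
    found = {}
    for match in DEFINE_RE.finditer(strip_comments(src)):
        found[match.group("name").upper()] = match.group("value").lower() == "true"
    return found


def audit_wp_config(src):
    """Summarise what the two constants actually disable for this config."""
    defines = parse_defines(src)
    file_mods_blocked = defines.get("DISALLOW_FILE_MODS", False)
    # DISALLOW_FILE_MODS implies DISALLOW_FILE_EDIT, as the post explains.
    editor_blocked = defines.get("DISALLOW_FILE_EDIT", False) or file_mods_blocked
    return {
        "editor_disabled": editor_blocked,
        "install_update_disabled": file_mods_blocked,
        # Background (automatic) updates are also blocked by DISALLOW_FILE_MODS.
        "auto_updates_disabled": file_mods_blocked,
    }


if __name__ == "__main__":
    for label, sample in (("locked", SAMPLE_LOCKED), ("open", SAMPLE_OPEN)):
        print(label, audit_wp_config(sample))
```

Run it against a real file with `audit_wp_config(open("wp-config.php").read())`; if `editor_disabled` comes back False on a site you believe is locked down, the usual culprits are a commented-out line or a typo in the constant name.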

One note of caution – You should only use these particular constants if you are your client’s sole developer with an agreement to maintain that site. Otherwise, you could be locking your client out of the freedoms that he needs to maintain his own site, should he choose a new developer. In most cases these healthy boundaries will help to keep your client safe from his predisposition to ill-advised and uninformed tinkering.

photo credit: Alex E. Proimos via photopin cc

Comments (3)

  1. Good tip, except for the occasional client who insists on full permissions and access to everything. In that case, since I charge by the hour for maintenance, I say “Tinker away! I’ll be happy to fix whatever you break…” :)
