Protecting WordPress from Dangerous Clients

One of the scariest things a developer can hear from a new client is the infamous claim: “I know just enough to be dangerous.” Translation: I don’t really know much but I sure love to tinker with things! This always raises a little red flag in my mind, because a seemingly harmless bit of tinkering can have disastrous consequences on a live website.

Unfortunately, there are some clients out there who feel more confident about tinkering after they’ve hired a developer to assist with their site. Something gets broken and then the burden of fixing the website is on you. Want to prevent this scenario from happening? Here’s a quick fix:

Disable the Plugin and Theme Editor

Access to plugin and theme code is readily available in the WordPress dashboard. One thing you can do to protect the site from tinkering is to disable both of these editors. You can do this in under a minute. Open your wp-config.php file and add the following constant:


Now, when you’re in the dashboard it is impossible to access the theme or plugin editor, even with the admin account.

Want to take it one step further? The WordPress Codex has another gem for your wp-config.php file:

Disable Plugin and Theme Update and Installation

If you really want to lock things down, you can block users from installing/updating themes and plugins through the dashboard. Add this quick snippet to your wp-config.php file:


I installed 75 new plugins yesterday and now my site is broken. Ooopsie!

Not only will it prevent users from installing and updating themes and plugins, but it will also automatically disable theme and plugin editing in the dashboard. This constant essentially kills two birds with one stone and saves you from having to mop up a mess later on after your client decides to tinker around with this and that.
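As an added example (not the author's original snippet), the two wp-config.php constants that match the behaviour described above are `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS`. The placement comments assume a standard wp-config.php layout.

```php
<?php
// Added example for wp-config.php; constructed, not the article's own code.
// Assumption: a standard wp-config.php, where custom constants are placed
// above the "That's all, stop editing!" marker so they are defined before
// WordPress loads wp-settings.php.

// Option 1: remove only the built-in theme and plugin code editors from the
// dashboard. This applies to every role, administrators included.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Option 2: block installing and updating plugins and themes through the
// dashboard. This setting also disables the editors, so it can be used on
// its own without DISALLOW_FILE_EDIT.
if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
    define( 'DISALLOW_FILE_MODS', true );
}

/* That's all, stop editing! (the rest of wp-config.php follows here) */
```

With `DISALLOW_FILE_MODS` set, updates (security releases included) no longer install from the dashboard, so whoever maintains the site has to deploy them another way.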

For example, let’s say your client decides to start installing plugins like a madman, but one of them is poorly written, loads an extra copy of jQuery, and breaks a bunch of JavaScript on the site. Or maybe your client decides to upgrade WordPress before any of his critical plugins or themes have been updated, and he ends up with a bunch of broken functionality. These are the types of troubleshooting scenarios we hope to avoid. The solution is to prevent it from happening in the first place by disabling theme and plugin updates.

One note of caution: you should only use these particular constants if you are your client’s sole developer with an agreement to maintain that site. Otherwise, you could be locking your client out of the freedoms that he needs to maintain his own site, should he choose a new developer. In most cases, these healthy boundaries will help to keep your client safe from his predisposition to ill-advised and uninformed tinkering.

Have you ever had clients that have damaged or messed up a site and you've had to fix it? Let us know your experience in the comments!

Sarah Gooding

Sarah enjoys staying on top of the latest WordPress and BuddyPress news. Get in touch with Sarah on Twitter @pollyplummer.