WP File Commander puts a file manager in the WordPress dashboard: browse, search, upload, download, edit, rename, copy, move, delete. Every path goes through a jail that rejects traversal, absolute paths and symlinks leaving the root.
FROM $49/YEAR · LIFETIME OPTION · 14-DAY GUARANTEE
“I installed a file manager plugin once. Then I read what it did to a path before opening it, and uninstalled it.”— Anyone who has looked
Editing a live file from a browser is useful and it is dangerous, and most plugins in this category treat the second half as somebody else's problem. The security work here came first and the file manager was built on top of it. One function resolves every path, and the tests fail if a symlink to /etc can be read through it.
Everything below runs behind the same gate: capability, role, then the path jail. The features are what you would expect from an FTP client. The difference is what happens to a path before it is used.
Every path from the browser is normalised, rejected if it holds a .. segment, then resolved with realpath() and tested against the configured root. Traversal strings, absolute paths and symlinks pointing outside the root fail identically, because the test runs after the filesystem has said where the path really lands. No other part of the plugin builds a path by joining strings.
Uploads only, wp-content, or the whole WordPress install. Uploads is the tightest and it is enough for most media fixes. wp-content covers themes and plugins, which is where the work usually is. The whole install is a Pro setting, because reaching that far should be a decision somebody made on purpose.
wp-config.php is blocked for reading and writing. wp-admin and wp-includes are browsable and read-only. The plugin refuses to modify its own files, which closes the route to switching off its own protections. Uploads refuse executable extensions such as .php, .phar and .sh.
The editor sits on a dark surface and lints PHP before writing. Save a file with a missing brace and you get the line number instead of a white screen, with the file on disk untouched. It cannot save you from valid PHP that misbehaves at runtime, so read what you paste.
Filename search covers everything below the folder you are standing in, and it is free. Searching inside file contents is Pro, and it is what you reach for when you know the injected string but not which of 900 theme files carries it. Both searches stop at the configured root.
Selecting rows raises a selection bar with the actions that apply to what you picked: copy, move, delete, download, zip. Permissions show as rwxr-xr-x alongside the octal, so you can read the mode at a glance and still type 644 when you change it.
Extraction reads every entry name and validates it before writing a single byte, so an archive carrying ../../wp-config.php is refused rather than half-unpacked. Zipping a selection is the fast way to take a backup of a folder you are about to change.
Every action lands in the log with the user, the path, the time, the IP and the outcome. Failed attempts are recorded as well as successful ones, so a probe at a blocked path leaves a trace. This is the answer to a client asking who changed the theme file on Tuesday.
A user needs manage_options and a role you added to the allow list. An editor granted a stray capability by another plugin stays out. So does an administrator you chose to leave off. On a client site the group who should reach the filesystem is smaller than the group holding the capability, and this is how you say so.
A plugin update or a pasted snippet took the site down and the dashboard is gone with it. Reach the file, fix the line, watch the site come back, from any machine you happen to be sitting at.
The client's host details left with the last developer. WordPress admin is the one login you do have. That login is enough to reach wp-content, and the audit log records what you did while you were in there.
You know the string. You do not know which of 900 theme and plugin files holds it. Content search names the file and the line, and you fix it in the editor on the same screen.
A font, a verification file, a PDF the media library refuses. Put it exactly where it needs to go, then set 644 on it and move on.
Before changing a theme, zip it. One selection, one archive, sitting next to the original, and a rollback that takes a minute rather than a restore ticket.
Unfamiliar plugins, a child theme somebody forked, files with dates that make no sense. Browse it before you quote on it, without asking anyone for SSH access.
The path bar shows where you are relative to the root you configured. There is nothing above it to click, and typing a path that lands above it fails the same way as clicking would.
A .. segment is rejected on sight, before realpath() runs. This is the cheap check, and it catches the string most attempts start with.
The expensive check, and the one that matters. A link inside uploads pointing at /etc looks harmless until the filesystem resolves it. Testing the resolved path is why it fails. The test bench keeps a real symlink to /etc so this cannot quietly regress.
PHP with a syntax error never reaches disk. You get the line number, and the site keeps running on the file it already had.
The real options are an FTP or SFTP client, the host's file manager, the theme and plugin editor in WordPress, or another file manager plugin. Each one solves part of this.
| WP File Commander (us) | FTP / SFTP client | |
|---|---|---|
| Works from the WordPress login you have | ✓ No host credentials needed | ✗ Needs an account on the server |
| Works from a phone or a borrowed laptop | ✓ It is a browser tab | ✗ Install a client, find the key |
| Refuses to save PHP with a syntax error | ✓ Line number, file left alone | ✗ Uploads the broken file happily |
| Scope limited to a chosen root | ✓ Uploads, wp-content or the install | ◐ Whatever the account can reach |
| wp-config.php blocked by default | ✓ Both directions | ✗ Fully readable and writable |
| Search inside file contents | ✓ Names the file and the line (Pro) | ✗ Download first, then grep |
| Record of who changed what | ✓ User, path, time, IP, outcome (Pro) | ◐ A server log, if you can read it |
| Safe archive extraction | ✓ Every entry name checked first (Pro) | ✗ No extraction at all |
| Shared account risk | ✓ Actions attributed to a WordPress user | ✗ One password, passed around |
| Speed of transferring 4 GB | ✗ Use FTP for that, honestly | ✓ What it was built for |
An SFTP client is still the right tool for a bulk transfer or a full backup. This is for the other 90% of the job: one file, one fix, right now, from wherever you are. Full comparison →
Every plan includes every Pro feature: the whole-install root, content search, permission changes, zip and unzip, and the audit log. You are only choosing how many sites.
Up to 10 sites
25 sites · for agencies
Up to 100 sites
Up to 100 sites, forever
Prices in USD. Licence keys are domain-based, with no accounts and no phoning home. Requires WordPress 6.0+ and PHP 7.4+. VAT invoices available.
It is the risk you should ask about, so here is the answer in detail. Every path the browser sends goes through one function before anything reads or writes: it is normalised, rejected outright if it contains a .. segment, then resolved with realpath() and compared against the configured root. A traversal string, an absolute path such as /etc/passwd, and a symlink inside your uploads folder pointing at /etc all fail in the same way, because the check happens after the filesystem has told us where the path really lands. On the test bench there is a real symlink to /etc, and the test suite fails if it can be read. On top of that, no other class in the plugin builds a path by joining strings. They all come through that one function.
The editor lints PHP before it saves. Paste a file with a missing brace and the save is refused with the line number, and the file on disk stays as it was. That covers the common way people brick a site from a browser. It does not stop you saving PHP that parses and then does something foolish at runtime, so the usual rule still applies: know what you are changing.
No, and that is the default rather than a setting you have to find. wp-config.php is blocked for reading and for writing. wp-admin and wp-includes are browsable and read-only, so you can look at a core file without being able to overwrite it. The plugin also refuses to modify its own files, which closes the obvious route to disabling its own protections.
A user needs the manage_options capability and a role you have added to the allow list. Both, not either. An editor with a plugin-granted capability cannot get in, and neither can an administrator you left off the list. That combination is deliberate: on a client site the person who should reach the filesystem is a smaller group than the people with the capability.
Nothing, because extraction reads every entry name and validates it before writing a single byte. An archive carrying ../../wp-config.php is rejected rather than partially extracted. Uploads refuse executable extensions such as .php, .phar and .sh outside Pro, and the extension check runs on the real filename rather than what the browser claimed the type was.
You choose the root. Uploads only is the tightest setting and the right one for a site where you only ever need to fix a media file. wp-content covers themes, plugins and uploads, which is where most work happens. The whole WordPress install is a Pro setting, because that is the one that reaches wp-config.php's neighbours and it should be a considered choice rather than a default.
Search by filename works everywhere below the folder you are in and it is in the free edition. Searching inside file contents is Pro, and it is the feature that finds the injected line in a theme file at midnight when you know the string but not the file. Both stay inside the configured root.
Who, what path, when, from which IP, and whether the action succeeded. Failures are recorded as well as successes, so an attempt to reach a blocked path leaves a trace instead of disappearing. It is a Pro feature, and it is the thing you hand a client who asks who changed the theme file on Tuesday.
Free gives you the wp-content and uploads roots, browsing, upload, download, the editor with its syntax check, rename, copy, move and delete, search by filename, the role and capability gate, and every one of the path-jail protections. The jail is never the paid part. Pro adds the whole-install root, search inside file contents, permission changes, zip and unzip, executable-extension uploads, and the audit log.
Order through the form and your licence key and invoice arrive by email, usually within the hour. Keys are long codes starting VPC1. so paste the whole thing into the licence box rather than typing it. Domain-based, no account, no phoning home, no lock-in.
14-day money-back guarantee, no questions. Email us and we refund you.
Order below and your licence key and invoice arrive by email, usually within the hour. Install it, set the root to wp-content, and the next broken theme file is a two-minute job from whatever machine is nearest.
14-DAY MONEY-BACK GUARANTEE · SUPPORT BY ACTUAL HUMANS