File management for WordPress

The theme file is broken. Your FTP password is on the other laptop.

WP File Commander puts a file manager in the WordPress dashboard: browse, search, upload, download, edit, rename, copy, move, delete. Every path goes through a jail that rejects traversal, absolute paths and symlinks leaving the root.

FROM $49/YEAR · LIFETIME OPTION · 14-DAY GUARANTEE

Path jail on every read and every write wp-config.php blocked in both directions Editor refuses broken PHP before it saves Audit log of who touched what
“I installed a file manager plugin once. Then I read what it did to a path before opening it, and uninstalled it.”
— Anyone who has looked

Editing a live file from a browser is useful and it is dangerous, and most plugins in this category treat the second half as somebody else's problem. The security work here came first and the file manager was built on top of it. One function resolves every path, and the tests fail if a symlink to /etc can be read through it.

How it works

A file manager that assumes the worst.

Everything below runs behind the same gate: capability, role, then the path jail. The features are what you would expect from an FTP client. The difference is what happens to a path before it is used.

JAIL

One function decides where you can go

Every path from the browser is normalised, rejected if it holds a .. segment, then resolved with realpath() and tested against the configured root. Traversal strings, absolute paths and symlinks pointing outside the root fail identically, because the test runs after the filesystem has said where the path really lands. No other part of the plugin builds a path by joining strings.

ROOT

Choose how far it can see

Uploads only, wp-content, or the whole WordPress install. Uploads is the tightest and it is enough for most media fixes. wp-content covers themes and plugins, which is where the work usually is. The whole install is a Pro setting, because reaching that far should be a decision somebody made on purpose.

BLOCKS

The rules that hold by default

wp-config.php is blocked for reading and writing. wp-admin and wp-includes are browsable and read-only. The plugin refuses to modify its own files, which closes the route to switching off its own protections. Uploads refuse executable extensions such as .php, .phar and .sh.

EDITOR

It will not save broken PHP

The editor sits on a dark surface and lints PHP before writing. Save a file with a missing brace and you get the line number instead of a white screen, with the file on disk untouched. It cannot save you from valid PHP that misbehaves at runtime, so read what you paste.

FIND

Search by name, or by what is inside

Filename search covers everything below the folder you are standing in, and it is free. Searching inside file contents is Pro, and it is what you reach for when you know the injected string but not which of 900 theme files carries it. Both searches stop at the configured root.

BULK

Tick rows, act on all of them

Selecting rows raises a selection bar with the actions that apply to what you picked: copy, move, delete, download, zip. Permissions show as rwxr-xr-x alongside the octal, so you can read the mode at a glance and still type 644 when you change it.

ARCHIVE

Zip a selection, extract without trusting it (Pro)

Extraction reads every entry name and validates it before writing a single byte, so an archive carrying ../../wp-config.php is refused rather than half-unpacked. Zipping a selection is the fast way to take a backup of a folder you are about to change.

LOG

Who touched what, and whether it worked (Pro)

Every action lands in the log with the user, the path, the time, the IP and the outcome. Failed attempts are recorded as well as successful ones, so a probe at a blocked path leaves a trace. This is the answer to a client asking who changed the theme file on Tuesday.

ACCESS

Capability and role, not one or the other

A user needs manage_options and a role you added to the allow list. An editor granted a stray capability by another plugin stays out. So does an administrator you chose to leave off. On a client site the group who should reach the filesystem is smaller than the group holding the capability, and this is how you say so.

Who it's for

Anyone who has fixed a site over FTP at 11pm.

The white screen after an edit

A plugin update or a pasted snippet took the site down and the dashboard is gone with it. Reach the file, fix the line, watch the site come back, from any machine you happen to be sitting at.

The agency without credentials

The client's host details left with the last developer. WordPress admin is the one login you do have. That login is enough to reach wp-content, and the audit log records what you did while you were in there.

The hunt for an injected line

You know the string. You do not know which of 900 theme and plugin files holds it. Content search names the file and the line, and you fix it in the editor on the same screen.

The upload that will not upload

A font, a verification file, a PDF the media library refuses. Put it exactly where it needs to go, then set 644 on it and move on.

The folder you want a copy of first

Before changing a theme, zip it. One selection, one archive, sitting next to the original, and a rollback that takes a minute rather than a restore ticket.

The site you inherited

Unfamiliar plugins, a child theme somebody forked, files with dates that make no sense. Browse it before you quote on it, without asking anyone for SSH access.

The path jail

Anatomy of a refused path.

AThe root, and the bar above it

The path bar shows where you are relative to the root you configured. There is nothing above it to click, and typing a path that lands above it fails the same way as clicking would.

BThe traversal

A .. segment is rejected on sight, before realpath() runs. This is the cheap check, and it catches the string most attempts start with.

CThe symlink

The expensive check, and the one that matters. A link inside uploads pointing at /etc looks harmless until the filesystem resolves it. Testing the resolved path is why it fails. The test bench keeps a real symlink to /etc so this cannot quietly regress.

DThe refused save

PHP with a syntax error never reaches disk. You get the line number, and the site keeps running on the file it already had.

Honest comparison

How we compare to the alternatives.

The real options are an FTP or SFTP client, the host's file manager, the theme and plugin editor in WordPress, or another file manager plugin. Each one solves part of this.

WP File Commander (us)FTP / SFTP client
Works from the WordPress login you have✓ No host credentials needed✗ Needs an account on the server
Works from a phone or a borrowed laptop✓ It is a browser tab✗ Install a client, find the key
Refuses to save PHP with a syntax error✓ Line number, file left alone✗ Uploads the broken file happily
Scope limited to a chosen root✓ Uploads, wp-content or the install◐ Whatever the account can reach
wp-config.php blocked by default✓ Both directions✗ Fully readable and writable
Search inside file contents✓ Names the file and the line (Pro)✗ Download first, then grep
Record of who changed what✓ User, path, time, IP, outcome (Pro)◐ A server log, if you can read it
Safe archive extraction✓ Every entry name checked first (Pro)✗ No extraction at all
Shared account risk✓ Actions attributed to a WordPress user✗ One password, passed around
Speed of transferring 4 GB✗ Use FTP for that, honestly✓ What it was built for

An SFTP client is still the right tool for a bulk transfer or a full backup. This is for the other 90% of the job: one file, one fix, right now, from wherever you are. Full comparison →

Pricing

Simple prices. One is forever.

Every plan includes every Pro feature: the whole-install root, content search, permission changes, zip and unzip, and the audit log. You are only choosing how many sites.

10 Sites
$49/yr

Up to 10 sites

  • All features included
  • Updates & support for a year
  • 14-day guarantee
Choose 10 Sites
Agency
$99/yr

25 sites · for agencies

  • All features included
  • Updates & support for a year
  • 14-day guarantee
Choose Agency
100 Sites
$149/yr

Up to 100 sites

  • All features included
  • Updates & support for a year
  • 14-day guarantee
Choose 100 Sites
Lifetime
$599 once

Up to 100 sites, forever

  • All features, all future updates
  • Never renew, never re-buy
  • 14-day guarantee
Own it forever

Prices in USD. Licence keys are domain-based, with no accounts and no phoning home. Requires WordPress 6.0+ and PHP 7.4+. VAT invoices available.

Questions

Asked and answered.

Is a file manager plugin not a security risk by itself?

It is the risk you should ask about, so here is the answer in detail. Every path the browser sends goes through one function before anything reads or writes: it is normalised, rejected outright if it contains a .. segment, then resolved with realpath() and compared against the configured root. A traversal string, an absolute path such as /etc/passwd, and a symlink inside your uploads folder pointing at /etc all fail in the same way, because the check happens after the filesystem has told us where the path really lands. On the test bench there is a real symlink to /etc, and the test suite fails if it can be read. On top of that, no other class in the plugin builds a path by joining strings. They all come through that one function.

What stops an admin breaking the site from the editor?

The editor lints PHP before it saves. Paste a file with a missing brace and the save is refused with the line number, and the file on disk stays as it was. That covers the common way people brick a site from a browser. It does not stop you saving PHP that parses and then does something foolish at runtime, so the usual rule still applies: know what you are changing.

Can it touch wp-config.php?

No, and that is the default rather than a setting you have to find. wp-config.php is blocked for reading and for writing. wp-admin and wp-includes are browsable and read-only, so you can look at a core file without being able to overwrite it. The plugin also refuses to modify its own files, which closes the obvious route to disabling its own protections.

Who can use it once it is installed?

A user needs the manage_options capability and a role you have added to the allow list. Both, not either. An editor with a plugin-granted capability cannot get in, and neither can an administrator you left off the list. That combination is deliberate: on a client site the person who should reach the filesystem is a smaller group than the people with the capability.

What can a zip file do on the way in?

Nothing, because extraction reads every entry name and validates it before writing a single byte. An archive carrying ../../wp-config.php is rejected rather than partially extracted. Uploads refuse executable extensions such as .php, .phar and .sh outside Pro, and the extension check runs on the real filename rather than what the browser claimed the type was.

How far can it see?

You choose the root. Uploads only is the tightest setting and the right one for a site where you only ever need to fix a media file. wp-content covers themes, plugins and uploads, which is where most work happens. The whole WordPress install is a Pro setting, because that is the one that reaches wp-config.php's neighbours and it should be a considered choice rather than a default.

Does search look inside files?

Search by filename works everywhere below the folder you are in and it is in the free edition. Searching inside file contents is Pro, and it is the feature that finds the injected line in a theme file at midnight when you know the string but not the file. Both stay inside the configured root.

What does the audit log record?

Who, what path, when, from which IP, and whether the action succeeded. Failures are recorded as well as successes, so an attempt to reach a blocked path leaves a trace instead of disappearing. It is a Pro feature, and it is the thing you hand a client who asks who changed the theme file on Tuesday.

What is in the free edition, and what does Pro add?

Free gives you the wp-content and uploads roots, browsing, upload, download, the editor with its syntax check, rename, copy, move and delete, search by filename, the role and capability gate, and every one of the path-jail protections. The jail is never the paid part. Pro adds the whole-install root, search inside file contents, permission changes, zip and unzip, executable-extension uploads, and the audit log.

How is the licence delivered?

Order through the form and your licence key and invoice arrive by email, usually within the hour. Keys are long codes starting VPC1. so paste the whole thing into the licence box rather than typing it. Domain-based, no account, no phoning home, no lock-in.

What if it is not for me?

14-day money-back guarantee, no questions. Email us and we refund you.

Get started

The next white screen will not wait for your FTP details.

Order below and your licence key and invoice arrive by email, usually within the hour. Install it, set the root to wp-content, and the next broken theme file is a two-minute job from whatever machine is nearest.

14-DAY MONEY-BACK GUARANTEE · SUPPORT BY ACTUAL HUMANS

You'll receive an invoice by email, payable by card or bank transfer. Nothing is charged on this page.