Short answer: you have four realistic ways to manage files on a WordPress site without opening an FTP client – a file manager plugin (WP File Manager, File Manager Advanced), your hosting control panel’s built-in file manager, SFTP from a tool like FileZilla, or SSH from a terminal. The hosting-panel option is usually the best starting point: no plugin installed inside WordPress means no plugin attack surface, and no FTP client setup means no credentials to manage. Plugin-based file managers work but carry real security risk – WP File Manager has shipped critical RCE vulnerabilities affecting hundreds of thousands of sites.
This guide covers when to use each method, how to actually use them, and what the tradeoffs are.
Your four options for managing WordPress files
| Method | Where it runs | Security risk | Best for |
|---|---|---|---|
| Hosting control panel file manager | In the hosting dashboard | Low (isolated from WordPress) | Quick edits, upload/download, most tasks |
| SFTP (FileZilla, WinSCP, Cyberduck) | On your computer | Low (encrypted, standard tool) | Bulk transfers, frequent edits, backups |
| SSH terminal | On your computer | Low (encrypted, auditable) | Developers, CLI operations, automation |
| WP File Manager plugin | Inside WordPress | Elevated (plugin attack surface) | Emergencies, clients without SFTP access |
Pick based on how often you need file access and who else can see the credentials.
Why people search for "WordPress file manager without FTP"
There is a real demand behind this query. Common reasons:
- No SFTP credentials handy. The developer who set up the site is gone, the FTP password is not in the password manager, and the client needs a theme file edited today.
- Quick one-off edits. Adding a single line to `wp-config.php`, replacing a favicon, uploading a file that a plugin expects in `/wp-content/uploads/custom-folder/`.
- Cannot install FTP client. On a locked-down corporate machine, a school library, or a phone, installing FileZilla is not an option.
- Troubleshooting a locked-out site. Cannot access wp-admin, so “install a plugin through wp-admin” is not available – but the hosting control panel or SFTP still work.
Each of these points to a different “best” tool. “WordPress file manager” as a search usually means “a plugin I can install in wp-admin” – but for most of the jobs people want it for, the hosting control panel’s built-in file manager is faster, safer, and does not require installing anything.
Option 1: Your hosting control panel file manager (usually the right choice)
Almost every managed WordPress host ships a file manager in the control panel. You log in to the host dashboard, click “File manager,” and get a full browser-based UI for uploading, downloading, editing, renaming, deleting, extracting archives, and setting permissions. No plugin inside WordPress. No FTP client on your machine. No credentials to manage.
This is usually the right first choice for three reasons:
- Nothing installed inside WordPress. A vulnerable plugin cannot leak files if the plugin does not exist. You remove an entire attack surface by not using a WordPress-layer file manager.
- Authentication is the hosting account. You already protect your hosting login with a strong password and (hopefully) 2FA. The file manager inherits that – no separate credential set.
- Works when wp-admin is broken. If your site is down, white-screened, or locked out, the hosting control panel still works. This is exactly when you need file access most.
Typical control panel file manager features
Good hosting file managers include:
- Browse the entire home directory (not just `wp-content`)
- Upload (drag-and-drop for single files and folders)
- Download (single files or zipped folders)
- Built-in code editor with syntax highlighting for PHP, JS, CSS, HTML
- Delete with confirmation
- Rename
- Create new files and folders
- Change permissions (chmod)
- Extract zip/tar archives in place (useful for uploading themes and plugins)
- Search
When the control panel file manager is not enough
The control panel approach has limits. Bulk operations on hundreds of files are slow in a browser. Automation is impossible (no scripting). Developers working across multiple sites simultaneously will outgrow it fast. For those cases, SFTP or SSH is the right tool.
Option 2: SFTP (the default for anyone working with WordPress regularly)
SFTP is the encrypted, modern version of FTP. It runs over SSH on port 22, which means the connection is encrypted end-to-end and the credentials are not sent in plaintext. Every reputable host supports it. See SFTP vs FTP vs FTPS: which should you use for the full comparison.
Setting up SFTP (FileZilla, five minutes)
- Install FileZilla (free, Windows/Mac/Linux)
- In your hosting control panel, find your SFTP credentials (hostname, username, password or key)
- In FileZilla: File > Site Manager > New Site
- Protocol: SFTP – SSH File Transfer Protocol
- Host: your server hostname, Port: 22
- Logon Type: Normal (password) or Key file (recommended)
- Click Connect
You now see your server’s files on the right, your computer’s files on the left. Drag between them to transfer.
Why SFTP beats WP File Manager plugins for recurring work
- Credentials are separate from WordPress – a compromised WordPress install does not reveal SFTP credentials
- Key-based authentication eliminates password theft as an attack vector
- Full filesystem access, not just wp-content
- Works when WordPress is broken
- Bulk transfers are fast
- Standard tool that a second developer can pick up instantly
The tradeoff is setup time. If you need to edit one file right now and have never used FileZilla, the hosting control panel is faster.
Option 3: SSH (for developers and command-line workflows)
SSH gives you a terminal on the server. Everything SFTP does, plus the ability to run commands – grep across files, tail logs, restart services (if permitted), run WP-CLI, `rsync` backups.
If you are comfortable with a terminal, SSH is the most powerful option. See how to run commands over SSH for the basics and how to transfer files over SSH using scp for the file-transfer angle specifically.
Common SSH operations you cannot do through any file manager:
```bash
# Find every file that mentions a specific string
grep -r "old-domain.com" /home/user/public_html/
# Tail the PHP error log while you reproduce an issue
tail -f /home/user/logs/error.log
# Run a WP-CLI command to clear a stuck update
wp option delete core_updater.lock
# Rsync a backup to a remote location
rsync -avz /home/user/public_html/ backup@backup-server:/backups/sitename/
```
The learning curve is steeper than SFTP but pays off for anyone managing more than one site.
Option 4: WP File Manager plugins (use with caution)
The most popular plugin in this category is WP File Manager by mndpsingh287 (10M+ installs). There is also File Manager Advanced by ModalWeb, File Manager by bit-file-manager, and a handful of smaller alternatives.
They all do roughly the same thing: add a “File manager” item to the WordPress admin sidebar, open a file-browser UI inside wp-admin, let you upload/download/edit/delete files without leaving the dashboard.
The security warning you need to read
WP File Manager specifically has had serious security incidents:
- CVE-2020-25213: an unauthenticated RCE (remote code execution) vulnerability in WP File Manager 6.0-6.8 that was actively exploited in the wild. Attackers could upload and execute arbitrary PHP with no authentication at all. It affected over 600,000 installs before it was patched.
- Multiple follow-up advisories for improper access controls, authenticated LFI, and arbitrary file operations across 2021-2024.
The problem is structural. A plugin that exposes a full file manager inside WordPress is one authentication bypass away from disaster. The file manager has to do powerful things (write to any file, execute PHP) to be useful, and one coding mistake in how it validates requests turns it into an attack primitive.
This does not mean you cannot use WP File Manager. It means:
- Keep it updated. Install updates the same day they are released.
- Remove it when you are not actively using it. Install, do your task, uninstall. Do not leave it installed “in case you need it later.”
- Never install it on a site that gets public traffic and matters. If the site is production e-commerce or a client project you are responsible for, pick a different tool.
- Check its WPScan entry before installing (wpscan.com/plugin/wp-file-manager) to see the current vulnerability status.
For most WordPress users, the control panel file manager or SFTP is a strictly better choice. Plugin-based file managers are mostly useful when you have no other option – for example, giving a client temporary file access when they do not have SFTP credentials and you do not want to give them the hosting account login.
How to use WP File Manager safely if you must
- Install the plugin from Plugins > Add New
- Do the task you needed to do
- Immediately go to Plugins > Installed Plugins, deactivate, and delete it
Every day it stays installed is another day it is part of your attack surface.
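A check for the install, use, remove rule above, as an added example that is not from the original article or the plugin authors: it looks for file-manager plugin directories on disk, so it also catches a plugin that was deactivated but never deleted. `wp-file-manager` is the slug from the WPScan URL above; the `file-manager-advanced` directory name, the treatment of patch releases, and the sample tree are assumptions.

```bash
# Added example: find file-manager plugins left on disk under a WordPress root.
# The slug wp-file-manager is from the article; file-manager-advanced is assumed.

# Read "Version:" from the standard WordPress plugin header comment.
plugin_version() {
    grep -hiE '^[[:space:]*#/@]*Version:' "$1"/*.php 2>/dev/null |
        head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# True for 6.0 through 6.8 (patch releases included, an assumption): the range
# the article gives for CVE-2020-25213.
in_cited_range() {
    case $1 in
        6.[0-8] | 6.[0-8].*) return 0 ;;
        *) return 1 ;;
    esac
}

# One line per plugin directory found, whether or not WordPress has it active.
audit_file_managers() {
    for slug in wp-file-manager file-manager-advanced; do
        dir="$1/wp-content/plugins/$slug"
        [ -d "$dir" ] || continue
        ver=$(plugin_version "$dir")
        if [ "$slug" = wp-file-manager ] && in_cited_range "$ver"; then
            echo "CRITICAL $slug ${ver:-unknown} (6.0-6.8, update or delete now)"
        else
            echo "PRESENT $slug ${ver:-unknown} (delete when the task is done)"
        fi
    done
}

# Constructed sample tree (made-up version numbers) so the example runs offline.
make_sample_site() {
    site=$(mktemp -d)
    for pair in wp-file-manager:6.4 file-manager-advanced:5.2.1; do
        d="$site/wp-content/plugins/${pair%%:*}"
        mkdir -p "$d"
        printf '<?php\n/*\n * Plugin Name: sample\n * Version: %s\n */\n' \
            "${pair#*:}" > "$d/plugin.php"
    done
    echo "$site"
}

sample=$(make_sample_site)
audit_file_managers "$sample"
rm -rf "$sample"
```

Run `audit_file_managers` against the real site root over SSH; no output means neither plugin directory exists.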
Better plugin alternatives
If you specifically need a plugin-based file manager because the hosting control panel is not accessible, File Manager Advanced by Modalweb has a smaller install base but a better security track record in recent years. The same hygiene still applies – install, use, remove.
When to use each method
| Scenario | Best tool |
|---|---|
| One-off edit, occasional user | Hosting control panel |
| Daily development work on a single site | SFTP |
| Managing multiple sites as an agency | SSH + SFTP |
| Site is locked out and wp-admin is inaccessible | Hosting control panel or SFTP |
| Client needs temporary file access, no SFTP/SSH available | WP File Manager plugin (install, use, remove) |
| Bulk find-and-replace across files | SSH |
| Uploading a 50MB theme zip | Hosting control panel (drag-drop) or SFTP |
| Editing `wp-config.php` in an emergency | Hosting control panel (fastest) |
| Automating file operations | SSH + scripts |
Common WordPress file management tasks
Edit wp-config.php
Your hosting control panel file manager. Navigate to your site root, open `wp-config.php`, edit, save. Takes 30 seconds. You can also SFTP into the root and edit with a local text editor – same result.
Upload a theme or plugin manually
Download the .zip. In the control panel file manager, upload to `/wp-content/themes/` (for a theme) or `/wp-content/plugins/` (for a plugin). Right-click the zip and choose Extract. Delete the zip after extraction.
Alternatively: Appearance > Themes > Add New > Upload Theme, if wp-admin is working.
Delete orphaned files
SSH is better for this. `find /home/user/public_html/wp-content/uploads/ -name "*.tmp" -delete` cleans up tmp files in one command. Doing the same in a file manager is dozens of clicks.
Check file permissions
Most well-configured WordPress sites need 755 on directories and 644 on files. If you see permission-denied errors or “failed to open stream” messages, the file manager’s permissions view or `ls -la` over SSH shows you what is wrong. See Linux file permissions for the full picture.
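Checking a whole tree against that 755/644 baseline is quicker with `find` than by reading `ls -la` output directory by directory. The script below is an added example, not part of the original article: it lists every deviation, flags world-writable paths separately, and can reset the tree to the baseline. The function names and the sample tree are constructed for illustration.

```bash
# Added example: audit a WordPress tree against the 755 (directories) and
# 644 (files) baseline from the article. Paths are relative to the root given.

# One "LABEL path" line per finding; symlinks are not followed.
audit_perms() {
    (
        cd "$1" || exit 1
        find . -type d ! -perm 755 | sed 's/^/DIR-NOT-755 /'
        find . -type f ! -perm 644 | sed 's/^/FILE-NOT-644 /'
        # Writable by every account on the server: the highest-risk finding.
        find . \( -type f -o -type d \) -perm -002 | sed 's/^/WORLD-WRITABLE /'
    ) | LC_ALL=C sort
}

# Reset deviations to the baseline. Review audit_perms output first.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Constructed sample tree so the example runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.php"; : > "$t/wp-config.php"; : > "$t/wp-content/uploads/a.jpg"
    chmod 755 "$t" "$t/wp-content"
    chmod 644 "$t/index.php"
    chmod 666 "$t/wp-config.php"            # world-writable config
    chmod 777 "$t/wp-content/uploads"       # world-writable upload directory
    chmod 600 "$t/wp-content/uploads/a.jpg" # deviates from 644
    echo "$t"
}

tree=$(make_sample_tree)
audit_perms "$tree"
fix_perms "$tree"
rm -rf "$tree"
```

Some hosts deliberately set a tighter mode on individual files, so treat the audit output as a list to review rather than a list of errors.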
Download a backup of the whole site
Hosting control panel file managers usually let you select the whole `public_html` (or equivalent), right-click, and Compress into a zip, then download. For large sites this times out in the browser – SFTP or SSH (`rsync` or `scp`) is better.
Restore a deleted file
If the site backs up to the host, use the host’s snapshot restore. If not, pull it from your most recent local working copy via SFTP. If neither exists, the file is gone.
How long does this take to learn
| Method | Time to first successful edit |
|---|---|
| Hosting control panel | Under 2 minutes (log in, click File Manager, edit) |
| SFTP (FileZilla) | 10-15 minutes (install, configure credentials, connect) |
| SSH | 30 minutes for first edit, hours to be comfortable |
| WP File Manager plugin | 5 minutes (install, open, edit) – plus security mental overhead |
For occasional users, the control panel wins on learning curve. For anyone doing WordPress work weekly or more, spending an afternoon to learn SFTP and SSH pays off many times over.
Symptom-to-tool quick lookup
| What you need to do | Try this first |
|---|---|
| Edit a single file and get out | Hosting control panel |
| Upload a file larger than wp-admin allows | SFTP or control panel |
| Edit files while site is down | Control panel (wp-admin is not needed) |
| Recover a file a plugin deleted | Host’s backup/snapshot, then SFTP |
| Change file permissions | Control panel or SSH |
| Run a command across many files | SSH only |
| Give temporary file access to a non-technical user | WP File Manager plugin (install/use/remove) or delegated hosting sub-account |
| Transfer 10GB of media between servers | SSH with rsync |
How Hostney handles file management
Hostney includes a full-featured file manager directly in the control panel. You get:
- Full-home-directory browsing – not just `wp-content`, the whole account
- Drag-and-drop upload – single files and folders
- Download – single files or as zip archives for folders
- Built-in code editor with syntax highlighting for PHP, JavaScript, CSS, HTML, JSON, and more
- In-place archive extraction – upload a theme zip, right-click, extract
- Rename, delete, create files and folders
- Chmod permission editor – visual 755/644 selector, no mental arithmetic on octal values
- Authentication via your Hostney login – if you have 2FA on your account, the file manager is protected by 2FA
You also get SFTP and SSH access on every account. Create SFTP users under FTP users, or set up SSH keys under SSH keys. Both work against the same underlying files as the control panel file manager, so you can switch between them depending on the task.
This combination means the WP File Manager plugin is almost never the right choice on Hostney. The control panel handles quick one-off tasks. SFTP and SSH handle recurring development work. There is no scenario where installing a file-manager plugin inside WordPress is safer or more convenient than the tools already included with the account.
Summary
“Managing WordPress files without FTP” has four realistic solutions. In order of recommendation for most users:
- Your hosting control panel file manager – safest, fastest for one-off tasks, works when wp-admin is broken
- SFTP – the right tool for anyone working with WordPress regularly
- SSH – the right tool for developers, automation, and bulk operations
- WP File Manager plugins – a distant fourth choice; carries real security risk, use only when nothing else is available and remove immediately after
If you are here because of a specific emergency (locked out of wp-admin, need to edit wp-config.php, cannot install SFTP), the control panel file manager is almost certainly what you want. If you are planning your normal WordPress workflow, learn SFTP as your daily driver and reach for the control panel when you need the fastest possible one-off edit.
For related file-access topics: SFTP vs FTP vs FTPS explains the protocol differences, how to transfer files over SSH using SCP covers terminal file transfers, and Linux file permissions covers chmod and ownership if you run into “permission denied” errors.