As a web developer, I frequently encounter situations where I need to access and modify files in the root directory or within the WordPress install and I don’t have FTP access. Often, I simply want to update some plugins but don’t want to do it without access to these, in case something goes wrong. Well now you can do that! And the benefit of my solution is that it will work even if WordPress goes down completely as it is independent of WP.
If you’ve already been looking around, I’m sure you’ve seen the suggestion to use the WP-FileManager plugin. And I would honestly say try that first, because I find that it does sometimes work, and if it does, you can save yourself some effort. Though this solution will likely not work if your backend is getting a fatal error after updates, in which case you are out of luck! So I still recommend using this other method. Let’s get to it!
WARNING: Editing theme files carries with it inherent risks. Always back up your database and files before making any changes to them. Proceed at your own risk.
ANOTHER WARNING: This method opens up some major security holes in your site while it is active; it’s really only for when you have no alternatives and you really need to have access to these areas of your site. It is critical that you remove everything when you are done, as per the instructions.
Overview
Basically what we are going to do is add a custom script to our theme’s functions.php file which will then allow us to upload a full-featured file-manager script to our site root. From there, we will get access to all of the files we need. We can rename, upload, delete, you name it! Let’s get started.
Setting Up Upload Page
We need to create a private page where we can have the file uploader. It’s not an elegant solution, but it’s not very hard, so let’s dig in!
1. From the WordPress backend, go to Pages -> Add New.
2. Name it whatever you want, set visibility on the right to “Private”, and then click “Publish”.
3. Look at the page URL from the edit screen. Mine might look something like this: pagecrafter.com/wp-admin/post.php?post=123&action=edit. Take note of the number after “post=” (123 in this example); we will need that shortly.
Adding Custom Script to Theme
1. From the WordPress backend, go to Appearance -> Editor.
2. Locate functions.php on the right. It will probably be labeled “Theme Functions” and in parentheses underneath will say “functions.php”. Click it.
3. Add the following script to the end of your functions.php file. Replace “123” with your upload page’s ID from earlier and click “Update File”.
//Script to upload php file to root of website. Code retrieved at https://pagecrafter.com
function bjd_add_file( $content ) {
    $postid = get_the_ID();

    //Only display the form if we are on our upload page. Replace this value with your own page's ID
    if ($postid == '123') {

        //Upload HTML Form
        $html = <<<END
<form action="" method="POST" enctype="multipart/form-data">
<input type="file" name="image" />
<input type="submit"/>
</form>
END;

        if(isset($_FILES['image'])){
            $errors = array();
            $file_name = $_FILES['image']['name'];
            $file_size = $_FILES['image']['size'];
            $file_tmp = $_FILES['image']['tmp_name'];
            $file_type = $_FILES['image']['type'];

            //end() needs a real variable, so split the name first and take the last piece as the extension
            $name_parts = explode('.', $file_name);
            $file_ext = strtolower(end($name_parts));

            //Only .php files are accepted
            $extensions = array("php");
            if(in_array($file_ext, $extensions) === false){
                $errors[] = "extension not allowed.";
            }

            if($file_size > 2097152){
                $errors[] = 'File size must be less than 2 MB';
            }

            if(empty($errors) == true){
                //Relative target path: the file is saved under its original name
                //Only report success if the move actually worked
                if(move_uploaded_file($file_tmp, $file_name)){
                    echo "Success";
                }else{
                    print_r(array('could not save the uploaded file.'));
                }
            }else{
                print_r($errors);
            }
        }

        $output = $content.$html;
        return $output;
    }
    //Return the page content as-is on all other pages
    else {
        return $content;
    }
}

//Insert function using a filter
add_filter('the_content','bjd_add_file');
Uploading File Manager
Now we need to use our new tool to actually upload the file manager. We will be using a great tool called PHP File Manager, which you can download here.
1. Extract index.php from the PHP File Manager zip file to anywhere on your local machine.
2. Rename this file. This is critical: if we don’t rename it, it will be accessible easily by every visitor to your website, not to mention it will ruin your site. Make sure you rename it to something that isn’t already a file on your server, as we don’t want to overwrite what’s already there. Something like filemanager1234.php should work just fine.
3. Go to the file upload page we created earlier, on the frontend. Select your file, and click upload. The page will say “Success” if it went through properly.
Using the File Manager
All you need to do now is go to the file manager, which can be found at, for my example, pagecrafter.com/filemanager1234.php. Obviously replace this URL with your own domain and whatever you named that file.
Cleanup IMPORTANT!
It is critical that you delete all of this when you are done, as it leaves some pretty glaring security holes open on your site. As mentioned earlier, this method should really only be used for brief periods when you have no other alternatives. Here’s how we remove it.
1. The file manager can actually delete itself. To do so, go to the file manager page, navigate to your site root, select the file manager file, and then select delete. This should remove it. Refresh the page and ensure that it now returns a 404 error.
2. To remove our file upload script, just go back to the editor and remove the section we added to functions.php, then click “Update File”.
3. You can remove the file upload page as well for good measure, even though it’s not really a security risk at this point. Just go to the page in the backend and click “Move to Trash”.
Hope this helps! I’ve found myself in this situation many times and wish I would have known about this sooner. When you’ve been working on WordPress sites for a long time you learn a thing or two, and I’ve learned that you should never run WordPress updates without full access to all the files in case you need to fix something. It’s not worth it if there’s a chance you could put your client’s website offline indefinitely until you figure out where to get FTP access.
If you have any improvements to this as well, I’d love to hear them! I’d especially love to modify the script to not allow a file named “index.php” to be uploaded, and also to not overwrite existing files.
Credit to techstream.org for some of the file upload code.
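A stricter variant of the uploader, covering the two improvements asked for above (no “index.php”, no overwriting existing files) plus an administrator check and a nonce. This is an added example, not the original author's code; it assumes page ID 123 as in the tutorial and saves into the WordPress install directory via ABSPATH, and the names pc_safe_upload, pc_upload, pc_upload_nonce and the field name “manager” are hypothetical.

```php
// Added example (not the original author's code): stricter variant of the uploader.
// Assumptions: 123 is the private upload page's ID; files are saved into ABSPATH
// (the WordPress install directory); pc_* names and the "manager" field are hypothetical.
function pc_safe_upload( $content ) {
    // Only act on the upload page, and only for administrators.
    if ( (int) get_the_ID() !== 123 || ! current_user_can( 'manage_options' ) ) {
        return $content;
    }

    $message = '';
    if ( isset( $_FILES['manager'], $_POST['pc_upload_nonce'] ) ) {
        $name   = basename( $_FILES['manager']['name'] ); // drop any path components
        $target = ABSPATH . $name;

        if ( ! wp_verify_nonce( $_POST['pc_upload_nonce'], 'pc_upload' ) ) {
            $message = 'Request could not be verified.';
        } elseif ( $_FILES['manager']['error'] !== UPLOAD_ERR_OK ) {
            $message = 'Upload failed.';
        } elseif ( strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) !== 'php' ) {
            $message = 'Extension not allowed.';
        } elseif ( strtolower( $name ) === 'index.php' ) {
            $message = 'index.php may not be uploaded.';
        } elseif ( file_exists( $target ) ) {
            $message = 'A file with that name already exists.'; // never overwrite
        } elseif ( $_FILES['manager']['size'] > 2097152 ) {
            $message = 'File size must be less than 2 MB.';
        } elseif ( move_uploaded_file( $_FILES['manager']['tmp_name'], $target ) ) {
            $message = 'Success';
        } else {
            $message = 'Could not move the uploaded file.';
        }
    }

    // The nonce field ties each submission to the logged-in user's session.
    $form  = '<form action="" method="POST" enctype="multipart/form-data">';
    $form .= wp_nonce_field( 'pc_upload', 'pc_upload_nonce', true, false );
    $form .= '<input type="file" name="manager" /> <input type="submit" /></form>';

    return $content . $form . '<p>' . esc_html( $message ) . '</p>';
}
add_filter( 'the_content', 'pc_safe_upload' );
```

Use it in place of the bjd_add_file block rather than alongside it, and remove it during cleanup in the same way.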