Never leave a File Manager plugin on your WordPress website in the first place!

A File Manager plugin can be a very useful tool when you need it, but you can say the same thing about a stick of dynamite! It’s not something you want to leave in the kitchen junk drawer in case you need it later!
David Innes, owner of RealBasics.com
The ultra-tech website Ars Technica reported a serious problem with an already crazy-risky WordPress plugin. Let me quickly explain how to fix it:
Delete the $%# plugin File Manager plugin if it’s installed on your website!
Done? Good. Now let’s talk about why you really, really don’t want or need the WP File Manager, an FTP client plugin, or any other kind of tunnel-into-your-server plugins on your live WordPress website. (Or any other kind of website for that matter!)
Even if the plugin didn’t have coding vulnerabilities, if you can just breeze into your server configuration from your website then… so can anyone else who can get into your site! In other words, even if the code was 100% secure the feature would still be an intrinsic vulnerability.
It’s always going to be 100% safer, more secure, and probably more efficient to use your hosting company’s control panel or a secure SFTP/FTP tool to access, manage, and edit files on your server. It’ll be a separate login for one thing. For another, hosting companies tend to be waaaay more security conscious and attentive than anyone who might randomly access your website’s dashboard — with or without your permission.
Question: do I think the developers who create plugins like File Manager are bad, wrong, wicked, irresponsible, or dumb for creating inherently insecure tools like a File Manager?
No! Not at all! There are certain cases where you really might have no other way to access your file system:
- you’re locked out of your server, for instance.
- your hosting plan is so old and obsolete that their control panel is basically unworkable
- you’re a contract developer trying to debug a particular issue for a client where you don’t have access to their hosting account and you’ve determined that the problem is with a file or directory that can’t be managed any other way.
Those are all really great reasons! But! They’re all really great reasons to install and activate the plugin, and then deactivate and uninstall the plugin the minute you’ve done what needs to be done.
Want to know the real reason 700,000 WordPress websites have the FileManager plugin installed on their website?
- Because they thought they might need it later
- They (or their developer) added it because they needed it while they were setting up the website but then never got around to removing it
Those are really bad reasons. A File Manager plugin can be a very useful tool when you need it, but you can say the same thing about a stick of dynamite! It’s not something you want to leave in the kitchen junk drawer in case you need it later!
Oh yeah, and on the offhand chance you’re actually using the File Manager plugin and you don’t want to delete it? Log in to your site and update it — the update at least appears to have fixed the code vulnerability. (If not the inherent vulnerability.)