How Allow to Upload Forbidden File Types

WordPress does not allow uploading just anything to the media library—it protects itself. Files of non-standard (not allowed) types cannot be uploaded because WP has a list of permissible file formats, i.e., a whitelist of mime types.

Sometimes this protection gets in the way, and despite the potential danger, we still need the ability to upload files of the types we need.

Below we will look at how to add a file type to the whitelist.

Here is what the error looks like if, for example, you try to upload a file with the .svg extension:

Contents:

File Upload Process and Type Check

Allowing/Disallowing File Types for Upload

See also the question “Uploading ttf files”

To manage the whitelist of file extensions, there are two hooks:

The example below shows how to allow the upload of certain file types (.doc, .djvu) and how to disallow others (.mp4a) - remove from the whitelist.

add_filter( 'upload_mimes', 'upload_allow_types' );
function upload_allow_types( $mimes ) {

	// allow new types
	$mimes['doc']  = 'application/msword';
	//$mimes['woff'] = 'font/woff';
	$mimes['psd']  = 'image/vnd.adobe.photoshop';
	$mimes['djv']  = 'image/vnd.djvu';
	$mimes['djvu'] = 'image/vnd.djvu';
	$mimes['webp'] = 'image/webp';
	//$mimes['fb2']  = 'text/xml';
	//$mimes['epub'] = 'application/epub+zip';

	// disallow (disable) existing
	// unset( $mimes['mp4a'] );

	return $mimes;
}

Similarly, you can allow or disallow any other file types. See List of MIME types.

How to Upload SVG Files

The type of SVG file can vary depending on the file, so it's not that simple. For more details, see the separate article.

There you can also see what non-standard situations may arise when allowing the upload of prohibited file types and how to resolve them.

Uploading Images with Incorrect Extensions

WP has a mechanism for correcting the file extension when it is specified incorrectly. For example, we upload an image img.png whose actual format is JPG. In this case, the check for the correspondence of the actual MIME type of the file and its extension fails, and WP, based on a list of such correspondences, tries to establish the correct extension and pass the check again (see: wp_check_filetype_and_ext()). If the check passes, the file name is changed to the correct one.

The mechanism described above has been working for a long time, and many are even unaware of it. However, it needs to be taken into account when we add new image formats for upload.

For example, if we added the WEBP format to the upload_mimes filter, we also need to consider this mechanism for checking the correspondence of the extension and mime type; otherwise, we simply won't be able to upload an image in WEBP format if its name has an extension other than .webp.

This can be done using the filter getimagesize_mimes_to_exts, for more details on how this works, read the description of the filter.

# Adding correspondence of mime type and extension
add_filter( 'getimagesize_mimes_to_exts', 'more_mimes_to_exts' );
function more_mimes_to_exts( $mime_to_ext ){
	$mime_to_ext['image/webp'] = 'webp';

	return $mime_to_ext;
}

After this hook, you will be able to upload images in WEBP format, even if their name has a different extension, for example, image.jpg.

Enabling the unfiltered_upload Right

The right unfiltered_upload allows users (roles) to upload any files without checking their type.

This right is by default available to the roles:

  • Administrator.
  • Super Administrator (in multisite mode).

However, this right is by default blocked, i.e., the specified roles will not pass the check if( current_user_can('unfiltered_upload') ), despite having such a right.

To make the unfiltered_upload right work as expected, you need to "enable" the constant in the wp-config.php file:

define( 'ALLOW_UNFILTERED_UPLOADS', true );