How to Allow Uploading Forbidden File Types
WordPress does not let you upload just any type of file to the media library; there are limitations. Files of non-standard (not allowed, forbidden) types cannot be uploaded because WP keeps a list of valid file formats, i.e. a whitelist of file MIME types.
Sometimes this protection gets in the way, and despite the potential danger, you still need to be able to upload files of types that are not allowed.
Below I show how to add a file type to the WordPress uploads whitelist.
This is what the error looks like if, for example, you try to upload a file with an .svg extension:

Allow or Deny file types for upload in WordPress
There are several hooks to manage the whitelist of file extensions:
- upload_mimes - from get_allowed_mime_types().
- wp_check_filetype_and_ext - from wp_check_filetype_and_ext().
The example below shows how to allow uploading of some file types (.svg, .doc, .djvu) and how to prohibit (remove from the whitelist) others (.mp4a).
add_filter( 'upload_mimes', 'upload_allow_types' );

function upload_allow_types( $mimes ) {

	// allow new types
	$mimes['svg']  = 'image/svg+xml';
	$mimes['doc']  = 'application/msword';
	$mimes['woff'] = 'font/woff';
	$mimes['psd']  = 'image/vnd.adobe.photoshop';
	$mimes['djv']  = 'image/vnd.djvu';
	$mimes['djvu'] = 'image/vnd.djvu';

	// disable existing
	// unset( $mimes['mp4a'] );

	return $mimes;
}
image/svg+xml is the MIME type of an svg file.
By analogy, you can allow or deny any other file types. A list of the MIME types needed for the whitelist can be found at: list of MIME file types.
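Given the potential danger mentioned above, one way to narrow an added type is shown here for .svg. This is an added example, not code from the original article: it whitelists .svg only for users who can manage_options and refuses SVG files that contain script elements, event-handler attributes or javascript: URLs. The myprefix_* function names and the manage_options policy are assumptions, and the check is a coarse reject filter, not a sanitizer.

```php
<?php
// Added example; the myprefix_* names and the manage_options policy are assumptions.
// 1. Whitelist .svg only for users who can manage_options.
add_filter( 'upload_mimes', 'myprefix_svg_for_admins', 10, 2 );
function myprefix_svg_for_admins( $mimes, $user = null ) {
	$ok = $user ? user_can( $user, 'manage_options' ) : current_user_can( 'manage_options' );
	unset( $mimes['svg'] );
	if ( $ok ) {
		$mimes['svg'] = 'image/svg+xml';
	}
	return $mimes;
}

// 2. Refuse SVG files with active content before WordPress stores them.
add_filter( 'wp_handle_upload_prefilter', 'myprefix_reject_active_svg' );
function myprefix_reject_active_svg( $file ) {
	if ( 'svg' === strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
		$reason = myprefix_svg_problem( (string) file_get_contents( $file['tmp_name'] ) );
		if ( null !== $reason ) {
			$file['error'] = 'SVG rejected: ' . $reason; // a non-empty error aborts the upload
		}
	}
	return $file;
}
// Returns null when nothing suspicious is found, otherwise a short reason (coarse reject filter).
function myprefix_svg_problem( $svg ) {
	$doc = new DOMDocument();
	if ( '' === $svg || ! @$doc->loadXML( $svg, LIBXML_NONET ) ) {
		return 'not well-formed XML';
	}
	if ( $doc->doctype && '' !== (string) $doc->doctype->internalSubset ) {
		return 'DOCTYPE with internal subset (entity declarations)';
	}
	$blocked = array( 'script', 'foreignobject', 'iframe', 'object', 'embed' );
	foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
		if ( in_array( strtolower( $el->localName ), $blocked, true ) ) {
			return 'element <' . $el->localName . '>';
		}
		foreach ( $el->attributes as $attr ) {
			if ( 0 === stripos( $attr->localName, 'on' ) ) {
				return 'event handler attribute ' . $attr->localName;
			}
			// Whitespace is stripped first, since browsers ignore it inside the scheme.
			if ( false !== stripos( preg_replace( '/\s+/', '', $attr->value ), 'javascript:' ) ) {
				return 'javascript: URL in attribute ' . $attr->localName;
			}
		}
	}
	return null;
}
```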
The process of uploading a file and checking its type
- Click on "upload", choose a file to upload, and WP sends a request to the wp-admin/async-upload.php file.
- Then WordPress checks MIME type of the file by the following chain:
Activate unfiltered_html capability
The unfiltered_html capability allows users (roles) to upload any files without checking their type. But this rule is disabled by default (obviously) for security reasons. Let's figure out what it does:
Only the editor, admin and super admin roles have this capability by default. But regardless of that, the check if( current_user_can('unfiltered_html') ) will always return false for those roles.
To make the unfiltered_html capability work as expected, you need to «activate» the ALLOW_UNFILTERED_UPLOADS constant in wp-config.php:
define( 'ALLOW_UNFILTERED_UPLOADS', true );