
How to Enable the Upload of Additional File Types in WordPress?

For security purposes, WordPress only allows uploading common file types such as images, videos, and documents. But sometimes you need to upload a file with an extension that WordPress blocks by default – like SVG, PSD, or a custom format.

In this guide, you’ll learn how to allow additional file types, how to block specific types, and the security implications of each approach.

WordPress determines allowed file types based on MIME types. A MIME type is a label like image/png or application/pdf that identifies the format of a file. WordPress maintains an internal allowlist of MIME types, and any file that doesn’t match is rejected during upload.

Default Allowed File Types

WordPress allows most common file types out of the box, including:

  • Images: JPG, JPEG, PNG, GIF, ICO, WEBP (since WP 5.8), AVIF (since WP 6.5)
  • Documents: PDF, DOC, DOCX, PPT, PPTX, XLS, XLSX, ODT, PPS
  • Audio: MP3, M4A, OGG, WAV
  • Video: MP4, MOV, AVI, WMV, MPEG, OGV, 3GP, WebM

The full list is defined in the wp_get_mime_types() function in WordPress core. For a complete reference, see the official documentation.

How to Allow Additional File Types

To allow additional file types, use the upload_mimes filter. Add this code to your child theme’s functions.php file:

add_filter( 'upload_mimes', function( $mime_types ) {
    $mime_types['svg']  = 'image/svg+xml';
    $mime_types['psd']  = 'image/vnd.adobe.photoshop';
    $mime_types['ai']   = 'application/postscript';
    $mime_types['eps']  = 'application/postscript';
    return $mime_types;
} );

Each line adds a file extension mapped to its MIME type. To find the correct MIME type for a format, search for it on the IANA Media Types registry.

Here are some commonly requested MIME types:

| Extension | MIME Type | Description |
|---|---|---|
| .svg | image/svg+xml | Scalable Vector Graphics |
| .psd | image/vnd.adobe.photoshop | Adobe Photoshop |
| .ai / .eps | application/postscript | Adobe Illustrator / PostScript |
| .json | application/json | JSON data files |
| .woff / .woff2 | font/woff / font/woff2 | Web fonts |

SVG Security Warning: SVG files are XML-based and can contain embedded JavaScript, making them a potential XSS (cross-site scripting) attack vector. If you allow SVG uploads, only grant upload permissions to trusted users, or use a plugin like Safe SVG that sanitizes files on upload.
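
The SVG warning above, as an added example (not code from the original article or from any plugin it mentions): it offers the svg type only to users with the manage_options capability and refuses SVG files that contain script elements, foreignObject, on* event attributes, javascript: URLs or entity declarations. The example_svg_has_active_content() name and the choice of manage_options as the trust boundary are assumptions; this is a reject-on-suspicion check, not a sanitizer.

```php
<?php
// Added example. Assumption: holders of 'manage_options' are the trusted users.

// 1. Offer the SVG type only to trusted users; everyone else keeps the default list.
add_filter( 'upload_mimes', function ( $mimes, $user = null ) {
    $trusted = $user ? user_can( $user, 'manage_options' )
                     : current_user_can( 'manage_options' );
    if ( $trusted ) {
        $mimes['svg'] = 'image/svg+xml';
    } else {
        unset( $mimes['svg'] );
    }
    return $mimes;
}, 10, 2 );

// 2. Hypothetical helper: true if the SVG carries anything that can run script.
function example_svg_has_active_content( $path ) {
    $xml = file_get_contents( $path );
    // Entity declarations can hide markup from the XPath checks, so refuse them.
    if ( ! $xml || false !== stripos( $xml, '<!ENTITY' ) ) {
        return true;
    }
    $previous = libxml_use_internal_errors( true );
    $doc      = new DOMDocument();
    $loaded   = $doc->loadXML( $xml, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    if ( ! $loaded ) {
        return true; // Not well-formed XML: refuse rather than guess.
    }
    // Whitespace is stripped before matching because browsers ignore tabs and
    // newlines inside a URL scheme.
    $ws    = " \t\r\n";
    $query = '//*[local-name()="script" or local-name()="foreignObject"]'
        . ' | //@*[starts-with(translate(local-name(), "ON", "on"), "on")]'
        . ' | //@*[contains(translate(., "JAVSCRIPT' . $ws . '", "javscript"), "javascript:")]';
    $xpath = new DOMXPath( $doc );
    return $xpath->query( $query )->length > 0;
}

// 3. Reject the upload before WordPress moves it into the uploads directory.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' === $ext && example_svg_has_active_content( $file['tmp_name'] ) ) {
        $file['error'] = 'SVG rejected: scripts, event handlers or entities found.';
    }
    return $file;
} );
```

A file that fails the check never reaches the Media Library; files that pass are stored unmodified, so untrusted sources still call for a sanitizing plugin.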

Allow All File Types (Not Recommended)

Another approach is to remove all file type restrictions by adding this constant to your wp-config.php file:

define( 'ALLOW_UNFILTERED_UPLOADS', true );

Security Risk: This allows any file type to be uploaded, including executable files like .php, .exe, or .sh. A malicious user with upload access could upload a PHP shell and take full control of your server. Only use this in development environments, never on a production site.

How to Block a Specific File Type

If you want to prevent a specific file type from being uploaded, use the same upload_mimes filter with unset():

add_filter( 'upload_mimes', function( $mimes ) {
    unset( $mimes['gif'] );
    return $mimes;
} );

This removes GIF from the allowed types. You can unset any key from the $mimes array to block that format.

Plugin Alternatives

If you prefer not to edit code, several plugins handle this:

  • WP Extra File Types – Adds a settings page where you can check/uncheck allowed file types without writing code
  • Safe SVG – Specifically enables SVG uploads while sanitizing the files to remove potentially malicious code
  • WP Add Mime Types – Lets you add custom MIME types from the WordPress admin

Troubleshooting Upload Errors

If you’ve added a file type but uploads still fail, check these common causes:

  • File size limit: Your server’s upload_max_filesize and post_max_size PHP settings may be too low
  • Multisite restrictions: On WordPress Multisite, only Super Admins can upload unfiltered files. The network settings also have a separate allowed file types list under Network Admin > Settings
  • Server-level blocking: Your web server (Apache/Nginx) or a security plugin like Wordfence may block certain file types regardless of WordPress settings
  • File validation: Since WordPress 4.7.1, uploaded files are validated against their actual content, not just their extension. A file with a mismatched extension and content will be rejected

For more image-specific upload issues, see the guide on troubleshooting WordPress image upload errors.

FAQs

Common questions about WordPress file uploads:

Why does WordPress restrict file uploads?

WordPress restricts file uploads for security. Allowing unrestricted uploads could let malicious users upload executable files (like PHP scripts) that could compromise your server. By maintaining an allowlist of safe MIME types, WordPress ensures that only known file formats can be uploaded through the Media Library.

Is it safe to upload SVG files in WordPress?

SVG files are XML-based and can contain embedded JavaScript, making them a potential XSS attack vector. If you allow SVG uploads, use a plugin like Safe SVG that sanitizes the file content on upload. Only grant upload access to trusted users, and never allow SVG uploads from untrusted sources like a public-facing form.

Does WordPress support WEBP and AVIF images?

Yes. WEBP has been supported natively since WordPress 5.8 (2021), and AVIF support was added in WordPress 6.5 (2024). You do not need to add custom code or plugins to upload these formats - they work out of the box on supported servers. Your server must have the appropriate image library (GD or Imagick) with support for these formats.

How do I find the MIME type for a specific file format?

The official registry of MIME types is maintained by IANA at iana.org/assignments/media-types. You can also check a file's MIME type on Linux/Mac by running file --mime-type filename in the terminal. Common examples include image/svg+xml for SVG, application/json for JSON, and font/woff2 for WOFF2 web fonts.

Should I use ALLOW_UNFILTERED_UPLOADS on my site?

No, not on a production site. ALLOW_UNFILTERED_UPLOADS removes all file type restrictions, allowing any file - including PHP scripts and executables - to be uploaded. This is a critical security risk. Instead, use the upload_mimes filter to selectively allow only the specific file types you need. Reserve ALLOW_UNFILTERED_UPLOADS for local development environments only.

Summary

WordPress restricts file uploads to a safe list of MIME types for security. To allow additional types, use the upload_mimes filter in your child theme’s functions.php to add specific extensions.

Avoid using ALLOW_UNFILTERED_UPLOADS on production sites, as it removes all restrictions and creates a serious security vulnerability. For SVG files specifically, use a sanitization plugin like Safe SVG to prevent XSS attacks.

Modern WordPress versions support WEBP (since 5.8) and AVIF (since 6.5) natively – no custom code needed for these formats.

Join the Discussion
  • Nuge 26 March 2025, 20:49

    I added define( ‘ALLOW_UNFILTERED_UPLOADS’, true ); to the wpconfig file and it is still blocking me

    • רועי יוסף 30 March 2025, 19:42

      Maybe it's an issue with the type of quotes you’ve used? Try to copy and paste this:

      define( 'ALLOW_UNFILTERED_UPLOADS', true );
