You must control the files that users upload in your WordPress site for both security and simplicity. This feature ensures you can stop programs that may be unsafe, lower the risks and maintain full site compatibility. This guide explains a simple way to manage and control the types of files uploaded to your site.
Why Limit File Uploads?
It’s necessary to first understand why limiting the files that can be uploaded in WordPress is very important. By default, WordPress is set up to allow images, document files, audio files and video files to be uploaded. Although this flexibility is convenient, it might lead to risks if it isn’t handled correctly.
Key Reasons to Limit File Upload Types:
- Security: Unrestricted file uploads open doors for hackers by letting them upload and use dangerous files, like .php and .exe examples. Setting limits on what files can be uploaded to your site helps secure it and all its information.
- Performance: Uploading unnecessary or unsupported file types can strain your server's resources, leading to slower site speeds and higher hosting costs. Limiting file types ensures your site runs more efficiently by reducing server load.
- User Experience: Uploading the wrong file types can create issues for your users, such as unsupported files that won't display or function properly. By restricting uploads to specific formats, you ensure a smoother experience for both administrators and visitors.
- Content Consistency: If your site has a specific purpose or branding, you might only want certain types of content uploaded—such as specific image formats or professional documents. Limiting file types helps maintain consistency and prevents clutter or irrelevant content from being introduced.
Default WordPress Allowed File Types
By default, WordPress allows the following file types:
- Images: .jpg, .jpeg, .png, .gif, .ico
- Documents: .pdf, .doc, .docx, .ppt, .pptx, .pps, .ppsx, .odt, .xls, .xlsx
- Audio: .mp3, .m4a, .ogg, .wav
- Video: .mp4, .m4v, .mov, .wmv, .avi, .mpg, .ogv, .3gp, .3g2
If your website doesn’t require some of these, restricting them is a good idea.
Step-by-Step Guide to Restrict File Upload Types in WordPress
There are multiple methods to restrict file types. Each comes with its own use case, depending on your technical expertise and project requirements.
Step 1: Back Up Your Website
Always create a full backup before making any changes to your WordPress site—especially when altering core behavior or installing new features. Backups protect your data and ensure you can restore your site if anything goes wrong. Use a reliable plugin like:
- UpdraftPlus
- Jetpack Backup
- Duplicator
This ensures that if something goes wrong, you can restore your site quickly.
Step 2: Decide What File Types You Want to Allow
Make a list of the file types you want users to upload. This could vary depending on your site type:
- Blog: Likely just images (.jpg, .png, .gif)
- Portfolio: Might include PDFs or video files
- E-commerce: May need product images and brochures
Having this list ready will make your configurations clearer and more focused.
Step 3: Use the upload_mimes Filter in functions.php
The most direct way to limit file types is by using the upload_mimes filter in your theme’s functions.php file.
How to do it:
- Navigate to Appearance > Theme File Editor.
- Open functions.php.
What this does:
It overrides the default list of allowed file types and sets a custom list.
Step 4: Use a Plugin (for Non-Developers)
If you are not comfortable editing theme files, plugins provide an easier method. Some popular choices include:
1. WP Extra File Types
- Go to Plugins > Add New
- Search for “WP Extra File Types”
- Install and activate
- Go to Settings > Extra File Types
- Check or uncheck file types based on your preference
- Save changes
2. File Upload Types by WPForms
- Another intuitive plugin that offers similar functionality
- Especially useful if you already use WPForms for form handling
Step 5: Restrict Upload Types by User Role (Optional)
In some cases, you might want to allow certain file types for admins while restricting them for contributors or subscribers. This approach ensures that sensitive or potentially risky formats, such as executable files or scripts, are kept away from general users who may not have the technical knowledge to handle them safely.
At the same time, it allows admins to retain the flexibility needed to upload and manage these file types when necessary, ensuring smoother workflows and better control over the system. This balance between security and functionality is crucial for maintaining an efficient and safe environment.
Step 6: Use .htaccess for Server-Level Restrictions
In Apache-based servers, you can use the .htaccess file to add an extra layer of restriction:
apache
CopyEdit
<FilesMatch "\.(exe|php|sh|bat|pl)$">
Order Deny,Allow
Deny from all
</FilesMatch>
This prevents potentially dangerous file types from being accessed even if they’re uploaded.
Step 7: Test Your Configuration
After setting restrictions:
- Go to the WordPress media uploader
- Try uploading both allowed and disallowed file types
- Verify that disallowed files are blocked
Testing ensures that your site functions as expected and that users are limited to your defined rules.
Tips for File Upload Security
1. Enable File Scanning Plugins
Plugins like Wordfence or Sucuri Security can scan uploaded files for malware or anomalies.
2. Limit File Size
Use the following in php.ini or .htaccess to control file sizes:
ini
CopyEdit
upload_max_filesize = 2M
post_max_size = 3M
3. Rename Files Automatically
To prevent file conflicts or potential attacks, use plugins that rename files upon upload, like “Media File Renamer.”
4. Avoid Allowing Executables
Never allow scripts or executables (e.g., .php, .exe) to be uploaded—even by admins.
Conclusion:
While file uploading can be a simple and convenient feature for users, it is important to also prioritize security measures to prevent any potential issues. By following the steps outlined in this guide, you can effectively restrict file uploads and handle common issues that may arise. Additionally, staying up to date with software updates and regularly reviewing your website's security settings can further ensure the safety of your site and its users. Thank you for reading our guide on restricting file uploads in WordPress. We hope it has been helpful in managing your website's security.
