How to Allow Additional File Types for Upload in WordPress (2024 Guide)
As a website owner, you may find yourself needing to allow visitors to upload file types that aren‘t included in the default WordPress set. While WordPress allows most common image, document, audio and video formats out of the box, it blocks potentially risky files like SVGs, XML, JSON and more.
There are good reasons WordPress limits the allowed file types – it helps protect your site from malicious files that could wreak havoc if uploaded and executed. However, the default list is quite restrictive. If you‘re running a design portfolio, online course, or other site where you need to accept a wider variety of submissions, you‘ll quickly run into limitations.
Fortunately, it‘s relatively straightforward to add support for extra file types in WordPress. In this guide, we‘ll walk through multiple methods for allowing additional file uploads on your site. We‘ll also discuss important security considerations to keep in mind, and some troubleshooting tips if you run into issues.
Why You Might Need to Accept More File Types
First, let‘s look at some common scenarios where a WordPress site may need to allow file types beyond the defaults:
- A graphic design portfolio website that needs to showcase AI, EPS, PSD, SVG and other design file formats
- An online learning platform with course materials in MOBI, EPUB, IBA and other ebook formats
- A 3D printing forum where users share STL, OBJ, FBX, GCODE and 3MF files
- A web development blog that provides code snippets in XML, JSON, SQL and TXT formats
- A photography site offering RAW images or PSD templates for download
- A musician‘s site with GarageBand, Logic Pro or Ableton project files
If any of these ring true for you, rest assured you‘re not alone in needing to allow additional file types in WordPress. With 40% of the web running on WordPress, there‘s a huge diversity of sites out there, many with niche upload requirements.
Method 1: Using a Plugin to Allow Extra File Types
The simplest way to add support for more file types is by installing a dedicated WordPress plugin. Here are the steps:
Install and activate the free File Upload Types by WPForms plugin. You can find it by searching the WordPress plugin directory, or by going to Plugins → Add New in your WordPress admin area and searching for "file upload types".
Once activated, navigate to Settings → File Upload Types. You‘ll see a list of file types organized into Categories. Each has a checkbox to easily enable or disable it.
Simply check the boxes next to the file types you want to allow. The plugin includes an extensive list of types, so there‘s a good chance the formats you need are built-in.
If you don‘t see a particular file type, you can add it as a custom type at the bottom of the page. Click "Add New Custom File Type" and specify:
- Name: A user-friendly name for the file type
- MIME Type: The content type that identifies the file format
- File Extension: The suffix at the end of the file name, including the dot (like .ai or .json)
You can look up a file type‘s MIME type with a tool like the one at http://mimetype.io/. For example, YAML files have the MIME type application/x-yaml and the extension .yml.
- When you‘ve selected all the file types to allow, click the Save Settings button. You‘re all set! You and your visitors will now be able to upload the file types you enabled.
The File Upload Types plugin is a good choice because:
- It includes an extensive preset list, so most users won‘t need to manually add file types
- It‘s easy to use – just check a box to enable a file type
- It‘s developed by WPForms, a reputable WordPress company, and gets regular updates
However, there are other plugin options available, like:
- Filester – Supports 77 file extensions out of the box, with the ability to add custom types
- WP Extra File Types – Lets you add file types from the media library without editing code
- Unfiltered MU – Allows complete control over which file types to enable/block
One advantage of using a plugin is you can easily turn allowed file types on and off. If you suspect a particular file type is causing issues, you can quickly disable it rather than removing code snippets.
Best Practices for Enabling Extra File Types Safely
As we touched on earlier, WordPress restricts certain file types because they could potentially be used to compromise your site. A malicious user could craft a file that looks innocent but actually contains scripts that execute when uploaded.
Some risky file types include:
- SVG – Can contain JavaScript that runs in the browser
- HTML – Could be used for cross-site scripting attacks
- PHP – May execute unauthorized code on the server
- EXE – Could deliver malware to you or your visitors
- ZIP – Archives can hide malicious files inside
That‘s not to say you should never allow these file types, but you need to be aware of the risks and take precautions:
- Only enable file types you absolutely need. Avoid allowing a file type "just in case" someone might need it someday.
- If possible, only allow uploads from trusted users, like your own team or registered members you‘ve vetted. Avoid allowing public uploads of risky file types.
- Scan uploaded files with antivirus/antimalware tools to check for threats. Some WordPress security plugins can do this automatically.
- Regularly backup your WordPress site so you can restore it if something goes wrong. Store backups offsite on a remote server or cloud service.
- Keep your WordPress core, plugins and themes updated, as updates often include security fixes. New vulnerabilities are always being discovered.
- Consider password-protecting sensitive files so only authorized users can access them.
By following these best practices, you can reduce the risk of allowing additional file types while still getting the functionality you need.
What About Maximum File Size?
In addition to file type restrictions, WordPress also limits the maximum size of uploaded files. The default maximum is 2 MB, which is quite low. If you‘re allowing additional file types, you may also need to increase the allowed file size.
You can see your current upload size limit by going to Media → Add New in the WordPress admin. The Max Upload Size will be listed in the bottom right, under the upload progress bar.
There are a few ways to increase the upload size limit:
In your WordPress dashboard, go to Settings → Media and increase the "Maximum upload file size". This only works if your server allows a higher limit than what you currently have set.
Edit your site‘s .htaccess file (or php.ini file if available) to add the following lines:
php_value upload_max_filesize 64M
php_value post_max_size 64M
Replace 64M with the desired maximum file size in megabytes.
- Contact your hosting provider and ask them to increase the upload limit for your account. Some hosts have an option to do this in the hosting control panel as well.
Again, increasing the upload size limit does come with some added risk, as it allows users to upload larger files that could potentially contain more malicious code or content. Make sure to enforce the security best practices we outlined above.
Troubleshooting File Upload Issues
If you‘ve enabled additional file types but are still seeing error messages when trying to upload them, here are some things to check:
- Make sure you clicked "Save Settings" after enabling the new file types in your plugin settings.
- Clear your browser cache and reload the page, as the changes may not take effect immediately.
- Check that the file extension is spelled correctly in your plugin settings, including the dot (like .ai not ai).
- Ensure the MIME type is correct for the file format. You can look it up with a MIME type checker tool.
- If you added the file type with custom code in functions.php or .htaccess, double-check that the snippet is formatted correctly.
- Try temporarily disabling other plugins and switching to a default theme. A plugin or theme conflict could be blocking the new file types.
- Ask your hosting provider if they restrict certain file types at the server level. They may need to whitelist the types you want to allow.
- Check your WordPress error log (under Tools → Site Health → Info in your dashboard) for clues about what‘s going wrong.
If you‘re still having trouble, you may want to post in the plugin‘s support forum or the WordPress.org support forums for further guidance. The WordPress community is generally very helpful in troubleshooting issues.
Conclusion
Allowing additional file types for upload in WordPress is often necessary to run a site the way you need it to. Whether you want to share PSD mockups with design clients, offer CAD models for 3D printing enthusiasts, or embed custom JSON data, being able to upload a wide variety of file formats is crucial.
The good news is that expanding WordPress‘s default upload capabilities is fairly straightforward. Using a plugin is often the easiest method, but you can also modify your functions.php and .htaccess files if you‘re comfortable with code.
Just remember that with great power comes great responsibility. Whenever you allow a new file type, you‘re potentially opening up a new attack vector for bad actors. Be thoughtful about which types you enable, scan all uploads for malware, and keep regular backups so you can restore your site if needed.
By following the steps and best practices outlined in this guide, you‘ll be able to accept the file types you need while still maintaining a secure WordPress site. Happy uploading!
