Published on Aug 6, 2025 4 min read

Restricting File Uploads in WordPress for Enhanced Security

You must control the files that users upload to your WordPress site for both security and simplicity. Controlling uploads helps stop unsafe programs, reduce risks, and maintain site compatibility. This guide provides a straightforward way to manage and control file types uploaded to your site.

Why Limit File Uploads?

Understanding the importance of limiting file uploads in WordPress is crucial. By default, WordPress allows images, document files, audio files, and video files to be uploaded. Although convenient, this flexibility might pose risks if not managed correctly.

Key Reasons to Limit File Upload Types:

• Security: Unrestricted file uploads can allow hackers to upload harmful files, such as .php and .exe. Limiting file types helps secure your site and its data.
• Performance: Unnecessary or unsupported file types can strain server resources, slowing site speeds and increasing hosting costs. Limiting file types enhances efficiency by reducing server load.
• User Experience: Incorrect file types can cause issues, like unsupported files that don’t display properly. Restricting uploads ensures a smoother experience for both admins and visitors.
• Content Consistency: If your site has specific branding, you may want only certain content types, such as specific image formats or professional documents. Limiting file types maintains consistency, preventing clutter or irrelevant content.

Default WordPress Allowed File Types

By default, WordPress supports these file types:

• Images: .jpg, .jpeg, .png, .gif, .ico
• Documents: .pdf, .doc, .docx, .ppt, .pptx, .pps, .ppsx, .odt, .xls, .xlsx
• Audio: .mp3, .m4a, .ogg, .wav
• Video: .mp4, .m4v, .mov, .wmv, .avi, .mpg, .ogv, .3gp, .3g2

If your website doesn’t need some of these, consider restricting them.

Step-by-Step Guide to Restrict File Upload Types in WordPress

There are several methods to restrict file types, depending on your technical expertise and project needs.

Step 1: Back Up Your Website

Always create a full backup before making any changes to your WordPress site—especially when altering core behavior or installing new features. Backups protect your data and ensure you can restore your site if anything goes wrong. Consider using plugins like:

• UpdraftPlus
• Jetpack Backup
• Duplicator

Step 2: Decide What File Types You Want to Allow

List the file types you want users to upload, which may vary by site type:

• Blog: Likely just images (.jpg, .png, .gif)
• Portfolio: Might include PDFs or video files
• E-commerce: May need product images and brochures

Having this list ready makes configurations clearer and more focused.

Step 3: Use the upload_mimes Filter in functions.php

The most direct way to limit file types is by using the upload_mimes filter in your theme’s functions.php file.

How to do it:

1. Navigate to Appearance > Theme File Editor.
2. Open functions.php.

What this does:
Overrides the default list of allowed file types and sets a custom list.

Step 4: Use a Plugin (for Non-Developers)

If you’re not comfortable editing theme files, plugins offer an easier method. Popular choices include:

1. WP Extra File Types

1. Go to Plugins > Add New.
2. Search for “WP Extra File Types”.
3. Install and activate.
4. Go to Settings > Extra File Types.
5. Check or uncheck file types based on preference.
6. Save changes.

2. File Upload Types by WPForms

• Another intuitive plugin offering similar functionality.
• Especially useful if you already use WPForms for form handling.

Step 5: Restrict Upload Types by User Role (Optional)

You might allow certain file types for admins while restricting them for contributors or subscribers. This ensures sensitive or risky formats, like executable files, are kept away from general users. Meanwhile, it allows admins to manage these file types as needed, balancing security and functionality.

Step 6: Use .htaccess for Server-Level Restrictions

On Apache-based servers, the .htaccess file can add an extra restriction layer:

<FilesMatch "\.(exe|php|sh|bat|pl)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

This prevents access to potentially dangerous file types, even if they’re uploaded.

Step 7: Test Your Configuration

After setting restrictions:

• Use the WordPress media uploader.
• Try uploading both allowed and disallowed file types.
• Verify that disallowed files are blocked.

Testing ensures your site functions as expected with user-defined rules.

Tips for File Upload Security

1. Enable File Scanning Plugins

Plugins like Wordfence or Sucuri Security can scan uploads for malware or anomalies.

2. Limit File Size

Control file sizes using php.ini or .htaccess:

upload_max_filesize = 2M
post_max_size = 3M

3. Rename Files Automatically

Prevent file conflicts or attacks using plugins like “Media File Renamer” to rename files upon upload.

4. Avoid Allowing Executables

Never allow scripts or executables (e.g., .php, .exe) to be uploaded—even by admins.

Conclusion

File uploads can be convenient, but prioritizing security is essential to avoid issues. By following this guide, you can restrict file uploads effectively and address common concerns. Keeping your software updated and reviewing your site’s security settings regularly will further secure your website and its users. Thank you for reading our guide on restricting file uploads in WordPress. We hope it helps you manage your website’s security effectively.