This article describes the allowed file types of WordPress File Upload plugin.

After update of WordPress File Upload plugin to version 3.9.0, or newer, many users are getting an error “Upload failed! File not allowed.” which did not occur before.

screenshot102

This is caused by the new security policy of WordPress File Plugin, which affected the file types allowed to be uploaded. The change of policy occurred so that websites are better protected against hacking attempts, such as arbitrary file uploads.

According to the new policy, the default value *.* in Allowed File Extensions option of the plugin will not allow all file types to be uploaded, but only specific ones. As a best practice, administrators are strongly encouraged to define specific lists of allowed file types (whitelists) instead of leaving the generic *.* option.

screenshot103

However, even if administrators define a specific list of file extensions, it is not certain that all will be allowed. This is because the plugin keeps a list of forbidden file extensions (blacklist) and will check first if any of the specified extensions is in the blacklist and if yes it will reject them.

To find out if a specific file extension is allowed by default, or needs to be explicitly defined through Allowed File Extensions option or it is forbidden, type it in the textbox below and press Check button.



 

Allowed File Types of WordPress File Upload Plugin

38 thoughts on “Allowed File Types of WordPress File Upload Plugin

  • Hi,

    I’m using the free version and considering pro version I have this issue:

    I can’t modify the allowed types. If I try for example: “*.*,*.png” or even: “*.png”. It still gives me error.

    Also the “CHECK” button on this page doesn’t do anything.

    Kind regards

    B

    1. Hi, first of all there is no need to declare *.png, because it is included in the allowed file extensions already (the *.* pattern). So, the problem is somewhere else. Do the files you are trying to upload contain more than one dot (.) in their filenames?

      Regards

      Nickolas

  • Thanks for the fantastic plugin!

    Managed to get most of my files to work once added to the whitelist, but having trouble with *.ld files (lower case “L”). These are files spooled by race telemetry applications and sensors. We can upload them in .rar format but any particular reason these are natively prevented?

    1. Hi, .ld files are included in the blacklist, because they may contain executable code. Nevertheless there is a way to add an exclusion. Please do the following:

      1. Go to Dashboard / Settings / WordPress File Upload / Hooks and add a new Hook.
      2. Give it any title you want.
      3. Put the following code in the Code box:

      global $wfu_extension_blacklist;
      if ( isset($wfu_extension_blacklist["ld"]) ) unset($wfu_extension_blacklist["ld"]);

      4. Set Status to Active and Save.
      5. Add extension *.ld to the list of Allowed File Extensions of the shortcode.

      You are done.

      Regards

      Nickolas

      1. Is Hooks and add new a new Hook only availble in the PRO?
        I’d like to gain access to the blacklist on my server.

        I’m trying to add a .ino file or a .py file

        Thanks

        1. Yes Hooks is a feature of the Pro version, however you can gain access to the blacklist and customize it by adding the following code at the end of functions.php file of your theme:

          global $wfu_extension_blacklist;
          if ( isset($wfu_extension_blacklist["ino"]) ) unset($wfu_extension_blacklist["ino"]);
          if ( isset($wfu_extension_blacklist["py"]) ) unset($wfu_extension_blacklist["py"]);

          Regards

          Nickolas

          1. I tried adding to the end of functions.php of my theme, and also at the wfu_functions.php. But still the upload of exe and zip files comes back with “not allowed”.

            What am I missing (free version of the plugin)

            global $wfu_extension_blacklist;
            if ( isset($wfu_extension_blacklist[“exe”]) ) unset($wfu_extension_blacklist[“exe”]);
            if ( isset($wfu_extension_blacklist[“zip”]) ) unset($wfu_extension_blacklist[“zip”]);

          2. Sorry, I forgot to mention, you also need to set Allowed File Extensions in the shortcode accordingly, e.g. it should be *.*, *.exe, *.zip

            Nickolas

      2. I get “Hook has been saved but cannot be activated because the code contains errors. Please check its syntax.” error when adding this into a new hook. What gives?

        1. Go to Settings and activate option “ModSecurity Restrictions”. Then go back to the hook and activate it. Maybe this will fix the problem.

          Nickolas

      1. Hi, go to Advanced tab in plugin’s area in Dashboard, locate option Wildcard Asterisk Mode and set it to loose. This will allow files with many dots.

        Regards

        Nickolas

  • The issue I’m having is that file types that have a “-” in them or a “_” or a space or don’t have a file extension are all not allowed. This is a problem because smartphones automatically add many of those characters. e.g.” file-name.jpg”, “file_name.jpeg”, “file name.jpg” or “filename” all do not work for me.

  • Is there a wildcard for numbers? We want files that have revisions extensions at the end of the file names that are numbers. Do I need to add *.1,*.2,*.3,*.4,*.5 etc to the allowed file extensions? I would need to do this up into the hundreds.

    1. Hi, this is a bit more complicated, it cannot be done with allowed file extensions only, it requires a hook. I have answered to your email directly about this.

      Regards

      Nickolas

    1. Do you files have dots (.) in their filenames? If yes, then you need to go to Advanced tab in Dashboard area of the plugin, locate option Wildcard Asterisk Mode and set it to loose.

      Regards

      Nickolas

    1. Can you please send me the shortcode you use? I managed to upload .jpg files, so the upload form works, however .eps failed.

      Nickolas

  • I used this shortcode in my form builder:
    [wordpress_file_upload]

    I then used this in the hook and theme function:

    global $wfu_extension_blacklist;
    if ( isset($wfu_extension_blacklist[“*.*,*.eps”]) ) unset($wfu_extension_blacklist[“*.*,*.eps”]);
    if ( isset($wfu_extension_blacklist[“py”]) ) unset($wfu_extension_blacklist[“py”]);

    1. eps extension is not blacklisted, so you need to remove if ( isset($wfu_extension_blacklist[“*.*,*.eps”]) ) unset($wfu_extension_blacklist[“*.*,*.eps”]);.
      You need to open the shortcode using the visual editor of the plugin and set *.*,*.eps in Allowed File Extensions, or put it manually inside the shortcode [wordpress_file_upload uploadpatterns="*.*,*.eps"]

      Nickolas

  • Hi there

    I would like to purchase the pro version but i have some problem using the free version:

    1. i want to upload .stl and .obj file, but your plugin have forbidden due to security issue, please advise.

    2. I setup my upload path as “uploads/users/%username%” and enabled “Create Upload Path”, however when i test try to upload a .doc file, the file goes to /uplaods/2017/10. Please advise.

    3. Continuing from question 2, after i successfully uploaded the .doc file, no successfully message pop-up.

    4. I added drop down in the “additional fields”, so after my visitors successfully uploaded their files, where does the “additional fields” information be shown?

    5. I have chosen upload roles as all users except guest. When i surf my web as a guest, there is no upload area be showing on the page. Can the plugin be adjusted to give notice to the visitors to sign in instead of hiding the upload area?

    Thanks
    Patrick

    1. Hi, here are answers:

      1. Indeed stl and obj extensions are forbidden. You can override this restriction by adding a Hook (this is a Pro version feature). You can also do it in Free version by adding some lines of code in functions.php file of your theme as follows:
      global $wfu_extension_blacklist;
      if ( isset($wfu_extension_blacklist["obj"]) ) unset($wfu_extension_blacklist["obj"]);
      if ( isset($wfu_extension_blacklist["stl"]) ) unset($wfu_extension_blacklist["stl"]);

      2. Have you enabled “Add Uploaded Files to Media” or “Attach Uploaded Files to Post” options? These will force the plugin to override uploadpath and upload the files to the default upload folder of WordPress.
      3. Have you made any changes to placements attribute? There is a ‘message’ block that displays information about the upload.
      4. It is shown in View Log and File Browser in plugin’s area in Dashboard and it can also be added to the notification email. The Pro version also includes file viewers for normal users (not admins), where you can also include this info.
      5. Good point! I hadn’t thought of this. It can be done, though it is not so straightforward and requires some code tweaks and Hooks of the Pro version. Nevertheless, I will mention it to include an easy way to do it in the next version.

      Regards

      Nickolas

Leave a Reply

Your email address will not be published. Required fields are marked *