How to Upload Banned File Types to WordPress Media Library

When working with WordPress, most users find that the media library is one of the most helpful features they could ask for. From sorting pictures and videos with helpful, searchable descriptions, to storing files in your own personal cloud, the WordPress media manager is useful is a variety of ways, limited only by one’s needs – and the outright ban on uploading some file types.

In order to help to keep you safe from malicious uploads, WordPress prevents some file types from being added to the media library right out of the box; even more to the point, WordPress allows the uploading of only a very few file types. They are:

[adsense_id=”1″]
  • .jpg/.jpeg (images)
  • .png (images)
  • .gif (images)
  • .pdf (documents)
  • .doc/.docx/.odt (documents)
  • .ppt/.pptx/.pps/.ppsx (presentations)
  • .xls/.xlsx (spreadsheets)
  • .mp3/.m4a/.ogg/.wav (audio)
  • .mp4/.m4v/.mov/.wmv/.avi/.mpg/.ogv/.3gp/.3g2 (video)

A through list where files that can be strictly considered media are concerned, but obviously leaving out hundreds of other file types that we work with on a daily basis.

In my case, I wanted to upload a few premium fonts (in .ttf format) that I had purchased, just to be sure that they were available to me any time, from anywhere – it’s my cloud, after all! Unfortunately, when I attempted to upload my .ttf files, I received the error shown in the picture above: “Sorry, this file type is not permitted for security reasons.”

Now, while I most definitely appreciate WordPress’ attempt to keep me safe – many file types can contain malicious code, viruses, and other threats, after all – I immediately knew that I’d need to find a workaround for this problem if I wanted to be able to store any non-media files in my WordPress media manager.

How to Upload Banned File Types to WordPress Media Library

Thankfully, like most things relating to WordPress, a short investigation lead me to a simple, easy to implement solution that would allow me to manually add any file type of my choosing to WordPress’ “allowed” list. Here’s how it works:

  1. Open your theme’s functions.php file.
  2. Add the following code, changing the file extension and MIME type to suit your particular purposes:

add_filter(‘upload_mimes’, ‘add_custom_upload_mimes’);
function add_custom_upload_mimes($existing_mimes) {
$existing_mimes[‘csv’] = ‘application/octet-stream’;
$existing_mimes[‘xml’] = ‘application/atom+xml’;
return $existing_mimes;
}

A Short Note on MIME Types

Given that it isn’t a term used often by most web developers, you may be asking just what exactly a MIME type is; while you can get a full run-down on Wikipedia, this brief overview should be all that you need:

A MIME type, sometimes called an “Internet media type,” is a value assigned to files accessed via web protocols in order to identify their type. Each MIME type value follows the same “general/specific” format – for example, the MIME type for MP3 files is “audio/mpeg”.

You will need to include the appropriate MIME type for whatever file type you’d like WordPress to allow you to upload – click here for a full list of MIME types for you to peruse, courtesy of Wikipedia.

A Short Note on Security

Keeping the safety of your website and hosting account in mind, you need to take extra precautions to be sure that your fiddling around with allowed file types does not open you up to trouble. In my case, I was uploading files to a private WordPress installation that cannot be accessed by the public, so I was safe from the start. Assuming you’re working with a public website here, you’ll need to be sure that you:

  • Continue to disallow file types such as .exe and .php that are particularly prone to containing malicious code.
  • Ensure that anyone below the level of admin has no upload rights, helping you to be sure that you, the admin, are the only one able to add potentially dangerous file types to the media library.

Comments

  1. Salvatore Dibendetto says:

    Hi this post is great but please fix your code: that is not working.

    Here how I fixed it :

    add_filter(‘upload_mimes’, ‘add_custom_upload_mimes’);
    function add_custom_upload_mimes($existing_mimes){
    $existing_mimes[‘csv’] = ‘application/octet-stream';
    $existing_mimes[‘xml’] = ‘application/atom+xml';
    return $existing_mimes;
    }

  2. Salvatore, you are correct. The above code is not correct.

    Here is a working example

    add_filter(‘upload_mimes’, ‘i3d_custom_upload_mimes’);
    function i3d_custom_upload_mimes ( $existing_mimes=array() ) {
    $existing_mimes[‘svg’] = ‘image/svg+xml';
    return $existing_mimes;
    }

  3. Tuyen Nguyen says:

    Thank you, it works for me.

Leave a Reply to Salvatore Dibendetto Cancel reply

*