Chances are pretty high that you landed here because you are having trouble trying to upload some files to your WordPress – Media Library.

You likely have run into one of the following error messages when attempting the upload:”Sorry, this file type is not permitted for security reasons.”

OR“Sorry, you are not allowed to upload this file type.”

Well you are in luck! Because this is exactly where you need to be to understand and fix these errors. In this guide, we will cover the causes and solutions for WordPress file type related error messages like these.

Feel free to take a look at our table of contents and take advantage of its quick access jump links to get to the subsection of this article that is most appropriate to your needs.

What causes File/MIME Type errors in WordPress?

The short answer is simple, security. It’s part of web application coding best practices to restrict what file types your uploader will process. This practice mitigates intrusion risks in your codebase by limiting the influence of unrecognized data streams. This way allows for an easy stopgap to maintain application security. Closing the door to the risk factors associated with unknown file types is a must have in the modern day and this policy is designed toward keeping the application and your site’s precious user data safe.

It’s unfortunate that the “sorry this file type is not permitted for security reasons” error couldn’t be a bit more specific about what “security reasons” means…

Why restrict certain file types for upload to WordPress?

Owning the greater portion of the CMS marketplace paints a massive target on your back for would be abusers.

Hackers have a vested interest in probing the internal security practices that govern widely adopted software, like WordPress, as it provides them with a much bigger pool of known source code with potential exploitable attack vectors. Knowing exactly what source code is running on the target system is a basic starting point of intrusion efforts. Unknown file types are routinely blocked by WordPress, as with many other web applications, to mitigate the risks they represent. It’s no small task to write code that understands the intricacies of a file type’s structure and potential security pitfalls. So disallowing any extensions that are not within the specific subset of file types your application understand is security 101 best practices.

File uploads in any web-based software are often limited and for good reason. This extends beyond WordPress alone and into the realm of general web application coding best practices. Accepting just any file data that is presented to your software by end-users is akin to the Trojan Horse story of Greek Myth. You never really know what might be hiding inside of an unknown file structure . Especially when that file’s internal structures are not understood by that software or those file types have not been properly vetted and mitigated security risks.

As annoying as it may be to have to deal with error messages like “sorry this file type is not permitted for security reasons”, we can take solace in knowing that random user uploads of potential malware is restricted and users cannot upload code indiscriminately on your site because of these types of limitations. This fundamental principle in code design is already at work around the globe protecting millions of sites from would be intruders who attempt to force uploads of malicious payloads round the clock.

How To Fix “Sorry, this file type is not permitted for security reasons.”

The everyday heroics of our SirsteveHQ support team have found a number of workarounds to get custom extensions past this protective barrier. We can introduce new MIME types via direct code, new plugins, or even customized themes. So lets go through just how to apply these solutions to a common problem so you may be able to expand the functionality of your WordPress environment beyond its core functionality.

We’re assuming that you know your plugin or file is safe and you would like to proceed with uploading it anyway despite the “sorry this file type is not permitted for security reasons.” error.

Doublecheck File Selection And File Extension Spelling

First things first, doublecheck the file extension of the file you are attempting to upload. If you had mistakenly selected the wrong file or happened to misspell its file extension, solving your problem would be as simple as fixing the selection or spelling mistake.

How To Bypass File Upload Restrictions In WordPress

This section will cover the different methods of bypassing file upload restrictions in WordPress. As with most things, there are a few different potential solutions to this problem and this section will go over them.

Stop & Consider – Do I Really Need This File Type?

As discussed in our opening, there is good reason why WordPress limits uploads to a specific subset of file extensions. The point to consider here is whether the change you want to impose on your site is necessary and worth the potential additional security risks involved with enabling the unknown file types you might require.

We will go over the methods for allowing specific, or in some cases all, file types, but we should definitely first take time to stop and consider the pros/cons of adding any new MIME types to the list of supported file extensions.

Stick To Known WordPress MIME Types

The following are the list of known file types that WordPress as a platform supports inherently. These files types are the proven internet standard assets and pose little risk on their own. Sticking to these will not cause any additional potential risks with your site and require no special plugins or compatible themes to make work properly.

Audio Files

• m4a
• mp3
• ogg
• wav

Documents

• csv
• doc
• docx
• key
• odt
• pdf
• pps
• ppsx
• ppt
• pptx
• txt
• xls
• xlsx

Images

• gif
• heic
• jpeg
• jpg
• png

Videos

• 3g2
• 3gp
• avi
• m4v
• mov
• mp4
• mpg
• ogv
• vtt
• wmv

Note: You can always find a complete list of supported file types on the WordPress Support page for Accepted File Types. Since these defaults could change over time, it’s a good idea to check with the authoritative source. The button below will take you there.

WordPress Support – Accepted File Types

COMMON UNSUPPORTED FILE TYPES

The hero in me wanted to make solving your file types issue easier. So to that end, I have scoured around online to locate some of the more common unsupported extensions that people typically enable in WordPress. The table below provides both the extension, and document type string needed for WordPress plugins to properly recognize how to use these file types. This is by no means an exhaustive list, but while digging around, I did come across a few good resources for looking up the MIME/Type information you may need.

Common Unsupported WordPress File Types

mimetype.io

developer.mozilla.org

A WORD OF CAUTION ABOUT VIDEO UPLOADS: it’s generally best to use a reliable third-party video streaming service instead of uploading videos directly into the Media Library. There are many video related plugins that make integration with these platforms simple and seamless.

Convert Files To A Supported WordPress MIME Type

In many ways, uploading unsupported file types has little place within the WordPress file manager. Adding an SVG file to your file manager will not automatically make that file type understood by WordPress. You need a special plugin or compatible theme that can make use of this type of file. Lacking one of these components means that there is no benefit to forcing this type of file upload on your site and you should consider another format.

In most cases, there is an acceptable supported format you can use instead. So unless you have a very specific need for adding those custom .tiff or .woff fonts, plus the plugins/theme necessary to support them, then it’s probably better to convert the file to a already supported MIME Type. Below are a selection of three sites out of the uncountable number of online tools available that can help perform file format conversion.

Cloudconvert

Convertio

Online-convert

Disable File Upload Restrictions In WordPress

It’s actually rather simple to get around the default upload restrictions by enabling unfiltered uploads in your WordPress config file. Caution should be taken with this solution as it opens up the website to many potential attack vectors that come with unfiltered uploads.

How To Disable File Upload Restrictions In WordPress

NOT RECOMMENDED: This solution as it opens your site up to the various risk factors associated with processing out-of-scope data streams. Please consider an alternate solution from this article before resorting to such a heavy-handed approach.

• Locate your WordPress config file and open it in your preferred editor.

• WordPress Installation Root
  • wp-content

• On the first line, find the PHP start tag, and add a new line after it.

<?php

/** 
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,

• Input the following snippet on your newly added line:

define('ALLOW_UNFILTERED_UPLOADS', true);

Example:

<?php
    define('ALLOW_UNFILTERED_UPLOADS', true);
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,

• Save your file changes and retry your upload.

Note: you may need to logout of your WordPress Admin and login again.

Add New File Types To Your Theme (Advanced Users)

The following instructions walk through the process of modifying your theme’s functions file to add a new custom function that updates the global mime_types array where WordPress stores the list of allowed file extensions/MIME types.

Note: Since this solution requires a basic understanding of PHP syntax, we classified this as a solution for advanced users.

How To Add New File Types To Your Theme

• Locate your theme’s functions file and open it in your preferred editor.

Note: replace theme_name with your themes actual folder name instead.

• WordPress Installation Root
  • wp-content
    • themes
      • theme_name
        • functions.php

• Navigate to the bottom of the functions file and add a new line after the last.

The last lines of your functions file will likely be different than this example. However, the important take away is to make sure you are adding the new line to the very bottom past all other code contained in the file.

// updater for WordPress.com themes
if ( is_admin() )
            include dirname( __FILE__ ) . '/inc/updater.php';

• Input the following snippet on your newly added line

You will need to update this snippet to reflect your specific MIME needs. You can add/remove any number of MIME Types by duplicating the appropriate add/remove lines and modify them to cover your requirements.

function update_mime_types($mime_types) {

    // Add the new EXTENSION as its associated MIME/Type string
    $mime_types['EXTENSION'] = 'MIME/Type';

    // Remove the following extension's MIME/Type
    unset( $mime_types['EXTENSION'] );
    

    //Returns the full list of MIME types. 
    return $mime_types;
}
add_filter( 'upload_mimes', 'update_mime_types' );

Example:

This example uses the following keyword replacements, so be sure to substitute the correct information in these places. I’ve highlighted them within the example below to make them easier to tell apart.

• EXTENSION – The file type extension in all CAPS (e.g. SVG, TIFF, ETC…)
• MIME/Type – The extensions file type string. (e.g. image/gif, or video/divx)

// updater for WordPress.com themes
if ( is_admin() )
include dirname( __FILE__ ) . ‘/inc/updater.php’;

function update_mime_types($mime_types) {

// Add EXTENSION as its associated MIME Type string
$mime_types[‘SVG‘] = ‘image/svg+xml‘;
$mime_types[‘WOFF‘] = ‘font/woff‘;

// Remove EXTENSION from the allowed MIME Type list
unset( $mime_types[‘SVG‘] );
unset( $mime_types[‘WOFF‘] );

//Returns the full list of MIME types.
return $mime_types;
}
add_filter( ‘upload_mimes’, ‘update_mime_types’ );

• Save your file changes and retry your upload.

Note: you may need to logout of your WordPress Admin and login again.

Install A Plugin To Assist With Adding New MIME Types

In general if you have a problem, there is a plugin already in the marketplace that can solve it. Whether that plugin is free or costs a premium is generally the only question. In this particular case though, there are two very good completely free plugins you an use to modify the site’s list of supported file types. These make it simple for beginner users to circumvent the “sorry this file type is not permitted for security reasons” error for specific file types. You can visit these plugins pages in the marketplace using their respective buttons below:

Mime Types Plus

WP Add Mime Types

MIME Related Plugins

WordPress Multisite Uploads

Modifying the list of supported file extensions when running a WordPress Multisite doesn’t require any special plugins nor do you need to manually update your theme’s function code directly. You can simply visit the WordPress Network Settings page where you can add and remove permitted file types in a simple user-friendly interface.

1. Login to WordPress Admin
2. Navigate to Network Admin -> Settings -> Network Settings
3. Scroll down to Upload Settings
4. Add/Remove file extensions from the Upload file types field.
5. Return to the WordPress – Media Library for the site in question.
6. Retry your upload

Contact Your Webhost Support For Assistance

If you are unsure about making these types of changes yourself, than you should reach out to your web hosting provider’s support team. Depending on their support policies they can generally be able to walk you through the solutions outlined in this article. What’s even better, most fully-managed providers, may even do the work for you.

If you are hosting your sites with SirsteveHQ, than don’t hesitate to contact the everyday heroes in technical support who will gladly take up the charge to assist you through these types of changes.