How to Fix ‘Sorry, This File Type Is Not Permitted for Security Reasons’ Error in WordPress

Last modified: June 28, 2026

When you try uploading a file to WordPress and get hit with “Sorry, this file type is not permitted for security reasons,” WordPress is doing its job. The platform maintains a whitelist of allowed MIME types, and anything outside that list gets blocked at the point of upload. It is a sensible default, but it can get in the way when you have a legitimate need to upload SVGs, JSON files, or other formats the whitelist does not cover. The good news is there are several ways to fix this, ranging from a one-line code change to a plugin that takes under a minute to set up.

What File Types WordPress Allows by Default

WordPress ships with a built-in whitelist of permitted MIME types. Out of the box, you can upload common image formats (JPG, PNG, GIF, WebP), standard document types (PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX), audio and video files (MP3, MP4, MOV, AVI), and a handful of others like TXT and CSV.

What gets blocked by default? Anything WordPress considers a potential security vector. That includes SVG files, JSON, XML, SWF, and executable types like PHP or EXE. SVGs are particularly notable because they are XML-based and can carry embedded JavaScript, making them a real attack surface if uploaded by a malicious user. JSON and XML are similarly risky in certain contexts because they can be parsed in unexpected ways.

The block is intentional. If your WordPress site has user-submitted content or multiple editors, keeping these formats off the whitelist reduces the attack surface significantly. Only extend the list when you have a specific need and you understand the associated risk.

Method 1: Add the ALLOW_UNFILTERED_UPLOADS Constant to wp-config.php

The fastest single-line fix is adding a constant to your wp-config.php file. Open the file via FTP or your host’s file manager and add this line above the /* That's all, stop editing! */ comment:

define( 'ALLOW_UNFILTERED_UPLOADS', true );

This grants administrator-level users the ability to upload any file type without restriction. Save the file and try your upload again.

Important limitation: This constant only works on single-site WordPress installations. On WordPress Multisite, it has no effect. If you are running a network, you will need one of the methods below instead.

Also be clear-eyed about what this does. It removes all file type restrictions for admin users. If you only need to allow one or two specific types, the upload_mimes filter (Method 2) is a better approach because it is more targeted.

Method 2: Add Specific File Types via the upload_mimes Filter

If you want to allow particular file types without opening the door to everything, the upload_mimes filter is the right tool. Add this snippet to your theme’s functions.php file or, better yet, a site-specific plugin:

function scanwp_custom_mime_types( $mimes ) {
    $mimes['svg'] = 'image/svg+xml';
    $mimes['json'] = 'application/json';
    $mimes['xml'] = 'text/xml';
    return $mimes;
}
add_filter( 'upload_mimes', 'scanwp_custom_mime_types' );

Adjust the array entries to match whatever types you need. Each entry takes the file extension as the key and the MIME type as the value. You can find official MIME type strings at the IANA media types registry if you are unsure of the correct value for a particular format.

One catch to be aware of: in WordPress 4.7.1 and later, a secondary check called wp_check_filetype_and_ext() verifies the actual file content against the declared MIME type using PHP’s fileinfo extension. Adding a MIME type to the filter is not always enough on its own if the server-level MIME detection disagrees. In those cases, you may also need to add a filter on wp_check_filetype_and_ext for that specific type.

How to Handle the wp_check_filetype_and_ext Secondary Check

In WordPress 4.7.1+, a secondary MIME verification called wp_check_filetype_and_ext() runs alongside the upload_mimes filter. It uses PHP’s fileinfo extension to inspect the actual file contents rather than trusting the extension. If the detected MIME type does not match what upload_mimes returns, WordPress blocks the upload even though you added the extension to the allowed list.

To disable this real MIME check for a specific file type, add a filter on wp_check_filetype_and_ext:

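add_filter( 'wp_check_filetype_and_ext', function( $data, $file, $filename, $mimes, $real_mime = null ) {
    // The decision is made on the file extension alone; the content-detected type in $real_mime is ignored.
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    if ( $ext === 'svg' ) {
        // Restore the extension and type that the content check cleared.
        $data['ext']  = 'svg';
        $data['type'] = 'image/svg+xml';
    }
    return $data;
}, 10, 5 );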

Change 'svg' to whichever extension you need. This filter tells WordPress to trust the declared type for that extension rather than relying on server-level MIME detection. Combine it with the upload_mimes filter above for a complete solution when the standard approach is not working.

If your server does not have the fileinfo PHP extension installed, the secondary check may also fail silently. In that case, upload_mimes alone is sufficient and the additional filter is not needed.
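
A narrower variant of the filter in this section, as an added example that is not from the original article: it restores the SVG type only when upload_mimes allows SVG for the current user and fileinfo reported a text or XML type, so content verification is not switched off for everything named .svg. The function name and the list of plausible detected types are assumptions to adjust for your server.

```php
<?php
// Added example, not from the original article. The function name is hypothetical.
function example_confirm_svg_type( $data, $file, $filename, $mimes, $real_mime = false ) {
    // Core already accepted the file, so there is nothing to restore.
    if ( ! empty( $data['type'] ) ) {
        return $data;
    }
    if ( 'svg' !== strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) ) ) {
        return $data;
    }
    // Respect upload_mimes, including a role-based version: no SVG entry, no override.
    $allowed = $mimes ? $mimes : get_allowed_mime_types();
    if ( ! in_array( 'image/svg+xml', $allowed, true ) ) {
        return $data;
    }
    // Types fileinfo may report for a genuine SVG. This list is an assumption:
    // log $real_mime for a known-good file on your server and trim it accordingly.
    $plausible = array( 'image/svg+xml', 'image/svg', 'text/xml', 'application/xml', 'text/plain' );
    if ( ! in_array( $real_mime, $plausible, true ) ) {
        return $data; // anything detected as another type stays blocked
    }
    $data['ext']  = 'svg';
    $data['type'] = 'image/svg+xml';
    return $data;
}
if ( function_exists( 'add_filter' ) ) { // only register when loaded inside WordPress
    add_filter( 'wp_check_filetype_and_ext', 'example_confirm_svg_type', 10, 5 );
}
```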

Method 3: Use a Plugin for a No-Code Approach

If you would rather not touch code, several plugins handle this cleanly. WP Extra File Types is a well-maintained free option available from the WordPress plugin directory. After installing and activating it:

  1. Go to Settings > WP Extra File Types in your WordPress admin.
  2. Check the box next to each file type you want to allow.
  3. Click Save Changes.

The plugin adds the selected MIME types to WordPress’s whitelist using the same upload_mimes filter under the hood. It also includes an SVG sanitizer option, which is worth enabling if you plan to allow SVG uploads.

Safe SVG is another solid plugin specifically for SVG uploads. It sanitizes SVG files on upload to strip out potentially harmful scripts before they are stored on your server. If SVGs are your primary need, Safe SVG is the more focused choice.

Method 4: Upload Files via FTP as a Workaround

If you need to get a file onto your server without changing any WordPress settings, FTP is a reliable workaround. Connect to your server using an FTP client like FileZilla, then navigate to wp-content/uploads/ and drop the file into the appropriate year/month subfolder.

The file will be on your server and accessible via its URL, but it will not appear in the WordPress Media Library automatically. To reference it in posts or pages, you would need to use the direct URL rather than selecting it through the media picker. This approach works well for one-off situations but is not practical if you regularly need to upload a particular file type.

Method 5: Use the REST API for Programmatic Uploads

For developers or specific workflow needs, WordPress’s REST API can handle file uploads to the media library. A POST request to /wp-json/wp/v2/media with the appropriate authentication and content headers will upload a file programmatically. This bypasses the admin UI upload check in some configurations, though the same MIME type filtering still applies server-side.

This method is most useful when you are building an integration, automating asset uploads, or working in a headless WordPress setup. For standard content management, the plugin or functions.php approaches are simpler.

SVG Uploads Require Extra Care

SVG files deserve their own discussion because they sit at the intersection of image formats and code. An SVG is an XML file, and XML can contain JavaScript. A maliciously crafted SVG uploaded to your media library and then rendered in a browser could execute scripts in your site’s context, creating a cross-site scripting (XSS) vulnerability.

If you allow SVG uploads, you should also sanitize them. The Safe SVG plugin handles this automatically on upload. It parses the SVG and strips any elements or attributes that could execute scripts, leaving a clean file. Do not simply add SVG to your MIME type whitelist and leave it at that, especially on sites where editors or contributors can upload files independently.
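
A reject-on-suspicion check for SVG uploads, as an added example that is not from the original article or from Safe SVG: it refuses files that contain script-capable elements, event handler attributes or javascript: URLs instead of trying to clean them. The function names and the blocked-element list are assumptions, and the check does not replace a maintained sanitizer.

```php
<?php
// Added example, not from the article or from Safe SVG. Function names are hypothetical.
/** Return reasons an SVG looks unsafe; an empty array means nothing was flagged. */
function example_svg_findings( string $svg ): array {
    // A DOCTYPE enables entity tricks, and a plain image does not need one.
    if ( false !== stripos( $svg, '<!DOCTYPE' ) || false !== stripos( $svg, '<!ENTITY' ) ) {
        return array( 'DOCTYPE or ENTITY declaration' );
    }
    $prev = libxml_use_internal_errors( true ); // collect parse errors instead of printing them
    $dom  = new DOMDocument();
    // LIBXML_NONET: no network access while parsing; an empty file is never passed to the parser.
    $ok = '' !== $svg && $dom->loadXML( $svg, LIBXML_NONET );
    libxml_use_internal_errors( $prev );
    if ( ! $ok || 'svg' !== strtolower( $dom->documentElement->localName ) ) {
        return array( 'not a well-formed SVG document' );
    }
    $findings = array();
    $blocked  = array( 'script', 'foreignobject', 'iframe', 'object', 'embed' );
    foreach ( $dom->getElementsByTagName( '*' ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $blocked, true ) ) {
            $findings[] = "<{$el->localName}> element";
        }
        foreach ( $el->attributes as $attr ) {
            // Browsers ignore whitespace and control characters inside a URL scheme.
            $value = strtolower( preg_replace( '/[\x00-\x20]+/', '', $attr->value ) );
            if ( 0 === stripos( $attr->localName, 'on' ) ) {
                $findings[] = "event handler attribute {$attr->name}";
            } elseif ( false !== strpos( $value, 'javascript:' ) ) {
                $findings[] = "javascript: URL in {$attr->name}";
            }
        }
    }
    return array_values( array_unique( $findings ) );
}
/** wp_handle_upload_prefilter callback: a string in $file['error'] makes WordPress refuse the upload. */
function example_reject_active_svg( array $file ): array {
    if ( 'svg' === strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
        $findings = example_svg_findings( (string) file_get_contents( $file['tmp_name'] ) );
        if ( $findings ) {
            $file['error'] = 'SVG rejected: ' . implode( ', ', $findings );
        }
    }
    return $file;
}
if ( function_exists( 'add_filter' ) ) { // loaded inside WordPress: register the hook
    add_filter( 'wp_handle_upload_prefilter', 'example_reject_active_svg' );
} elseif ( 'cli' === PHP_SAPI ) { // stand-alone run on a constructed sample
    print_r( example_svg_findings( '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script/></svg>' ) );
}
```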

Restricting File Type Uploads by User Role

Sometimes you want to allow a file type for administrators but not for editors or contributors. The upload_mimes filter makes this straightforward because you can check the current user’s role before modifying the list:

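function scanwp_role_based_mime_types( $mimes ) {
    // current_user_can() accepts a role name here, but WordPress recommends
    // checking a capability (for example 'manage_options') rather than a role.
    if ( current_user_can( 'administrator' ) ) {
        $mimes['svg'] = 'image/svg+xml';
        $mimes['json'] = 'application/json';
    }
    // All other users get the unmodified list.
    return $mimes;
}
add_filter( 'upload_mimes', 'scanwp_role_based_mime_types' );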

This approach lets you give trusted users access to additional formats while keeping tighter restrictions in place for lower-privileged accounts. For more on how WordPress user roles affect site permissions, see this guide on WordPress user roles and permissions.

Security Considerations Before You Enable New File Types

It is tempting to just allow everything and move on, but that creates unnecessary risk. Instead, follow this checklist before enabling any new file type:

  • Enable only what you actually need. If you need SVG support for one project, add SVG. Do not add SVG, JSON, XML, and SWF just because you can.
  • Sanitize uploads where possible. SVGs need sanitization. If a plugin or filter exists that cleans the file on upload, use it.
  • Consider who can upload. If your site has open registration or multiple editors, restrict new file types to trusted roles only.
  • Review periodically. If you enabled a file type for a one-time project, remove that permission when the project is done.
  • Keep plugins updated. If you use a plugin to manage file types, make sure it stays current. Outdated plugins with security flaws in their upload handling can create real problems.

How to Test That Your Fix Worked

After applying any of the methods above, confirm the change works before considering the job done:

  1. Go to Media > Add New in your WordPress admin.
  2. Try uploading a file of the type you just enabled.
  3. If it uploads successfully and appears in the media library, the fix is working.
  4. If you still see the “file type is not permitted” error, double-check that you saved your changes and, if you edited functions.php, that there are no PHP syntax errors causing the file to fail silently.

For the wp-config.php method, also confirm you are logged in as an administrator, since the ALLOW_UNFILTERED_UPLOADS constant only takes effect for admin-level accounts.

What File Types WordPress Allows by Default

WordPress ships with a built-in whitelist of permitted MIME types. By default you can upload common image formats (JPG, PNG, GIF, WebP), standard documents (PDF, DOC, DOCX, XLS, XLSX), audio and video (MP3, MP4, MOV, AVI), and a handful of others including TXT and CSV.

What gets blocked are formats WordPress treats as security risks: SVG, JSON, XML, PHP, EXE, and SWF. SVGs are blocked because they are XML-based and can carry embedded JavaScript. If you see “sorry, this file type is not permitted for security reasons,” the file you are uploading falls outside this default list.

How to Fix the 'Sorry, This File Type Is Not Permitted' Error

There are five main ways to fix this error in WordPress:

1. Add ALLOW_UNFILTERED_UPLOADS to wp-config.php (fastest, but only for single-site installations and admin users)
2. Use the upload_mimes filter in functions.php to allow specific file types by MIME type
3. Apply a role-based version of the filter to restrict new types to administrators only
4. Install WP Extra File Types or Safe SVG for a no-code plugin approach
5. Upload files directly via FTP to wp-content/uploads/ as a one-time workaround

The right method depends on whether you need a permanent solution or a one-off fix, and whether you prefer editing code or using a plugin.

Allow Specific File Types via upload_mimes Filter

The upload_mimes filter is the most targeted code-based fix. Add this to your theme’s functions.php or a site-specific plugin:

function scanwp_custom_mime_types( $mimes ) {
    $mimes['svg'] = 'image/svg+xml';
    $mimes['json'] = 'application/json';
    return $mimes;
}
add_filter( 'upload_mimes', 'scanwp_custom_mime_types' );

Each entry takes the file extension as the key and the MIME type as the value. Unlike the ALLOW_UNFILTERED_UPLOADS constant, this approach lets you allow specific formats without opening everything. It also works on WordPress Multisite, unlike the wp-config.php method.

Note: in WordPress 4.7.1 and later, a secondary check via wp_check_filetype_and_ext() verifies the actual file contents. In rare cases you may need an additional filter on that function for certain file types.

Plugin Options: WP Extra File Types and Safe SVG

Two plugins handle this without requiring code edits. WP Extra File Types is a free option from the official plugin directory. After installing, go to Settings > WP Extra File Types, check the file types you want to allow, and save. It uses the same upload_mimes filter under the hood.

Safe SVG is the better choice if SVG files are your primary need. It sanitizes uploaded SVG files on the way in, stripping embedded scripts and attributes that could create XSS vulnerabilities. This matters on any site where editors or contributors can upload files independently, not just administrators.

Both plugins are free and maintained. Safe SVG adds security that a simple MIME type filter does not provide, which is why it is the recommended approach for SVG uploads specifically.

Fixing the ‘Sorry, This File Type Is Not Permitted for Security Reasons’ Error

WordPress blocks unrecognized file types as a security measure, but when you have a legitimate reason to upload SVGs, JSON files, or other formats outside the default whitelist, you have several reliable options.

The quickest fix is adding ALLOW_UNFILTERED_UPLOADS to wp-config.php, though this opens the door for all file types and only works on single-site installations. For more targeted control, the upload_mimes filter lets you allow specific file types while leaving everything else blocked. The role-based version of that filter gives you even finer control, restricting new formats to administrators only.

If you would rather avoid code changes, WP Extra File Types and Safe SVG both handle MIME type management through the WordPress admin. Safe SVG is the better choice when SVG files are your primary need, since it sanitizes uploads on the way in to remove potentially harmful scripts.

For one-off situations, FTP upload to wp-content/uploads/ bypasses the WordPress file type check entirely. And for developers working programmatically, the REST API media endpoint handles file uploads outside the admin UI.

Whatever method you choose, be deliberate about which file types you enable and who can upload them. The default restrictions exist for good reason, especially on sites with multiple editors or open registration.
