So you just tried to upload a file on your WordPress website and, instead of successfully uploading, got an error message that said “Sorry, this file type is not permitted for security reasons.”

Your first instinct might be to panic. Did you just almost upload a corrupted file to your site? Was it malware? Is your site compromised now? Don’t worry. While this message might seem ominous, it only means that WordPress does not support the file type you tried to upload.

In this post, we’ll take a closer look at what causes this error message, and how you can resolve it.

Grow Your Business With HubSpot's Tools for WordPress Websites

Let’s say I try to upload an AVIF file to WordPress. AVIF is a new image format that produces compressed images without compromising on quality. Although this format promises to be a game changer in image compression, it’s still new and therefore not a popular file format.

WordPress does not support this file type. So if I try to upload an AVIF file, then I’ll get the “sorry, this file type is not permitted for security reasons” error.

Here’s how it looks in the Gutenberg editor.

“Sorry, This File Type Is Not Permitted for Security Reasons” Error in Gutenberg editor

If you only upload file types that WordPress supports, then you may never see this error message. Let’s take a look at what those file types are below.

WordPress Allowed File Types

WordPress supports a wide range of file types, including the most common images, video, document, and audio formats.

These file types are also known as Multipurpose Internet Mail Extensions (MIME). MIME types allow browsers to figure out what type of file has been uploaded to a web page. If you upload a .png file, for example, the browser will be able to determine it’s an image, and not a video or audio file.

According to the WordPress Codex, WordPress supports uploading the following file types:

Category File Name Extensions
Images .jpg
.jpeg
.png
.gif
.ico
Document .pdf 
.doc, .docx 
.ppt, .pptx, .pps, .ppsx 
.odt 
.xls, .xlsx 
.psd 
Audio .mp3
.m4a
.ogg
.wav
Video .mp4, .m4v 
.mov 
.wmv 
.avi
.mpg
.ogv 
.3gp
.3g2

You may be trying to upload one of these permitted file types and still get the “sorry, this file type is not permitted for security reasons” error message. Or you may want to upload a file type that’s not on this list.

In either case, there are steps you can take to resolve or avoid this error message. Let’s take a look at them below.

1. Check your file type extension.

Before you start messing around with your WordPress settings or PHP files, check the extension of the file you’re trying to upload. Maybe you accidentally changed the extension when saving the file. So the reason you’re seeing the error message is not a problem with your wp-config.php or functions.php file — it’s that you’re trying to upload an image in a video format.

The example below shows that I tried to upload a .jpg file as an .avi file and got the error message as a result.

Incorrect file name extension causing the "“Sorry, This File Type Is Not Permitted for Security Reasons” Error

This is an easy first step: if the file name extension is incorrect, then you can fix it and upload the file in the correct format. If it is correct, then you can move right along to the next step.

2. Change your multisite network settings.

If you are running a multisite installation — a network of sites that all share the same WordPress installation core files —  then you can easily add more allowed file types.

Just click Settings > Network Settings in your dashboard, and scroll down to Upload Settings. Then, in the input field next to Upload file types, add the extensions for the file types you want to upload.

Adding allowed file types in upload settings of WordPress multisite installation

Then save your changes. Users on any site in your network will now be permitted to upload all the file types listed here.

If you are running a single-site WordPress installation, then you won’t have this option in your settings. So you’ll have to try one of the steps below.

3. Edit your wp-config.php file to upload any file type.

If you want to permit any and all file types to be uploaded to your site, then you just need to add one line of code to your wp-config.php file.

It’s a relatively simple process, but as a best practice, you should always make a backup of your wp-config.php file before editing. That’s because even a small error in the file can make your site inaccessible.

Once you’ve made a copy of your wp-config.php file, follow the steps below to permit any file type upload.

    • Access File Manager via your hosting control panel.
    • Open your public_html folder.
    • Locate and right-click the wp-config.php file, then choose the Edit option.
    • Scroll to the bottom of the file
    • Scroll down to the end of the file to the line that reads /* That's all, stop editing! Happy blogging. */and paste the following line of code:

 
define('ALLOW_UNFILTERED_UPLOADS', true);

  • Save your changes and sign back into your WordPress dashboard. You should now be permitted to upload any file type.

This is a relatively easy solution, but not ideal for every website. If multiple users are uploading files on your WordPress site for example, then you may want to be more specific about which file types are permitted. In that case, keep reading.

4. Edit your theme’s functions.php file to modify permitted file types.

If you want to permit only certain file types to be uploaded to your site, then you can use the Upload_Mimes Filter.

  • Access File Manager via your hosting control panel.
  • Open your wp-content folder.
  • Open your themes folder.
  • Locate and right-click the functions.php file, then choose the Edit option.
  • Scroll to the bottom of the file and paste the following code snippet.

 
function cc_mime_types($mimes) {

     

    // New allowed mime types.

  $mimes['svg'] = 'image/svg+xml';

  $mimes['svgz'] = 'image/svg+xml';

  return $mimes;

}

add_filter( 'upload_mimes', 'my_custom_mime_types' );

Note that this adds SVG and SVGZ files. You can change or add MIME types to this code snippet, depending on what file types you want to upload.

While advanced users won’t have a problem adding code to their functions.php or wp-config.php files, beginners might. In that case, they can use a WordPress plugin.

5. Install a plugin to add more permitted file types.

If you’d prefer not to edit your wp-config.php or functions.php files or deal with any code, then you can use a plugin to add permitted file types on your website. WP Add Mime Types and File Upload Types by WPForms are two such plugins. While both are available in the official WordPress directory (and therefore free) and highly rated, File Upload Types is more beginner-friendly. Let’s take a look at how to use it below.

  • Install and activate the plugin in your WordPress dashboard. You’ll be automatically redirected to the Plugins page.
  • Under File Upload Types, click Settings.
  • Check the box next to the file types you want to be able to upload, or add your own custom file type.
  • Click Save Settings when you’re ready.

Adding more permitted file types using File Upload Types by WPForms plugin

6. Contact your hosting provider.

If you’ve tried all the steps above and are still getting an error message, then contact your WordPress hosting provider.

It’s possible that your provider has stricter limits on the file types you can upload than WordPress has by default. In that case, the steps above won’t be able to resolve the “sorry, this file type is not permitted for security reasons” error, but your provider’s customer support likely can.

Uploading File Types in WordPress

A “sorry, this file type is not permitted for security reasons” error error can be frustrating for site admins and users. The good news is that the steps above can either resolve the error or allow you to control which file types you’re able to upload — without compromising the security of your WordPress site.

To review which file types WordPress allows by default, see its list of accepted file types. Also note that you can upload HTML files to WordPress as well.

 

Use HubSpot tools on your WordPress website and connect the two platforms  without dealing with code. Click here to learn more.

 Use HubSpot tools on your WordPress website and connect the two platforms  without dealing with code. Click here to learn more.

Originally published Jan 13, 2021 7:00:00 AM, updated March 18 2021

Topics:

WordPress Security