Allowed File Types of WordPress File Upload Plugin

This article describes the allowed file types of WordPress File Upload plugin.

After update of WordPress File Upload plugin to version 3.9.0, or newer, many users are getting an error “Upload failed! File not allowed.” which did not occur before.


This is caused by the new security policy of WordPress File Plugin, which affected the file types allowed to be uploaded. The change of policy occurred so that websites are better protected against hacking attempts, such as arbitrary file uploads.

According to the new policy, the default value *.* in Allowed File Extensions option of the plugin will not allow all file types to be uploaded, but only specific ones. As a best practice, administrators are strongly encouraged to define specific lists of allowed file types (whitelists) instead of leaving the generic *.* option.


However, even if administrators define a specific list of file extensions, it is not certain that all will be allowed. This is because the plugin keeps a list of forbidden file extensions (blacklist) and will check first if any of the specified extensions is in the blacklist and if yes it will reject them.

To find out if a specific file extension is allowed by default, or needs to be explicitly defined through Allowed File Extensions option or it is forbidden, type it in the textbox below and press Check button.


56 thoughts on “Allowed File Types of WordPress File Upload Plugin”

  1. Hi,

    I’m using the free version and considering pro version I have this issue:

    I can’t modify the allowed types. If I try for example: “*.*,*.png” or even: “*.png”. It still gives me error.

    Also the “CHECK” button on this page doesn’t do anything.

    Kind regards


    1. Hi, first of all there is no need to declare *.png, because it is included in the allowed file extensions already (the *.* pattern). So, the problem is somewhere else. Do the files you are trying to upload contain more than one dot (.) in their filenames?



  2. Thanks for the fantastic plugin!

    Managed to get most of my files to work once added to the whitelist, but having trouble with *.ld files (lower case “L”). These are files spooled by race telemetry applications and sensors. We can upload them in .rar format but any particular reason these are natively prevented?

    1. Hi, .ld files are included in the blacklist, because they may contain executable code. Nevertheless there is a way to add an exclusion. Please do the following:

      1. Go to Dashboard / Settings / WordPress File Upload / Hooks and add a new Hook.
      2. Give it any title you want.
      3. Put the following code in the Code box:

      global $wfu_extension_blacklist;
      if ( isset($wfu_extension_blacklist["ld"]) ) unset($wfu_extension_blacklist["ld"]);

      4. Set Status to Active and Save.
      5. Add extension *.ld to the list of Allowed File Extensions of the shortcode.

      You are done.



      1. Is Hooks and add new a new Hook only availble in the PRO?
        I’d like to gain access to the blacklist on my server.

        I’m trying to add a .ino file or a .py file


        1. Yes Hooks is a feature of the Pro version, however you can gain access to the blacklist and customize it by adding the following code at the end of functions.php file of your theme:

          global $wfu_extension_blacklist;
          if ( isset($wfu_extension_blacklist["ino"]) ) unset($wfu_extension_blacklist["ino"]);
          if ( isset($wfu_extension_blacklist["py"]) ) unset($wfu_extension_blacklist["py"]);



          1. I tried adding to the end of functions.php of my theme, and also at the wfu_functions.php. But still the upload of exe and zip files comes back with “not allowed”.

            What am I missing (free version of the plugin)

            global $wfu_extension_blacklist;
            if ( isset($wfu_extension_blacklist[“exe”]) ) unset($wfu_extension_blacklist[“exe”]);
            if ( isset($wfu_extension_blacklist[“zip”]) ) unset($wfu_extension_blacklist[“zip”]);

          2. Sorry, I forgot to mention, you also need to set Allowed File Extensions in the shortcode accordingly, e.g. it should be *.*, *.exe, *.zip


      2. Dominic Grieco

        I get “Hook has been saved but cannot be activated because the code contains errors. Please check its syntax.” error when adding this into a new hook. What gives?

        1. Go to Settings and activate option “ModSecurity Restrictions”. Then go back to the hook and activate it. Maybe this will fix the problem.


      1. Hi, go to Advanced tab in plugin’s area in Dashboard, locate option Wildcard Asterisk Mode and set it to loose. This will allow files with many dots.



  3. The issue I’m having is that file types that have a “-” in them or a “_” or a space or don’t have a file extension are all not allowed. This is a problem because smartphones automatically add many of those characters. e.g.” file-name.jpg”, “file_name.jpeg”, “file name.jpg” or “filename” all do not work for me.

  4. Is there a wildcard for numbers? We want files that have revisions extensions at the end of the file names that are numbers. Do I need to add *.1,*.2,*.3,*.4,*.5 etc to the allowed file extensions? I would need to do this up into the hundreds.

    1. Hi, this is a bit more complicated, it cannot be done with allowed file extensions only, it requires a hook. I have answered to your email directly about this.



  5. Yeah, i have tried .eps, *.*,*.eps, eps in both the hook and the themes function.php file. Its still not working


    1. Do you files have dots (.) in their filenames? If yes, then you need to go to Advanced tab in Dashboard area of the plugin, locate option Wildcard Asterisk Mode and set it to loose.



    1. Can you please send me the shortcode you use? I managed to upload .jpg files, so the upload form works, however .eps failed.


  6. I used this shortcode in my form builder:

    I then used this in the hook and theme function:

    global $wfu_extension_blacklist;
    if ( isset($wfu_extension_blacklist[“*.*,*.eps”]) ) unset($wfu_extension_blacklist[“*.*,*.eps”]);
    if ( isset($wfu_extension_blacklist[“py”]) ) unset($wfu_extension_blacklist[“py”]);

    1. eps extension is not blacklisted, so you need to remove if ( isset($wfu_extension_blacklist[“*.*,*.eps”]) ) unset($wfu_extension_blacklist[“*.*,*.eps”]);.
      You need to open the shortcode using the visual editor of the plugin and set *.*,*.eps in Allowed File Extensions, or put it manually inside the shortcode [wordpress_file_upload uploadpatterns="*.*,*.eps"]


  7. Hi there

    I would like to purchase the pro version but i have some problem using the free version:

    1. i want to upload .stl and .obj file, but your plugin have forbidden due to security issue, please advise.

    2. I setup my upload path as “uploads/users/%username%” and enabled “Create Upload Path”, however when i test try to upload a .doc file, the file goes to /uplaods/2017/10. Please advise.

    3. Continuing from question 2, after i successfully uploaded the .doc file, no successfully message pop-up.

    4. I added drop down in the “additional fields”, so after my visitors successfully uploaded their files, where does the “additional fields” information be shown?

    5. I have chosen upload roles as all users except guest. When i surf my web as a guest, there is no upload area be showing on the page. Can the plugin be adjusted to give notice to the visitors to sign in instead of hiding the upload area?


    1. Hi, here are answers:

      1. Indeed stl and obj extensions are forbidden. You can override this restriction by adding a Hook (this is a Pro version feature). You can also do it in Free version by adding some lines of code in functions.php file of your theme as follows:
      global $wfu_extension_blacklist;
      if ( isset($wfu_extension_blacklist["obj"]) ) unset($wfu_extension_blacklist["obj"]);
      if ( isset($wfu_extension_blacklist["stl"]) ) unset($wfu_extension_blacklist["stl"]);

      2. Have you enabled “Add Uploaded Files to Media” or “Attach Uploaded Files to Post” options? These will force the plugin to override uploadpath and upload the files to the default upload folder of WordPress.
      3. Have you made any changes to placements attribute? There is a ‘message’ block that displays information about the upload.
      4. It is shown in View Log and File Browser in plugin’s area in Dashboard and it can also be added to the notification email. The Pro version also includes file viewers for normal users (not admins), where you can also include this info.
      5. Good point! I hadn’t thought of this. It can be done, though it is not so straightforward and requires some code tweaks and Hooks of the Pro version. Nevertheless, I will mention it to include an easy way to do it in the next version.



  8. Hi Nickolas, I have a pro version.
    I need to upload file with .stl,*.dentalCAD,*.dentalProject extension.
    I created a hook with this code inside and activated it. I have extensions in shortcode also.

    global $wfu_extension_blacklist;
    if ( isset($wfu_extension_blacklist[“stl”]) ) unset($wfu_extension_blacklist[“stl”]);
    if ( isset($wfu_extension_blacklist[“dentalCAD”]) ) unset($wfu_extension_blacklist[“dentalCAD”]);
    if ( isset($wfu_extension_blacklist[“dentalProject”]) ) unset($wfu_extension_blacklist[“dentalProject”]);

    Uploading does not work.
    Please help.
    2) I need to upload file that have a “-” in them or a “_” or a space.
    Best regards

    1. Hi, you do not need to put dentalCAD and dentalProject lines inside the hook, they are not blacklisted, just leave the first two lines.

      You need also to set Allowed File Extensions in the shortcode like this: *.stl, *.dentalCAD, *.dentalProject

      Please also activate option “Do not Change Filename” in the shortcode, so that files with -, _ and spaces do not change their filename.


  9. Hi Nickolas, it is possible insert a simple label between the customized user fields? Simple label does not exist in the field type…
    Thanks in advance

    1. Hi Leo, maybe yes it can be done. Can you please tell me the URL of the page with the upload form and what exactly do you want to do?



      1. Hi Nickolas, URL page is visible only if user is logged in…I can make 1 account for you. When can I send you login credentials and URL page?

    1. Yes indeed, however stl extension may also represent “C++ standard template library” files, which contain script. So, being on the safe side for protecting the websites, this extension is blacklisted (together with another 2503 ones).



  10. Hi Nickolas,

    I’m not clear on how to do this–basically, I want to allow your default whitelist PLUS some additional extensions that are neither on the whitelist or the blacklist. How would I go about doing that?


    1. Hi, you can set extensions in Allowed File Extensions option of the shortcode like this: *.*, *.ext1, *.ext2, *.ext3 and so on.

      Here is an article explaining file extensions support.



  11. The theme also seamlessly supports McAlister’s new Atomic Blocks project, a collection of page-building blocks included in the accompanying Atomic Blocks plugin. It currently includes blocks for creating a post grid, call-to-action, testimonials, inline notices, sharing icons, author profiles, accordions, customizable buttons, drop caps, and spacer/dividers, with many more blocks planned.

  12. Please i need help to use this plugin,
    mp3 is among allowed file, all efforts to upload it isn’t successful.
    I followed every steps mentioned in the previous comments, it doesn’t work. Even mp4 that i thought could give problem upload easily.
    I’m using the Free one for now, please any help, i need it to work.

    1. The problem i think it’s only with mobile phones, mp3 successfully upload on PC.
      Since many people we be using phone, any help to make it work on phone will be appreciated.
      Thank in advance.

    1. Hi, for allowing .xlsm files you should set Allowed File Extensions in the shortcode like this: *.*, *.xlsm



Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.