Fixing "sorry, this file type is not permitted for security reasons"

You're uploading a file to WordPress, and then it hits: "Sorry, this file type is not permitted for security reasons." The file is safe. You know that. But WordPress doesn't agree.

This error blocks any file format that isn't on the default allowed list. SVGs, custom fonts, JSON configs, newer image formats like AVIF. All rejected by the WordPress Media Library until you change the settings.

This guide covers how to fix "sorry, this file type is not permitted for security reasons" using six different methods, from simple file conversion to editing wp-config.php, adding custom MIME types through functions.php, and using plugins. Each method has different tradeoffs between convenience and security, so you can pick what fits your situation.

What Is the "Sorry, This File Type Is Not Permitted for Security Reasons" Error

"Sorry, this file type is not permitted for security reasons" is a WordPress error message that appears when you try to upload a file format that isn't on the default allowed list through the Media Library or wp-admin dashboard.

WordPress keeps a whitelist of approved file extensions inside wp-includes/functions.php. If your file doesn't match one of those extensions, the upload gets blocked immediately.

This isn't a bug. It's a built-in security restriction that prevents potentially harmful files from reaching your server.

The error shows up most often when uploading SVG icons, custom fonts in .woff or .woff2 format, JSON configuration files, or newer image formats like AVIF. Basically anything WordPress doesn't recognize as safe by default.

And yeah, it catches a lot of people off guard. You know the file is safe, but WordPress doesn't care about your intentions. It only checks the extension and MIME type.

Why Does WordPress Block Certain File Types

WordPress restricts file uploads because certain formats can carry executable code. An SVG file, for instance, can contain embedded JavaScript. A PHP file disguised with a different extension could give an attacker full access to your server.

The filtering happens at two levels.

First, WordPress checks the file extension against its internal list of allowed types. Second, it verifies the MIME type, which is the content identifier that tells browsers and servers what kind of data the file actually contains.

Back in January 2017, the WordPress 4.7.1 security patch tightened how MIME type verification works during uploads. Before that update, some plugins that added custom file types worked fine. After it, many of them started triggering this error because WordPress got stricter about matching the declared MIME type to the actual file contents.

This double-check system exists because file extensions alone are easy to fake. Someone could rename a .php file to .jpg and try uploading it through your media uploader. The MIME type validation catches that mismatch.

Look, it's annoying when you're trying to upload a legitimate .csv data file or a .json config. But the alternative (letting any file type through) would be far worse. Sites running on shared hosting would be especially exposed.

Which File Types Does WordPress Allow by Default

WordPress stores its list of registered MIME types in wp-includes/functions.php. You can pull the full list programmatically using the wp_get_mime_types() function, but not every recognized type is actually allowed for upload.

The upload_mimes filter controls which formats users can actually push through the WordPress Media Library. Here's what makes the cut.

What Image Formats Can You Upload to WordPress

Supported image formats: .jpg/.jpeg, .png, .gif, .ico, .webp, .avif, .heic, and .heif.

WebP and AVIF support were added in more recent WordPress versions. If you're running an older installation, those might still trigger the error.

What Document Formats Does WordPress Support

Allowed documents include .pdf, .doc, .docx, .ppt, .pptx, .pps, .ppsx, .odt, .xls, and .xlsx.

Microsoft Office and OpenDocument formats are covered. But .pages files from Apple, .ai files from Adobe Illustrator, and .psd files from Photoshop are all blocked.

What Audio and Video Formats Are Allowed in WordPress

Audio: .mp3, .m4a, .ogg, .wav

Video: .mp4, .m4v, .mov, .wmv, .avi, .mpg, .ogv, .3gp, .3g2

One thing worth mentioning. WordPress technically allows video uploads, but hosting video files directly on your server is a bad idea for most sites. It eats bandwidth and slows page loads. Most developers I've worked with push video content to external hosts and embed it instead, which also helps if you care about building a user friendly website that loads quickly.

Which File Types Does WordPress Block

Anything not on the allowed list gets rejected. But some blocked formats come up way more often than others.

.svg is probably the most requested. Designers love SVGs for icons and logos because they scale without losing quality, and they're tiny compared to PNGs. But SVG files can contain inline JavaScript and XML-based exploits, so WordPress blocks them by default.

.exe and .php files are blocked for obvious reasons. These are executable formats that could compromise your entire server if uploaded by someone with bad intentions.

.css and .js files are restricted for users without the unfiltered_html capability. Admin-level users on single-site installations can sometimes upload these, but it depends on your configuration.

Here's a breakdown of commonly blocked categories:

  • Images: .svg, .bmp, .psd, .ai
  • Code files: .css, .js, .json, .php, .sql
  • Fonts: .woff, .woff2, .ttf, .eot
  • Video: .flv, .f4l, .qt
  • Data: .csv (blocked on some configurations), .xml

The font situation is particularly frustrating. If you're working on typography for a custom theme and want to upload .woff2 files directly, WordPress won't let you without extra configuration. Same story if you're tweaking form design elements that require custom assets.

Each blocked format has a reason behind it. Whether that reason applies to your specific situation is a different question entirely.

How to Check If Your File Extension Is Correct

Before you start editing config files or installing plugins, check the obvious stuff first.

Mistyped file extensions cause this error more often than you'd think. A file saved as logo.pnng instead of logo.png will get rejected immediately. Same goes for double extensions like report.pdf.docx, which sometimes happen when files get renamed or downloaded from email attachments.

Here's what to verify:

  • Right-click the file, check Properties (Windows) or Get Info (Mac), and confirm the actual extension
  • Make sure hidden file extensions are visible in your operating system settings
  • Check that the extension matches what WordPress expects (case doesn't usually matter, but .JPEG and .jpeg should both work)
  • Try re-saving or re-exporting the file from its source application

I've seen situations where a .webp image downloaded from the browser gets saved with no extension at all, or picks up a weird suffix like .webp.tmp. Quick rename, problem solved. No plugins needed.

If the extension checks out and the file still won't upload, then the issue is actually the MIME type restriction in WordPress, and you'll need one of the methods covered in the next sections.

How to Fix This Error by Converting the File Format

The safest fix. No code changes, no plugins, no risk.

If WordPress blocks your file, convert it to a supported format before uploading. SVG to PNG. AVIF to JPEG. WEBP to PNG. The file gets through, and your site stays secure.

Free online converters like CloudConvert, Convertio, or Zamzar handle most formats in seconds. Desktop tools like GIMP, Photoshop, or even Preview on Mac work too.

The tradeoff is real though. Converting an SVG to PNG means you lose scalability. Converting AVIF to JPEG means a larger file size. For most content uploads, that's perfectly acceptable. For design-critical assets where vector quality matters, you'll need one of the methods below.

How to Allow Additional File Types Using a WordPress Plugin

Plugins are the most practical fix for most WordPress site owners. No touching code, no FTP access needed.

Four plugins handle this well:

  • File Upload Types by WPForms, free, clean interface with a searchable preset list of file formats
  • WP Add Mime Types, free, lightweight, works well on multisite networks
  • WP Extra File Types, checkbox-based toggling for dozens of common extensions
  • Pro Mime Types, includes security summaries for each MIME type explaining the risk level

Here's the process using File Upload Types (the one I reach for most):

  1. Go to Plugins > Add New in your WordPress dashboard
  2. Search "File Upload Types" and install it
  3. Navigate to Settings > File Upload Types
  4. Search for the extension you need (like .svg or .json)
  5. Check the box next to it, then hit Save Settings

Done. Go back to your Media Library and try the upload again.

One thing to watch for. Plugin conflicts. If you're running a security plugin like Wordfence or Sucuri, it might override your new MIME type settings. Test the upload right after enabling the new type to catch conflicts early.

How to Add Custom MIME Types Through Plugin Settings

If your file type isn't in the plugin's preset list, scroll to the "Add Custom File Types" section and fill in three fields: File Description (anything you want), MIME Type (check IANA's official registry at iana.org), and Extension (the dot-prefix format like .yaml).

How to Allow Unfiltered Uploads Using wp-config.php

This method removes all file type restrictions for administrator accounts. Powerful, but risky.

Access your site files through FTP (FileZilla works) or your hosting control panel's File Manager. Open wp-config.php from the root directory.

Add this line above the comment that reads /* That's all, stop editing! */:

define('ALLOW_UNFILTERED_UPLOADS', true);

Save the file and upload it back to your server.

Now any admin-level user can upload any file type through the WordPress media uploader. Any type. Including .php and .exe files if someone gains access to an admin account.

My strong recommendation: use this temporarily. Upload the files you need, then remove the line and re-upload wp-config.php. Leaving ALLOW_UNFILTERED_UPLOADS enabled permanently is asking for trouble, especially on sites with multiple admin users.

How to Add Custom MIME Types Using functions.php

More targeted than the wp-config method. You pick exactly which file types to allow using the upload_mimes filter.

Add this code to your child theme's functions.php file (never the parent theme, updates will wipe it):

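function custom_upload_mimes( $mimes ) {
    // Map each extra extension to its registered MIME type.
    $mimes['svg']   = 'image/svg+xml';
    $mimes['json']  = 'application/json';
    $mimes['woff']  = 'font/woff';
    $mimes['woff2'] = 'font/woff2';
    return $mimes;
}
// Register the callback on the filter that builds the allowed upload list.
add_filter( 'upload_mimes', 'custom_upload_mimes' );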

Swap out the extensions and MIME types for whatever formats you actually need. The IANA media types registry has the correct MIME type string for practically every format.

This approach gives you granular control. You're only opening the door for specific file types instead of everything at once. Much safer than the wp-config constant, and it doesn't depend on a third-party plugin staying updated.

If you're building a site with a custom theme and handling things like hero section assets or custom icon sets, this is probably the cleanest long-term solution.

How to Allow File Types in WordPress Multisite

WordPress Multisite has its own upload settings that override individual site configurations.

Go to Dashboard > Settings > Network Settings. Scroll to the Upload Settings section. You'll see a field labeled "Upload file types" with a comma-separated list of allowed extensions.

Add your needed extensions to this list. Hit Save Changes. This applies across every site in your multisite network.

No code editing required. But keep in mind that every sub-site admin can now upload those file types. On networks with many users, that's a wider attack surface.

How to Upload Files Through FTP or File Manager

This bypasses WordPress entirely. You upload directly to the server.

Connect to your site via an FTP client like FileZilla, or open File Manager in your hosting control panel (cPanel, Plesk, or similar). Navigate to wp-content/uploads/ and drop your file into the appropriate year/month folder.

The file lands on your server, but it won't show up in the WordPress Media Library automatically. You'll need a plugin like Add From Server or Media from FTP to register it, or reference it directly by URL in your content.

This method works for one-off uploads where you don't want to change any site settings. Not practical for regular use.

What Are the Security Risks of Allowing Extra File Types

Every method that opens up new upload types introduces risk. The question is how much.

SVG files can contain embedded JavaScript that executes when the image renders in a browser. That's a direct path to cross-site scripting (XSS) attacks.

PHP files disguised with altered extensions can give attackers shell access to your server. If ALLOW_UNFILTERED_UPLOADS is active and an admin account gets compromised, the damage is immediate.

Even seemingly harmless formats like .csv or .json can be vectors for injection attacks if your site processes uploaded files without proper sanitization.

The functions.php method is the most controlled approach, since you decide exactly which types get through. The wp-config constant is the most dangerous because it removes all restrictions with no granularity.

How to Keep Your WordPress Site Secure After Allowing New File Types

  • Only allow the specific extensions you actually need, nothing more
  • Remove the ALLOW_UNFILTERED_UPLOADS constant after temporary use
  • Restrict upload permissions to admin roles only
  • Run a security plugin (Wordfence, Sucuri, or iThemes Security) that scans uploaded files
  • Keep WordPress core, themes, and all plugins updated
  • Back up your site before and after making any file type changes
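
One way to combine the first and third items of the checklist above with a content check on SVG uploads, as an added example for a child theme's functions.php (not code from WordPress core or from this article). The mytheme_ function names are hypothetical, and the SVG check is a coarse reject filter that refuses risky files; it is not a sanitizer like the Safe SVG plugin.

```php
// Added example for a child theme's functions.php. The mytheme_* names are
// hypothetical; the hooks and WordPress functions used are core APIs.

// Extend the allowlist only for users who can manage site options (admins).
function mytheme_upload_mimes( $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {
        $mimes['svg']   = 'image/svg+xml';
        $mimes['woff2'] = 'font/woff2';
    }
    return $mimes;
}
add_filter( 'upload_mimes', 'mytheme_upload_mimes' );

// Return a reason string when SVG markup carries active content, else null.
// Coarse reject filter: it refuses risky files, it does not clean them.
function mytheme_svg_risk( $svg ) {
    if ( '' === trim( $svg ) ) {
        return 'empty file';
    }
    $previous = libxml_use_internal_errors( true );
    $doc      = new DOMDocument();
    $loaded   = $doc->loadXML( $svg, LIBXML_NONET ); // never fetch over the network
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    if ( ! $loaded ) {
        return 'not well-formed XML';
    }
    // Strict choice: a DOCTYPE can declare entities, so re-export without one.
    if ( null !== $doc->doctype ) {
        return 'DOCTYPE declaration';
    }
    foreach ( $doc->getElementsByTagName( '*' ) as $node ) {
        $tag = strtolower( $node->localName );
        if ( 'script' === $tag || 'foreignobject' === $tag ) {
            return "<$tag> element";
        }
        foreach ( $node->attributes as $attr ) {
            $name  = strtolower( $attr->localName );
            $value = strtolower( preg_replace( '/\s+/', '', $attr->value ) );
            if ( 0 === strpos( $name, 'on' ) ) {
                return "event handler attribute $name";
            }
            if ( false !== strpos( $value, 'javascript:' ) ) {
                return "javascript: URL in $name";
            }
        }
    }
    return null;
}

// Runs before WordPress moves the uploaded file; setting 'error' aborts the upload.
function mytheme_reject_risky_svg( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' === $ext ) {
        $reason = mytheme_svg_risk( (string) file_get_contents( $file['tmp_name'] ) );
        if ( null !== $reason ) {
            $file['error'] = 'SVG rejected: ' . $reason;
        }
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'mytheme_reject_risky_svg' );
```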

If you're managing a site where design quality matters, like professional websites or SaaS websites, the balance between security and flexibility is something you'll revisit often. Took me a while to accept that there's no perfect answer here. You just manage the tradeoffs.

What Is a MIME Type in WordPress

MIME stands for Multipurpose Internet Mail Extensions. It's a labeling system that tells browsers and servers what kind of data a file contains, regardless of the file extension.

A .jpg file has the MIME type image/jpeg. A .pdf has application/pdf. A .mp3 has audio/mpeg.

WordPress uses two related functions to manage these:

  • wp_get_mime_types() returns every MIME type WordPress recognizes
  • get_allowed_mime_types() returns only the types currently permitted for upload

The upload_mimes filter hook is what plugins and custom code use to modify the allowed list. The mime_types filter controls the broader recognition list.

When you upload a file, WordPress checks the extension first, then uses PHP's finfo_file() function to verify the actual MIME type matches. If either check fails, you get the security error. This two-layer validation is why simply renaming a file extension doesn't always work.
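
A simplified sketch of that two-layer check as a standalone PHP command-line script, added here as an illustration (it is not WordPress core code, and core's own logic has more special cases). The function name example_check_upload and the sample files are constructed for the example; the allowlist uses the same "extension pattern => MIME type" shape as the upload_mimes array.

```php
<?php
// Added illustration, not WordPress core code: extension allowlist first,
// then content sniffing with finfo_file(). Needs PHP's fileinfo extension.

function example_check_upload( string $path, string $filename, array $allowed ): array {
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );

    // Layer 1: is the extension on the allowlist, and which MIME type does it claim?
    $declared = null;
    foreach ( $allowed as $pattern => $mime ) {
        if ( preg_match( '/^(?:' . $pattern . ')$/', $ext ) ) {
            $declared = $mime;
            break;
        }
    }
    if ( null === $declared ) {
        return array( false, "extension '.$ext' is not on the allowed list" );
    }

    // Layer 2: does the file content agree with what the extension claims?
    $finfo  = finfo_open( FILEINFO_MIME_TYPE );
    $actual = finfo_file( $finfo, $path );
    if ( $actual !== $declared ) {
        return array( false, "content looks like $actual, extension claims $declared" );
    }
    return array( true, "extension and content agree on $declared" );
}

// Constructed allowlist and sample files (not taken from a real site).
$allowed = array(
    'jpg|jpeg|jpe' => 'image/jpeg',
    'gif'          => 'image/gif',
);
$samples = array(
    'pixel.gif'  => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",   // GIF header
    'photo.jpg'  => '<?php echo "constructed sample";',      // script renamed to .jpg
    'notes.json' => '{"constructed": true}',                 // type not on the list
);

foreach ( $samples as $name => $bytes ) {
    $tmp = tempnam( sys_get_temp_dir(), 'upl' );
    file_put_contents( $tmp, $bytes );
    list( $ok, $why ) = example_check_upload( $tmp, $name, $allowed );
    printf( "%-10s %s (%s)\n", $name, $ok ? 'accepted' : 'rejected', $why );
    unlink( $tmp );
}
```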

Common File Types That Trigger This Error

Some formats trigger this error constantly. Here are the ones that come up in real projects, along with the quickest fix for each.

.svg (Scalable Vector Graphics) Used for logos, icons, and illustrations on sites ranging from minimalist websites to complex technology websites. Blocked because SVGs can contain JavaScript. Quickest fix: add via functions.php filter with the MIME type image/svg+xml, or use the Safe SVG plugin that sanitizes the code on upload.

.json (JavaScript Object Notation) Common for configuration files, Lottie animations, and theme settings imports. MIME type: application/json. Add through functions.php or a file types plugin.

.woff / .woff2 (Web Open Font Format) Custom web fonts. If you're doing any serious work with website typography, you'll hit this wall. MIME types: font/woff and font/woff2. Functions.php filter is the cleanest fix.

.csv (Comma-Separated Values) Data imports for WooCommerce products, user lists, plugin settings. Some WordPress configurations block .csv even though it should be allowed. MIME type: text/csv. Upload via FTP if it's a one-time import.

.avif (AV1 Image Format) Next-gen image format with better compression than WebP or JPEG. WordPress added support in version 6.5, but older installations still block it. Update WordPress first. If that's not an option, add the MIME type image/avif manually.

.webp (WebP Image Format) Google's image format. Supported since WordPress 5.8, but some server configurations still reject it because the PHP installation lacks the required image library. Check that your server's GD or Imagick library supports WebP processing.

.ai / .psd (Adobe Illustrator / Photoshop) Design source files. Almost never needed in the media library directly. Convert to PNG or PDF for upload, keep the originals in cloud storage or a file manager.

FAQ on How To Fix Sorry, This File Type Is Not Permitted For Security Reasons

Why does WordPress say "sorry, this file type is not permitted for security reasons"?

WordPress blocks file uploads that aren't on its default allowed MIME types list. This restriction exists to prevent malicious files like disguised PHP scripts or executable code from reaching your server through the media uploader.

Which file types does WordPress block by default?

WordPress blocks .svg, .bmp, .psd, .ai, .css, .js, .json, .exe, .php, .sql, .woff, .woff2, and .flv among others. Any extension not registered in wp-includes/functions.php triggers the upload error.

How do I allow SVG uploads in WordPress?

Add $mimes['svg'] = 'image/svg+xml'; to the upload_mimes filter in your child theme's functions.php. Alternatively, install the Safe SVG plugin, which sanitizes SVG files during upload to remove embedded scripts.

Is it safe to use ALLOW_UNFILTERED_UPLOADS in wp-config.php?

Not as a permanent setting. Adding define('ALLOW_UNFILTERED_UPLOADS', true); to wp-config.php removes all file type restrictions for admins. Use it temporarily, upload your files, then remove the line immediately.

Can I fix this error without editing code?

Yes. Install a plugin like File Upload Types by WPForms or WP Extra File Types. These let you enable specific blocked extensions through a checkbox interface in your WordPress dashboard settings. No code needed.

Why does my allowed file type still get rejected after adding it?

WordPress validates both the file extension and the MIME type. If the actual file content doesn't match the declared MIME type, the upload fails. Security plugins like Wordfence can also override your custom settings.

How do I add custom MIME types using functions.php?

Hook into the upload_mimes filter in your child theme's functions.php. Add each file type as a key-value pair, where the key is the extension and the value is the corresponding MIME type string from the IANA registry.

How do I allow extra file types on WordPress Multisite?

Go to Dashboard > Settings > Network Settings and scroll to Upload Settings. Add your needed extensions to the "Upload file types" field. This applies across all sites in your multisite network after saving.

Can I upload blocked file types through FTP instead?

Yes. Connect via an FTP client like FileZilla or use your hosting File Manager. Upload files directly to wp-content/uploads/. The file won't appear in the Media Library automatically, but it's accessible by direct URL.

What is the safest way to fix this WordPress upload error?

Convert your file to a WordPress-supported format before uploading. SVG to PNG, AVIF to JPEG. No settings changes, no security exposure. If you need the original format, the functions.php filter method offers the best balance of control and safety.

Conclusion

Fixing "sorry, this file type is not permitted for security reasons" comes down to picking the right method for your setup. Converting the file format is the zero-risk option. The upload_mimes filter in functions.php gives you precise control over which extensions get through.

Plugins like File Upload Types or WP Add Mime Types work well if you'd rather skip the code entirely.

The wp-config.php constant should stay temporary. Always remove it after uploading what you need.

Whatever approach you choose, keep your WordPress core updated, back up your site before making changes, and only allow the specific file extensions your project actually requires. Security restrictions exist for good reasons. Work with them, not around them.

Albert Ślusarczyk

As the co-creator of Be Theme, I am a strong believer in designing with care and patience. I pour my energy, time & knowledge into perfecting the theme for our 260,000+ customers.