How I Secured WordPress Media Files by Building My Own
Upload Restriction Plugin
Security is one of those things you don't think about deeply
until something breaks badly.
For me, that moment came while managing multiple high-traffic
WordPress websites. Sites that were running fine — until they
weren't. Slowing down. Getting unstable. Eventually crashing.
The culprit? Unrestricted file uploads.
The Problem — What Was Actually Happening
WordPress is flexible by nature. And that flexibility, if left
unchecked, can become a serious vulnerability.
On high-traffic sites, users interact with forms, media
uploaders, and search inputs constantly. Even with proper input
escaping and sanitization in place, there are edge cases —
scenarios where those defenses don't fully catch what's coming
through. And attackers know this.
Here are the real attacks that happen when file upload
restrictions are weak or missing:
1. Malicious Script Uploads (.php, .exe, .sh)
An attacker uploads a file with a .php or .sh extension through
a form or a vulnerable media endpoint. Once that file lands on
your server, it can be executed remotely — giving the attacker
full control over your WordPress installation. This is called
Remote Code Execution (RCE) and it's one of the most dangerous
attacks on any web server.
2. SVG-Based XSS Attacks
SVG files are XML-based and can contain embedded JavaScript.
When a malicious SVG is uploaded to your media library and
rendered in a browser, that JavaScript executes — allowing
attackers to steal session cookies, hijack admin accounts, or
redirect users to phishing sites.
3. Web Shell Uploads
Attackers disguise a web shell — a backdoor script — as an
innocent looking file. Once uploaded and accessed via browser,
it gives them a persistent, hidden entry point into your server
that survives even plugin updates and password changes.
4. XML & HTML File Injections
Uploading malformed XML or HTML files can trigger parser errors,
expose server information, or be used to inject content into
your site that search engines and users see — damaging your SEO
and your reputation.
5. Large & Unnecessary File Type Uploads
Even without malicious intent, allowing every file type creates
problems. Uploading high-resolution TIFFs, PSDs, or uncompressed
video formats bloats your server storage, slows down your media
library, and eventually crashes shared or underpowered hosting
environments.
On one of my high-traffic projects, the site was slowing down
week by week. No obvious code issue. No server misconfiguration.
Just the gradual accumulation of unnecessary and problematic
files finding their way into the media library — quietly
consuming resources until the site buckled.
The Existing Solutions — And Why They Weren't Enough
Yes, WordPress has some built-in MIME type checking. And yes,
there are security plugins that handle broad firewall rules.
But I needed something specific, simple, and surgical. I didn't
want a bloated security suite. I wanted one thing — the ability
to precisely control which file extensions and MIME types are
allowed to be uploaded to my WordPress sites. Nothing more,
nothing less.
I searched. I couldn't find exactly what I needed.
So I built it.
The Solution — Restrict WP Upload Type
I built and published the Restrict WP Upload Type plugin on
WordPress.org.
The concept is straightforward: give site administrators full,
granular control over which file extensions and MIME types are
permitted in the WordPress Media Library — and block everything
else.
👉 View the plugin on WordPress.org
What the Plugin Does
The plugin provides a clean settings panel inside your WordPress
admin where you can:
- Allow or disallow any file extension — choose exactly which file types your site accepts
- Control MIME types precisely — not just extensions but the actual MIME type validation, making it harder to spoof
- Access 96 file extensions and MIME types — covering images, documents, audio, video, code files, archives, and more
- Restrict SVG uploads — one of the most commonly exploited file types in WordPress, now fully controllable
- Apply rules globally — restrictions apply across the media library, upload forms, and any standard WordPress upload endpoint
Real-World Use Cases
Here's how different types of sites can use this plugin:
WooCommerce stores — Allow only JPG, PNG, PDF and block
everything else. Prevent customers or vendors from sneaking
executable files through product upload forms.
Portfolio or agency sites — Block PSDs, TIFFs, and RAW
files that designers sometimes accidentally upload, keeping
your server storage clean.
Membership or community sites — Restrict uploads to safe
document formats only. Block PHP, SH, EXE, and all script
file types entirely.
Corporate websites — Allow only PDF and DOCX for document
uploads. Block all image formats if image uploads aren't
needed at all.
What I Learned Building This
The most interesting technical challenge was working with
WordPress's upload_mimes filter and wp_check_filetype_and_ext
function. WordPress does its own internal MIME validation, and
overriding it cleanly — without breaking legitimate uploads or
conflicting with other plugins — required careful handling.
I also learned that MIME type spoofing is more common than
most developers realize. An attacker can rename a .php file
to .jpg and attempt to upload it. That's why checking only the
file extension is never enough — you need to validate the actual
MIME type of the file content, not just what the filename claims
to be.
The plugin handles both layers.
The Result
The plugin currently has 300+ active installations on
WordPress.org, a perfect 5-star rating, and has been
tested up to WordPress 6.7.5. It's been live since April 2022
and has remained stable across multiple WordPress versions.
One reviewer described it as "simple, fast and objective."
Another said it "works like a charm."
A particularly useful piece of feedback from a user highlighted
the need to better communicate which plugin blocks an upload
when the restriction triggers — something I've noted for a
future update.
⚠️ One Thing to Keep in Mind — Plugin Conflicts
While the plugin works reliably across most WordPress setups,
there is one scenario worth being aware of.
If another active plugin on your site — such as Elementor,
Divi, or any page builder / media-heavy plugin — also hooks
into WordPress's MIME type functions internally, it may
conflict with this plugin's restrictions.
This happens because multiple plugins are trying to control
the same WordPress filter (upload_mimes) at the same time,
and they can override each other depending on the order they
load.
How to check for this:
- After activating the plugin and saving your settings, try uploading a restricted file type
- If the restriction doesn't work as expected, temporarily deactivate other plugins one by one to identify the conflict
- Re-activate them and check which plugin is overriding the MIME type settings
This is not a bug — it's simply how WordPress plugin
architecture works when multiple plugins touch the same hook.
Being aware of it will save you debugging time and help you
use this plugin more effectively on complex setups.
The Takeaway
If you're running any WordPress site with user-facing upload
functionality — forms, media libraries, WooCommerce product
uploads, membership portals — you should be controlling exactly
what file types are allowed in.
Sanitization and escaping are essential, but they are not
enough on their own. File type restriction is a separate,
dedicated layer of defense that too many WordPress sites skip.
Don't wait for a crash to find out why.
👉 Restrict WP Upload Type on WordPress.org
Have you ever dealt with a file upload attack on a WordPress
site? I'd love to hear how you handled it — drop a comment
below. 🔒
Top comments (0)