What is the unfiltered_upload permission in WordPress?

The unfiltered_upload permission is closely related to unfiltered_html. If this permission is given to a user, they can upload files are NOT on the WordPress whitelist:

  • Images: jpg, jpeg, png, gif, ico
  • Documents pdf, doc, docx, ppt, pptx, pps, ppsx, odt, xls, xlsx, psd
  • Audio: mp3, m4a, ogg, wav
  • Video: mp4, m4v, mov, wmv, avi, mpg, ogv, 3gp, 3g2

So if a user does not have this permission, they will be blocked from uploading any file type that is not on the list above.

For example, a user without the unfiltered_upload permission will see this message if they try to upload a .svg file: “Sorry, this file type is not permitted for security reasons.”

Not Permitted
Not Permitted

Who has the unfiltered_upload permission?

By default, this permission is not available to any role. The permission needs to be enabled by adding this line to in your wp-config.php file:


All roles on a single site install can be given this unfiltered_upload permission, but only Super Admins can be given the capability on a Multisite install.

How to control who has the unfiltered_upload permission

You can control who has the unfiltered_upload permission by installing the PublishPress Capabilities plugin.

  • After installing PublishPress Capabilities, go to “Capabilities” in your admin menu.
  • Using the dropdown in the top-left corner, choose the role you want to edit.
  • Enter “unfiltered_upload” into the “Add Capability” box.
  • Click “Add to role”.
Unfiltered Upload
Unfiltered Upload
  • Check or uncheck the “unfiltered upload” box in the “Other WordPress Core Capabilities” area.
Unfiltered Upload Box
Unfiltered Upload Box

Professional publishing plugins for WordPress! Get PublishPress