What is the unfiltered_upload permission in WordPress?
The unfiltered_upload permission is closely related to unfiltered_html. If this permission is given to a user, they can upload files that are NOT on the WordPress whitelist:
- Images: jpg, jpeg, png, gif, ico
- Documents: pdf, doc, docx, ppt, pptx, pps, ppsx, odt, xls, xlsx, psd
- Audio: mp3, m4a, ogg, wav
- Video: mp4, m4v, mov, wmv, avi, mpg, ogv, 3gp, 3g2
So if a user does not have this permission, they will be blocked from uploading any file type that is not on the list above.
For example, a user without the unfiltered_upload permission will see this message if they try to upload a .svg file: “Sorry, this file type is not permitted for security reasons.”
Who has the unfiltered_upload permission?
By default, this permission is not available to any role. The permission needs to be enabled by adding this line to your wp-config.php file:
define( 'ALLOW_UNFILTERED_UPLOADS', true );
All roles on a single site install can be given this unfiltered_upload permission, but only Super Admins can be given the capability on a Multisite install.
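To audit whether a given wp-config.php actually enables the constant shown above, here is an added example (not code from WordPress or PublishPress). It ignores commented-out copies of the line and does not mistake "//", "#" or "/*" inside quoted values such as salts and URLs for comments. The sample file contents are constructed, the function names are hypothetical, and treating every value except the listed falsy literals as enabled is an assumption of this sketch.

```python
import re

# Strings are matched before comments so that "//", "#" or "/*" inside a
# quoted value (salts, URLs) is not mistaken for the start of a comment.
_TOKEN = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.DOTALL,
)
# PHP function names are case-insensitive; the constant name is not.
_DEFINE = re.compile(
    r"""(?i:define)\s*\(\s*(['"])ALLOW_UNFILTERED_UPLOADS\1\s*,\s*(.*?)\s*\)\s*;""",
    re.DOTALL,
)
# Literals treated as "off" (assumption: anything else counts as enabled).
_FALSY = {"false", "0", "0.0", "null", "''", '""', "'0'", '"0"'}


def strip_comments(php_source):
    """Blank out PHP comments while leaving quoted strings untouched."""
    keep_strings = lambda m: m.group(0) if m.group(0)[0] in "'\"" else " "
    return _TOKEN.sub(keep_strings, php_source)


def unfiltered_uploads_enabled(php_source):
    """True/False for the first active define(), None if there is none.

    Only the first define() is read, because PHP does not let a later
    define() change a constant that already exists.
    """
    match = _DEFINE.search(strip_comments(php_source))
    if match is None:
        return None
    return match.group(2).strip().lower() not in _FALSY


# Constructed sample, not taken from a real site.
SAMPLE_WP_CONFIG = """<?php
define( 'AUTH_KEY', 'k/*9#x//constructed-sample-value' );
// define( 'ALLOW_UNFILTERED_UPLOADS', true );
/* define( 'ALLOW_UNFILTERED_UPLOADS', true ); */
define( 'WP_HOME', 'https://example.test' );
define( 'ALLOW_UNFILTERED_UPLOADS', true );
define( 'ALLOW_UNFILTERED_UPLOADS', false );
"""

if __name__ == "__main__":
    print("ALLOW_UNFILTERED_UPLOADS:", unfiltered_uploads_enabled(SAMPLE_WP_CONFIG))
```

A result of None means the constant is not defined in the file, which matches the default where no role has the permission.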
How to control who has the unfiltered_upload permission
You can control who has the unfiltered_upload permission by installing the PublishPress Capabilities plugin.
- After installing PublishPress Capabilities, go to “Capabilities” in your admin menu.
- Using the dropdown in the top-left corner, choose the role you want to edit.
- Enter “unfiltered_upload” into the “Add Capability” box.
- Click “Add to role”.
- Check or uncheck the “unfiltered upload” box in the “Other WordPress Core Capabilities” area.