unfiltered_upload

What is the unfiltered_upload permission in WordPress?

The unfiltered_upload permission is closely related to unfiltered_html. If this permission is given to a user, they can upload files that are NOT on the WordPress whitelist:

  • Images: jpg, jpeg, png, gif, ico
  • Documents: pdf, doc, docx, ppt, pptx, pps, ppsx, odt, xls, xlsx, psd
  • Audio: mp3, m4a, ogg, wav
  • Video: mp4, m4v, mov, wmv, avi, mpg, ogv, 3gp, 3g2

So if a user does not have this permission, they will be blocked from uploading any file type that is not on the list above.

For example, a user without the unfiltered_upload permission will see this message if they try to upload a .svg file: “Sorry, this file type is not permitted for security reasons.”

Not Permitted

Who has the unfiltered_upload permission?

By default, this permission is not available to any role. The permission needs to be enabled by adding this line to your wp-config.php file:

define( 'ALLOW_UNFILTERED_UPLOADS', true );

All roles on a single site install can be given this unfiltered_upload permission, but only Super Admins can be given the capability on a Multisite install.


How to control who has the unfiltered_upload permission

You can control who has the unfiltered_upload permission by installing the PublishPress Capabilities plugin.

  • Add the line of code to your wp-config.php file as in the section above.
  • After installing PublishPress Capabilities, go to “Capabilities” in your admin menu.
  • Using the dropdown in the top-left corner, choose the role you want to edit.
  • Enter “unfiltered_upload” into the “Add Capability” box.
  • Click “Add to role”.
  • Click the “Additional” tab.
  • Check or uncheck the “unfiltered upload” box.
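
A scripted way to check the result of the steps above, as an added example that is not PublishPress or WordPress core code: it reports whether the wp-config.php constant is on, which roles store the capability, and which users effectively hold it, and it can strip the capability from roles outside a keep-list. The example_ function names and the 'administrator' keep-list are assumptions for illustration.

```php
<?php
// Added example, not WordPress core or PublishPress code. The example_* names are hypothetical.

/** True only when wp-config.php defines ALLOW_UNFILTERED_UPLOADS as true. */
function example_unfiltered_uploads_enabled() {
    return defined( 'ALLOW_UNFILTERED_UPLOADS' ) && ALLOW_UNFILTERED_UPLOADS;
}

/** Slugs of every role that has unfiltered_upload granted in its stored capabilities. */
function example_roles_with_unfiltered_upload() {
    $found = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( $role->has_cap( 'unfiltered_upload' ) ) {
            $found[] = $slug;
        }
    }
    return $found;
}

/** Logins of users who can upload unlisted file types right now (constant and Multisite rules included). */
function example_users_with_unfiltered_upload() {
    $logins = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
        // user_can() resolves the effective capability, not just what the role stores.
        if ( user_can( (int) $user->ID, 'unfiltered_upload' ) ) {
            $logins[] = $user->user_login;
        }
    }
    return $logins;
}

/** Remove the capability from every role not in $keep. Writes to the database; returns the roles changed. */
function example_restrict_unfiltered_upload( array $keep ) {
    $changed = array();
    foreach ( example_roles_with_unfiltered_upload() as $slug ) {
        if ( ! in_array( $slug, $keep, true ) ) {
            get_role( $slug )->remove_cap( 'unfiltered_upload' );
            $changed[] = $slug;
        }
    }
    return $changed;
}

// Read-only report when run through WP-CLI. To enforce the keep-list (assumed here),
// call example_restrict_unfiltered_upload( array( 'administrator' ) ) explicitly.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::log( 'Constant enabled: ' . ( example_unfiltered_uploads_enabled() ? 'yes' : 'no' ) );
    WP_CLI::log( 'Roles storing the capability: ' . implode( ', ', example_roles_with_unfiltered_upload() ) );
    WP_CLI::log( 'Users who effectively have it: ' . implode( ', ', example_users_with_unfiltered_upload() ) );
}
```

Save it to a file and run it with `wp eval-file`; a role can store the capability while no user effectively has it if the constant is not defined, which is why the report lists both.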