LiveChat
Support
Blog
Affiliates
The "Sorry, this file type is not permitted for security reasons" error appears when you try to upload a file type that WordPress does not allow by default. WordPress restricts uploads to common file types (images, documents, audio, video) and blocks everything else to prevent malicious file uploads.
Install the WP Add Mime Types plugin (free). It lets you whitelist specific file extensions without opening your site to all file types. This is safer than the wp-config.php workaround.
01. Why WordPress Blocks File Types
WordPress maintains an allowlist of safe file types. When you upload a file, WordPress checks both the file extension and the MIME type against this list. If either doesn't match, the upload is rejected. This prevents attackers from uploading PHP files, shell scripts, or other executable files through the media library.
This is a security feature, not a bug. The goal is to ensure that only known-safe file types can be uploaded through the WordPress admin interface.
02. Fix With a Plugin (Recommended)
- Install "WP Add Mime Types" from Plugins > Add New
- Go to Settings > Mime Type Settings
- Add the file extension and MIME type (e.g.,
svg = image/svg+xml) - Save and retry your upload
This approach is preferred because you only allow the specific file types you need, not everything.
03. Fix With functions.php
Add a custom MIME type filter to your theme's functions.php (or better, a site-specific plugin):
function uwh_allow_custom_uploads($mimes) {
$mimes['svg'] = 'image/svg+xml';
$mimes['json'] = 'application/json';
$mimes['webp'] = 'image/webp';
$mimes['woff'] = 'font/woff';
$mimes['woff2'] = 'font/woff2';
return $mimes;
}
add_filter('upload_mimes', 'uwh_allow_custom_uploads');Add only the file types you actually need. Each line adds one extension.
04. Commonly Blocked File Types
These are safe file types that WordPress blocks but many sites need:
SVG (image/svg+xml) - Vector graphics for logos and icons. Note: SVGs can contain JavaScript, so only upload SVGs from trusted sources.
JSON (application/json) - Configuration files, data feeds, schema markup files.
WOFF/WOFF2 (font/woff, font/woff2) - Web fonts. Needed if you self-host custom fonts.
CSV (text/csv) - Spreadsheet data. Needed for data import plugins.
WebP (image/webp) - Modern image format. Supported natively since WordPress 5.8, but older versions block it.
05. Temporary Workaround
If you need a one-time upload and don't want to install a plugin, add this to wp-config.php:
define('ALLOW_UNFILTERED_UPLOADS', true);This allows admin users to upload ANY file type, including PHP files. Only enable it temporarily for a specific upload, then remove the line immediately. Never leave this enabled on a production site.
An alternative is to upload the file directly via FTP or cPanel's File Manager, which bypasses WordPress's file type check entirely. See our FTP guide.
Upload Issues?
If the file type is allowed but uploads still fail, it may be a file size limit or ModSecurity rule. Open a ticket with the exact error.
Open a Support TicketQuick Recap: File Type Not Permitted
- Use WP Add Mime Types plugin to allow specific extensions safely
- Or add a filter in functions.php for the file types you need
- ALLOW_UNFILTERED_UPLOADS is a temporary workaround only
- Remove the setting immediately after your upload
- Upload via FTP as an alternative that bypasses WordPress checks
Last updated March 2026 · Browse all WordPress articles
