AI Summary
You finally find the perfect SVG icon for your blog post header, drag it into the WordPress media library, and WordPress slaps you with an error.
Sorry, this file type is not permitted for security reasons. Same scene happens with CSV files, HEIC photos straight off an iPhone, AI files from your designer, and a dozen other formats people work with every day.
I’ve run into this enough times across client sites and my own projects that I stopped treating it like a problem and started treating it like a checkbox setting WordPress just hides from you by default.
How to Fix the ‘File Type Not Allowed’ Error in WordPress
WordPress restricts file uploads through a built-in allowlist that blocks anything outside its default file types. The same restriction triggers a few different error wordings, such as:
- This file type is not allowed
- Sorry, this file type is not permitted for security reasons
- Sorry, you are not allowed to upload this file type
What Does the ‘File Type Not Allowed’ Error Mean?
The error shows up because WordPress only permits a short list of file types by default. Anything outside that list gets blocked the moment you try to upload it. Here’s the default WordPress allowlist:
| Category | Extensions |
|---|---|
| Images | .jpg .jpeg .png .gif .ico |
| Audio files | .mp3 .wav .ogg .m4a |
| Documents | .pdf .doc .docx .ppt .pptx .pps .ppsx .odt .xls .xlsx .psd |
| Video files | .mp4 .m4v .mov .wmv .avi .mpg .ogv .3gp .3g2 |
Anything not in this table (CSV, SVG, HEIC, AI, ZIP, WOFF, JSON, and so on) triggers the error. WordPress isn’t saying these files are unsafe.
It just locks the upload form down to the bare minimum that most sites need, and leaves the rest for you to switch on. That doesn’t mean you should turn on everything.
WordPress also keeps a permanent block on file types that are genuinely dangerous (more on that in the security section below). But for the legitimate files you actually need, the fix is straightforward.
Quick Diagnostic, Check Your File Extension Spelling
Before changing any settings, look at the file extension on your computer. WordPress is case-sensitive, so Photo.JPG and photo.jpg are read as two different things.
Hidden file extensions on Mac and Windows are also a common cause. macOS and Windows both hide extensions by default, so what you see as report might actually be report.pdf.txt if a different program saved it.
How to Fix “File Type Is Not Permitted”
Use this when you want a no-code fix and you’d rather click checkboxes than touch your site’s files. This is the method I reach for first on every client project, even ones where I’d be comfortable editing code.
We’re going to use a free WordPress plugin called File Upload Types for this fix. It’s built by the same team behind WPForms, it’s 100% free, and it lets you add allowed file types right from the WordPress admin.
1. Install File Upload Types Plugin
The first thing we need to do is install the File Upload Types plugin.
The plugin is 100% free, and you can trust it: it was created by the same team that created WPForms!
To start, open up your WordPress dashboard and head to Plugins » Add New.
Search for the File Upload Types plugin in the search box at the top.
Click Install Now, and then click Activate.
Great! Now let’s add the file types you need.
2. Enable New File Type in WordPress
In the WordPress dashboard, click Settings » File Upload Types.
The settings for the File Upload Types plugin will open in your browser.
Many people need to allow common files types like .csv, .heic, and .svg in WordPress, so File Upload Types has some presets ready to go. I’ll explain those first.
3. Adding a Preset File Type
To find out if the preset for your file exists, search for the file type in the Search File Types box. In this example, we’re going to search for AutoCad .cad file types.
Notice how multiple files appear along with different extensions and MIME types. You’ll want to select the one that matches the extension and the MIME type.
What Is a MIME Type?
MIME types are sometimes called internet file types. The MIME type describes the file’s actual contents so that your computer or server can interpret it correctly.
When using File Upload Types, you’ll want to be 100% sure that the MIME type is the same as the preset says.
Luckily, we can easily find the MIME type of any file using this free MIME file type checker. Just upload a file similar to the one you want to accept and the tool will tell you the MIME type.
That’s it! Now you can compare the MIME type with the preset to find out if the preset matches. Check the box next to each file type you want to enable, then scroll down and click the orange Save Settings button.
When the page reloads, you’ll notice that the file types you selected are now listed in a new section titled Enabled. These will no longer trigger the ‘Sorry, this file type is not permitted for security reasons’ warning.
If you need to run through this again, we have a guide on how to accept Adobe Illustrator (AI) file uploads in WordPress that goes into a little more detail.
Next up, let’s look at creating custom file types for files that aren’t on the preset list.
4. Adding a Custom File Type
If the file type you want to upload isn’t listed in the File Upload Types plugin, you can add it as a custom entry. You should also use a custom entry if you see the error, This file was not uploaded. File type not allowed.
‘File type not allowed’ typically means that your MIME type doesn’t match the MIME type that WordPress is expecting to see.
To fix this, you’ll need to know the correct MIME type for the custom file type you want to add. Again, check an example with the free MIME file type checker before you continue.
In this example, we’ll add the .heif file format so users can upload smartphone images to your WordPress site.
(I already verified the MIME type of my test file: image/heif.) In the File Upload Types plugin, click the Add your custom file types link.
For this file type, we’re going to type in:
- A description for the custom file type – you can type anything you want here
- The MIME type (if you need to add more than 1, separate them with a comma)
- The file extension, including the leading period
.
In this example, we’re adding .heif files with the MIME type image/heif.
Once that’s done, click Save Settings. Your custom file type will be listed in the Enabled section in the plugin.
Now we can go ahead and upload these image files without getting the ‘sorry, this file type is not permitted for security reasons’ error in WordPress.
Fix It on Your WPForms File Upload Field
If your visitors are hitting this error on a WPForms File Upload form rather than the WordPress admin, the fix is slightly different. WordPress’s allowlist applies first, but WPForms also has a per-field setting that can further restrict what visitors are allowed to upload.
Why this is different from WordPress admin uploads
WordPress’s file type rules apply to every upload anywhere on your site, including WPForms submissions. So if WordPress is blocking .svg files, your File Upload field will also block them, even if you typed .svg into the WPForms field’s allowed list. The fix is two-step on a form.
- First, allow the file type at the WordPress level using one of the methods above
- Then, allow it at the field level inside the WPForms form builder
If you haven’t built a form yet, here’s how to create a file upload form in WordPress from scratch. Otherwise, open the form you’ve already built.
Set the Allowed File Extensions on your File Upload field
Click on the File Upload field inside the form builder to open its Field Options panel. In the Allowed File Extensions field, type the extensions you want to permit, separated by commas, with a leading period on each one.
For example, .pdf, .docx, .heif allows those three types and blocks everything else.
You can also set a Max File Size limit per upload. By default, WPForms uses your server’s maximum file size. Hover over the question mark icon next to the field to see what your server allows. If you need a higher cap, the fix is on the server side rather than in WPForms (here’s how to increase the WordPress max upload size if that’s the actual problem).
The Modern style file upload field also lets visitors drag and drop files onto your form, which makes it more accessible than the Classic file picker on mobile.
For every File Upload field setting in detail, see WPForms’ complete guide to the File Upload field.
What WPForms blocks no matter what
This part is reassuring if you’re worried about opening up file uploads to strangers. Even if you allow risky extensions in WordPress, WPForms maintains its own permanent denylist on the form side.
Executable files like .exe, .php, .js, .jar, .html, .htm, .swf, and .json are blocked at the form level, no matter what’s allowed in WordPress.
That’s the safety net I lean on when I’m setting up file upload fields for client sites that take resumes, medical records, or other sensitive uploads. WordPress and WPForms together give you two layers of file type filtering.
FAQs About File Types and MIME Types
The ‘file type not allowed’ error in WordPress comes with a lot of variations and edge cases, and most of them have the same root cause. Here are the questions I get asked most often when someone hits this for the first time.
How do I upload files to WordPress?
If you want to accept file uploads from visitors, the fastest path is to add a WPForms File Upload field to a form. WPForms is the best file upload plugin for WordPress, and it works for documents, images, videos, audio, and any custom file types you’ve added through the methods above. The Modern field style also supports drag and drop, which makes uploads feel native on phones.
What does MIME mean?
MIME stands for multipurpose internet mail extensions. It was originally built so people could send media files in emails, and it stuck around because the same idea is useful for the web. The MIME type in a file’s header tells a browser or server what’s actually inside the file, so it can decide how to handle it.
What does “this file was not uploaded. file type not allowed” mean?
You’ll usually see this version of the error after you’ve added a custom file type but the MIME type doesn’t match the file you’re trying to upload. WordPress checks both the extension and the MIME type, and if they’re out of sync, it blocks the upload.
Use the MIME file type checker to confirm the actual MIME type of your file, then go back to File Upload Types and update the entry to match.
You’ll also see a Windows variation of this if your computer doesn’t recognize the file. Something like It looks like we don’t support this file format. That’s the same root cause on the OS side rather than WordPress.
What does “Sorry, you are not allowed to upload this file type” mean?
This wording appears in some contexts where WordPress shows a slightly more permission-flavored message, often when a non-admin user is uploading. The fix is the same as the security-reasons version. Add the file type to the WordPress allowlist via one of the four methods above, and (if needed) confirm that the user role uploading the file has sufficient permissions.
Can I allow any file extension using the File Upload Types plugin?
Yes, the plugin lets you enable any file type or MIME type you want. Two things can still get in your way though.
- Your form builder plugin may keep its own block on common malware-carrying file types. WPForms always blocks
.exe,.php,.js,.jar,.html,.htm,.swf,.json, and a few others on the form side, even if you’ve allowed them in WordPress - Some hosts block certain file types at the server level. These blocks are usually about preventing hackers from exploiting plugin vulnerabilities, so they’re worth keeping. If you really need an upload allowed and your host is blocking it, contact their support
Are there security risks involved in adding file types?
If you’re careful, no. But File Upload Types is a powerful plugin, and it really will allow any file type you add, executables included.
I never recommend allowing executable file types like .exe, .php, .js, .jar, or .html to be uploaded. Those are the file types attackers use to drop malware on a site. If you’re using WPForms, it won’t allow these on its File Upload fields anyway, but the WordPress media library will if you’ve explicitly added them.
For a deeper look at hardening uploads on forms, our guide on file upload security best practices covers what to lock down beyond file types. The official documentation also has more on safe practices for the File Upload Types plugin.
Next, Build a File Upload Form in WordPress
Now that you’ve got file uploads working the way you want, the next step is to actually put a form in front of your visitors.
WPForms has a drag-and-drop builder that makes this quick, and the File Upload field works the same way the rest of the form fields do, no extra configuration needed.
If you want to send the uploaded files somewhere besides your server, take a look at the Dropbox file upload form guide.
It walks through how to push uploads straight into a cloud storage folder so they don’t take up space on your hosting account.
Create Your File Upload Form Now
Ready to build your form? Get started today with the easiest WordPress form builder plugin. WPForms Pro includes lots of free templates and offers a 14-day money-back guarantee.
If this article helped you out, please follow us on Facebook and Twitter for more free WordPress tutorials and guides.
This is truly ridiculous. Your plugin is written in PHP. That means there is a way to enable file uploads of specific types in PHP without a plugin. Yet everybody is dead set on making me install yet another single-use plugin. And then when my site grinds to a halt, everybody will say, “Of course your site is broken. Look how many plugins you’re using.”
Hi Mala,
This feature is currently not available with the core plugin. But we understand the importance of keeping a lean plugin list for site owners. We built this light-weight solution so everyone (including beginners) can allow additional file upload types with relative ease.