
WordPress "Sorry, This File Type Is Not Permitted": How to Fix It

May 21, 2025 | 7 min read | HostBible Team

You're trying to upload a file to the WordPress Media Library and getting the error "Sorry, this file type is not permitted for security reasons." The file is legitimate and you need it on the site. Here's why WordPress blocks it, and the right way to allow specific file types without compromising your site's security.

Why WordPress restricts file types

WordPress maintains a whitelist of permitted MIME types for the media uploader. This is a legitimate security measure: if WordPress allowed arbitrary file uploads (PHP files, executable scripts, shell scripts), an attacker with upload permissions could deploy malicious code directly to your server. The restriction prevents that category of attack entirely by refusing anything not on the approved list.

The problem is that the default whitelist is conservative. SVG files, WebP images (in older WordPress versions prior to 5.8), JSON files, XML files, various audio formats, and other legitimate file types are blocked unless you explicitly allow them. This creates friction for developers and content editors who need to work with files outside the defaults.

Two separate checks happen on upload: the file extension is checked against the MIME type whitelist, and the actual file content is verified against the declared MIME type using PHP's fileinfo extension. The error can be triggered by either check failing.

Fix 1: Add allowed file types via functions.php

The cleanest approach for adding specific file types is to use the upload_mimes filter. Add this to your theme's functions.php or, preferably, to a site-specific plugin so it isn't lost when you switch themes:

// Each key is a file extension and each value is the MIME type it maps to.
function allow_custom_file_types( $mime_types ) {
    $mime_types['svg']  = 'image/svg+xml';
    $mime_types['webp'] = 'image/webp'; // Only needed on WordPress versions prior to 5.8.
    $mime_types['json'] = 'application/json';
    $mime_types['xml']  = 'application/xml';
    return $mime_types;
}
add_filter( 'upload_mimes', 'allow_custom_file_types' );

Adjust the entries to include only the file types you genuinely need. Each entry is a key-value pair where the key is the file extension and the value is the MIME type. Only add formats you have a specific use case for; adding types broadly is unnecessary risk.

Never add PHP, executable, or script file types (php, js as an uploadable media type, sh, exe). Allowing these in the media uploader creates exactly the security vulnerability the restriction was designed to prevent.
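
A capability-scoped version of the filter above, as an added example that is not part of the original guide. It grants the extra types only to users who hold a chosen capability and removes script-capable types that other code may have added; the function name, the manage_options gate and the deny list are assumptions.

```php
<?php
/**
 * Added example (not from the original guide): extend the upload list
 * only for users with a chosen capability, and strip script-capable
 * types from the final list. The function name is hypothetical.
 */
function example_scoped_upload_mimes( $mime_types, $user = null ) {
    // Extra types this site needs. Assumption: adjust to your own use case.
    $extra = array(
        'json' => 'application/json',
        'xml'  => 'application/xml',
    );

    // Extensions that must never be accepted by the media uploader.
    $never = array( 'php', 'phtml', 'phar', 'js', 'sh', 'exe' );

    // The filter also receives the user being checked (ID, WP_User or null).
    // Fall back to the current user when none is passed.
    $may_extend = ( null === $user )
        ? current_user_can( 'manage_options' )
        : user_can( $user, 'manage_options' );

    if ( $may_extend ) {
        $mime_types = array_merge( $mime_types, $extra );
    }

    // Keys can be grouped, e.g. "jpg|jpeg|jpe", so split each key and
    // drop the whole entry if any part of it is on the deny list.
    foreach ( array_keys( $mime_types ) as $key ) {
        $parts = array_map( 'strtolower', explode( '|', $key ) );
        if ( array_intersect( $parts, $never ) ) {
            unset( $mime_types[ $key ] );
        }
    }

    return $mime_types;
}
// Priority 999 so the deny list runs after other plugins' additions.
add_filter( 'upload_mimes', 'example_scoped_upload_mimes', 999, 2 );
```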

Fix 2: SVG files specifically

SVG files deserve special treatment because they are XML documents that can contain embedded JavaScript. An SVG uploaded by a malicious or compromised admin user could execute scripts in the browser when other users view it. Adding SVG support via the upload_mimes filter allows the upload but provides no protection against malicious content inside the file.

The better approach is the Safe SVG plugin (available free on the WordPress plugin directory). It sanitises SVG files on upload, stripping any embedded scripts, event handlers, or external references, before storing them. This gives you SVG support without the security exposure. For any site where multiple users have upload permissions, Safe SVG is the correct solution rather than manually allowing the MIME type.

Fix 3: The MIME type verification check

WordPress 4.7.1 and later added a secondary check: even if a file extension is on the allowed list, WordPress verifies that the actual file content matches the expected MIME type. This is done using PHP's fileinfo extension. If fileinfo is missing or returns an unexpected result, the upload is rejected even for allowed file types.

You can work around an incorrect MIME type detection result (without fully disabling the check) by using the wp_check_filetype_and_ext filter:

add_filter( 'wp_check_filetype_and_ext', function( $data, $file, $filename, $mimes ) {
    // Content-based detection already produced a result: keep it.
    if ( ! empty( $data['ext'] ) ) {
        return $data;
    }
    // Detection came back empty: look the extension up in the allowed list.
    $wp_filetype = wp_check_filetype( $filename, $mimes );
    if ( ! empty( $wp_filetype['ext'] ) ) {
        $data['ext']  = $wp_filetype['ext'];
        $data['type'] = $wp_filetype['type'];
    }
    return $data;
}, 10, 4 );

This falls back to extension-based checking if MIME type detection returns empty, rather than rejecting the upload entirely. It's a more targeted fix than disabling MIME checking globally.
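
A narrower variant of the fallback above, as an added example that is not from the original guide: it restores the type only for .json files, and only after the file content parses as JSON. It assumes json has been added through upload_mimes as in Fix 1; the function name and the 1 MiB size limit are assumptions.

```php
<?php
/**
 * Added example (not from the original guide): restore the type only for
 * .json uploads, and only after the content itself parses as JSON.
 * The function name and the size limit are hypothetical.
 */
function example_verify_json_upload( $data, $file, $filename, $mimes ) {
    // Core already accepted the file: nothing to do.
    if ( ! empty( $data['ext'] ) && ! empty( $data['type'] ) ) {
        return $data;
    }

    // Only consider files whose extension maps to an allowed type.
    $by_ext = wp_check_filetype( $filename, $mimes );
    if ( 'json' !== strtolower( (string) $by_ext['ext'] ) ) {
        return $data; // Every other type keeps core's verdict.
    }

    // Refuse unreadable, empty or oversized files rather than parsing them.
    $size = is_readable( $file ) ? filesize( $file ) : false;
    if ( false === $size || 0 === $size || $size > 1048576 ) {
        return $data;
    }

    // Validate the content: it must decode to a JSON object or array.
    $decoded = json_decode( file_get_contents( $file ), true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $decoded ) ) {
        return $data;
    }

    // Content checks passed: restore the extension-based result.
    $data['ext']  = $by_ext['ext'];
    $data['type'] = $by_ext['type'];
    return $data;
}
add_filter( 'wp_check_filetype_and_ext', 'example_verify_json_upload', 10, 4 );
```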

Fix 4: What NOT to do

You'll find advice online suggesting you add define( 'ALLOW_UNFILTERED_UPLOADS', true ); to wp-config.php. Do not do this. That constant disables the entire file type restriction system and allows any file type, including PHP files, to be uploaded by any user with media upload permissions. It is a significant security vulnerability and you should not leave it in place on any site that has user accounts.

Similarly, avoid advice that tells you to set file upload permissions to 777 or to disable PHP's fileinfo extension. These create server-level security problems that extend far beyond the immediate upload issue.

Uploading files via FTP as an alternative

For one-off cases where you need a specific file available on the server but don't need it in the media library, FTP is a pragmatic alternative. Connect via FTP and upload the file directly to /wp-content/uploads/ or a custom directory. The file won't appear in the media library, but you can reference it by its direct URL in your content. This sidesteps the media uploader restriction entirely for files that don't need media library management.

Checking which MIME types are blocked

To see exactly what file types WordPress currently allows on your installation, you can add a temporary line to functions.php and check the output:

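add_action( 'admin_notices', function() {
    // Temporary debug output: show it to administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<pre>';
    // Escape the dump so it is printed as text, not interpreted as HTML.
    echo esc_html( print_r( get_allowed_mime_types(), true ) );
    echo '</pre>';
});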

This prints the full list of allowed MIME types on every admin page. Remove it after checking: it's debug output, not something to leave in production.
