Secure File Uploads: Restricting File Types in WordPress Forms

File uploads are powerful but dangerous. Every uploaded file is a potential security risk—malicious scripts, malware, or exploits disguised as innocent documents. Restricting file types is your first line of defense against upload-based attacks.

In this guide, you’ll learn how to secure your WordPress form file uploads by allowing only safe, necessary file types.

Why File Type Restrictions Matter

Security Threats

Unrestricted uploads invite attacks:

  • Executable files: .exe, .bat, .sh can run malicious code
  • PHP files: Can execute server-side scripts
  • JavaScript: Can run in browsers, steal data
  • Web shells: Give attackers server access
  • Malware: Viruses hidden in files

Real Attack Scenarios

Scenario 1: PHP Web Shell

An attacker uploads a web shell (malicious.php) under an innocuous name such as image.php. If the server executes it, they gain control of the server.

Scenario 2: Double Extension

An attacker uploads resume.pdf.exe. A user sees "PDF", downloads the file and runs the executable.

Scenario 3: Embedded Malware

Malware hidden inside a seemingly normal document infects the system of whoever opens it.

The Principle

Allow only what you need. Block everything else.

Dangerous File Types to Block

Always Block These

| Extension | Type | Risk |
| --- | --- | --- |
| .exe | Windows executable | Runs malicious programs |
| .php | PHP script | Server-side code execution |
| .js | JavaScript | Browser code execution |
| .bat, .cmd | Windows batch | Command execution |
| .sh | Shell script | Linux command execution |
| .phtml, .php5 | PHP variants | Server-side execution |
| .asp, .aspx | ASP scripts | Server-side execution |
| .jsp | Java Server Pages | Server-side execution |
| .cgi, .pl | Perl scripts | Server-side execution |
| .htaccess | Apache config | Server configuration changes |
| .dll | Dynamic library | Code injection |
| .scr | Screensaver | Actually executable |
| .msi | Installer | Installs software |

High-Risk File Types

| Extension | Risk Level | Consideration |
| --- | --- | --- |
| .html, .htm | Medium | Can contain scripts |
| .svg | Medium | Can contain JavaScript |
| .xml | Medium | XXE vulnerabilities |
| .zip, .rar | Medium | May contain anything |
| .docm, .xlsm | Medium | Macro-enabled Office files |

Safe File Types to Allow

Images (Generally Safe)

| Extension | Type | Notes |
| --- | --- | --- |
| .jpg, .jpeg | JPEG image | Most common photo format |
| .png | PNG image | Supports transparency |
| .gif | GIF image | Animated images |
| .webp | WebP image | Modern web format |
| .bmp | Bitmap | Uncompressed image |

Note: Avoid .svg unless necessary—it can contain scripts.

Documents (Generally Safe)

| Extension | Type | Notes |
| --- | --- | --- |
| .pdf | PDF document | Most common document format |
| .doc, .docx | Word document | Avoid .docm (macros) |
| .txt | Plain text | Very safe |
| .rtf | Rich text | Generally safe |

Spreadsheets

| Extension | Type | Notes |
| --- | --- | --- |
| .xls, .xlsx | Excel spreadsheet | Avoid .xlsm (macros) |
| .csv | Comma-separated values | Plain data, very safe |

Configuring File Type Restrictions

Here’s how to restrict file types with Auto Form Builder:

Step 1: Add File Upload Field

  1. Create or edit your form
  2. Add a File Upload field
  3. Click to open field settings

Step 2: Configure Allowed Types

By Category

Select only the categories you need:

  • ☑️ Images – Enable for photos
  • ☑️ Documents – Enable for PDFs, Word
  • Spreadsheets – Only if needed
  • Archives – Only if necessary
  • Audio – Only if required
  • Video – Only if required

Specific Extensions

For fine-grained control, specify exact extensions:

  • Allow: .pdf, .jpg, .png
  • Block everything else automatically

Step 3: Set Additional Security

File Size Limits

  • Prevents massive file uploads
  • Reduces DoS attack surface
  • Set reasonable limits (5MB, 10MB)

File Count Limits

  • Limit number of files per submission
  • Prevents abuse

File Type Restrictions by Use Case

Job Application Form

Needed: Resume, cover letter

Allow:

  • .pdf
  • .doc, .docx

Block: Everything else

Max size: 5 MB

Support Ticket Form

Needed: Screenshots, logs

Allow:

  • .jpg, .jpeg, .png, .gif
  • .pdf
  • .txt (for logs)

Block: Everything else

Max size: 10 MB

Photo Contest Form

Needed: High-quality images

Allow:

  • .jpg, .jpeg, .png

Block: Everything else (including .gif, .webp if not wanted)

Max size: 15 MB

Document Submission Form

Needed: Various documents

Allow:

  • .pdf
  • .doc, .docx
  • .xls, .xlsx
  • .jpg, .png (for scanned docs)

Block: Everything else

Max size: 10 MB

General Contact Form

Needed: Optional attachments

Allow:

  • .pdf
  • .jpg, .png
  • .doc, .docx

Block: Everything else

Max size: 5 MB

Additional Security Measures

1. Server-Side Validation

Client-side restrictions can be bypassed:

  • Always validate on server too
  • Check MIME type, not just extension
  • Good form plugins do this automatically

2. MIME Type Checking

Verify file content matches extension:

  • malicious.php renamed to malicious.jpg fails MIME check
  • Prevents extension spoofing

3. File Content Scanning

For high-security applications:

  • Scan uploads for malware
  • Use security plugins
  • Third-party scanning services

4. Secure Storage Location

Where files are stored matters:

  • Outside web root when possible
  • No direct URL access
  • Access only through authenticated requests

5. Randomized File Names

Don’t keep original filenames:

  • Prevents predictable URLs
  • Harder to guess file locations
  • Removes potentially dangerous names

6. File Permissions

Restrict what uploaded files can do:

  • No execute permissions
  • Read-only where possible
  • Proper ownership settings

Common Attack Vectors & Prevention

Attack: Double Extension

Method: file.pdf.php

Prevention: Check final extension only, validate MIME type

Attack: Null Byte Injection

Method: file.php%00.jpg

Prevention: Sanitize filenames; modern PHP versions reject file paths that contain a null byte

Attack: Content-Type Spoofing

Method: Send PHP file with image/jpeg header

Prevention: Check actual file content, not just headers

Attack: Polyglot Files

Method: File valid as both image and script

Prevention: Re-process/re-save images, strip metadata

Attack: ZIP Bombs

Method: Tiny ZIP expands to huge size

Prevention: Size limits, careful archive handling
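The server-side validation and MIME type checking from Additional Security Measures, applied to the double-extension, null-byte and Content-Type spoofing cases just listed; this is an added example, not Auto Form Builder's code, and the allowlist, the 10 MB limit and the function name are assumptions:

```php
<?php
// Added example, not Auto Form Builder's code: server-side validation of one
// uploaded file. The decision rests on the FINAL extension and on the bytes
// on disk, never on the client-supplied name or Content-Type header alone.

// Allowlist (assumed): final extension => MIME type the content must really have.
const ALLOWED_TYPES = [
    'pdf'  => 'application/pdf',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];
const MAX_BYTES = 10 * 1024 * 1024; // 10 MB, as in the support-ticket example above

/**
 * $tmp_path = $_FILES['upload']['tmp_name'], $client_name = $_FILES['upload']['name'].
 * Returns ['ok' => true, 'ext' => ...] or ['ok' => false, 'reason' => ...].
 */
function validate_upload(string $tmp_path, string $client_name): array {
    // Reject control characters first, including the null byte behind
    // "file.php%00.jpg"; then drop any directory part (Windows or Unix style).
    if ($client_name === '' || preg_match('/[\x00-\x1f\x7f]/', $client_name)) {
        return ['ok' => false, 'reason' => 'invalid filename'];
    }
    $name = basename(str_replace('\\', '/', $client_name));
    // Only the LAST extension counts, compared case-insensitively, so
    // "file.pdf.PHP" and "resume.pdf.exe" are judged as .php and .exe.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !isset(ALLOWED_TYPES[$ext])) {
        return ['ok' => false, 'reason' => 'file type not allowed'];
    }
    // Make sure we are looking at the file PHP received in this request.
    if (!is_uploaded_file($tmp_path)) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    if (filesize($tmp_path) > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'file is too large'];
    }
    // Sniff the real type from the content (magic numbers). A PHP script
    // renamed to .jpg, or sent with a forged image/jpeg Content-Type, is
    // reported as text/x-php here and fails the comparison.
    $finfo  = finfo_open(FILEINFO_MIME_TYPE);
    $actual = finfo_file($finfo, $tmp_path);
    finfo_close($finfo);
    if ($actual !== ALLOWED_TYPES[$ext]) {
        return ['ok' => false, 'reason' => 'file content does not match extension'];
    }
    return ['ok' => true, 'ext' => $ext];
}
```

Run it before moving the file into storage; a polyglot that is a valid image still passes this check, which is why re-saving images is listed separately above.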

WordPress-Specific Security

WordPress Allowed MIME Types

WordPress has built-in allowed file types:

  • Defined in wp-includes/functions.php
  • Can be filtered with upload_mimes hook
  • Form plugins may have additional restrictions
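A WordPress mu-plugin that combines the upload_mimes filter just mentioned with the randomized file names from measure 5 above; this is an added example, not Auto Form Builder's code. It assumes the site only needs PDF, JPG and PNG and that the form plugin hands files to wp_handle_upload(); a plugin with its own upload path will not pass through these filters, and the narrowed allowlist applies to every upload on the site, including the admin Media Library.

```php
<?php
/**
 * Plugin Name: Restrict upload types (added example, not Auto Form Builder's code)
 * Save as wp-content/mu-plugins/restrict-upload-types.php.
 */

// 1. Replace WordPress's built-in allowlist with only the types this site
//    needs. Everything else is rejected by wp_check_filetype_and_ext(), which
//    wp_handle_upload() runs for every file. Assumption: PDF, JPG, PNG only.
add_filter('upload_mimes', function (array $mimes): array {
    return [
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    ];
});

// 2. Before the file is moved into wp-content/uploads, re-verify it and
//    discard the client-supplied name in favour of a random one.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    // Checks the final extension against the allowlist and sniffs the
    // content; 'ext' and 'type' come back false when either check fails.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type'])) {
        // A non-empty 'error' makes WordPress abort the upload with this
        // message, which names what IS allowed without describing the mechanism.
        $file['error'] = 'File type not allowed. Please upload PDF, JPG, or PNG files.';
        return $file;
    }
    // Unguessable name plus the verified extension: "resume.pdf.exe" cannot
    // survive, and the stored URL cannot be predicted from the original name.
    $file['name'] = wp_generate_password(24, false) . '.' . strtolower($check['ext']);
    return $file;
});
```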

Upload Directory Security

Protect wp-content/uploads:

  • Disable PHP execution in uploads folder
  • Add .htaccess rules
  • Monitor for suspicious files

.htaccess Protection

Add this to wp-content/uploads/.htaccess. It takes effect only on Apache with AllowOverride enabled for that directory (nginx needs the equivalent rule in its server configuration), and it blocks web requests to PHP files rather than switching off the PHP engine:

# Block requests to PHP files in this directory (Apache 2.4 syntax;
# on Apache 2.2 use "Deny from all" instead). (?i) makes the match
# case-insensitive, so shell.PHP is caught as well as shell.php.
<FilesMatch "(?i)\.(php[3-7]?|phtml|phar)$">
    Require all denied
</FilesMatch>

Testing Your File Restrictions

Test Valid Files

  1. Upload allowed file types
  2. Verify they upload successfully
  3. Confirm they’re accessible

Test Invalid Files

  1. Try uploading blocked extensions
  2. Verify rejection with clear error message
  3. Test renamed files (malicious.php → malicious.jpg)

Test Edge Cases

  • Double extensions (.pdf.exe)
  • Case variations (.PHP, .Php)
  • Files at size limit
  • Files over size limit

Error Messages for Users

Good Error Messages

  • “File type not allowed. Please upload PDF, JPG, or PNG files.”
  • “File is too large. Maximum size is 10 MB.”
  • “Please upload an image file (JPG, PNG, or GIF).”

Bad Error Messages

  • “Error” (too vague)
  • “Invalid file” (doesn’t help user)
  • “Security violation detected” (alarming)

Don’t Reveal Too Much

Error messages shouldn’t help attackers:

  • Don’t list all blocked types
  • Don’t explain security mechanisms
  • Just say what IS allowed

Frequently Asked Questions

What file types should I allow?

Only what you actually need. For most forms: PDF for documents, JPG/PNG for images. Add other types only when specifically required.

Is PDF safe to allow?

Generally yes—PDFs can’t execute server-side code. They can contain embedded scripts that run on user devices, but this is lower risk than executable files.

Should I allow ZIP files?

Only if necessary. ZIP files can contain anything, including malicious files. If you allow them, don’t automatically extract, and scan contents before use.
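Archive handling for the ZIP bomb entry above and for this answer: an added example, not Auto Form Builder's code, that inspects a ZIP's headers without extracting anything; the entry, size and ratio limits and the blocked-extension list are assumptions.

```php
<?php
// Added example, not Auto Form Builder's code: inspect a ZIP's central directory
// before anything extracts it. Nothing is decompressed; declared sizes, names and
// extensions are enough to refuse obvious bombs, path traversal and blocked types.

const ZIP_MAX_ENTRIES     = 200;                // limits below are assumptions
const ZIP_MAX_TOTAL_BYTES = 100 * 1024 * 1024;  // 100 MB once expanded
const ZIP_MAX_RATIO       = 100;                // expanded / compressed
// Same final-extension rule as for direct uploads; nested archives are refused
// as well because this check does not recurse into them.
const ZIP_BLOCKED_EXT = ['php', 'phtml', 'php5', 'phar', 'exe', 'js', 'sh',
                         'bat', 'cmd', 'htaccess', 'zip', 'rar'];

/** Returns null when the archive looks acceptable, otherwise the reason. */
function inspect_zip(string $path): ?string {
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::RDONLY) !== true) {
        return 'not a readable ZIP archive';
    }
    $reason = null;
    $expanded = $packed = 0;
    if ($zip->numFiles > ZIP_MAX_ENTRIES) {
        $reason = 'too many entries';
    }
    for ($i = 0; $reason === null && $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) { $reason = 'corrupt entry'; break; }
        $name = $st['name'];
        // Zip-slip: absolute paths or ".." segments escape the target directory.
        if (preg_match('#^([a-zA-Z]:)?[/\\\\]|(^|[/\\\\])\.\.([/\\\\]|$)#', $name)) {
            $reason = 'unsafe entry path: ' . $name; break;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (in_array($ext, ZIP_BLOCKED_EXT, true)) {
            $reason = 'blocked file type inside archive: ' . $name; break;
        }
        $expanded += $st['size'];      // declared uncompressed size
        $packed   += $st['comp_size']; // stored (compressed) size
    }
    $zip->close();
    if ($reason !== null) { return $reason; }
    // Sizes are self-declared, so extraction still needs a disk quota; this only
    // refuses archives that announce themselves as bombs up front.
    if ($expanded > ZIP_MAX_TOTAL_BYTES) { return 'expanded size too large'; }
    if ($packed > 0 && $expanded / $packed > ZIP_MAX_RATIO) {
        return 'compression ratio suspicious';
    }
    return null;
}
```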

Are SVG files safe?

No—SVG can contain JavaScript. Block SVG unless you have a specific need and sanitize them before use.

How do I block macro-enabled Office files?

Allow .doc/.docx/.xls/.xlsx but block .docm/.xlsm/.pptm (the “m” indicates macro-enabled).

What if users need to upload a blocked file type?

Have them ZIP the file (if you allow ZIP), or use alternative submission methods (email, cloud storage link). Don’t compromise security for convenience.

Summary

Securing file uploads with type restrictions:

  1. Allow only what you need – Block everything else by default
  2. Never allow executables – .exe, .php, .js are always blocked
  3. Stick to safe types – PDF, JPG, PNG, DOCX for most forms
  4. Validate server-side – Don’t rely on client-side only
  5. Check MIME types – Verify content matches extension
  6. Set size limits – Prevent large file abuse
  7. Test restrictions – Verify blocks work correctly
  8. Monitor uploads – Watch for suspicious activity

Conclusion

File upload security starts with restricting what types of files users can upload. By allowing only necessary, safe file types—and blocking everything else—you eliminate most upload-based attack vectors before they start.

Auto Form Builder makes file type restrictions simple with category-based and extension-based controls. Select what you need, and dangerous file types are automatically blocked.

Ready for secure file uploads? Download Auto Form Builder and configure safe, restricted file uploads for your forms.
