Secure File Uploads: Restricting File Types in WordPress Forms
File uploads are powerful but dangerous. Every uploaded file is a potential security risk—malicious scripts, malware, or exploits disguised as innocent documents. Restricting file types is your first line of defense against upload-based attacks.
In this guide, you’ll learn how to secure your WordPress form file uploads by allowing only safe, necessary file types.
Why File Type Restrictions Matter
Security Threats
Unrestricted uploads invite attacks:
- Executable files: .exe, .bat, .sh can run malicious code
- PHP files: Can execute server-side scripts
- JavaScript: Can run in browsers, steal data
- Web shells: Give attackers server access
- Malware: Viruses hidden in files
Real Attack Scenarios
Scenario 1: PHP Web Shell
Attacker uploads malicious.php disguised as an image file. If the server executes it, they gain control of the server.
Scenario 2: Double Extension
Attacker uploads resume.pdf.exe. The user sees "PDF", downloads it, and runs an executable.
Scenario 3: Embedded Malware
Malware is hidden inside a seemingly normal document; when the document is opened, it infects the user's system.
The Principle
Allow only what you need. Block everything else.
Dangerous File Types to Block
Always Block These
| Extension | Type | Risk |
|---|---|---|
| .exe | Windows executable | Runs malicious programs |
| .php | PHP script | Server-side code execution |
| .js | JavaScript | Browser code execution |
| .bat, .cmd | Windows batch | Command execution |
| .sh | Shell script | Linux command execution |
| .phtml, .php5 | PHP variants | Server-side execution |
| .asp, .aspx | ASP scripts | Server-side execution |
| .jsp | Java Server Pages | Server-side execution |
| .cgi, .pl | Perl scripts | Server-side execution |
| .htaccess | Apache config | Server configuration changes |
| .dll | Dynamic library | Code injection |
| .scr | Screensaver | Actually executable |
| .msi | Installer | Installs software |
High-Risk File Types
| Extension | Risk Level | Consideration |
|---|---|---|
| .html, .htm | Medium | Can contain scripts |
| .svg | Medium | Can contain JavaScript |
| .xml | Medium | XXE vulnerabilities |
| .zip, .rar | Medium | May contain anything |
| .docm, .xlsm | Medium | Macro-enabled Office files |
Safe File Types to Allow
Images (Generally Safe)
| Extension | Type | Notes |
|---|---|---|
| .jpg, .jpeg | JPEG image | Most common photo format |
| .png | PNG image | Supports transparency |
| .gif | GIF image | Animated images |
| .webp | WebP image | Modern web format |
| .bmp | Bitmap | Uncompressed image |
Note: Avoid .svg unless necessary—it can contain scripts.
Documents (Generally Safe)
| Extension | Type | Notes |
|---|---|---|
| .pdf | PDF document | Most common document format |
| .doc, .docx | Word document | Avoid .docm (macros) |
| .txt | Plain text | Very safe |
| .rtf | Rich text | Generally safe |
Spreadsheets
| Extension | Type | Notes |
|---|---|---|
| .xls, .xlsx | Excel spreadsheet | Avoid .xlsm (macros) |
| .csv | Comma-separated values | Plain data, very safe |
Configuring File Type Restrictions
Here’s how to restrict file types with Auto Form Builder:
Step 1: Add File Upload Field
- Create or edit your form
- Add a File Upload field
- Click to open field settings
Step 2: Configure Allowed Types
By Category
Select only the categories you need:
- ☑️ Images – Enable for photos
- ☑️ Documents – Enable for PDFs, Word
- ☐ Spreadsheets – Only if needed
- ☐ Archives – Only if necessary
- ☐ Audio – Only if required
- ☐ Video – Only if required
Specific Extensions
For fine-grained control, specify exact extensions:
- Allow: .pdf, .jpg, .png
- Block everything else automatically
Step 3: Set Additional Security
File Size Limits
- Prevents massive file uploads
- Reduces DoS attack surface
- Set reasonable limits (5 MB, 10 MB)
File Count Limits
- Limit number of files per submission
- Prevents abuse
File Type Restrictions by Use Case
Job Application Form
Needed: Resume, cover letter
Allow:
- .doc, .docx
Block: Everything else
Max size: 5 MB
Support Ticket Form
Needed: Screenshots, logs
Allow:
- .jpg, .jpeg, .png, .gif
- .txt (for logs)
Block: Everything else
Max size: 10 MB
Photo Contest Form
Needed: High-quality images
Allow:
- .jpg, .jpeg, .png
Block: Everything else (including .gif, .webp if not wanted)
Max size: 15 MB
Document Submission Form
Needed: Various documents
Allow:
- .doc, .docx
- .xls, .xlsx
- .jpg, .png (for scanned docs)
Block: Everything else
Max size: 10 MB
General Contact Form
Needed: Optional attachments
Allow:
- .jpg, .png
- .doc, .docx
Block: Everything else
Max size: 5 MB
Additional Security Measures
1. Server-Side Validation
Client-side restrictions can be bypassed:
- Always validate on server too
- Check MIME type, not just extension
- Good form plugins do this automatically
2. MIME Type Checking
Verify file content matches extension:
- malicious.php renamed to malicious.jpg fails MIME check
- Prevents extension spoofing
3. File Content Scanning
For high-security applications:
- Scan uploads for malware
- Use security plugins
- Third-party scanning services
4. Secure Storage Location
Where files are stored matters:
- Outside web root when possible
- No direct URL access
- Access only through authenticated requests
5. Randomized File Names
Don’t keep original filenames:
- Prevents predictable URLs
- Harder to guess file locations
- Removes potentially dangerous names
6. File Permissions
Restrict what uploaded files can do:
- No execute permissions
- Read-only where possible
- Proper ownership settings
Common Attack Vectors & Prevention
Attack: Double Extension
Method: file.pdf.php
Prevention: Check final extension only, validate MIME type
Attack: Null Byte Injection
Method: file.php%00.jpg
Prevention: Sanitize filenames; modern PHP versions reject null bytes in file paths
Attack: Content-Type Spoofing
Method: Send PHP file with image/jpeg header
Prevention: Check actual file content, not just headers
Attack: Polyglot Files
Method: File valid as both image and script
Prevention: Re-process/re-save images, strip metadata
Attack: ZIP Bombs
Method: Tiny ZIP expands to huge size
Prevention: Size limits, careful archive handling
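The server-side validation and MIME checks from sections 1 and 2, applied to the attack vectors listed above, as an added example that is not from the original post or from Auto Form Builder. It assumes a hypothetical validate_upload() function that receives the original filename and the server-side temp path from $_FILES.

```php
<?php
// Added illustration of the checks above; this is not Auto Form Builder's code.
// $tmp_path is the server-side temp file from $_FILES['field']['tmp_name'].

// Allowlist: FINAL extension => MIME types the file's bytes must actually report.
const ALLOWED_UPLOADS = [
    'pdf'  => ['application/pdf'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'txt'  => ['text/plain'],
];

// Returns null when the upload is acceptable, otherwise a user-facing message
// that names only what IS allowed, never which check failed.
function validate_upload(string $original_name, string $tmp_path, int $max_bytes = 10 * 1024 * 1024): ?string
{
    $error = 'File type not allowed. Please upload '
        . strtoupper(implode(', ', array_keys(ALLOWED_UPLOADS))) . ' files.';

    // Null bytes and other control characters never belong in a filename
    // (covers the file.php%00.jpg trick regardless of PHP version).
    if (preg_match('/[\x00-\x1f\x7f]/', $original_name)) {
        return $error;
    }

    // Only the FINAL extension counts: file.pdf.php ends in "php", resume.pdf.exe in "exe".
    // Lowercasing defeats the .PHP / .Php case variations.
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if ($ext === '' || !isset(ALLOWED_UPLOADS[$ext])) {
        return $error;
    }

    // Size is measured on the real temp file, never taken from client-supplied values.
    if (!is_file($tmp_path) || filesize($tmp_path) > $max_bytes) {
        return sprintf('File is too large. Maximum size is %d MB.', $max_bytes / (1024 * 1024));
    }

    // Sniff the content type from the bytes on disk. $_FILES['field']['type'] is just
    // the browser's Content-Type header and is trivially spoofed, so it is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if (!in_array($detected, ALLOWED_UPLOADS[$ext], true)) {
        return $error; // malicious.php renamed to malicious.jpg fails here
    }
    return null;
}
```

Store the accepted file under a random name (for example bin2hex(random_bytes(16)) plus the vetted extension) rather than the user's original filename.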
WordPress-Specific Security
WordPress Allowed MIME Types
WordPress has built-in allowed file types:
- Defined in wp-includes/functions.php
- Can be filtered with upload_mimes hook
- Form plugins may have additional restrictions
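A concrete use of the upload_mimes hook, added here as an illustration rather than code from the post or from Auto Form Builder; the function name and the allowed extension set are assumptions.

```php
<?php
// Added example of WordPress's upload_mimes filter (illustration, not Auto Form Builder code).
// Drop it in a must-use plugin (wp-content/mu-plugins/) so it applies to every uploader.

// Final extensions this site actually needs. Everything else WordPress would normally
// accept (including the .docm/.xlsm/.pptm macro-enabled Office files) is dropped.
const SITE_ALLOWED_EXTENSIONS = ['pdf', 'jpg', 'jpeg', 'png', 'doc', 'docx'];

// $mimes is WordPress's default map of extension patterns ("jpg|jpeg|jpe") to MIME types.
// Returning a reduced map makes wp_check_filetype() reject anything not listed, so the
// allowlist applies in the Media Library and in form plugins that use wp_handle_upload().
function restrict_site_upload_mimes(array $mimes): array
{
    $kept = [];
    foreach ($mimes as $pattern => $type) {
        // A pattern like "jpg|jpeg|jpe" is kept only with the alternatives we allow,
        // and the MIME value stays WordPress's own rather than a hand-typed one.
        $exts = array_intersect(explode('|', $pattern), SITE_ALLOWED_EXTENSIONS);
        if ($exts) {
            $kept[implode('|', $exts)] = $type;
        }
    }
    return $kept;
}
add_filter('upload_mimes', 'restrict_site_upload_mimes');
```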
Upload Directory Security
Protect wp-content/uploads:
- Disable PHP execution in uploads folder
- Add .htaccess rules
- Monitor for suspicious files
.htaccess Protection
Add to uploads folder:

```apache
# Disable PHP execution for anything stored under uploads
# (Apache 2.2 syntax; on Apache 2.4 replace "Deny from all" with "Require all denied")
<FilesMatch "\.ph(p[3-7]?|tml)$">
Deny from all
</FilesMatch>
```
Testing Your File Restrictions
Test Valid Files
- Upload allowed file types
- Verify they upload successfully
- Confirm they’re accessible
Test Invalid Files
- Try uploading blocked extensions
- Verify rejection with clear error message
- Test renamed files (malicious.php → malicious.jpg)
Test Edge Cases
- Double extensions (.pdf.exe)
- Case variations (.PHP, .Php)
- Files at size limit
- Files over size limit
Error Messages for Users
Good Error Messages
- “File type not allowed. Please upload PDF, JPG, or PNG files.”
- “File is too large. Maximum size is 10 MB.”
- “Please upload an image file (JPG, PNG, or GIF).”
Bad Error Messages
- “Error” (too vague)
- “Invalid file” (doesn’t help user)
- “Security violation detected” (alarming)
Don’t Reveal Too Much
Error messages shouldn’t help attackers:
- Don’t list all blocked types
- Don’t explain security mechanisms
- Just say what IS allowed
Frequently Asked Questions
What file types should I allow?
Only what you actually need. For most forms: PDF for documents, JPG/PNG for images. Add other types only when specifically required.
Is PDF safe to allow?
Generally yes—PDFs can’t execute server-side code. They can contain embedded scripts that run on user devices, but this is lower risk than executable files.
Should I allow ZIP files?
Only if necessary. ZIP files can contain anything, including malicious files. If you allow them, don’t automatically extract, and scan contents before use.
Are SVG files safe?
No—SVG can contain JavaScript. Block SVG unless you have a specific need and sanitize them before use.
How do I block macro-enabled Office files?
Allow .doc/.docx/.xls/.xlsx but block .docm/.xlsm/.pptm (the “m” indicates macro-enabled).
What if users need to upload a blocked file type?
Have them ZIP the file (if you allow ZIP), or use alternative submission methods (email, cloud storage link). Don’t compromise security for convenience.
Summary
Securing file uploads with type restrictions:
- Allow only what you need – Block everything else by default
- Never allow executables – .exe, .php, .js are always blocked
- Stick to safe types – PDF, JPG, PNG, DOCX for most forms
- Validate server-side – Don’t rely on client-side only
- Check MIME types – Verify content matches extension
- Set size limits – Prevent large file abuse
- Test restrictions – Verify blocks work correctly
- Monitor uploads – Watch for suspicious activity
Conclusion
File upload security starts with restricting what types of files users can upload. By allowing only necessary, safe file types—and blocking everything else—you eliminate most upload-based attack vectors before they start.
Auto Form Builder makes file type restrictions simple with category-based and extension-based controls. Select what you need, and dangerous file types are automatically blocked.
Ready for secure file uploads? Download Auto Form Builder and configure safe, restricted file uploads for your forms.