Learn how to lock down WordPress file uploads, limit dangerous file types, and safely handle media so your site stays secure without breaking everyday workflows.
Why WordPress File Upload Settings Matter for Security
Any place where users or admins can upload files is a potential doorway for malware, phishing pages, or data leaks. In WordPress, that includes the Media Library, form uploads, and eCommerce product files.
By default, WordPress restricts some file types, but it does not fully protect you from risky uploads, oversized files, or misconfigured servers. Hardening your upload settings is a key part of ongoing security maintenance, alongside backups, updates, and strong logins.
Key Principles for Safer File Uploads
- Least privilege: Only allow uploads for the roles and file types that truly need them.
- Validation in multiple layers: WordPress, plugins, and the web server should all enforce limits.
- Segregation: Keep executable code out of upload directories whenever possible.
- Monitoring: Regularly review what has been uploaded and remove anything unnecessary.
Step 1 – Review Who Can Upload Files in WordPress
By default, WordPress allows Authors and above to upload files. Custom roles or plugins may grant upload rights more broadly. Before changing technical settings, confirm that only trusted roles can upload.
How to Check Upload Capabilities
- Log in to your WordPress Dashboard as an Administrator.
- Go to Users ? All Users and review which roles your team members have.
- If you use a role editor plugin, open its settings and verify which roles have the
upload_filescapability.
Best practice: Limit file uploads to trusted roles (e.g., Editor, Author) and avoid giving upload permissions to Subscriber-level users unless absolutely necessary. WordPress core defines capabilities like upload_files and manage_options for this purpose. Source
Step 2 – Understand WordPress Allowed File Types
WordPress uses a list of allowed MIME types to decide which files can be uploaded through the Media Library and other core interfaces. Common safe types include JPEG, PNG, GIF, PDF, and some document formats.
By default, potentially dangerous file types like PHP or executable binaries are blocked. You should avoid re-enabling them unless you have a very specific, well-controlled need.
Where File Type Checks Happen
- WordPress core: Validates file extensions and MIME types during upload.
- PHP: Enforces maximum upload size and post size limits.
- Web server: Can block certain extensions or restrict execution in upload directories.
WordPress exposes filters like upload_mimes so developers can safely add or remove MIME types when needed. Source
Step 3 – Set Safe File Size Limits
Oversized uploads can cause performance issues, fill your hosting storage, or trigger timeouts. You should align WordPress, PHP, and server limits so they are consistent and reasonable for your use case.
Check Current Limits in WordPress
- Go to Dashboard ? Media ? Add New.
- Look for the text under the upload area that says “Maximum upload file size: X MB”.
If you see a very large value (for example, hundreds of megabytes), consider lowering it.
Adjust PHP Upload Limits (Hosting-Level)
Exact steps vary by host, but you typically adjust these PHP directives:
upload_max_filesize– maximum size of a single uploaded file.post_max_size– maximum size of the entire request (should be ?upload_max_filesize).max_file_uploads– maximum number of files per request.
These can be set in php.ini, .htaccess, or a hosting control panel. PHP’s documentation explains how these directives control file uploads and memory usage. Source
Practical guideline: For most brochure or small business sites, a limit between 8–32 MB per file is plenty. For sites that regularly upload large PDFs or videos, set a higher limit but encourage video hosting platforms for very large media.
Step 4 – Restrict Executable Files in Upload Directories
Even if WordPress blocks PHP uploads, misconfigurations or vulnerable plugins can sometimes allow executable files into your uploads directory. You should configure the web server so that code in wp-content/uploads cannot run.
Using .htaccess on Apache
If your site runs on Apache and allows .htaccess overrides, you can add rules in wp-content/uploads/.htaccess such as:
<FilesMatch "\.(php|php[0-9]|phtml)$">
Deny from all
</FilesMatch>
This tells Apache to deny access to PHP files in that directory. You can also use Options -ExecCGI or similar directives to prevent script execution. Apache’s core documentation describes how FilesMatch and access control directives work. Source
Note: If you are not comfortable editing server configuration, ask your host’s support to confirm that PHP execution is disabled in wp-content/uploads.
Step 5 – Harden Upload Handling in Forms and Plugins
Many security incidents come from file uploads in contact forms, job application forms, or customer portals rather than the core Media Library. You should review each plugin that accepts uploads.
Checklist for Form and Upload Plugins
- Allow only the specific file types you truly need (e.g.,
.pdf,.jpg). - Set a maximum file size per upload field.
- Store uploads in a non-public or protected directory when possible.
- Disable direct access to uploaded files that may contain sensitive information (e.g., resumes with personal data).
- Ensure the plugin is actively maintained and updated.
From a secure design perspective, file upload features should validate both the content and the metadata of files, and never trust client-side checks alone. OWASP’s file upload security guidance emphasizes validating file type, size, and content on the server side. Source
Step 6 – Use HTTPS and Correct MIME Types for Safer Delivery
Once files are uploaded, they are delivered to visitors’ browsers. Using HTTPS and correct MIME types helps prevent certain classes of attacks and browser warnings.
Why MIME Types and HTTPS Matter
- Correct MIME types: Ensure files are served with accurate
Content-Typeheaders so browsers handle them safely and predictably. - HTTPS: Protects file downloads from tampering in transit and avoids mixed content issues when your pages are secure but assets are not.
Modern browsers rely heavily on MIME type sniffing and security checks; misconfigured types can lead to unexpected behavior or blocked downloads. The HTTP specification and MDN documentation explain how Content-Type headers influence browser behavior. Source
Step 7 – Regularly Review and Clean Up Uploaded Files
Even with strong upload rules, old or unused files can accumulate and increase your attack surface. Build file review into your maintenance routine.
Simple Review Process
- Go to Dashboard ? Media ? Library.
- Switch to List View for easier scanning.
- Sort by Date and review older uploads.
- Delete files that are clearly unused or test content, after confirming they are not embedded on key pages.
For larger sites, consider a media management plugin that can show where each file is used. Always ensure you have a recent backup before bulk deletions.
What You Should See After Hardening Upload Settings
- When you upload a file in Media ? Add New, oversized or disallowed file types are rejected with a clear error message.
- Only trusted user roles (such as Editors and Authors) can upload files; Subscribers cannot access the Media Library.
- Form upload fields accept only the specific file types and sizes you configured.
- Security scans or hosting support confirm that PHP execution is disabled in
wp-content/uploads. - Your site continues to function normally in Elementor and the front-end, with images and documents loading as expected.
Ongoing Maintenance Tips
- Re-check upload limits and allowed file types after major plugin or hosting changes.
- Include file upload checks in your regular WordPress security review.
- Train your team to avoid uploading unnecessary files or executable content.
- Keep WordPress core, themes, and plugins updated so known upload-related vulnerabilities are patched promptly.
By tightening file upload settings and reviewing them periodically, you significantly reduce one of the most common attack paths against WordPress sites while keeping day-to-day content editing smooth for your team.
