Lord of the Files: Enhanced Upload Security


WordPress relies mostly on name-based validation when deciding whether or not to allow a particular file, leaving the door open for various kinds of attacks.

Lord of the Files adds content-based validation and sanitizing on top of this, making sure that files are what they say they are and safe for inclusion on your site.

The main features include:

  • Robust real filetype detection;
  • Full MIME alias mapping;
  • SVG sanitization (if SVG uploads have been whitelisted);
  • File upload debugger;
  • Fixes issues related to #40175 that have been present since WordPress 4.7.1;
  • Admin warnings if plugin contributors have changed since you last updated (#42255).
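
The difference between name-based and content-based validation, with MIME alias mapping, shown as an added example (not Lord of the Files' own code). The function names and the small extension and alias tables are hypothetical and constructed for illustration, and PHP's fileinfo extension is assumed to be available.

```php
<?php
// Added example: not the plugin's code. The tables below are small constructed
// samples, not the plugin's MIME database.
const EXT_TO_MIME = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'zip' => 'application/zip'];

// Alternate names that different tools report for the same format.
const MIME_ALIASES = [
    'image/pjpeg'                  => 'image/jpeg',
    'application/x-zip-compressed' => 'application/zip',
    'application/x-zip'            => 'application/zip',
];

// Name-based check: trusts whatever extension the client supplied.
function name_based_ok(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset(EXT_TO_MIME[$ext]);
}

// Content-based check: the type sniffed from the bytes must match the extension.
function content_based_ok(string $filename, string $bytes): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(EXT_TO_MIME[$ext])) {
        return false;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($detected === false) {
        return false;
    }
    $mime = strtolower($detected);
    // Fold aliases to one canonical name before comparing.
    return (MIME_ALIASES[$mime] ?? $mime) === EXT_TO_MIME[$ext];
}

// Constructed samples: plain text renamed to .jpg, and a minimal PNG header.
$mislabelled = "This is plain text, not a JPEG.\n";
$png = "\x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0dIHDR" . str_repeat("\x00", 13);

var_dump(name_based_ok('photo.jpg'));                  // extension alone passes
var_dump(content_based_ok('photo.jpg', $mislabelled)); // contents disagree with the name
var_dump(content_based_ok('image.png', $png));         // contents agree with the name
```
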


  • WordPress 4.7.1 or later.
  • PHP 7.2 or later.
  • DOMDocument extension is optional, but will improve SVG sanitizing.

Please note: it is not safe to run WordPress atop a version of PHP that has reached its End of Life. Future releases of this plugin might, out of necessity, drop support for old, unmaintained versions of PHP. To ensure you continue to receive plugin updates, bug fixes, and new features, just make sure PHP is kept up-to-date. 🙂

Privacy Policy

This plugin does not make use of or collect any “Personal Data”.


  • Results from the File Validation Debug tool, available to administrators under the Tools menu.
  • The Updates and Plugins screens display a warning if a local copy of a plugin has different contributors listed than an available update.


Nothing fancy! You can use the built-in installer on the Plugins page or extract and upload the blob-mimes folder to your plugins directory via FTP.

To install this plugin as Must-Use, download, extract, and upload the blob-mimes folder to your mu-plugins directory via FTP. Please note: MU Plugins are removed from the usual update-checking process, so you will need to handle future updates manually.


Does this require any theme or config changes?

Nope! The main magic is all automatic.

There are, however, plenty of under-the-hood goodies developers can hook into to modify the default behaviors. Visit the GitHub page for more detailed reference.

This has mostly helped but I am still having trouble with one file…

While this plugin extends MIME alias handling more than 20-fold, we are still busy tracking down unusual edge cases. Please go to Tools > Debug File Validation and post that output in a new support ticket for this plugin.

Does this plugin enable SVG support?

No. This plugin does not modify your site’s upload whitelist (see e.g. upload_mimes for that). However, if SVGs have been enabled for your site, this will sanitize them at the upload stage to make sure they do not contain any dangerous exploits.

There are a number of SVG-related filters that can be used to modify the sanitization behavior. Check out the GitHub documentation for more information.


September 5, 2019
This plugin made the wpmu file upload list work to allow correctly svg and other types. Thank you!
November 6, 2017
I dealt with upload issues and Josh (along with his creation - the LoTF plugin) helped me to solve them.
August 22, 2017
Thanks, this helped me out!

Contributors & Developers

“Lord of the Files: Enhanced Upload Security” is open source software. The following people have contributed to this plugin.




  • [Misc] Improved handling of MS Office file formats.
  • [Misc] Update MIME database.


  • [Misc] Update MIME database.


  • [Misc] Improved handling of XML and JSON file formats.
  • [Misc] Correctly identify MXL files.


  • [Misc] Update MIME database.


  • [Misc] Update MIME database.