WordPress File Upload


With this plugin you or other users can upload files to your site from any page, post or sidebar easily and securely.

Simply put the shortcode [wordpress_file_upload] to the contents of any WordPress page / post or add the plugin’s widget in any sidebar and you will be able to upload files to any directory inside wp-contents of your WordPress site.

You can add custom fields to submit additional data together with the uploaded file.

You can use it to capture screenshots or video from your webcam and upload it to the website (for browsers that support this feature).

You can even use it as a simple contact (or any other type of) form to submit data without including a file.

The plugin displays the list of uploaded files in a separate top-level menu in Dashboard and includes a file browser to access and manage the uploaded files (only for admins currently).

Several filters and actions before and after file upload enable extension of its capabilities.

The characteristics of the plugin are:

  • It uses the latest HTML5 technology, however it will also work with old browsers and mobile phones.
  • It provides a nice upload form using Material UI React components.
  • It is compliant with the General Data Protection Regulation (GDPR) of the European Union.
  • It can be added in posts, pages or sidebars (as a widget).
  • It can capture and upload screenshots or video from the device’s camera.
  • It supports additional form fields (like checkboxes, text fields, email fields, dropdown lists etc).
  • It can be used as a simple contact form to submit data (a selection of file can be optional).
  • It produces notification messages and e-mails.
  • It supports selection of destination folder from a list of subfolders.
  • Upload progress can be monitored with a progress bar.
  • Upload process can be cancelled at any time.
  • It supports redirection to another url after successful upload.
  • There can be more than one instances of the shortcode in the same page or post.
  • Uploaded files can be added to Media or be attached to the current page.
  • Uploaded files can be saved to an FTP location (ftp and sftp protocols supported).
  • It is highly customizable with many (more than 50) options.
  • It supports filters and actions before and after file upload.
  • It contains a visual editor for customizing the plugin easily without any knowledge of shortcodes or programming
  • It supports logging of upload events or management of files, which can be viewed by admins through the Dashboard.
  • It includes an Uploaded Files top-level menu item in the Dashboard, from where admins can view the uploaded files.
  • It includes a file browser in the Dashboard, from where admins can manage the files.
  • It supports multilingual characters and localization.

The plugin is translated in the following languages:

  • Portuguese, kindly provided by Rui Alao
  • German
  • French, kindly provided by Thomas Bastide of http://www.omicronn.fr/ and improved by other contributors
  • Serbian, kindly provided by Andrijana Nikolic of http://webhostinggeeks.com/
  • Dutch, kindly provided by Ruben Heynderycx
  • Chinese, kindly provided by Yingjun Li
  • Spanish, kindly provided by Marton
  • Italian, kindly provided by Enrico Marcolini https://www.marcuz.it/
  • Polish
  • Swedish, kindly provided by Leif Persson
  • Persian, kindly provided by Shahriyar Modami http://chabokgroup.com
  • Greek

Please note that old desktop browsers or mobile browsers may not support all of the above functionalities. In order to get full functionality use the latest versions browsers, supporting HTML5, AJAX and CSS3.

For additional features, such as multiple file upload, very large file upload, drag and drop of files, captcha, detailed upload progress bars, list of uploaded files, image gallery and custom css please consider WordPress File Upload Professional.

Please visit the Other Notes section for customization options of this plugin.

Plugin Customization Options

Please visit the support page of the plugin for detailed description of customization options.


The plugin requires to have Javascript enabled in your browser. For Internet Explorer you also need to have Active-X enabled.
Please note that old desktop browsers or mobile browsers may not support all of the plugin’s features. In order to get full functionality use the latest versions of browsers, supporting HTML5, AJAX and CSS3.

Fota wobrazowki

  • A screenshot of the plugin in its most simple form.
  • A screenshot of the plugin showing the progress bar.
  • A screenshot of the plugin showing the successful upload message.
  • A screenshot of the plugin with additional form fields.
  • A screenshot of the plugin with subfolder selection.
  • A screenshot of the plugin in a sidebar.
  • A screenshot of the shortcode composer.
  • A screenshot of the file browser.


  1. First install the plugin using WordPress auto-installer or download the .zip file from wordpress.org and install it from the Plugins section of your Dashboard or copy wordpress_file_upload directory inside wp-contents/plugins directory of your wordpress site.
  2. Activate the plugin from Plugins section of your Dashboard.
  3. In order to use the plugin simply go to the Dashboard / Settings / WordPress File Upload and follow the instructions in Plugin Instances or alternatively put the shortcode [wordpress_file_upload] in the contents of any page.
  4. Open the page on your browser and you will see the upload form.
  5. You can change the upload directory or any other settings easily by pressing the small edit button found at the left-top corner of the upload form. A new window (or tab) with pop up with plugin options. If you do not see the new window, adjust your browser settings to allow pop-up windows.
  6. Full documentation about the plugin options can be found at https://wordpress.org/plugins/wp-file-upload/other_notes/ or at http://www.iptanus.com/wordpress-plugins/wordpress-file-upload/ (including the Pro version)

A getting started guide can be found at http://www.iptanus.com/getting-started-with-wordpress-file-upload-plugin/


Will the plugin work in a mobile browser?

Yes, the plugins will work in most mobile phones (has been tested in iOS, Android and Symbian browsers as well as Opera Mobile)

Do I need to have Flash to use then plugin?

No, you do not need Flash to use the plugin.

I get a SAFE MODE restriction error when I try to upload a file. Is there an alternative?

Your domain has probably turned SAFE MODE ON and you have restrictions uploading and accessing files. WordPress File Upload includes an alternative way to upload files, using FTP access. Simply add the attribute accessmethod=“ftp“ inside the shortcode, together with FTP access information in ftpinfo attribute.

Can I see the progress of the upload?

Yes, you can see the progress of the upload. During uploading a progress bar will appear showing progress info, however this functionality functions only in browsers supporting HTML5 upload progress bar.

Can I upload many files at the same time?

Yes, but not in the free version. If you want to allow multiple file uploads, please consider the Professional version.

Where do files go after upload?

Files by default are uploaded inside wp-content directory of your WordPress website. To change it use attribute uploadpath.

Can I see and download the uploaded files?

Administrators can view all uploaded files together with associated field data from the plugin’s Settings in Dashboard. The Professional version of the plugin allows users to view their uploaded files, either from the Dashboard, or from a page or post.

Are there filters to restrict uploaded content?

Yes, you can control allowed file size and file extensions by using the appropriate attribute (see Other Notes section).

Are there any upload file size limitations?

Yes, there are file size limitations imposed by the web server or the host. If you want to upload very large files, please consider the Professional version of the plugin, which surpasses size limitations.

Who can upload files?

By default all users can upload files. You can define which user roles are allowed to upload files. Even guests can be allowed to upload files. If you want to allow only specific users to upload files, then please consider the Professional version of the plugin.

What security is used for uploading files?

The plugin is designed not to expose website sensitive information. It has been tested by experts and verified that protects against CSRF and XSS attacks. All parameters passing from server to client side are encoded and sanitized. For higher protection, like use of captcha, please consider the Professional version of the plugin.

What happens if connection is lost during a file upload?

In the free version the upload will fail. However in the Pro version the upload will resume and will continue until the file is fully uploaded. This is especially useful when uploading very large files.

The plugin does not look nice with my theme. What can I do?

There is an option in plugin’s settings in Dashboard to relax the CSS rules, so that buttons and text boxes inherit the theme’s styles. If additional styling is required, this can be done using CSS. The Professional version of the plugin allows CSS rules to be embed in the shortcode.


15. meje 2024
Thank you very much for your great work! well done! I have some issue with the plugin and It would be great if you help me with them as soon as possible. first of all, I use the plugin inside Gravity form and I want the uploaded link could be saved with the form entry! I’ve tried different ways but didn’t come with the result! finally I just added the %pathfile% in the comment below when file successfully uploaded as a way to see the uploaded link but I want this path be saved some where with the form. but the link will disappears when we move to next page or next file upload! secondly, in wordpress dashboard > uploaded files, it doesn’t show the file path with the domain name of ftp server but it shows the direct ftp address to the file which is not wanted! thirdly, It would be great if the plugin asks the domain name and replace it with the ftp file address at the beginning of each file link. lastly, it would be fantastic if the (uploaded files)’s links and names could be exported in an xlsx or csv file from wordpress dashboard > uploaded files.
7. nowembra 2023
The plugin is well-written and has a clean, logical interface. I am using it primarily for its webcam support, and it is working very well indeed. There is a currently a problem with uploading the resulting video to Dropbox or Google Drive; however, that is caused by another plugin that has a dependency on an outdated version of Guzzle (an HTTP client). Not only does the plugin work well, but Nickolas, the developer, delivers outstanding support. Highly recommended!
1. septembra 2023
Do exactly what it should ! Very useful with a lot of shortcodes.Support is fast and precise.Very good plug.
27. awgusta 2023
This plugin is absolutely perfect and has everything one might need, especially in the pro version (awesome features that aren’t in the free version are listed there). If I was making a more serious website than I am currently working on, I’d definitely buy the pro version.
17. nowembra 2022
I’m impressed how great this plugin is… There might be some bits glitching, from design perspective, but the overall how it works is just amazing… Good job to the author!!
Čitajće 115 pohódnoćenjow

Sobuskutkowarjo a wuwiwarjo

„WordPress File Upload“ je softwara wotewrjeneho žórła. Slědowacy ludźo su k tutomu tykačej přinošowali.


„WordPress File Upload“ je so do 6 rěčow přełožił. Dźakujemy so přełožowarjam za jich přinoški.

Přełožće „WordPress File Upload“ do swojeje rěče.

Na wuwiću zajimowany?

Přehladajće kod, hladajće do SVN-repozitorija abo abonujće wuwiwanski protokol přez RSS.

Protokol změnow


  • verified compatibility with WordPress version 6.5.5
  • escaped userdata values in File Browser, File Details page and View Log, in order to avoid XSS attacks
  • removed the ability to upload files outside /wp-content folder, in order to avoid directory traversal attacks
  • removed the ability to edit the shortcode for authors and contributors, in order to avoid CSRF attacks
  • stripped tags and escaped dir query param in File Browser in order to avoid reflected XSS attacks


  • verified compatibility with WordPress version 6.5.2
  • fixed bug in Date, Time and DateTime user fields that were not working when Material UI theme was active
  • added Country List user field that prompts the user to make a selection from a list of countries


  • sanitized uploadbutton attribute input in order to protect against Stored XSS attacks
  • fixed bug not showing RecaptchaV2 captcha in the upload form when MaterialUI theme was active


  • added external customizable templates folder /uploads/wfu_templates


  • verified compatibility with WordPress version 6.4.3
  • added upload form option webcamstartoff to start webcam deactivated


  • verified compatibility with WordPress version 6.4.2


  • corrected bug where the plugin was generating a fatal PHP error during activation if allow_url_fopen was 0
  • added debug log options in Maintenance Actions: activate/deactivate debug logging, download and reset debug log data


  • verified compatibility with WordPress version 6.4.1
  • added nonce to visual editor and switched WFU_SHORTCODECOMPOSER_NOADMIN to false to avoid CSRF attacks through save_shortcode AJAX action


  • verified compatibility with WordPress version 6.3.2


  • added response header information in wfu_get_request() and wfu_post_request() functions
  • fixed security issue that could allow users with admin access to perform XSS attacks through the redirect link attribute


  • verified compatibility with WordPress version 6.3.1


  • corrected compatibility issue with Divi Theme Builder


  • added Home Domain information in Main tab of Dashboard area of the plugin
  • corrected bug where and templates were not placed correctly inside the shadow DOM
  • added _wfu_file_upload_output_inner filter for customizing inner upload form HTML before it is processed by the templating system


  • updated vendor libraries


  • fixed bug in wfu_webcam_update_preview() function that was breaking upload form when uploadid was greater than 1


  • added webcamselfile attribute in upload form shortcode so that webcam can work in parallel with file selection
  • added webcamswitch attribute in upload form shortcode to enable/disable camera switch button in webcam
  • added WFU_WEBCAMSWITCHMODE advanced variable attribute that defines the camera switch mode, ‚side‘ for switching between front and rear cameras, ‚device‘ for switching between available video devices
  • added WFU_MEDIARECORDER_MIMETYPE advanced variable attribute that defines a specific MIME type for webcam MediaRecorder
  • added webcambg attribute that defines the background color of the webcam capture box
  • webcam video width and height changed so that they correspond to ideal resolution of the camera
  • webcam capture feature improved so that screenshots have the camera’s resolution
  • webcam playback of recorded video is now working on iOS devices
  • added extended support of webcam feature for mobile devices
  • several other code improvements in webcam feature
  • correction of bugs related to wfuca_update_option() function in alternative Iptanus server


  • fixed bug in wfu_exclude_notifications_from_comments() which crashes the website when Woocommerce is present


  • improved webcam operation on iOS devices
  • code modifications to hide WFU admin notifications from Comments Dashboard menu page


  • added Themes tab in upload form visual editor to select a theme
  • added MaterialUI theme in upload form
  • added upload form attributes to define basic colors and dark mode in Material UI theme
  • added color picker with transparency in plugin’s visual editor
  • fixed small bug with time indication in webcam feature of the upload form


  • added Notifications tab in Dashboard area of the plugin


  • codes improvements in plugin settings to protect against XSS attacks
  • code improvements in backend file browser to avoid directory traversal attacks
  • permanent fix for compatibility with block themes


  • updated vendor libraries to their latest version
  • added logging of start and end time in uploader metrics
  • added userdata in wfu_before_upload filter
  • fixed bugs when uploading in classic HTML forms mode


  • added compatibility with block themes
  • added shortcode attribute blockcompatibility for controlling block theme compatibility


  • fixed compatibility issues with PHP 8.1 or higher
  • changed uploadform logic so that CSS pseudoselectors for Select File button work


  • minor bug fixes


  • minor bug fixes


  • sanitized page title in all places where it is retrieved to avoid XSS attacks


  • improved sanitization and escaping of shortcode attributes to avoid XSS attacks
  • file type .svg moved to blacklist to avoid XSS attacks coming from scripts inside SVG files
  • added security check to forbid uploads inside wp-content/plugin directory
  • improved handling of videoname and imagename file uploader shortcode attributes to avoid directory traversal attacks
  • improved /lib and /extensions loader to avoid arbitrary code execution through injected image files
  • all wfu_blocks.php functions became redeclareable


  • minor bug fixes in Pro version


  • corrected $_SESSION variable problem in maintenance purge function


  • visual editor edit button misalignment fixed
  • corrected echo problem when recording from webcam with sound


  • COOKIEHASH bug corrected
  • credentials in FTP paths are stripped from the paths
  • corrected File Detais to File Details
  • regex „/(.)<\/style><script.?>(.)<\/script>(.)/s“ changed to „/(.)<\/style>.?<script.?>(.)<\/script>(.*)/s“ in functions.php
  • corrected notice: Undefined index: post in wfu_admin.php when the website has no posts


  • restored .po files in languages so that users can change translations


  • slight change in wfu_get_filtered_recs to handle cases where b.date_from is null
  • code improvements to increase loading speed of plugin’s file browser
  • added wfu_mime_content_type() function that uses several methods to get MIME type of a file


  • code improved so that upload message colors correctly adjust to shortcode color settings
  • slight modifications to upload message colors while upload is in progress
  • plugin cookie names adjusted in case COOKIEHASH does not exist
  • corrected bug of the new plugin updater causing a warning when there are plugins that do not have their own subdirectory
  • closing tags removed from all PHP files to avoid „Headers already sent“ errors
  • corrected bug where the uploads counter was showing to non-administrators
  • wfu_log_action and wfu_process_files functions became redeclarable
  • removed debug_log from wfu_process_files_queue
  • consent Yes/No question was added in translation
  • corrected locale of Greek translation


  • fix webcam play button bug
  • corrected issue with implode() function of minifier library appearing in websites having PHP > 7.4.2
  • wfu_admin.php modified to use wfu_ajaxurl() function


  • minor fixes of bugs and code improvements.


  • file checking of uploaded files hardened to better handle xss attacks coming through uploaded image files.


  • corrected security vulnerability where remote code could be executed using directory traversal method. Credits to p4w security expert for identifying the vulnerability.
  • improved user check algorithm during upload, related to upload parameters array
  • corrected bug where Restricted Page Loading was working only for pages, all other post types were loading the plugin files as if there was no restriction


  • corrected bug where files could not be downloaded in some server environments when dboption user state handler was enabled


  • corrected bug where files could not be downloaded from Dashboard / Uploaded Files page


  • corrected bug where export data file was not deleted after download
  • corrected bug in FTP credentials configurator about double backslash (\) issue
  • added cookies user state handler that has been integrated with dboption as ‚Cookies (DBOption)‘ to comply with WordPress directives not to use session
  • ‚Cookies (DBOption)‘ user state handler has been set as the default one
  • added advanced option WFU_US_DBOPTION_BASE so that dboption can also work with session
  • added advanced option WFU_US_SESSION_LEGACY to use the old session functionality of the plugin, having session_start() in header
  • added auto-adjustment of user state handler to ‚dboption‘ during activation (or update) of the plugin
  • bug „Error: [] cURL error 28“ in WordPress Site Health disappears when setting user state handler to ‚Cookies (DBOption)‘ or when WFU_US_SESSION_LEGACY advanced option is false
  • added the ability to run PHP processes in queue, which is necessary for correctly handling uploads when user state handler is dboption


  • added easier configuration of FTP Credentials (ftpinfo) attribute of the uploader shortcode


  • corrected bug in functions wfu_manage_mainmenu() and wfu_manage_mainmenu_editor() that were echoing and not returning the generated HTML
  • added fix for compatibility with Fast Velocity Minify plugin


  • code improved so that shortcode composer can be used by all users who can edit pages (and not only the admins)
  • added environment variable ‚Show Shortcode Composer to Non-Admins‘ to control whether non-admin users can edit the shortcodes
  • added filtering of get_users() function in order to handle websites with many users more efficiently
  • added notification in shortcode composer if user leaves page without saving
  • corrected bug where restricted frontend loading of the plugin was not working for websites installed in localhost due to wrong calculation of request uri


  • added the ability to move one or more files to another folder through the File Browser feature in Dashboard area of the plugin
  • improved responsiveness of shortcode composer and Main Dashboard page of the plugin
  • bug fix in wfu_revert_log_action


  • added wordpress_file_upload_preload_check() function in main plugin file to avoid conflicts of variable names with WordPress
  • updated webcam code to address createObjectURL Javascript error that prevents webcam feature to work in latest versions of browsers


  • code modified so that vendor libraries are loaded only when necessary
  • improved process of deleting all plugin options
  • added honeypot field to userdata fields; this is a security feature, in replacement of captchas, invisible to users that prevents bots from uploading files
  • added attribute ‚Consent Denial Rejects Upload‘ in uploader shortcode Personal Data tab to stop the upload if the consent answer is no, as well as ‚Reject Message‘ attribute to customize the upload rejection message shown to the user
  • added attribute ‚Do Not Remember Consent Answer‘ in uploader shortcode Personal Data tab to show the consent question every time (and not only the first time)
  • attribute ‚Preselected Answer‘ in uploader shortcode Personal Data tab modified to be compatible with either checkbox or radio Consent Format
  • upload result message adjusted to show the correct upload status in case that files were uploaded but were not saved due to Personal Data policy
  • code improved for sftp uploads to handle PECL ssh2 bug #73597


  • plugin code improved to support files containing single quote characters (‚) in their filename
  • corrected bug where plugin was deactivated after update


  • added Maintenance action ‚Purge All Data‘ that entirely erases the plugin from the website and deactivates it
  • added advanced option ‚Hide Invalid Uploaded Files‘ so that Uploaded Files page in Dashboard can show only valid uploads
  • added advanced option ‚Restrict Front-End Loading‘ to load the plugin only on specific pages or posts in order to reduce unnecessary workload on pages not containing the plugin
  • code improved for better operation of the plugin when the website works behind a proxy
  • added option in Clean Log to erase the files together with plugin data


  • code further improved to reduce „Iptanus Server unreachable…“ errors
  • checked Weglot Translate compatibility; /wp-admin/admin-ajax.php needs to be added to Exclusion URL list of Weglot configuration so that uploads can work
  • several significant additions in the Pro version, including Microsoft OneDrive integration


  • added item in Admin Bar that displays number of new uploads and redirects to Uploaded Files Dashboard page
  • code improved in Uploaded Files Dashboard page so that download action directly downloads the file, instead of redirecting to File Browser
  • added Advanced option ‚WFU_UPLOADEDFILES_COLUMNS‘ that controls the order and visibility of Uploaded Files Dashboard page columns
  • added Advanced option ‚WFU_UPLOADEDFILES_ACTIONS‘ that controls the order and visibility of Uploaded Files Dashboard page file actions
  • added several filters in Uploaded Files Dashboard page to make it more customizable
  • PHP function redeclaration system significantly improved to support arguments by reference, execution after the original function and redeclaration of variables
  • code improved to reduce „Iptanus Server unreachable…“ errors (better operation of verify_peer http context property)
  • added a link in Iptanus Unreachable Server error message to an Iptanus article describing how to resolve it


  • added Uploaded Files top-level Dashboard menu item, showing all the uploaded files and highlighting the new ones
  • added Portuguese translation from Rui Alao
  • checked and verified compatibility with Gutenberg
  • plugin initialization actions moved to plugins_loaded filter
  • fixed bug clearing userdata fields when Select File is pressed
  • File Browser and View Log tables modified to become more responsive especially for small screens


  • corrected consent_status warning when updating user profile and Personal Data is off
  • user fields code improved for better data autofill behaviour


  • added uploader shortcode attribute ‚resetmode‘ to control whether the upload form will be reset after an upload
  • added pagination in File Browser tab in Dashboard area of the plugin


  • corrected slash (/) parse Javascript error near ‚fakepath‘ appearring on some situations
  • added nonces in Maintenance Actions to increase security
  • improved code in View Log so that no links appear to invalid files
  • improved code in View Log so that when the admin opens a file link to view file details, ‚go back‘ button will lead back to the View Log page and not to File Browser
  • improved code in ‚Clean Log‘ button in Maintenance Actions in Dashboard area of the plugin, so that the admin can select the period of clean-up


  • code improved in wfu_js_decode_obj function for better compatibility with Safari browser
  • code improved to sanitize all shortcode attributes before uploader form or file viewer is rendered
  • removed external references to code.jquery.com and cdnjs.cloudflare.com for better compliance with GDPR


  • added basic compliance with GDPR
  • added several shortcode attributes to configure personal data consent appearance and behaviour
  • added area in User Profile from where users can review and change their consent status
  • added Personal Data option in Settings that enables personal data operations
  • added Personal Data tab in plugin’s area in Dashboard from where administrators can export and erase users‘ personal data
  • corrected bug not accepting subfolder dimensions when subfolder element was active


  • added alternative user state handler using DB Options table in order to overcome problems with session variables appearing on many web servers


  • all Settings sanitized correctly to prevent XSS attacks – credits to ManhNho for mentioning this problem


  • all shortcode attributes sanitized correctly to close a serious security hole – credits to ManhNho for mentioning this problem


  • fixed bug in wfu_before_upload and wfu_after_upload filters that was breaking JS scripts if they contained a closing bracket ‚]‘ symbol


  • added placeholder option in available label positions of additional fields; label will be the placeholder attribute of the field


  • fixed bug where ftp credentials did not work when username or password contained (:) or (@) symbols
  • RegExp fix for wfu_js_decode_obj function for improved compatibility with caching plugins
  • corrected WFU_Original_Template::get_instance() method because it always returned the original class
  • View Log page improved so that displayed additional user fields of an uploaded file are not cropped


  • changed logic of file sanitizer; dots in filename are by default converted to dashes, in order to avoid upload failures caused when the plugin detects double extensions
  • corrected bug where a Javascript error was generated when askforsubfolders was disabled and showtargetfolder was active
  • added css and js minifier in inline code
  • plugin modified so that the shortcodes render correctly either Javascript loads early (in header) or late (in footer)
  • plugin modified so that Media record is deleted when the associated uploaded file is deleted from plugin’s database
  • corrected bug where some plugin images were not loaded while Relax CSS option was inactive


  • changed logic of file sanitizer; dots in filename are by default converted to dashes, in order to avoid upload failures caused when the plugin detects double extensions
  • added advanced option WFU_SANITIZE_FILENAME_DOTS that determines whether file sanitizer will sanitize dots or not
  • timepicker script and style replaced by most recent version
  • timepicker script and style files removed from plugin and loaded from cdn
  • json2 script removed from plugin and loaded from WordPress registered script
  • JQuery UI style updated to latest 1.12.1 minified version
  • added wfu_before_admin_scripts filter before loading admin scripts and styles in order to control incompatibilities
  • removed getElementsByClassName-1.0.1.js file from plugin, getElementsByClassName function was replaced by DOM querySelectorAll
  • corrected bug showing warning „Notice: Undefined variable: page_hook_suffix…“ when a non-admin user opened Dashboard
  • corrected fatal error „func_get_args(): Can’t be used as a function parameter“ appearing in websites with PHP lower than 5.3
  • added _wfu_file_upload_hide_output filter that runs when plugin should not be shown (e.g. for users not inluded in uploadroles), in order to output custom HTML
  • corrected bug where email fields were always validated, even if validate option was not activated
  • corrected bug where number fields did not allow invalid characters, even if typehook option was not activated
  • corrected bug where email fields were not allowed to be ampty when validate option was activated
  • corrected error T_PAAMAYIM_NEKUDOTAYIM appearing when PHP version is lower than 5.3
  • corrected bug with random upload fails caused when params_index corresponds to more than one params


  • translation of the plugin in Persian, kindly provided by Shahriyar Modami http://chabokgroup.com
  • corrected bug where notification email was not sending atachments
  • corrected bug not cleaning log in Maintenance Actions


  • huge renovation of the plugin, the UI code has been rewritten to render based on templates
  • code modified so that it can correctly handle sites where content dir is explicitly defined
  • corrected bug in Dashboard file editor so that it can work when the website is installed in a subdirectory
  • corrected warnings showing when editing a file that was included in the plugin’s database
  • added filter in get_posts so that it does not cause problems when there are too many pages/posts
  • bug fixes so that forcefilename works better and does not strip spaces in the filename
  • code improved to protect from hackers trying to use the plugin as email spammer
  • added advanced variable Force Email Notifications so that email can be sent even if no file was uploaded
  • corrected bug not showing sanitized filanames correctly in email
  • corrected bug so that dates show-up in local time and not in UTC in Log Viewer, File Browser and File Editor
  • fixed bug showing „Warning: Missing argument 2 for wpdb::prepare()“ when cleaning up the log in Maintenance Actions
  • corrected bug where when configuring subfolders with visual editor the subfolder dialog showed unknown error
  • corrected bug where the Select File button was not locked during upload in case of classical HTML (no-ajax) uploads
  • added cancel button functionality for classic no-ajax uploads
  • added support for Secure FTP (sftp) using SSH2 library
  • successmessagecolor and waitmessagecolors attributes are hidden as they are no longer used


  • added the ability to submit the upload form without a file, just like a contact form
  • added attribute allownofile in uploader shortcode; if enabled then the upload form can be submitted without selection of a file
  • added wfu_before_data_submit and wfu_after_data_submit filters which are invoked when the upload form is submitted without a file
  • added advanced debug options for more comprehensive and deep troubleshooting
  • added internal filters for advanced hooking of ajax handlers
  • fixed several security problems
  • fixed bug that was generating an error when automatic subfolders were activated and the upload folder did not exist
  • corrected bug where single quote, double quote and backslash characters in user fields were not saved correctly (they were escaped)
  • fixed bug where any changes made to the user data (e.g. through a filter) were not included in the email message
  • added unique_id variable in wfu_before_file_check and wfu_after_file_upload filters
  • changed column titles in the tables of plugin instances in Main tab in Dashboard
  • fixed bug where if a user field was modified from the file editor, custom columns were changing order


  • an alternative Iptanus server is launched in Google Cloud for resolving the notorious error „file_get_contents(https://services2.iptanus.com/wp-admin/admin-ajax.php): failed to open stream: Connection timed out.“
  • added option ‚Use Alternative Iptanus Server‘ in Settings to switch to the alternative Iptanus Server
  • added advanced option ‚Alternative Iptanus Server‘ that points to an alternative Iptanus Server
  • added advanced option ‚Alternative Iptanus Version Server‘ that points to the alternative Iptanus Server URL returning the latest plugin version
  • an error is shown in the Main page of the plugin in Dashboard if Iptanus Server is unreachable
  • a warning is shown in the Main page of the plugin in Dashboard if an alternative insecure (http) Iptanus Server is used
  • alternative fix of error accessing https://services2.iptanus.com for cURL (by disabling CURLOPT_SSL_VERIFYHOST) and for sockets by employing a better parser of socket response
  • added Swedish translation, kindly provided by Leif Persson
  • improved ftp functionality so that ftp folders can be created recursively


  • added internal filter _wfu_file_upload_output before echoing uploader shortcode html
  • added ability to change the order of additional user fields in shortcode visual editor


  • added environment variable ‚Upload Progress Mode‘ that defines how upload progress is calculated
  • improved progress bar calculation
  • minor bug fixes in AJAX functions mentioned by Hanneke Hoogstrate http://www.blagoworks.nl/


  • added option to enable admin to change the upload user of a file
  • code improvements and bug fixes related to file download feature
  • code improvements related to clean database function
  • added Italian translation


  • added option to allow loading of plugin’s styles and scripts on the front-end only for specific posts/pages through wfu_before_frontpage_scripts filter
  • fixed bug where when uploading big files with identical filenames and ‚maintain both‘ option, not all would be saved separately
  • two advanced variables were added to let the admin change the export function separators


  • added environment variable to enable or disable version check, due to access problems of some users to Iptanus Services server
  • added timeout option to wfu_post_request function
  • added Spanish translation, kindly provided by Marton


  • temporary fix to address issue with plugin’s Main page in Dashboard not loading, by disabling plugin version check
  • correct Safari problem with extra spaces in success message coming from force_close_connection
  • correct bug where when extension has capital letters it is rejected


  • a big number of extensions have been blacklisted for preventing upload of potentially dangerous files
  • the plugin will not allow inclusion, renaming or downloading of files with blacklisted extensions based on the new list
  • if no upload extensions are defined or the uploadpattern is too generic, then the plugin will allow only specific extensions based on a white list of extensions; if the administrator wants to include more extensions he/she must declare them explicitely
  • the use of the wildcard asterisk symbol has become stricter, asterisk will match all characters except the dot (.), so the default . pattern will allow only one extension in the filename (and not more as happened so far).
  • added environment variable ‚Wildcard Asterisk Mode‘ for defining the mode of the wildcard asterisk symbol. If it is ‚strict‘ (default) then the asterisk will not match dot (.) symbol. If it is ‚loose‘ then the asterisk will match any characters (including dot).
  • slight bug fixes so that wildcard syntax works correctly with square brackets
  • added maximum number of uploads per specific interval in order to avoid DDOS attacks
  • added environment variables related to Denial-Of-Service attacks in order to configure the behaviour of the DOS attack checker
  • bug fix of wfu_before_file_upload filter that was not working correctly with files larger than 1MB


  • added bulk actions feature in File Browser in Dashboard for admins
  • added delete and include bulk actions in File Browser
  • improvement of column sort functionality of File Browser
  • added environment variable ‚Use Alternative Randomizer‘ in order to make string randomizer function work for fast browsers
  • uploadedbyuser and userid fields became int to cope with large user ID numbers on some WordPress environments


  • dublicatespolicy attribute replaced by grammaticaly correct duplicatespolicy, however backward compatibility with the old attribute is maintained


  • fixed bug of subdirectory selector that was not initializing correctly after upload
  • fixed slight widget incompatibility with customiser
  • fixed bug of drag-n-drop feature that was not working when singlebutton operation was activated


  • fixed bug in wfu_after_file_loaded filter that was not working and was overriden by obsolete wfu_after_file_completed filter
  • added option in plugin’s Settings in Dashboard to include additional files in plugin’s database
  • added feature in Dashboard File Browser for admins to include additional files in plugin’s database


  • fixed bug with duplicate userdata IDs in HTML when using more than one userdata occurrences


  • added webcam option that enables webcam capture functionality
  • added webcammode atribute to define capture mode (screenshots, video or both)
  • added audiocapture attribute to define if audio will be captured together with video
  • added videowidth, videoheight, videoaspectratio and videoframerate attributes to constrain video dimensions and frame rate
  • added camerafacing attribute to define the camera source (front or back)
  • added maxrecordtime attribute to define the maximum record time of video
  • added uploadmediabutton, videoname and imagename attributes to define custom webcam-related labels
  • fixed bug that strips non-latin characters from filename when downloading files


  • improved filename sanitization function
  • added Chinese translation by Yingjun Li


  • added option to cancel upload
  • setting added so that upload does not fail when site_url and home_url are different
  • added attribute requiredlabel in uploader’s shortcode that defines the required keyword
  • required keyword can now be styled separately from the user field label
  • add user fields in Media together with file
  • setting added so that userdata fields are shown in Media Library or not
  • added Dutch translation by Ruben Heynderycx


  • internal code modifications and slight bug corrections


  • significant code modifications to make the plugin pluggable, invisible to users
  • addition of before and after upload filters
  • correction of small bug in Shortcode Composer of File Viewer


  • Iptanus Services server for getting version info and other utilities is now secure (https)
  • fixed bug with wfu_path_abs2rel function when ABSPATH is just a slash
  • additional fixes and new features in Professional version


  • French translation improved
  • correction of minor bug at wfu_functions.php
  • code improvements in upload algorithm
  • wp_check_filetype_and_ext check moved after completion of file
  • added wfu_after_file_complete filter that runs right after is fully uploaded
  • improved appearance of plugin’s area in Dashboard


  • textdomain changed to wp-file-upload to support the translation feature of wordpress.org
  • added option in Maintenance Actions of plugin’s area in Dashboard to export uploaded file data
  • added pagination of non-admin logged user’s Uploaded Files Browser
  • added pagination of front-end File List Viewer
  • added pagination of user permissions table in plugin’s Settings
  • added pagination of Log Viewer
  • corrected bug in View Log that was not working when pressing on the link
  • improvements to View Log feature
  • improvements to file download function to avoid corruption of downloaded file due to set_time_limit function that may generate warnings
  • added wfu_before_frontpage_scripts filter that executes right before frontpage scripts and styles are loaded
  • added functionality to avoid incompatibilities with NextGen Gallery plugin


  • plugin’s security improved to reject files that contain .php.js or similar extensions


  • added fitmode attribute to make the plugin responsive
  • added widget „WordPress File Upload Form“, so that the uploader can be installed in a sidebar
  • changes to Shortcode Composer so that it can edit plugin instances existing in sidebars as widgets
  • changes to Uploader Instances in plugin’s area in Dashboard to show also instances existing inside sidebars
  • added the ability to define dimensions (width and height) for the whole plugin
  • dimensioning of plugin’s …