WordPress Form File Upload — Form Forge (Secure, Multi-File)
Download Log in
All Features — Everything You Need to Build WordPress Forms

Secure File Upload Forms

Form Forge’s File Upload field lets users attach files to form submissions — resumes, photos, documents, spreadsheets, anything. Security is built in: file types are checked by MIME type, not just extension, sizes are enforced server-side, and uploaded files are stored safely outside the public directory by default.

What the file upload field supports

Allowed file types (MIME type validation)

Specify which file types the user is allowed to upload:

  • PDFapplication/pdf
  • ImagesJPEG, PNG, GIF, WebP, SVG (with extra sanitization)
  • DocumentsDOC, DOCX, ODT, TXT, RTF
  • SpreadsheetsXLS, XLSX, CSV, ODS
  • PresentationsPPT, PPTX, ODP
  • ArchivesZIP, RAR, 7Z, TAR
  • AudioMP3, WAV, OGG
  • VideoMP4, MOV, AVI, WebM

Form Forge verifies the actual file content, not just the extension. A .php file renamed to .jpg will be rejected.

File size limits

Set a per-field maximum file size in megabytes. Typical values:

  • Resumes / documents: 5–10 MB
  • Photos: 10–20 MB
  • High-res images: 25–50 MB
  • Video: 100 MB+

Server-side validation enforces the limit even if the client-side check is bypassed.

Multiple files

Enable multi-file upload so users can attach several files in one field — useful for photo galleries, document batches, or project portfolios.

Max number of files

When multi-file is on, set a maximum count. Prevents users from attaching 50 files to one submission.

Security features

MIME type validation

Form Forge reads the first bytes of every uploaded file (the “magic bytes”) to verify the actual file type matches the extension. This catches common attacks like uploading a PHP script renamed to .jpg.

Quarantined storage

By default, uploaded files are stored in a directory outside the public uploads folder with a randomized filename and a directory structure that prevents direct URL guessing. Admins access uploads through the WordPress admin, which checks capabilities before serving the file.

Capability checks

Only users with the edit_submissions capability can download uploaded files from the admin. For sensitive uploads (job applications, medical records, legal documents), this keeps attachments protected.

No execution

Uploaded files are never executed. If someone uploads a PHP file (and somehow passes MIME validation), the directory it’s stored in has execution explicitly disabled via .htaccess or equivalent server-level rules.

Antivirus hooks

For enterprise or healthcare use cases, Form Forge provides hooks for third-party antivirus scanning before a file is accepted. Integrate with your existing AV solution.

Common use cases

Job applications

  • Resume (PDF, DOC, DOCX, max 10 MB, required)
  • Cover letter (PDF, DOC, DOCX, max 5 MB, optional)
  • Portfolio link (URL field, alternative to upload)

RFPs and quotes

  • Project brief (PDF, DOCX, max 20 MB)
  • Reference materials (multi-file, up to 5 files, 10 MB each)

Customer support tickets

  • Screenshots (PNG, JPG, max 5 MB, multi-file)
  • Log files (TXT, LOG, max 2 MB)

Photo submissions

  • Contest entries (JPG, PNG, max 20 MB, multi-file, max 3 files)
  • Before/after images (JPG, PNG, max 10 MB each)

Medical intake

  • Insurance card photo (JPG, PNG, max 5 MB)
  • Previous records (PDF, max 25 MB)

Notifications with attachments

When a form is submitted with uploaded files, Form Forge includes them in the email notification as attachments (if their size is within your email provider’s limit) or as download links to the quarantined files in the WordPress admin.

You can configure this per form:

  • Always attach files
  • Always use download links
  • Attach if total size under X MB, otherwise use links

Integration with third-party services

For integrations that need file data (Mailchimp, HubSpot, Google Sheets), Form Forge passes the file URL, filename, MIME type, and size. Services that support attachments (Slack, Discord, Telegram, email) can receive the file directly.

Storage management

Form Forge’s admin includes a Files view showing all uploaded files across all forms with:

  • Preview (for images)
  • File size and type
  • Form and submission source
  • Upload date
  • Quick delete and bulk delete

Purge old submissions and their files on a schedule to manage storage usage on large sites.

Ready to accept file uploads?

Get Form Forge — from $49/year →

The File Upload field is included in every version of Form Forge, including the free one.

Forge AI Assistant Online

Hi! I'm the Form Forge AI assistant. Ask me anything about the plugin — setup, features, troubleshooting, or development.

Just now
Powered by Forge AI · Browse docs