I need to allow .exe file uploads through the admin media manager. So far I have tried

function enable_extended_upload ( $mime_types = array() ) {
    $mime_types['exe']  = 'application/octet-stream';

    return $mime_types;
}
add_filter('upload_mimes', 'enable_extended_upload');

Three different sources have given me three different mime types for .exe. They are application/octet-stream, application/exe, and application/x-msdownload. None have worked.

Since my site happens to be a network, I've tried to whitelist the filetype under Network Settings -> Upload Settings, like so

It didn't work either.

The only thing that works is setting the constant define('ALLOW_UNFILTERED_UPLOADS', true); in wp-config.php, AND having the above mime type snippet, but is not the ideal solution since all files will be allowed.

How can I whitelist .exe nowadays?

I need to allow .exe file uploads through the admin media manager. So far I have tried

function enable_extended_upload ( $mime_types = array() ) {
    $mime_types['exe']  = 'application/octet-stream';

    return $mime_types;
}
add_filter('upload_mimes', 'enable_extended_upload');

Three different sources have given me three different mime types for .exe. They are application/octet-stream, application/exe, and application/x-msdownload. None have worked.

Since my site happens to be a network, I've tried to whitelist the filetype under Network Settings -> Upload Settings, like so

It didn't work either.

The only thing that works is setting the constant define('ALLOW_UNFILTERED_UPLOADS', true); in wp-config.php, AND having the above mime type snippet, but is not the ideal solution since all files will be allowed.

How can I whitelist .exe nowadays?

• uploads

• If you had researched existing questions please try to link them up and elaborate a bit which approaches from them had you tried. – Rarst Commented Apr 26, 2017 at 17:12

2 Answers 2

WordPress provide a hook to change the default mime types, like your hint in the question. The follow small code source demonstrated the change to allow a exe-file.

add_filter( 'upload_mimes', 'fb_enable_extended_upload' );
function fb_enable_extended_upload ( array $mime_types = [] ) {

   $mime_types[ 'exe' ]  = 'application/exe'; 

   return $mime_types;
} 

It is not necessary to change the database entry upload_filetypes.

I have had exactly the same problem and after exploring the wordpress source code, exactly the file '/wp_includes/functions.php', I conclude that wordpress has disabled by default upload to swf and exe files (see function get_allowed_mime_types) , and the only way to skip this is to enable ALLOW_UNFILTERED_UPLOADS in wp-config (see function wp_upload_bits).

Update: In addition, you must define your own enable_extended_upload function to enable the recognition of exe files in the upload files dialog box.

The only thing that changes when you enable ALLOW_UNFILTERED_UPLOADS in true is the upload of swf and exe files, since no more files will be loaded than those defined by default in wordpress. This means that if you want to load a "zzz" file, it will not load unless you set it to its own enable_extended_upload function.

Then I put the most relevant code of the functions involved:

function get_allowed_mime_types( $user = null ) {
    $t = wp_get_mime_types();

    unset( $t['swf'], $t['exe'] );

    ....

    /**
     * Filters list of allowed mime types and file extensions.
     *
     * @since 2.0.0
     *
     * @param array            $t    Mime types keyed by the file extension regex corresponding to
     *                               those types. 'swf' and 'exe' removed from full list. 'htm|html' also
     *                               removed depending on '$user' capabilities.
     * @param int|WP_User|null $user User ID, User object or null if not provided (indicates current user).
     */
    return apply_filters( 'upload_mimes', $t, $user );
}


function wp_check_filetype( $filename, $mimes = null ) {
    if ( empty($mimes) )
        $mimes = get_allowed_mime_types();
    $type = false;
    $ext = false;

    foreach ( $mimes as $ext_preg => $mime_match ) {
        $ext_preg = '!\.(' . $ext_preg . ')$!i';
        if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
            $type = $mime_match;
            $ext = $ext_matches[1];
            break;
        }
    }

    return compact( 'ext', 'type' );
}


function wp_upload_bits( $name, $deprecated, $bits, $time = null ) {
    ....

    $wp_filetype = wp_check_filetype( $name );
    if ( ! $wp_filetype['ext'] && ! current_user_can( 'unfiltered_upload' ) )
        return array( 'error' => __( 'Sorry, this file type is not permitted for security reasons.' ) );
    ?>
   ...