I had a requirement for one of my client’s sites recently to validate the file uploaded to the media library and scan it for potential viruses. On top of periodic scanning of the
uploads folder, the file also needs to be scanned in real-time during the upload process.
Luckily, this can be easily done by hooking into
wp_check_filetype_and_ext filter that is used by
wp_check_filetype_and_ext function. This function is originally called from the
_wp_handle_upload function that is used internally by WordPress whenever any file is uploaded through the media uploader.
If we check the source code of that function, we can see that WordPress validates the uploaded file against the allowed mime types, and if it’s invalid, the variable
$ext will be set to
false. We can use that to our advantage since the filter used will also pass that variable in the
$wp_check_filetype_and_ext. It certainly feels a bit hacky to me, but it gets the job done.
In essence, we can do something like this:
I have a separate helper class that runs an instance of ClamAV to check the validity of the file, but you can replace it with any validation that you want here. That’s it!