Contact Form 7 includes a built-in file upload field that requires no additional plugin. The field lets visitors attach files to their form submissions. Uploaded files are included in the admin notification email as attachments. This guide covers the complete setup including the security configuration that prevents malicious file uploads.
Step 1: Add the File Field to Your Form
Open your form in the Contact Form 7 editor. Click File in the field shortcode bar above the form content area. The file upload field generator opens. Configure:
- Field Name – a unique identifier (e.g., “your-file”)
- Required field – check if the form should not submit without an attachment
- Limit filesize – maximum file size in bytes. 1048576 = 1MB, 5242880 = 5MB
- Acceptable file types – pipe-separated list of extensions: pdf|doc|docx|jpg|png
Click Insert Tag. The shortcode appears in your form:
[file your-file limit:5mb filetypes:pdf|docx|jpg]
Step 2: Configure Accepted File Types
Only allow the specific file types your form actually needs. Accepting all file types is a security risk. Common configurations:
- Document submissions: filetypes:pdf|doc|docx
- Image uploads: filetypes:jpg|jpeg|png|gif|webp
- Both documents and images: filetypes:pdf|doc|docx|jpg|jpeg|png
Never accept executable file types (.exe, .php, .js) through a form upload field. Contact Form 7 validates file type server-side, but restrict it to only what the submission requires as an additional security layer.
Step 3: Include the File in the Admin Email
Go to the form’s Mail tab. In the “Attachments” field at the bottom of the mail settings, enter the file field name in square brackets:
[your-file]
The uploaded file is now attached to the admin notification email when the form is submitted. The file is temporarily stored on the server during processing and then attached to the email. After the email sends, the file is deleted from the server by default.
Step 4: Keeping Uploaded Files on the Server
If you want to store uploaded files permanently (for later retrieval without searching email), use the Flamingo plugin (also by the Contact Form 7 developer). Flamingo logs all form submissions including attached files in the WordPress database, making them accessible from the admin without relying on email archives.
Alternatively, use a Contact Form 7 extension that saves files to a specific server directory. The plugin “CF7 File Uploads Downloader” or similar addons in the WordPress repository handle this, though the built-in Flamingo approach is the most reliable.
Troubleshooting Upload Failures
If uploads fail with a vague error, the most common cause is that the file exceeds PHP’s upload_max_filesize or post_max_size server settings. Contact Form 7’s limit cannot exceed the server’s PHP limit. Check your hosting panel or php.ini for upload_max_filesize. The second common cause is an incorrect file type: Contact Form 7 checks the actual MIME type, not just the extension. A JPEG renamed to .pdf fails the filetypes:pdf check.
Server Configuration for Larger File Uploads
WordPress and PHP have server-level limits on upload size that Contact Form 7 cannot override. If visitors get an error when uploading files within CF7’s size limit, the server limit is lower than what CF7 allows. Check your hosting panel for PHP settings or ask your host to increase: upload_max_filesize (the maximum individual file size) and post_max_size (must be larger than upload_max_filesize). On cPanel hosting, these are in the PHP Settings section. On managed hosting, contact support to adjust these values.
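The file-type rules from Step 2 and the server-limit rule above can be checked against a form template before it goes live. The following Python sketch is an added example, not code from Contact Form 7 or from this guide; the function names, the sample form, the php.ini values, and the extra phtml/phar entries in the blocklist are assumptions made for illustration.

```python
import re

# Extensions the guide says never to accept, plus close PHP variants (assumption).
DANGEROUS = {"exe", "php", "js", "phtml", "phar"}
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

def to_bytes(value):
    """Convert '5mb' (CF7 tag), '8M' (php.ini) or '1048576' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([kmg]?)b?", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def audit_form(template, upload_max_filesize, post_max_size):
    """Return a list of (field_name, finding) for every [file ...] tag."""
    upload_max = to_bytes(upload_max_filesize)
    post_max = to_bytes(post_max_size)
    findings = []
    if post_max <= upload_max:
        findings.append(("php.ini", "post_max_size must be larger than upload_max_filesize"))
    # [file name ...] is optional, [file* name ...] is required.
    for tag in re.finditer(r"\[file\*?\s+([^\]\s]+)([^\]]*)\]", template):
        name, options = tag.group(1), tag.group(2).split()
        opts = dict(o.split(":", 1) for o in options if ":" in o)
        if "filetypes" not in opts:
            findings.append((name, "no filetypes option: list the allowed extensions explicitly"))
        else:
            exts = {e.lstrip(".").lower() for e in opts["filetypes"].split("|")}
            for ext in sorted(exts & DANGEROUS):
                findings.append((name, f"executable type allowed: .{ext}"))
        if "limit" in opts and to_bytes(opts["limit"]) > upload_max:
            findings.append((name, f"limit {opts['limit']} exceeds upload_max_filesize {upload_max_filesize}"))
    return findings

# Constructed sample form template, for illustration only.
SAMPLE_FORM = """
[file your-file limit:5mb filetypes:pdf|docx|jpg]
[file* resume limit:10mb filetypes:pdf|doc|docx]
[file script limit:1048576 filetypes:jpg|php]
[file anything]
"""

if __name__ == "__main__":
    # Constructed php.ini values: both set to 8M, which is itself a misconfiguration.
    for field, finding in audit_form(SAMPLE_FORM, "8M", "8M"):
        print(f"{field}: {finding}")
```

An empty result means every file tag names its allowed extensions, none of them is on the blocklist, and no tag's limit is above the server's upload_max_filesize.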