Title: Kodlo Media Manager
Author: Kodlo
Published: <strong>June 18, 2026</strong>
Last modified: June 29, 2026

---

Search plugins

![](https://ps.w.org/kodlo-media-manager/assets/banner-772x250.png?rev=3587930)

![](https://ps.w.org/kodlo-media-manager/assets/icon-256x256.png?rev=3587629)

# Kodlo Media Manager

 By [Kodlo](https://profiles.wordpress.org/kodlo/)

[Download](https://downloads.wordpress.org/plugin/kodlo-media-manager.1.8.4.zip)

 * [Details](https://test.wordpress.org/plugins/kodlo-media-manager/#description)
 * [Reviews](https://test.wordpress.org/plugins/kodlo-media-manager/#reviews)
 *  [Installation](https://test.wordpress.org/plugins/kodlo-media-manager/#installation)
 * [Development](https://test.wordpress.org/plugins/kodlo-media-manager/#developers)

 [Support](https://wordpress.org/support/plugin/kodlo-media-manager/)

## Description

**Keep Your WordPress Media Library Clean, Safe, and Supercharged!**

Kodlo Media Manager is a lightweight, professional-grade media optimization, sanitation,
and security plugin. Unlike other bloated plugins, it is built to run natively and
seamlessly within the WordPress core ecosystem. It embeds directly into the standard
Media Settings screen with a clean, modern dashboard that matches native WordPress
aesthetics.

**Need help?** For questions, support, or feedback, contact us at [hello@kodlo.dev](https://test.wordpress.org/plugins/kodlo-media-manager/hello@kodlo.dev?output_format=md)
or visit our website at [kodlo.dev](https://kodlo.dev).

### Key Problems Solved by the Plugin

By default, WordPress allows users to upload unoptimized, oversized files with messy
names and duplicates, potentially introducing security vulnerabilities like SVG-
based XSS attacks. Kodlo Media Manager solves these issues with advanced server-
side validation and sanitization:

 1. **Stop Duplicate Image Bloat:**
     Uploading the same image repeatedly wastes storage
    space and clutters the database. Our Duplicate Filename Guard checks the database
    before upload, warning users and blocking duplicate files, encouraging them to 
    reuse existing assets.
 2. **Enforce Next-Gen Formats (WebP & AVIF):**
     Legacy formats like JPG, JPEG, and
    PNG slow down page load times. Globally block legacy formats and force users to
    upload optimized modern formats like **WebP** or **AVIF** for maximum speed and
    SEO performance.
 3. **Advanced Filename Sanitization & Transliteration:**
     Filenames with non-ASCII
    characters, spaces, or special symbols can cause broken links and database encoding
    bugs on many hosting setups. The plugin normalizes filenames across scripts and
    languages: accented characters from German (ä, ö, ü, ß), Spanish (ñ, é), French(
    è, à, ç), and other European alphabets are converted to ASCII equivalents; Cyrillic
    characters are transliterated to Latin; spaces are replaced with clean separators;
    and the result is validated or reshaped using a configurable regular expression
    pattern.
 4. **Custom File Size Limits per Format:**
     Prevent users from uploading heavy PDF
    documents, video loops, or archives. You can specify precise maximum file size 
    limits (in KB) for every file extension individually.
 5. **Control Image Resolutions & Dimensions:**
     Oversized high-resolution images can
    crash servers during processing. Define custom maximum width and height limits 
    for images. The plugin also overrides the WordPress big image threshold (2560px
    default) dynamically based on your custom rules to prevent scaling conflicts.
 6. **XML-Based SVG Security Sanitizer:**
     SVG files are XML documents, making them
    vulnerable to JavaScript injection (Cross-Site Scripting – XSS) and XML External
    Entity (XXE) attacks. The plugin includes a robust XML parser-based sanitizer that
    strips malicious scripts, handlers (`on*`), and external links, making SVG uploads
    safe.
 7. **Smart Autocomplete & Native UX:**
     Features autocomplete suggestion lists for
    popular extensions and MIME types, auto-populates fields, dynamically hides inputs
    based on selected policies, and provides a fully responsive layout for seamless
    use on mobile devices.

### Key Features

 * **Dynamic Upload Policies:** Set formats to Allowed (Media Library Only), Allowed(
   Globally), or Blocked (Globally).
 * **Duplicate Filename Guard:** Client and server-side duplicate check (can be 
   disabled in settings).
 * **Regex Filename Validator:** Custom regular expression input to enforce strict
   naming conventions.
 * **Auto-Sanitize Filenames:** Automatic transliteration and formatting option 
   that adjusts dynamically.
 * **Format-Specific File Size Limits:** Prevent server space exhaustion by setting
   individual limits.
 * **Media Uploader Size Hint:** The “Maximum upload file size” label shown in the
   WordPress media uploader and WooCommerce product image tooltips reflects the 
   highest per-format limit configured in the plugin, not the raw PHP server limit.
 * **Image Dimension Controls:** Constrain image width/height and adapt the WordPress
   big image threshold dynamically.
 * **Bulletproof SVG Sanitizer:** Strip XSS scripts and block XXE attacks automatically.
 * **Clean UI, No Ads:** Integrated into the standard WordPress Settings -> Media
   screen. No premium ads, no banners.
 * **Mobile Responsive:** Layout switches to interactive cards on mobile screens
   for easy management.

### Who Is This Plugin For?

**Agencies and site administrators** handing over a WordPress site to content managers
or third-party contributors will find this plugin invaluable. Not everyone who uploads
content understands what file formats, sizes, or naming conventions matter for performance
and SEO. Kodlo Media Manager enforces your standards silently in the background —
preventing costly mistakes before they happen, without requiring any technical knowledge
from the end user.

**At the project kickoff stage,** installing the plugin before handing a fresh WordPress
installation to developers sets the rules from day one. Developers cannot upload
unoptimized or oversized images, the media library stays organized from the start,
and you won’t inherit a site with thousands of unused heavy files consuming expensive
hosting storage. Clean from the beginning means cheaper to maintain long-term.

**In any other combination** that suits your workflow — restrict by format only,
by size only, by filename convention, or use all rules together. The plugin’s settings
are fully independent and can be mixed to match the exact requirements of any project.

_No hidden subscriptions, no annoying advertisements, and no premium version gates.
Kodlo Media Manager is 100% free and open-source._

## Screenshots

[⌊The settings interface integrated directly into the standard Media Settings screen.⌉⌊
The settings interface integrated directly into the standard Media Settings screen
.⌉[

The settings interface integrated directly into the standard Media Settings screen.

[⌊Client-side validation blocking invalid formats and duplicate filenames in the
Media Uploader modal.⌉⌊Client-side validation blocking invalid formats and duplicate
filenames in the Media Uploader modal.⌉[

Client-side validation blocking invalid formats and duplicate filenames in the Media
Uploader modal.

## Installation

 1. Upload the `kodlo-media-manager` directory to the `/wp-content/plugins/` directory.
 2. Activate the plugin through the ‘Plugins’ menu in WordPress.
 3. Configure your custom rules by navigating to Settings -> Media.

## FAQ

### Why are default settings applied automatically upon installation?

To protect your website’s performance and security from the moment you activate 
the plugin, we apply pre-configured, battle-tested default rules. These settings
are strictly based on web performance and SEO best practices recommended by **Google
PageSpeed Insights**, **web.dev**, and **WordPress VIP guidelines**:

 * **Next-Gen Formats:** We block legacy formats (JPG/PNG) by default to enforce
   next-gen formats (WebP/AVIF), complying with Lighthouse’s _“Serve images in next-
   gen formats”_ audit.
 * **Optimal File Sizes:** We limit WebP/AVIF images to **250 KB** (matching web.
   dev’s recommendation to keep hero banners under 250–300 KB and standard content
   images under 100 KB) and limit web fonts (WOFF2) to **150 KB**.
 * **Resolution Caps:** Image dimensions are capped at **2560px** (2K resolution)
   to prevent oversized uploads from exhausting server memory during resizing.
 * **Security Safeguards:** SVG uploads are limited to **50 KB** and sanitized to
   block malicious scripts.
 * **General Settings Page:** Plugin restrictions are bypassed by default on the
   WordPress General Settings page (e.g., site icon uploads) to avoid interfering
   with core WordPress functionality. You can enable restrictions there explicitly
   via the “General Settings Page Uploads” option in Settings  Media.

These defaults ensure your website passes Core Web Vitals audits out-of-the-box,
but you can customize or override them at any time in **Settings -> Media**.

### What is the difference between the upload policies?

 * **Allowed (Media Library Only):** The file format is allowed when users upload
   files directly to the Media Library, but is blocked in other parts of WordPress(
   e.g., plugins uploading temp files or theme assets).
 * **Allowed (Globally):** The format is permitted for all uploads across the entire
   WordPress installation.
 * **Blocked (Globally):** The format is completely restricted from being uploaded
   anywhere on your site.

### Can I allow JPG/PNG uploads again?

Yes! Navigating to **Settings -> Media**, find the rule for `jpg` or `png` and change
the policy from “Blocked (Globally)” to “Allowed (Globally)” or “Allowed (Media 
Library Only)”.

### How does the SVG Sanitizer work?

When you upload an `.svg` file, the plugin parses it on the server using `DOMDocument`.
It inspects all elements, attributes, and styles, stripping dangerous scripts (XSS)
and blocking external entities (XXE) before saving the file to your server.

### What does a max size of zero mean?

Setting the maximum size of a format to 0 (or leaving it blank) disables the size
limit verification for that specific file format.

### Can I customize the filename validation pattern?

Absolutely. The plugin lets you enter any standard regular expression to enforce
naming conventions (e.g., lowercase letters, hyphens, and numbers only). If a filename
doesn’t match, it can be automatically sanitized or blocked.

### How does the Duplicate Filename Guard work?

It queries the WordPress database (`_wp_attached_file` post metadata) before a file
is uploaded. If a match is found, it alerts the user and blocks the upload. This
prevents media library clutter and saves hosting storage. You can enable or disable
this feature anytime in the Settings.

### How does the plugin handle WordPress’s default image scaling?

WordPress automatically scales down very large images (exceeding 2560px). Kodlo 
Media Manager dynamically overrides this threshold according to the custom resolution
limits you set for that image format, preventing scaling conflicts and ensuring 
uploads process seamlessly.

### How does the Auto-Sanitize Filenames option work?

When enabled, the plugin automatically normalizes filenames to fit your custom regex
pattern instead of rejecting the upload outright. This includes: converting accented
characters from German, Spanish, French, Polish, Czech, and other European alphabets
to their ASCII equivalents; transliterating Cyrillic to Latin; replacing spaces 
with hyphens or underscores based on what the pattern allows; converting letter 
case; and stripping characters outside the allowed character class.

### Why are some formats blocked from being added?

For security reasons, dangerous file extensions (such as `.php`, `.html`, `.js`,`.
exe`, `.htaccess`) are blacklisted. Even if you try to add them to the rules table,
the settings sanitizer will automatically reject them to keep your site safe from
execution vulnerabilities.

### Will this plugin affect my website’s loading speed?

No. Kodlo Media Manager is extremely lightweight. It uses native WordPress hooks
and Settings APIs without adding bloat, external stylesheets, or advertisements.
All validation checks run on the server side only during media uploads, meaning 
there is zero impact on your front-end performance.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Kodlo Media Manager” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Kodlo ](https://profiles.wordpress.org/kodlo/)
 *   [ Anatoliy ](https://profiles.wordpress.org/imaginary222/)

[Translate “Kodlo Media Manager” into your language.](https://translate.wordpress.org/projects/wp-plugins/kodlo-media-manager)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/kodlo-media-manager/),
check out the [SVN repository](https://plugins.svn.wordpress.org/kodlo-media-manager/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/kodlo-media-manager/)
by [RSS](https://plugins.trac.wordpress.org/log/kodlo-media-manager/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.8.4

 * Fix: Files with spaces or other invalid characters in their names (e.g. “Welbeck
   Street.png”) are now correctly auto-renamed client-side when using the default
   filename regex — previously the JS guard would reject such files outright instead
   of sanitizing them, while the server would have accepted and renamed them fine.
   Spaces are now converted to hyphens before validation, matching server-side behaviour.
 * Fix: Added a re-entrancy guard to the `sanitize_file_name` filter hook to prevent
   potential infinite recursion in edge cases where WordPress’s internal `sanitize_file_name()`
   call fires the same filter back, which could cause a PHP fatal error (HTTP 500)
   on uploads.

#### 1.8.3

 * Feature: Plugin upload restrictions are now bypassed on the WordPress General
   Settings page by default (e.g., site icon uploads). A new setting allows enabling
   restrictions there explicitly.
 * Fix: Files with spaces in their names are now correctly accepted when using default
   filename settings — spaces are converted to dashes via WordPress core sanitization
   before validation, matching WordPress’s native behavior.
 * Fix: Accented and special characters from German (ä, ö, ü, ß), Spanish (é, á,
   ó, ú, ñ), French (è, à, ç), and other European languages are now correctly transliterated
   to their ASCII equivalents in all filename processing paths, including when using
   the default regex pattern and when auto-sanitize is disabled for custom regex.

#### 1.8.2

 * Fix: Resolved PHPCS/Plugin Check security warnings — sanitize `$_POST['names']`
   array input using `array_map` with `sanitize_file_name` in a single expression
   with `wp_unslash`; added precise inline `phpcs:ignore` directives on the exact
   lines where dynamic SQL concatenation is flagged by static analysis.

#### 1.8.1

 * Fix: Welcome notice link was rendered broken in translated versions — `wp_kses_post()`
   was applied before `sprintf()` substituted the URL, causing `%s` to be treated
   as an invalid href and corrupting the output. Applied `wp_kses_post()` after 
   URL substitution.

#### 1.8.0

 * Fix: Hide datalist dropdown arrow on Extension and MIME Type input fields in 
   the settings rules table.

#### 1.7.9

 * Feature: The “Maximum upload file size” hint shown in the WordPress media uploader
   and WooCommerce product image tooltips now reflects the highest per-format size
   cap configured in the plugin settings, instead of the raw PHP server limit.

#### 1.7.8

 * Fix: Files uploaded via Plupload from the Media Library page now correctly pass
   through the format whitelist — `async-upload.php` was missing from the media 
   context check, allowing non-whitelisted formats to bypass server-side validation.
 * Fix: Duplicate filename AJAX check was silently failing due to an action name
   mismatch between the JavaScript call (`kmm_check_duplicate`) and the registered
   PHP handler (`kodlo_media_manager_check_duplicate`).
 * Maintenance: Renamed all asset files (`settings.css`, `settings.js`, `media-manager.
   js`) to include the `kodlo-media-manager-` prefix for easier identification in
   browser developer tools and profiling.
 * Maintenance: Renamed `suggestions.json` to `kodlo-media-manager-mime-type-suggestions.
   json` to clarify the file’s purpose.

#### 1.7.7

 * Prevent duplicate “View details” links in plugin row meta.

#### 1.7.6

 * Fixed flickering issue for the auto-sanitize button setting toggle.

#### 1.7.5

 * Minor updates to plugin description, labels, and translations.

#### 1.7.4

 * Initial version after the release on WordPress.org, minor bug fixes, and updates
   to the plugin description.

#### 1.7.3.1

 * Added client-side visual validation warnings in the Settings UI rules builder
   when configuring blocked/insecure formats.

#### 1.7.3

 * Resolved all WordPress.org review issues.
 * Extracted inline footer and welcome notice scripts to enqueued JavaScript assets.
 * Renamed all KMM_ constants, handles, and global parameters to KODLO_MEDIA_MANAGER_
   prefix to avoid naming collisions.
 * Set contributors to kodlo (owner account).
 * Deprecated libxml_disable_entity_loader calls.
 * Added regex syntax validation to register_setting options callback.
 * Blocked whitelisting of dangerous formats (e.g. php, html, js) in settings and
   uploads.
 * Restricted filename sanitization hooks to run only during user Media Library 
   uploads.

#### 1.7.2

 * Updated the plugin description to focus on custom media upload rules, format 
   validation, and naming constraints to keep the Media Library clean and optimized.
 * Audited the codebase to optimize scripts and assets.

#### 1.7.1

 * Widened the rules table Extension column relative to the MIME Type column for
   better visibility of longer extension names.
 * Prevented creation of duplicate rules in the settings manager rules builder.
 * Integrated real-time client-side HTML5 form validation warning notifications 
   and input focus/blur suggestions filtering to exclude already added extensions.
 * Added backward compatibility/reverse mapping from MIME type to Extension suggestions
   and auto-population.

#### 1.7.0

 * Added HTML5 suggestions autocomplete lists for extension and MIME type input 
   fields (loaded from a separate suggestions.json file containing popular formats).
 * Added real-time extension-to-MIME-type auto-population to automatically fill 
   in the corresponding MIME type when an extension is typed or selected.

#### 1.6.5

 * Made the “Auto-Sanitize Filenames” option dynamically toggle. It now only appears
   in the settings dashboard if the “Filename Regex Pattern” has been customized(
   is different from standard default or empty). If the regex is default, the auto-
   sanitize option is automatically hidden, disabled, and evaluated as inactive.

#### 1.6.4

 * Added dynamic override for WordPress’s default big image threshold filter. The
   plugin now dynamically overrides the scaling threshold based on the configured
   custom image dimensions (or falls back to the 2560px standard default if no limits
   are specified), avoiding scaling conflicts.

#### 1.6.3

 * Re-balanced admin rules table columns layout to offer more space for Width/Height
   fields (allowing 4+ characters) and MIME Type / Upload Policy, while reducing
   the Max Size column width to accommodate 6 characters.
 * Bumped max-width of the rules settings configuration table to 1100px.

#### 1.6.2

 * Added automatic enforcement of the WordPress big image size threshold (defaults
   to 2560px) to prevent oversized image uploads from bypassing the plugin’s validation
   constraints.
 * Refined mobile card top padding (20px) and set the rule deletion cross icon size
   to 24px.

#### 1.6.1

 * Refined mobile card top padding (20px) and set the rule deletion cross icon size
   to 24px.

#### 1.6.0

 * Redesigned mobile rules cards layout to position the delete cross at the top 
   right, stack labels above fields, and expand inputs/dropdowns to full-width.
 * Added dynamic cell visibility to hide the “Max Dim (px)” block on mobile if empty
   or if the format is not a raster image.
 * Added dynamic disable controls for the size and dimension inputs when a file 
   format’s policy is set to Blocked (Globally).

#### 1.5.0

 * Added mobile responsive layout for the settings rules table (card styling below
   782px).
 * Added dynamic hiding of the entire “Max Dim (px)” column when no raster images
   are configured in the table.

#### 1.4.0

 * Added WebM video format support with 10 MB optimized size limits.
 * Changed default limits for WebP/AVIF images to 2K resolution (2560px) and 250
   KB max size.
 * Tuned default size limits for other common formats (SVG, PDF, DOCX, ZIP, MP4)
   for optimal web performance.
 * Added a persistent, dismissible welcome admin notification after first plugin
   installation.

#### 1.3.0

 * Integrated dynamic settings rules JS inline inside class-settings.php to resolve
   assets load dependencies.
 * Removed unused external settings.js file.
 * Conducted full plugin security audit and performance optimization checks.

#### 1.2.0

 * Removed left-padding override styling on the first column of the settings rules
   table.

#### 1.1.0

 * Disabled filename duplication checks by default, making them an opt-in feature.
 * Defaulted filename regex pattern to match standard WordPress allowed character
   configurations.
 * Added fallback to default regex rules if custom pattern is left empty.
 * Added a direct “Settings” action link on the Plugins dashboard list page.
 * Cleaned up and polished delete button Dashicon action aesthetics.

#### 1.0.0

 * Initial release.

## Meta

 *  Version **1.8.4**
 *  Last updated **2 weeks ago**
 *  Active installations **10+**
 *  WordPress version ** 5.6 or higher **
 *  Tested up to **7.0.1**
 *  PHP version ** 7.4 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/kodlo-media-manager/)
 * Tags
 * [image optimization](https://test.wordpress.org/plugins/tags/image-optimization/)
   [media library](https://test.wordpress.org/plugins/tags/media-library/)[security](https://test.wordpress.org/plugins/tags/security/)
   [SVG](https://test.wordpress.org/plugins/tags/svg/)[webp](https://test.wordpress.org/plugins/tags/webp/)
 *  [Advanced View](https://test.wordpress.org/plugins/kodlo-media-manager/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/kodlo-media-manager/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/kodlo-media-manager/reviews/)

## Contributors

 *   [ Kodlo ](https://profiles.wordpress.org/kodlo/)
 *   [ Anatoliy ](https://profiles.wordpress.org/imaginary222/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/kodlo-media-manager/)

## Donate

Would you like to support the advancement of this plugin?

 [ Donate to this plugin ](https://kodlo.dev/)