Kodlo Media Manager

Description

Keep Your WordPress Media Library Clean, Safe, and Supercharged!

Kodlo Media Manager is a lightweight, professional-grade media optimization, sanitation, and security plugin. Unlike other bloated plugins, it is built to run natively and seamlessly within the WordPress core ecosystem. It embeds directly into the standard Media Settings screen with a clean, modern dashboard that matches native WordPress aesthetics.

Need help? For questions, support, or feedback, contact us at hello@kodlo.dev or visit our website at kodlo.dev.

Key Problems Solved by the Plugin

By default, WordPress allows users to upload unoptimized, oversized files with messy names and duplicates, potentially introducing security vulnerabilities like SVG-based XSS attacks. Kodlo Media Manager solves these issues with advanced server-side validation and sanitization:

  1. Stop Duplicate Image Bloat:
    Uploading the same image repeatedly wastes storage space and clutters the database. Our Duplicate Filename Guard checks the database before upload, warning users and blocking duplicate files, encouraging them to reuse existing assets.

  2. Enforce Next-Gen Formats (WebP & AVIF):
    Legacy formats like JPG, JPEG, and PNG slow down page load times. Globally block legacy formats and force users to upload optimized modern formats like WebP or AVIF for maximum speed and SEO performance.

  3. Advanced Filename Sanitization & Transliteration:
    Filenames with non-ASCII characters, spaces, or special symbols can cause broken links and database encoding bugs on many hosting setups. The plugin normalizes filenames across scripts and languages: accented characters from German (ä, ö, ü, ß), Spanish (ñ, é), French (è, à, ç), and other European alphabets are converted to ASCII equivalents; Cyrillic characters are transliterated to Latin; spaces are replaced with clean separators; and the result is validated or reshaped using a configurable regular expression pattern.

  4. Custom File Size Limits per Format:
    Prevent users from uploading heavy PDF documents, video loops, or archives. You can specify precise maximum file size limits (in KB) for every file extension individually.

  5. Control Image Resolutions & Dimensions:
    Oversized high-resolution images can crash servers during processing. Define custom maximum width and height limits for images. The plugin also overrides the WordPress big image threshold (2560px default) dynamically based on your custom rules to prevent scaling conflicts.

  6. XML-Based SVG Security Sanitizer:
    SVG files are XML documents, making them vulnerable to JavaScript injection (Cross-Site Scripting – XSS) and XML External Entity (XXE) attacks. The plugin includes a robust XML parser-based sanitizer that strips malicious scripts, handlers (on*), and external links, making SVG uploads safe.

  7. Smart Autocomplete & Native UX:
    Features autocomplete suggestion lists for popular extensions and MIME types, auto-populates fields, dynamically hides inputs based on selected policies, and provides a fully responsive layout for seamless use on mobile devices.

Key Features

  • Dynamic Upload Policies: Set formats to Allowed (Media Library Only), Allowed (Globally), or Blocked (Globally).
  • Duplicate Filename Guard: Client and server-side duplicate check (can be disabled in settings).
  • Regex Filename Validator: Custom regular expression input to enforce strict naming conventions.
  • Auto-Sanitize Filenames: Automatic transliteration and formatting option that adjusts dynamically.
  • Format-Specific File Size Limits: Prevent server space exhaustion by setting individual limits.
  • Media Uploader Size Hint: The «Maximum upload file size» label shown in the WordPress media uploader and WooCommerce product image tooltips reflects the highest per-format limit configured in the plugin, not the raw PHP server limit.
  • Image Dimension Controls: Constrain image width/height and adapt the WordPress big image threshold dynamically.
  • Bulletproof SVG Sanitizer: Strip XSS scripts and block XXE attacks automatically.
  • Clean UI, No Ads: Integrated into the standard WordPress Settings -> Media screen. No premium ads, no banners.
  • Mobile Responsive: Layout switches to interactive cards on mobile screens for easy management.

Who Is This Plugin For?

Agencies and site administrators handing over a WordPress site to content managers or third-party contributors will find this plugin invaluable. Not everyone who uploads content understands what file formats, sizes, or naming conventions matter for performance and SEO. Kodlo Media Manager enforces your standards silently in the background — preventing costly mistakes before they happen, without requiring any technical knowledge from the end user.

At the project kickoff stage, installing the plugin before handing a fresh WordPress installation to developers sets the rules from day one. Developers cannot upload unoptimized or oversized images, the media library stays organized from the start, and you won’t inherit a site with thousands of unused heavy files consuming expensive hosting storage. Clean from the beginning means cheaper to maintain long-term.

Use any combination that suits your workflow: restrict by format only, by size only, by filename convention, or apply all rules together. The plugin’s settings are fully independent and can be mixed to match the exact requirements of any project.

No hidden subscriptions, no annoying advertisements, and no premium version gates. Kodlo Media Manager is 100% free and open-source.

Installation

  1. Upload the kodlo-media-manager directory to the /wp-content/plugins/ directory.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. Configure your custom rules by navigating to Settings -> Media.

Frequently Asked Questions

Why are default settings applied automatically upon installation?

To protect your website’s performance and security from the moment you activate the plugin, we apply pre-configured, battle-tested default rules. These settings are strictly based on web performance and SEO best practices recommended by Google PageSpeed Insights, web.dev, and WordPress VIP guidelines:

  • Next-Gen Formats: We block legacy formats (JPG/PNG) by default to enforce next-gen formats (WebP/AVIF), complying with Lighthouse’s «Serve images in next-gen formats» audit.
  • Optimal File Sizes: We limit WebP/AVIF images to 250 KB (matching web.dev’s recommendation to keep hero banners under 250–300 KB and standard content images under 100 KB) and limit web fonts (WOFF2) to 150 KB.
  • Resolution Caps: Image dimensions are capped at 2560px (2K resolution) to prevent oversized uploads from exhausting server memory during resizing.
  • Security Safeguards: SVG uploads are limited to 50 KB and sanitized to block malicious scripts.
  • General Settings Page: Plugin restrictions are bypassed by default on the WordPress General Settings page (e.g., site icon uploads) to avoid interfering with core WordPress functionality. You can enable restrictions there explicitly via the «General Settings Page Uploads» option in Settings -> Media.

These defaults ensure your website passes Core Web Vitals audits out-of-the-box, but you can customize or override them at any time in Settings -> Media.

What is the difference between the upload policies?

  • Allowed (Media Library Only): The file format is allowed when users upload files directly to the Media Library, but is blocked in other parts of WordPress (e.g., plugins uploading temp files or theme assets).
  • Allowed (Globally): The format is permitted for all uploads across the entire WordPress installation.
  • Blocked (Globally): The format is completely restricted from being uploaded anywhere on your site.

Can I allow JPG/PNG uploads again?

Yes. Navigate to Settings -> Media, find the rule for jpg or png, and change the policy from «Blocked (Globally)» to «Allowed (Globally)» or «Allowed (Media Library Only)».

How does the SVG Sanitizer work?

When you upload an .svg file, the plugin parses it on the server using DOMDocument. It inspects all elements, attributes, and styles, stripping dangerous scripts (XSS) and blocking external entities (XXE) before saving the file to your server.
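The following is an added example (not the plugin’s own code) of a DOMDocument-based SVG sanitizer of the kind this answer and feature 6 above describe: it refuses any DOCTYPE or entity declaration (the XXE vector), parses with network access disabled, and strips script elements, on* handlers and non-local links. The element and attribute lists, and the function name, are illustrative assumptions, not the plugin’s actual rule set; it targets PHP 8+.

```php
<?php
// Added example, not Kodlo Media Manager's code. Block lists below are assumptions.

function kmm_example_sanitize_svg(string $svg): ?string
{
    // Any DOCTYPE / ENTITY declaration is the XXE vector: refuse it outright
    // rather than trying to neutralise it after parsing.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $svg)) {
        return null;
    }

    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    // LIBXML_NONET forbids any network fetch during parsing (external DTDs, entities).
    $ok   = $doc->loadXML($svg, LIBXML_NONET | LIBXML_NOBLANKS);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$ok || $doc->doctype !== null || strtolower($doc->documentElement->localName) !== 'svg') {
        return null; // not well-formed XML, or the root element is not <svg>
    }

    $blocked_elements = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    $link_attributes  = ['href', 'xlink:href', 'src'];

    $xpath = new DOMXPath($doc);
    // Snapshot the node list first: the tree is mutated while walking it.
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        if (in_array(strtolower($el->localName), $blocked_elements, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name  = strtolower($attr->nodeName);
            $value = strtolower(trim($attr->nodeValue));
            if (str_starts_with($name, 'on')) {                  // onload=, onclick=, ...
                $el->removeAttributeNode($attr);
            } elseif (in_array($name, $link_attributes, true)
                      && !str_starts_with($value, '#')) {         // keep only same-document refs
                $el->removeAttributeNode($attr);                  // drops http(s):, javascript:, data:
            } elseif ($name === 'style'
                      && preg_match('/expression\s*\(|javascript:|url\s*\(/', $value)) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $doc->saveXML();
}

// Constructed sample input for illustration: an inline handler, a script element
// and an external image reference, all of which the function removes.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
        . ' onload="alert(1)"><script>alert(1)</script>'
        . '<image xlink:href="https://example.invalid/x.svg" width="10" height="10"/>'
        . '<rect width="10" height="10"/></svg>';
echo kmm_example_sanitize_svg($sample), PHP_EOL;
```

Returning null for anything that fails to parse, carries a DOCTYPE, or has a non-SVG root lets the upload handler reject the file instead of saving a partially cleaned document.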

What does a max size of zero mean?

Setting the maximum size of a format to 0 (or leaving it blank) disables the size limit verification for that specific file format.

Can I customize the filename validation pattern?

Absolutely. The plugin lets you enter any standard regular expression to enforce naming conventions (e.g., lowercase letters, hyphens, and numbers only). If a filename doesn’t match, it can be automatically sanitized or blocked.

How does the Duplicate Filename Guard work?

It queries the WordPress database (_wp_attached_file post metadata) before a file is uploaded. If a match is found, it alerts the user and blocks the upload. This prevents media library clutter and saves hosting storage. You can enable or disable this feature anytime in the Settings.

How does the plugin handle WordPress’s default image scaling?

WordPress automatically scales down very large images (exceeding 2560px). Kodlo Media Manager dynamically overrides this threshold according to the custom resolution limits you set for that image format, preventing scaling conflicts and ensuring uploads process seamlessly.

How does the Auto-Sanitize Filenames option work?

When enabled, the plugin automatically normalizes filenames to fit your custom regex pattern instead of rejecting the upload outright. This includes: converting accented characters from German, Spanish, French, Polish, Czech, and other European alphabets to their ASCII equivalents; transliterating Cyrillic to Latin; replacing spaces with hyphens or underscores based on what the pattern allows; converting letter case; and stripping characters outside the allowed character class.
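As an added illustration (not the plugin’s own code) of the reshaping described here and under feature 3 above, the function below transliterates accented Latin and Cyrillic characters, picks a space separator by probing the configured pattern, adjusts case, and drops characters the pattern rejects. The transliteration table is abridged and the probe-the-pattern heuristic, the function name, and the assumption that the pattern applies to the base name without extension are all assumptions made for this example.

```php
<?php
// Added example, not Kodlo Media Manager's code. Table and heuristics are assumptions.

const KMM_EXAMPLE_TRANSLIT = [
    // Latin accents (German, Spanish, French, Polish, Czech and similar), abridged
    'ä' => 'ae', 'ö' => 'oe', 'ü' => 'ue', 'ß' => 'ss', 'ñ' => 'n', 'é' => 'e', 'è' => 'e',
    'à' => 'a', 'á' => 'a', 'ç' => 'c', 'ó' => 'o', 'ú' => 'u', 'ł' => 'l', 'ś' => 's',
    'ž' => 'z', 'č' => 'c',
    // Cyrillic, abridged
    'а' => 'a', 'б' => 'b', 'в' => 'v', 'г' => 'g', 'д' => 'd', 'е' => 'e', 'ж' => 'zh',
    'з' => 'z', 'и' => 'i', 'й' => 'y', 'к' => 'k', 'л' => 'l', 'м' => 'm', 'н' => 'n',
    'о' => 'o', 'п' => 'p', 'р' => 'r', 'с' => 's', 'т' => 't', 'у' => 'u', 'ф' => 'f',
    'х' => 'kh', 'ц' => 'ts', 'ч' => 'ch', 'ш' => 'sh', 'щ' => 'shch', 'ы' => 'y',
    'э' => 'e', 'ю' => 'yu', 'я' => 'ya', 'ъ' => '', 'ь' => '',
];

// Returns the reshaped filename, or null when it cannot be made to fit $pattern
// (the caller should then block the upload). $pattern is a PCRE applied to the
// base name only, e.g. '/^[a-z0-9-]+$/'.
function kmm_example_auto_sanitize(string $filename, string $pattern): ?string
{
    $ext  = pathinfo($filename, PATHINFO_EXTENSION);
    $base = pathinfo($filename, PATHINFO_FILENAME);

    // 1. Lower-case, then transliterate to ASCII (strtr matches the longest key first).
    $base = strtr(mb_strtolower($base, 'UTF-8'), KMM_EXAMPLE_TRANSLIT);

    // 2. Choose the separator by probing the pattern: prefer '-', then '_',
    //    otherwise remove whitespace entirely.
    $sep = '';
    foreach (['-', '_'] as $candidate) {
        if (preg_match($pattern, 'a' . $candidate . 'b')) { $sep = $candidate; break; }
    }
    $base = preg_replace('/\s+/u', $sep, trim($base));

    // 3. Case: if the pattern rejects lowercase but accepts uppercase, upper-case it.
    if (!preg_match($pattern, 'a') && preg_match($pattern, 'A')) {
        $base = strtoupper($base);
    }

    // 4. Strip each remaining character the pattern would not accept on its own.
    //    (Heuristic: patterns with minimum-length quantifiers defeat this probe.)
    $kept = '';
    foreach (mb_str_split($base, 1, 'UTF-8') as $ch) {
        if (preg_match($pattern, $ch)) { $kept .= $ch; }
    }
    $base = trim($kept, '-_');

    if ($base === '' || !preg_match($pattern, $base)) {
        return null;
    }
    return $ext === '' ? $base : $base . '.' . $ext;
}

// Constructed sample, mirroring the 1.8.4 changelog case plus an umlaut and Cyrillic:
echo kmm_example_auto_sanitize('Welbeck Street Müller.png', '/^[a-z0-9-]+$/'), PHP_EOL;
echo kmm_example_auto_sanitize('Отчёт 2024.pdf', '/^[a-z0-9_]+$/'), PHP_EOL;
```

With the default-style pattern the first call yields welbeck-street-mueller.png; the second picks an underscore because the pattern rejects hyphens, and the untabled «ё» is dropped in step 4 rather than rejecting the file.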

Why are some formats blocked from being added?

For security reasons, dangerous file extensions (such as .php, .html, .js, .exe, .htaccess) are blacklisted. Even if you try to add them to the rules table, the settings sanitizer will automatically reject them to keep your site safe from execution vulnerabilities.

Will this plugin affect my website’s loading speed?

No. Kodlo Media Manager is extremely lightweight. It uses native WordPress hooks and Settings APIs without adding bloat, external stylesheets, or advertisements. All validation checks run on the server side only during media uploads, meaning there is zero impact on your front-end performance.

Changelog

1.8.4

  • Fix: Files with spaces or other invalid characters in their names (e.g. «Welbeck Street.png») are now correctly auto-renamed client-side when using the default filename regex — previously the JS guard would reject such files outright instead of sanitizing them, while the server would have accepted and renamed them fine. Spaces are now converted to hyphens before validation, matching server-side behaviour.
  • Fix: Added a re-entrancy guard to the sanitize_file_name filter hook to prevent potential infinite recursion in edge cases where WordPress’s internal sanitize_file_name() call fires the same filter back, which could cause a PHP fatal error (HTTP 500) on uploads.

1.8.3

  • Feature: Plugin upload restrictions are now bypassed on the WordPress General Settings page by default (e.g., site icon uploads). A new setting allows enabling restrictions there explicitly.
  • Fix: Files with spaces in their names are now correctly accepted when using default filename settings — spaces are converted to dashes via WordPress core sanitization before validation, matching WordPress’s native behavior.
  • Fix: Accented and special characters from German (ä, ö, ü, ß), Spanish (é, á, ó, ú, ñ), French (è, à, ç), and other European languages are now correctly transliterated to their ASCII equivalents in all filename processing paths, including when using the default regex pattern and when auto-sanitize is disabled for custom regex.

1.8.2

  • Fix: Resolved PHPCS/Plugin Check security warnings — sanitize $_POST['names'] array input using array_map with sanitize_file_name in a single expression with wp_unslash; added precise inline phpcs:ignore directives on the exact lines where dynamic SQL concatenation is flagged by static analysis.

1.8.1

  • Fix: Welcome notice link was rendered broken in translated versions — wp_kses_post() was applied before sprintf() substituted the URL, causing %s to be treated as an invalid href and corrupting the output. Applied wp_kses_post() after URL substitution.

1.8.0

  • Fix: Hide datalist dropdown arrow on Extension and MIME Type input fields in the settings rules table.

1.7.9

  • Feature: The «Maximum upload file size» hint shown in the WordPress media uploader and WooCommerce product image tooltips now reflects the highest per-format size cap configured in the plugin settings, instead of the raw PHP server limit.

1.7.8

  • Fix: Files uploaded via Plupload from the Media Library page now correctly pass through the format whitelist — async-upload.php was missing from the media context check, allowing non-whitelisted formats to bypass server-side validation.
  • Fix: Duplicate filename AJAX check was silently failing due to an action name mismatch between the JavaScript call (kmm_check_duplicate) and the registered PHP handler (kodlo_media_manager_check_duplicate).
  • Maintenance: Renamed all asset files (settings.css, settings.js, media-manager.js) to include the kodlo-media-manager- prefix for easier identification in browser developer tools and profiling.
  • Maintenance: Renamed suggestions.json to kodlo-media-manager-mime-type-suggestions.json to clarify the file’s purpose.

1.7.7

  • Prevent duplicate «View details» links in plugin row meta.

1.7.6

  • Fixed flickering issue for the auto-sanitize button setting toggle.

1.7.5

  • Minor updates to plugin description, labels, and translations.

1.7.4

  • Initial version after the release on WordPress.org, minor bug fixes, and updates to the plugin description.

1.7.3.1

  • Added client-side visual validation warnings in the Settings UI rules builder when configuring blocked/insecure formats.

1.7.3

  • Resolved all WordPress.org review issues.
  • Extracted inline footer and welcome notice scripts to enqueued JavaScript assets.
  • Renamed all KMM_ constants, handles, and global parameters to KODLO_MEDIA_MANAGER_ prefix to avoid naming collisions.
  • Set contributors to kodlo (owner account).
  • Deprecated libxml_disable_entity_loader calls.
  • Added regex syntax validation to register_setting options callback.
  • Blocked whitelisting of dangerous formats (e.g. php, html, js) in settings and uploads.
  • Restricted filename sanitization hooks to run only during user Media Library uploads.

1.7.2

  • Updated the plugin description to focus on custom media upload rules, format validation, and naming constraints to keep the Media Library clean and optimized.
  • Audited the codebase to optimize scripts and assets.

1.7.1

  • Widened the rules table Extension column relative to the MIME Type column for better visibility of longer extension names.
  • Prevented creation of duplicate rules in the settings manager rules builder.
  • Integrated real-time client-side HTML5 form validation warning notifications and input focus/blur suggestions filtering to exclude already added extensions.
  • Added backward compatibility/reverse mapping from MIME type to Extension suggestions and auto-population.

1.7.0

  • Added HTML5 suggestions autocomplete lists for extension and MIME type input fields (loaded from a separate suggestions.json file containing popular formats).
  • Added real-time extension-to-MIME-type auto-population to automatically fill in the corresponding MIME type when an extension is typed or selected.

1.6.5

  • Made the «Auto-Sanitize Filenames» option toggle dynamically. It now only appears in the settings dashboard if the «Filename Regex Pattern» has been customized (is neither the default nor empty). If the regex is the default, the auto-sanitize option is automatically hidden, disabled, and evaluated as inactive.

1.6.4

  • Added dynamic override for WordPress’s default big image threshold filter. The plugin now dynamically overrides the scaling threshold based on the configured custom image dimensions (or falls back to the 2560px standard default if no limits are specified), avoiding scaling conflicts.

1.6.3

  • Re-balanced admin rules table columns layout to offer more space for Width/Height fields (allowing 4+ characters) and MIME Type / Upload Policy, while reducing the Max Size column width to accommodate 6 characters.
  • Bumped max-width of the rules settings configuration table to 1100px.

1.6.2

  • Added automatic enforcement of the WordPress big image size threshold (defaults to 2560px) to prevent oversized image uploads from bypassing the plugin’s validation constraints.
  • Refined mobile card top padding (20px) and set the rule deletion cross icon size to 24px.

1.6.1

  • Refined mobile card top padding (20px) and set the rule deletion cross icon size to 24px.

1.6.0

  • Redesigned mobile rules cards layout to position the delete cross at the top right, stack labels above fields, and expand inputs/dropdowns to full-width.
  • Added dynamic cell visibility to hide the «Max Dim (px)» block on mobile if empty or if the format is not a raster image.
  • Added dynamic disable controls for the size and dimension inputs when a file format’s policy is set to Blocked (Globally).

1.5.0

  • Added mobile responsive layout for the settings rules table (card styling below 782px).
  • Added dynamic hiding of the entire «Max Dim (px)» column when no raster images are configured in the table.

1.4.0

  • Added WebM video format support with 10 MB optimized size limits.
  • Changed default limits for WebP/AVIF images to 2K resolution (2560px) and 250 KB max size.
  • Tuned default size limits for other common formats (SVG, PDF, DOCX, ZIP, MP4) for optimal web performance.
  • Added a persistent, dismissible welcome admin notification after first plugin installation.

1.3.0

  • Integrated dynamic settings rules JS inline inside class-settings.php to resolve assets load dependencies.
  • Removed unused external settings.js file.
  • Conducted full plugin security audit and performance optimization checks.

1.2.0

  • Removed left-padding override styling on the first column of the settings rules table.

1.1.0

  • Disabled filename duplication checks by default, making them an opt-in feature.
  • Defaulted filename regex pattern to match standard WordPress allowed character configurations.
  • Added fallback to default regex rules if custom pattern is left empty.
  • Added a direct «Settings» action link on the Plugins dashboard list page.
  • Cleaned up and polished delete button Dashicon action aesthetics.

1.0.0

  • Initial release.