Kodlo Media Manager

Description

Keep Your WordPress Media Library Clean, Safe, and Supercharged!

Kodlo Media Manager is a lightweight, professional-grade media optimization, sanitation, and security plugin. Unlike other bloated plugins, it is built to run natively and seamlessly within the WordPress core ecosystem. It embeds directly into the standard Media Settings screen with a clean, modern dashboard that matches native WordPress aesthetics.

Need help? For questions, support, or feedback, contact us at hello@kodlo.dev or visit our website at kodlo.dev.

Key Problems Solved by the Plugin

By default, WordPress allows users to upload unoptimized, oversized files with messy names and duplicates, potentially introducing security vulnerabilities like SVG-based XSS attacks. Kodlo Media Manager solves these issues with advanced server-side validation and sanitization:

  1. Stop Duplicate Image Bloat:
    Uploading the same image repeatedly wastes storage space and clutters the database. Our Duplicate Filename Guard checks the database before upload, warning users and blocking duplicate files, encouraging them to reuse existing assets.

  2. Enforce Next-Gen Formats (WebP & AVIF):
    Legacy formats like JPG, JPEG, and PNG slow down page load times. Globally block legacy formats and force users to upload optimized modern formats like WebP or AVIF for maximum speed and SEO performance.

  3. Advanced Filename Sanitization & Transliteration:
    Filenames with Cyrillic characters, accents, spaces, or special symbols cause broken links and database encoding bugs on many hosting setups. The plugin automatically transliterates non-Latin characters, removes accents, replaces spaces with clean separators, and sanitizes filenames using a custom regular expression pattern.

  4. Custom File Size Limits per Format:
    Prevent users from uploading heavy PDF documents, video loops, or archives. You can specify precise maximum file size limits (in KB) for every file extension individually.

  5. Control Image Resolutions & Dimensions:
    Oversized high-resolution images can crash servers during processing. Define custom maximum width and height limits for images. The plugin also overrides the WordPress big image threshold (2560px default) dynamically based on your custom rules to prevent scaling conflicts.

  6. XML-Based SVG Security Sanitizer:
    SVG files are XML documents, making them vulnerable to JavaScript injection (Cross-Site Scripting, XSS) and XML External Entity (XXE) attacks. The plugin includes a robust XML parser-based sanitizer that strips malicious scripts, event-handler attributes (on*), and external links, making SVG uploads safe.

  7. Smart Autocomplete & Native UX:
    Features autocomplete suggestion lists for popular extensions and MIME types, auto-populates fields, dynamically hides inputs based on selected policies, and provides a fully responsive layout for seamless use on mobile devices.

Key Features

  • Dynamic Upload Policies: Set formats to Allowed (Media Library Only), Allowed (Globally), or Blocked (Globally).
  • Duplicate Filename Guard: Client and server-side duplicate check (can be disabled in settings).
  • Regex Filename Validator: Custom regular expression input to enforce strict naming conventions.
  • Auto-Sanitize Filenames: Automatic transliteration and formatting option that adjusts dynamically.
  • Format-Specific File Size Limits: Prevent server space exhaustion by setting individual limits.
  • Image Dimension Controls: Constrain image width/height and adapt the WordPress big image threshold dynamically.
  • Bulletproof SVG Sanitizer: Strip XSS scripts and block XXE attacks automatically.
  • Clean UI, No Ads: Integrated into the standard WordPress Settings -> Media screen. No premium ads, no banners.
  • Mobile Responsive: Layout switches to interactive cards on mobile screens for easy management.

No hidden subscriptions, no annoying advertisements, and no premium version gates. Kodlo Media Manager is 100% free and open-source.

Installation

  1. Upload the kodlo-media-manager directory to the /wp-content/plugins/ directory.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. Configure your custom rules by navigating to Settings -> Media.

FAQ

Why are default settings applied automatically upon installation?

To protect your website’s performance and security from the moment you activate the plugin, we apply pre-configured, battle-tested default rules. These settings are strictly based on web performance and SEO best practices recommended by Google PageSpeed Insights, web.dev, and WordPress VIP guidelines:

  • Next-Gen Formats: We block legacy formats (JPG/PNG) by default to enforce next-gen formats (WebP/AVIF), complying with Lighthouse’s “Serve images in next-gen formats” audit.
  • Optimal File Sizes: We limit WebP/AVIF images to 250 KB (matching web.dev’s recommendation to keep hero banners under 250–300 KB and standard content images under 100 KB) and limit web fonts (WOFF2) to 150 KB.
  • Resolution Caps: Image dimensions are capped at 2560px (2K resolution) to prevent oversized uploads from exhausting server memory during resizing.
  • Security Safeguards: SVG uploads are limited to 50 KB and sanitized to block malicious scripts.

These defaults ensure your website passes Core Web Vitals audits out-of-the-box, but you can customize or override them at any time in Settings -> Media.

Can I allow JPG/PNG uploads again?

Yes. Navigate to Settings -> Media, find the rule for jpg or png, and change its policy from “Blocked (Globally)” to “Allowed (Globally)” or “Allowed (Media Library Only)”.

How does the SVG Sanitizer work?

When you upload an .svg file, the plugin parses it on the server using DOMDocument. It inspects all elements, attributes, and styles, stripping dangerous scripts (XSS) and blocking external entities (XXE) before saving the file to your server.
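The following is an added example of the approach the answer describes, written for this page; it is not the plugin's own code. It parses the SVG with DOMDocument, refuses any DOCTYPE or ENTITY declaration (the DTD is what an XXE payload needs), and then removes script elements, on* event-handler attributes, non-fragment href targets and CSS that reaches outside the file. The kmm_example_* names are hypothetical; the hook, wp_handle_upload_prefilter, is the WordPress core filter that runs before the temporary file is moved into the uploads folder.

```php
<?php
// Added example, not the plugin's own code: a DOMDocument-based SVG sanitizer wired
// into the WordPress upload pipeline. All kmm_example_* names are hypothetical.

/**
 * Returns sanitized SVG markup, or null when the file must be rejected
 * (not well-formed XML, or it carries a DOCTYPE/ENTITY declaration).
 */
function kmm_example_sanitize_svg( string $xml ): ?string {
    // XXE needs a DTD: refuse any DOCTYPE or ENTITY declaration before parsing.
    if ( preg_match( '/<!\s*(?:DOCTYPE|ENTITY)/i', $xml ) ) {
        return null;
    }

    $previous = libxml_use_internal_errors( true );
    $doc      = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing; LIBXML_NOENT is
    // deliberately NOT set, so entities are never substituted.
    $loaded = $doc->loadXML( $xml, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    if ( ! $loaded || null !== $doc->doctype ) {
        return null;
    }

    $xpath = new DOMXPath( $doc );

    // 1. Remove executable/embedding elements in any namespace.
    foreach ( [ 'script', 'foreignObject' ] as $tag ) {
        foreach ( $xpath->query( "//*[local-name()='{$tag}']" ) as $node ) {
            $node->parentNode->removeChild( $node );
        }
    }

    // 2. Remove every on* event-handler attribute (onload, onclick, onbegin, ...).
    $handlers = $xpath->query( "//@*[starts-with(translate(local-name(),'ON','on'),'on')]" );
    foreach ( $handlers as $attr ) {
        $attr->ownerElement->removeAttributeNode( $attr );
    }

    // 3. Keep only fragment references (#id) in href / xlink:href. This drops
    //    javascript: and data: URIs as well as links to external hosts.
    foreach ( $xpath->query( "//@*[local-name()='href']" ) as $attr ) {
        if ( 0 !== strpos( ltrim( $attr->value ), '#' ) ) {
            $attr->ownerElement->removeAttributeNode( $attr );
        }
    }

    // 4. Inline CSS can also reach outside the file: drop style content that
    //    uses url() or @import, and style attributes with url()/expression().
    foreach ( $xpath->query( "//*[local-name()='style']" ) as $node ) {
        if ( preg_match( '/url\s*\(|@import/i', $node->textContent ) ) {
            $node->parentNode->removeChild( $node );
        }
    }
    foreach ( $xpath->query( "//@*[local-name()='style']" ) as $attr ) {
        if ( preg_match( '/url\s*\(|expression\s*\(/i', $attr->value ) ) {
            $attr->ownerElement->removeAttributeNode( $attr );
        }
    }

    return $doc->saveXML();
}

// Hook: runs before WordPress moves the temporary file into the uploads folder.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    if ( 'svg' !== strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
        return $file;
    }
    $clean = kmm_example_sanitize_svg( (string) file_get_contents( $file['tmp_name'] ) );
    if ( null === $clean ) {
        // Setting 'error' makes WordPress abort this upload and show the message.
        $file['error'] = 'SVG rejected: malformed XML or DOCTYPE/ENTITY declaration.';
        return $file;
    }
    // Overwrite the temporary file so only the sanitized markup is ever stored.
    file_put_contents( $file['tmp_name'], $clean );
    $file['size'] = strlen( $clean );
    return $file;
} );
```

Two design points worth noting. Rejecting DOCTYPE/ENTITY up front, rather than relying on libxml_disable_entity_loader(), matches the direction the changelog took in 1.7.3: that function is deprecated in PHP 8 and modern libxml no longer loads external entities by default, so a pre-parse check is the portable safeguard. Because XPath result lists are snapshots rather than live node lists, removing nodes while iterating them is safe.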

What does a max size of zero mean?

Setting the maximum size of a format to 0 (or leaving it blank) disables the size limit verification for that specific file format.

Can I customize the filename validation pattern?

Absolutely. The plugin lets you enter any standard regular expression to enforce naming conventions (e.g., lowercase letters, hyphens, and numbers only). If a filename doesn’t match, it can be automatically sanitized or blocked.

How does the Duplicate Filename Guard work?

It queries the WordPress database (_wp_attached_file post metadata) before a file is uploaded. If a match is found, it alerts the user and blocks the upload. This prevents media library clutter and saves hosting storage. You can enable or disable this feature anytime in the Settings.
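Below is an added example of the server-side half of such a guard, written for this page and not taken from the plugin. It looks the sanitized filename up in the _wp_attached_file post meta that WordPress stores for every attachment (for example "2024/05/photo.webp", or just "photo.webp" when year/month folders are disabled). The option key and the kmm_example_* names are hypothetical.

```php
<?php
// Added example, not the plugin's own code: a server-side Duplicate Filename
// Guard based on the _wp_attached_file meta. Names are hypothetical.

/** Returns the attachment ID already using this filename, or 0 when none does. */
function kmm_example_find_duplicate( string $filename ): int {
    global $wpdb;
    // Match the basename inside any YYYY/MM folder, or a bare filename.
    $like = '%/' . $wpdb->esc_like( $filename );
    $id   = $wpdb->get_var( $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta}
          WHERE meta_key = '_wp_attached_file'
            AND ( meta_value = %s OR meta_value LIKE %s )
          LIMIT 1",
        $filename,
        $like
    ) );
    return (int) $id;
}

add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    // Opt-in, as the plugin's own guard is (see changelog 1.1.0).
    if ( ! get_option( 'kmm_example_duplicate_guard', false ) ) {
        return $file;
    }
    // Compare the name WordPress will actually store, not the raw client name,
    // otherwise "My Photo.webp" would never match the stored "my-photo.webp".
    $name = sanitize_file_name( $file['name'] );
    $id   = kmm_example_find_duplicate( $name );
    if ( $id > 0 ) {
        $file['error'] = sprintf(
            'A file named "%s" already exists in the Media Library (attachment #%d). Reuse it instead of uploading again.',
            $name,
            $id
        );
    }
    return $file;
} );
```

Without such a check WordPress silently stores the second copy as photo-1.webp via wp_unique_filename(); the guard turns that silent rename into an explicit error so the existing asset gets reused.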

How does the plugin handle WordPress’s default image scaling?

WordPress automatically scales down very large images (exceeding 2560px). Kodlo Media Manager dynamically overrides this threshold according to the custom resolution limits you set for that image format, preventing scaling conflicts and ensuring uploads process seamlessly.
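As an added example for this page (not the plugin's code), the block below enforces per-format size and dimension limits at upload time and aligns WordPress's big_image_size_threshold filter with the same rule, so core's scaling step never disagrees with the plugin's limit. The rules array is a constructed sample that mirrors the defaults listed in the FAQ (WebP/AVIF 250 KB and 2560px, SVG 50 KB); a value of 0 disables that check, as the "max size of zero" answer describes. kmm_example_* names are hypothetical.

```php
<?php
// Added example, not the plugin's own code: per-format size/dimension limits plus
// the matching big_image_size_threshold override. Rules are a constructed sample.
function kmm_example_rules(): array {
    return [
        'webp' => [ 'max_kb' => 250, 'max_w' => 2560, 'max_h' => 2560 ],
        'avif' => [ 'max_kb' => 250, 'max_w' => 2560, 'max_h' => 2560 ],
        'svg'  => [ 'max_kb' => 50,  'max_w' => 0,    'max_h' => 0 ],
        'pdf'  => [ 'max_kb' => 0,   'max_w' => 0,    'max_h' => 0 ], // 0 = no check
    ];
}

/** Returns an error string, or '' when the file satisfies its rule. */
function kmm_example_check_limits( string $name, int $bytes, string $path ): string {
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    $rule = kmm_example_rules()[ $ext ] ?? null;
    if ( null === $rule ) {
        return '';
    }
    if ( $rule['max_kb'] > 0 && $bytes > $rule['max_kb'] * 1024 ) {
        return sprintf(
            '%s files may not exceed %d KB (this one is %d KB).',
            strtoupper( $ext ), $rule['max_kb'], (int) ceil( $bytes / 1024 )
        );
    }
    if ( $rule['max_w'] > 0 || $rule['max_h'] > 0 ) {
        // Same shape as getimagesize(): [width, height, ...]; false for non-images.
        $info = wp_getimagesize( $path );
        if ( $info ) {
            [ $w, $h ] = $info;
            $too_wide = $rule['max_w'] > 0 && $w > $rule['max_w'];
            $too_tall = $rule['max_h'] > 0 && $h > $rule['max_h'];
            if ( $too_wide || $too_tall ) {
                return sprintf(
                    '%s images exceed the configured dimensions (max width %d, max height %d, 0 = unlimited); this one is %dx%d.',
                    strtoupper( $ext ), $rule['max_w'], $rule['max_h'], $w, $h
                );
            }
        }
    }
    return '';
}

add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    $error = kmm_example_check_limits( $file['name'], (int) $file['size'], $file['tmp_name'] );
    if ( '' !== $error ) {
        $file['error'] = $error; // aborts the upload with this message
    }
    return $file;
} );

// WordPress scales any image larger than 2560px into a "-scaled" copy. Align
// that threshold with the rule so the two limits never disagree; fall back to
// the core default when the format has no dimension rule.
add_filter( 'big_image_size_threshold', function ( $threshold, $imagesize, $file ) {
    $ext   = strtolower( pathinfo( (string) $file, PATHINFO_EXTENSION ) );
    $rule  = kmm_example_rules()[ $ext ] ?? null;
    $limit = $rule ? max( (int) $rule['max_w'], (int) $rule['max_h'] ) : 0;
    return $limit > 0 ? $limit : $threshold;
}, 10, 3 );
```

The dimension check reads the real pixel size from the temporary file with wp_getimagesize() rather than trusting anything the client sent, and the threshold filter receives the stored file path as its third argument, which is why the extension is taken from $file there.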

How does the Auto-Sanitize Filenames option work?

When enabled, if a user uploads a file with Cyrillic characters, accents, or spaces, the plugin automatically transliterates non-Latin characters, removes accents, replaces spaces with hyphens/underscores, and formats the filename to match your regex pattern without rejecting the upload.
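The block below is an added example for this page of the normalisation steps just described; it is not the plugin's implementation. It lowercases and transliterates Cyrillic through a small map, strips accents with WordPress core's remove_accents(), replaces spaces and underscores with hyphens, and finally checks the result against a regex policy, rejecting the upload only if the normalised name still fails. The Cyrillic map is a constructed, partial sample (Russian letters only), the default policy regex is a sample, the option key and kmm_example_* names are hypothetical, and the mbstring extension is assumed.

```php
<?php
// Added example, not the plugin's own code: Auto-Sanitize Filenames. Cyrillic map
// and policy regex are constructed samples; kmm_example_* names are hypothetical.

function kmm_example_transliterate( string $text ): string {
    // Constructed sample map (Russian letters only; extend for other alphabets).
    static $cyrillic = [
        'а' => 'a',  'б' => 'b', 'в' => 'v',  'г' => 'g',  'д' => 'd',  'е' => 'e',   'ё' => 'yo',
        'ж' => 'zh', 'з' => 'z', 'и' => 'i',  'й' => 'y',  'к' => 'k',  'л' => 'l',   'м' => 'm',
        'н' => 'n',  'о' => 'o', 'п' => 'p',  'р' => 'r',  'с' => 's',  'т' => 't',   'у' => 'u',
        'ф' => 'f',  'х' => 'h', 'ц' => 'ts', 'ч' => 'ch', 'ш' => 'sh', 'щ' => 'sch', 'ъ' => '',
        'ы' => 'y',  'ь' => '',  'э' => 'e',  'ю' => 'yu', 'я' => 'ya',
    ];
    $text = strtr( mb_strtolower( $text, 'UTF-8' ), $cyrillic );
    return remove_accents( $text ); // WordPress core: "é" -> "e", "ß" -> "ss", ...
}

/** Returns the normalised filename, or '' if it still violates the policy regex. */
function kmm_example_sanitize_filename( string $raw, string $policy ): string {
    // Split on the last dot by hand: pathinfo()/basename() are locale-dependent
    // and can mangle multibyte characters at the start of a name.
    $dot  = strrpos( $raw, '.' );
    $ext  = false === $dot ? '' : strtolower( substr( $raw, $dot + 1 ) );
    $stem = false === $dot ? $raw : substr( $raw, 0, $dot );

    $base = kmm_example_transliterate( $stem );
    $base = preg_replace( '/[\s_]+/u', '-', $base );     // spaces/underscores -> hyphen
    $base = preg_replace( '/[^a-z0-9-]/', '', $base );   // drop whatever survived
    $base = trim( preg_replace( '/-{2,}/', '-', $base ), '-' );
    if ( '' === $base ) {
        $base = 'file';
    }
    $name = '' === $ext ? $base : "{$base}.{$ext}";
    return 1 === preg_match( $policy, $name ) ? $name : '';
}

add_filter( 'wp_handle_upload_prefilter', function ( array $file ): array {
    // Sample policy: lowercase letters, digits and hyphens, then one extension.
    $policy = get_option( 'kmm_example_filename_regex', '/^[a-z0-9-]+\.[a-z0-9]+$/' );
    $clean  = kmm_example_sanitize_filename( $file['name'], $policy );
    if ( '' === $clean ) {
        $file['error'] = sprintf( 'Filename "%s" does not match the naming policy.', $file['name'] );
        return $file;
    }
    $file['name'] = $clean; // e.g. "Фото Отпуск 2024.webp" becomes "foto-otpusk-2024.webp"
    return $file;
} );
```

Normalising before validating is what lets the upload succeed instead of being rejected: the policy regex is applied to the cleaned name, and the error path is only reached when no amount of transliteration can satisfy it (for instance a policy that forbids digits).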

Why are some formats blocked from being added?

For security reasons, dangerous file extensions (such as .php, .html, .js, .exe, .htaccess) are blacklisted. Even if you try to add them to the rules table, the settings sanitizer will automatically reject them to keep your site safe from execution vulnerabilities.
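The following added example (written for this page, not the plugin's own code) shows a register_setting sanitize_callback that refuses such extensions when the rules table is saved, together with the regex syntax check the 1.7.3 changelog mentions. The forbidden-extension list extends the FAQ's examples with a few other executable or markup types and is a constructed sample; option keys and kmm_example_* names are hypothetical.

```php
<?php
// Added example, not the plugin's own code: settings sanitizer for the rules table
// and the filename regex option. Names are hypothetical; the list is a sample.

const KMM_EXAMPLE_FORBIDDEN_EXT = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
    'html', 'htm', 'shtml', 'js', 'exe', 'htaccess',
];

/** Sanitizes the rules table; forbidden extensions are dropped with a notice. */
function kmm_example_sanitize_rules( $input ): array {
    $clean = [];
    foreach ( (array) $input as $row ) {
        $ext = strtolower( trim( ltrim( (string) ( $row['ext'] ?? '' ), '.' ) ) );
        // One short alphanumeric token: no dots, so "shell.php.jpg" style
        // entries cannot be registered as an extension at all.
        if ( ! preg_match( '/^[a-z0-9]{1,10}$/', $ext ) ) {
            continue;
        }
        if ( in_array( $ext, KMM_EXAMPLE_FORBIDDEN_EXT, true ) ) {
            add_settings_error(
                'kmm_example_rules',
                'forbidden_ext',
                sprintf( 'The ".%s" extension is executable or injectable and cannot be allowed.', $ext )
            );
            continue;
        }
        $policy = (string) ( $row['policy'] ?? '' );
        $clean[ $ext ] = [
            'mime'   => sanitize_mime_type( (string) ( $row['mime'] ?? '' ) ),
            'policy' => in_array( $policy, [ 'library', 'global', 'blocked' ], true ) ? $policy : 'blocked',
            'max_kb' => max( 0, (int) ( $row['max_kb'] ?? 0 ) ), // 0 = no size check
            'max_w'  => max( 0, (int) ( $row['max_w'] ?? 0 ) ),
            'max_h'  => max( 0, (int) ( $row['max_h'] ?? 0 ) ),
        ];
    }
    return $clean;
}

/** Empty means "use the default"; anything else must compile as a PCRE pattern. */
function kmm_example_valid_regex( string $pattern ): bool {
    return '' === $pattern || false !== @preg_match( $pattern, '' );
}

add_action( 'admin_init', function () {
    register_setting( 'media', 'kmm_example_rules', [
        'type'              => 'array',
        'sanitize_callback' => 'kmm_example_sanitize_rules',
        'default'           => [],
    ] );
    register_setting( 'media', 'kmm_example_filename_regex', [
        'type'              => 'string',
        'sanitize_callback' => function ( $value ) {
            $value = trim( (string) $value );
            if ( kmm_example_valid_regex( $value ) ) {
                return $value;
            }
            add_settings_error(
                'kmm_example_filename_regex',
                'bad_regex',
                'The filename pattern is not a valid regular expression; the previous value was kept.'
            );
            return get_option( 'kmm_example_filename_regex', '' ); // keep the stored value
        },
        'default'           => '',
    ] );
} );
```

Doing the check in the sanitize_callback means it also covers the REST settings endpoint and WP-CLI, not just the form, and unknown policy values fall back to "blocked" so a malformed POST can never widen what is allowed.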

Will this plugin affect my website’s loading speed?

No. Kodlo Media Manager is extremely lightweight. It uses native WordPress hooks and the Settings API without adding bloat, external stylesheets, or advertisements. All validation checks run on the server side only during media uploads, so there is zero impact on your front-end performance.


What is the difference between the upload policies?

  • Allowed (Media Library Only): The file format is allowed when users upload files directly to the Media Library, but is blocked in other parts of WordPress (e.g., plugins uploading temp files or theme assets).
  • Allowed (Globally): The format is permitted for all uploads across the entire WordPress installation.
  • Blocked (Globally): The format is completely restricted from being uploaded anywhere on your site.
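As an added example for this page (not the plugin's code), the three policies can be expressed through WordPress's upload_mimes filter, which wp_check_filetype_and_ext() consults for every upload: a format absent from that list is refused everywhere. How the plugin itself recognises a Media Library upload is not documented on this page; the kmm_example_is_media_library_upload() heuristic below (the media-new.php screen, or the upload-attachment AJAX action used by the Media Library uploader) is an assumption, as are the sample policy table and the kmm_example_* names.

```php
<?php
// Added example, not the plugin's own code: upload policies via upload_mimes.
// The Media Library detection heuristic and the policy table are assumptions.

function kmm_example_policies(): array {
    // Constructed sample, keyed by extension: policy and the MIME type to register.
    return [
        'webp' => [ 'policy' => 'global',  'mime' => 'image/webp' ],
        'avif' => [ 'policy' => 'global',  'mime' => 'image/avif' ],
        'svg'  => [ 'policy' => 'library', 'mime' => 'image/svg+xml' ],
        'jpg'  => [ 'policy' => 'blocked', 'mime' => 'image/jpeg' ],
        'png'  => [ 'policy' => 'blocked', 'mime' => 'image/png' ],
    ];
}

// Assumption: a user upload from the Media Library arrives either through the
// media-new.php screen or through the "upload-attachment" admin-ajax action.
function kmm_example_is_media_library_upload(): bool {
    if ( 'media-new.php' === ( $GLOBALS['pagenow'] ?? '' ) ) {
        return true;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    return wp_doing_ajax() && 'upload-attachment' === $action;
}

add_filter( 'upload_mimes', function ( array $mimes ): array {
    $in_library = kmm_example_is_media_library_upload();
    foreach ( kmm_example_policies() as $ext => $rule ) {
        $allowed = 'global' === $rule['policy']
            || ( 'library' === $rule['policy'] && $in_library );
        if ( $allowed ) {
            $mimes[ $ext ] = $rule['mime'];
            continue;
        }
        // Blocked here: core keys can be alternations such as 'jpg|jpeg|jpe',
        // so drop every key that contains this extension.
        foreach ( array_keys( $mimes ) as $key ) {
            if ( in_array( $ext, explode( '|', $key ), true ) ) {
                unset( $mimes[ $key ] );
            }
        }
    }
    return $mimes;
} );
```

Because the filter runs on each request, "Media Library Only" simply means the extension is present in the list for requests that match the heuristic and absent for every other code path (plugin imports, theme asset uploads), which is the behaviour the three policies describe.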


Changelog

1.7.5

  • Minor updates to plugin description, labels, and translations.

1.7.4

  • First version after the WordPress.org release: minor bug fixes and updates to the plugin description.

1.7.3.1

  • Added client-side visual validation warnings in the Settings UI rules builder when configuring blocked/insecure formats.

1.7.3

  • Resolved all WordPress.org review issues.
  • Extracted inline footer and welcome notice scripts to enqueued JavaScript assets.
  • Renamed all KMM_ constants, handles, and global parameters to KODLO_MEDIA_MANAGER_ prefix to avoid naming collisions.
  • Set contributors to kodlo (owner account).
  • Removed calls to the deprecated libxml_disable_entity_loader() function.
  • Added regex syntax validation to register_setting options callback.
  • Blocked whitelisting of dangerous formats (e.g. php, html, js) in settings and uploads.
  • Restricted filename sanitization hooks to run only during user Media Library uploads.

1.7.2

  • Updated the plugin description to focus on custom media upload rules, format validation, and naming constraints to keep the Media Library clean and optimized.
  • Audited the codebase to optimize scripts and assets.

1.7.1

  • Widened the rules table Extension column relative to the MIME Type column for better visibility of longer extension names.
  • Prevented creation of duplicate rules in the settings manager rules builder.
  • Integrated real-time client-side HTML5 form validation warning notifications and input focus/blur suggestions filtering to exclude already added extensions.
  • Added backward compatibility/reverse mapping from MIME type to Extension suggestions and auto-population.

1.7.0

  • Added HTML5 suggestions autocomplete lists for extension and MIME type input fields (loaded from a separate suggestions.json file containing popular formats).
  • Added real-time extension-to-MIME-type auto-population to automatically fill in the corresponding MIME type when an extension is typed or selected.

1.6.5

  • Made the “Auto-Sanitize Filenames” option dynamically toggle. It now only appears in the settings dashboard if the “Filename Regex Pattern” has been customized (is different from standard default or empty). If the regex is default, the auto-sanitize option is automatically hidden, disabled, and evaluated as inactive.

1.6.4

  • Added dynamic override for WordPress’s default big image threshold filter. The plugin now dynamically overrides the scaling threshold based on the configured custom image dimensions (or falls back to the 2560px standard default if no limits are specified), avoiding scaling conflicts.

1.6.3

  • Re-balanced admin rules table columns layout to offer more space for Width/Height fields (allowing 4+ characters) and MIME Type / Upload Policy, while reducing the Max Size column width to accommodate 6 characters.
  • Bumped max-width of the rules settings configuration table to 1100px.

1.6.2

  • Added automatic enforcement of the WordPress big image size threshold (defaults to 2560px) to prevent oversized image uploads from bypassing the plugin’s validation constraints.
  • Refined mobile card top padding (20px) and set the rule deletion cross icon size to 24px.

1.6.1

  • Refined mobile card top padding (20px) and set the rule deletion cross icon size to 24px.

1.6.0

  • Redesigned mobile rules cards layout to position the delete cross at the top right, stack labels above fields, and expand inputs/dropdowns to full-width.
  • Added dynamic cell visibility to hide the “Max Dim (px)” block on mobile if empty or if the format is not a raster image.
  • Added dynamic disable controls for the size and dimension inputs when a file format’s policy is set to Blocked (Globally).

1.5.0

  • Added mobile responsive layout for the settings rules table (card styling below 782px).
  • Added dynamic hiding of the entire “Max Dim (px)” column when no raster images are configured in the table.

1.4.0

  • Added WebM video format support with 10 MB optimized size limits.
  • Changed default limits for WebP/AVIF images to 2K resolution (2560px) and 250 KB max size.
  • Tuned default size limits for other common formats (SVG, PDF, DOCX, ZIP, MP4) for optimal web performance.
  • Added a persistent, dismissible welcome admin notification after first plugin installation.

1.3.0

  • Integrated dynamic settings rules JS inline inside class-settings.php to resolve assets load dependencies.
  • Removed unused external settings.js file.
  • Conducted full plugin security audit and performance optimization checks.

1.2.0

  • Removed left-padding override styling on the first column of the settings rules table.

1.1.0

  • Disabled filename duplication checks by default, making them an opt-in feature.
  • Defaulted filename regex pattern to match standard WordPress allowed character configurations.
  • Added fallback to default regex rules if custom pattern is left empty.
  • Added a direct “Settings” action link on the Plugins dashboard list page.
  • Cleaned up and polished delete button Dashicon action aesthetics.

1.0.0

  • Initial release.