Enable the “File Upload” field in the form builder.
The File Upload field in the WP Booking System form builder is intentionally disabled by default. Uploading files from the public internet straight into your WordPress site always comes with risk, so we want you to understand the implications before enabling it.
Why is it disabled?
A file upload field lets anyone who submits your booking form send a file to your server. If this is not controlled, users could try to upload:
-
very large files (filling up your hosting),
-
unwanted file types (like executables),
-
or, in the worst case, files that try to exploit your site.
Because of that, WP Booking System ships with the upload field turned off. You must deliberately opt in.
The risks
Here’s what you should be aware of before enabling uploads:
-
Security risk: If your site allows dangerous file types (PHP, JS, etc.) and they are placed in a public folder, an attacker could try to execute them.
-
Storage/bandwidth usage: Repeated uploads can fill your hosting account.
-
Privacy/GDPR: If customers upload personal documents (IDs, medical docs, etc.) you become responsible for storing them securely.
-
Hosting policies: Some hosts block or limit uploads.
Because of these, only enable the upload field if you really need it.
A safe alternative for requesting documents is to request them via email after the booking is created.
How to enable the file upload field
To enable the field in the form builder, you have to add a filter to your (child) theme’s functions.php file.
add_filter('wpbs_enable_file_upload_field', '__return_true');
