The DICOM Viewer works with DICOM medical image files in your WordPress media library.
Supported File Types
| Type | Extension | Use Case |
|---|---|---|
| DICOM | .dcm | Single DICOM file (one or more slices) |
| ZIP Archive | .zip | Bundle of multiple DICOM files (one or more series) |
Media Library Integration
Uploading DICOM files works exactly like uploading other media:
- Go to Media > Add New or Media > Library.
- Click Select Files or drag-and-drop your .dcm or .zip files.
- The files are uploaded and stored in your wp-content/uploads/ directory.
- Once uploaded, you can select them in the Gutenberg block or reference them by ID in shortcodes.
File Security
The plugin provides several security features:
- Filename obfuscation: Uploaded DICOM filenames are replaced with random hex strings to prevent directory traversal attacks
- Original name preservation: The original filename is stored securely in the database
- MIME type validation: Only .dcm and .zip files are accepted
- Protected serving (optional): Files can be served through WordPress instead of directly, allowing access control per-file
See Uploading Files for details on how files are handled during upload, and Access Control for per-file access restrictions.
Protected Health Information (PHI)
DICOM files contain Protected Health Information (PHI) such as patient names, IDs, birth dates, and other identifying information. When uploading DICOM files:
- Only upload files you’re authorized to upload — ensure compliance with HIPAA, GDPR, or your local privacy laws
- Use file access controls — restrict who can download files by configuring Access Control
- Use anonymization — set Anonymization to redact tags in the info overlay (note: this doesn’t modify the actual file)
- Consider external anonymization — if you need to permanently remove PHI, use a third-party DICOM anonymization tool before uploading to WordPress
File Deletion
When you delete a file from the media library, it’s removed from the database and the file system. This action cannot be undone.
Next Steps
- See Uploading Files for details on the upload process and PHI warnings
- See Access Control to restrict who can access specific files
Uploading Files
Upload Process
- Navigate to Media > Add New.
- Click Select Files or drag-and-drop .dcm or .zip files.
- WordPress uploads the files to your uploads folder.
- The plugin automatically recognizes them as DICOM or ZIP files.
- You can now select them in the Gutenberg block or reference them in shortcodes.
Uploading DICOM Files
The plugin automatically allows .dcm and .zip files in your media library.
If uploads don’t work, your server might be blocking these file types. Contact your hosting provider and ask them to allow .dcm file uploads.
Filename Security
When you upload a DICOM file, the plugin automatically changes the filename to a random string for security and privacy.
Example:
- You upload: MRI_Brain_20240315.dcm
- It’s stored as: a7f3e2d1b9c4f6a8e0d2c1b3a5f7e9d0.dcm
Why? This prevents sensitive information in your filename from being exposed online.
When users download: They get the original filename back, not the random one. So everything works normally for them.
Protected Health Information (PHI) Warning
When you navigate to Media > Upload or Media > Library, you’ll see a dismissible admin notice:
DICOM files may contain Protected Health Information. Only upload files you’re authorized to handle, and follow your organization’s privacy policies.
This is a reminder to be mindful when working with medical data. Click the × to dismiss it (it will appear again after a page refresh).
File Information
When you upload a DICOM file, WordPress stores information about it:
- Original filename — the name you uploaded with
- Protected marker — whether the file is restricted to logged-in users only
You can usually see this information in the attachment details page in your media library.
ZIP Archives
You can upload .zip files containing multiple DICOM files. The plugin supports:
- Any number of series
- Any number of files per series
- Mixed modalities (CT, MRI, XR, etc.)
When a ZIP is displayed, the viewer detects all series and displays them according to your layout settings (pills, dropdown, grid, etc.).
Tip: ZIP files are useful for uploading entire studies at once rather than individual files.
File Size Limits
Your hosting provider sets a maximum file size for uploads. You can see this limit in Media > Add New.
Typical limits: 256 MB to 1 GB per file
If you need to upload very large files, ask your hosting provider to increase the limit, or upload files via FTP instead of WordPress.
Next Steps
- See Access Control to restrict who can access uploaded files
- See Anonymization to redact PHI in the info overlay
Access Control
Access control lets you restrict who can download DICOM files from your site.
Protected File Serving
By default, DICOM files are served directly from the web server using their file path. To enable access control, you must enable protected file serving in the admin settings.
- Go to DICOM Viewer > General.
- Enable Protected File Serving.
- Save settings.
When enabled, files are served through /dv-file/{id}/ instead of direct URLs. This allows WordPress to check permissions before serving the file.
Performance note: Protected serving has a small performance overhead because file delivery goes through WordPress instead of the web server. Only enable if you need per-file access control.
Per-File Access Levels
Once protected serving is enabled, each file has an access level that controls who can download it:
| Access Level | Who Can Download |
|---|---|
| public | Anyone (no authentication required) |
| logged_in | Any logged-in WordPress user |
| admin | Only users with edit_posts capability (typically Admin or Editor roles) |
Setting Access Levels
Access levels are stored in the attachment metadata field _dv_access. To set it:
Option 1: Programmatically (Code)
```php
// Set file to logged-in only
update_post_meta( $attachment_id, '_dv_access', 'logged_in' );

// Set file to admin-only
update_post_meta( $attachment_id, '_dv_access', 'admin' );

// Set file to public (or clear)
update_post_meta( $attachment_id, '_dv_access', 'public' );
```
Option 2: Via Custom Fields Metabox
If you have the Custom Fields metabox visible on the attachment detail page:
- Go to Media > Library and click an attachment.
- Scroll down to Custom Fields.
- Add a new field with key _dv_access and value public, logged_in, or admin.
- Save.
Option 3: Using a Plugin UI (if available)
Some site builders or plugins may provide a UI for this. Check your plugin settings.
Default Access Level
Files with no _dv_access meta set default to public (anyone can access).
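Because a missing _dv_access value means public, existing uploads are worth auditing once protected serving is enabled. The following is an added example, not the plugin's own code: it lists DICOM attachments that are effectively public and the roles that satisfy the admin level. It assumes it runs inside WordPress and that DICOM uploads carry _dv_secure_file = 1 as described under Troubleshooting; dv-audit.php and the dv_* function names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Run inside WordPress, e.g.:
//   wp eval-file dv-audit.php        (dv-audit.php is a hypothetical filename)
// Assumption from the page: DICOM uploads carry _dv_secure_file = 1.

const DV_LEVELS = array( 'public', 'logged_in', 'admin' );

// Map attachment ID => reason it is (or may be) downloadable by anyone.
function dv_audit_public_files() {
	$ids = get_posts( array(
		'post_type'      => 'attachment',
		'post_status'    => 'inherit',
		'posts_per_page' => -1,
		'fields'         => 'ids',
		'meta_key'       => '_dv_secure_file',
		'meta_value'     => '1',
	) );
	$findings = array();
	foreach ( $ids as $id ) {
		$level = get_post_meta( $id, '_dv_access', true );
		if ( '' === $level ) {
			$findings[ $id ] = 'no _dv_access meta: defaults to public';
		} elseif ( 'public' === $level ) {
			$findings[ $id ] = 'explicitly public';
		} elseif ( ! in_array( $level, DV_LEVELS, true ) ) {
			// Handling of unknown values is not documented; review by hand.
			$findings[ $id ] = 'unrecognized _dv_access value';
		}
	}
	return $findings;
}

// Roles that pass the "admin" level, i.e. every role holding edit_posts.
function dv_roles_with_edit_posts() {
	$roles = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		if ( ! empty( $role['capabilities']['edit_posts'] ) ) {
			$roles[] = $slug;
		}
	}
	return $roles;
}

// Print IDs and stored (random) filenames only, so no original names leak.
foreach ( dv_audit_public_files() as $id => $reason ) {
	printf( "%d\t%s\t%s\n", $id, wp_basename( (string) get_attached_file( $id ) ), $reason );
}
printf( "Roles passing 'admin': %s\n", implode( ', ', dv_roles_with_edit_posts() ) );
```

On a default WordPress install the last line lists author and contributor alongside administrator and editor, because all four roles hold edit_posts.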
Access Denied (403 Error)
If a user tries to access a file they’re not permitted to download:
- The server returns a 403 Forbidden error
- The viewer won’t display the image
- The user sees an error message in the viewer
Download Button Visibility vs. Access Control
There are two separate settings:
- Show Download Button — controls whether the download link is visible in the viewer UI (General Settings)
- Access Level — controls whether a user is permitted to download if they try
A user could:
- See the download button but be denied access (403) if their access level is too low
- Not see the download button because the global setting hides it, but still be allowed to access the file if they guess the URL and have the right access level
Use Cases
Public medical education:

```php
// Anyone can view
update_post_meta( $attachment_id, '_dv_access', 'public' );
```

Patient portal:

```php
// Any logged-in user (e.g. portal patients) can view; the level is not tied to a specific user
update_post_meta( $attachment_id, '_dv_access', 'logged_in' );
```

Internal staff only:

```php
// Only users with the edit_posts capability (e.g. medical staff) can view
update_post_meta( $attachment_id, '_dv_access', 'admin' );
```
Troubleshooting
"403 Forbidden" error when trying to download:
- Check the file’s access level with: get_post_meta( $attachment_id, '_dv_access', true )
- Ensure the current user has the required role
- If using a custom role, verify it has the correct capabilities
Access control not working:
- Confirm Protected File Serving is enabled in DICOM Viewer > General
- Ensure the file has the _dv_secure_file meta set to 1 (should be set automatically on upload)
- Check WordPress rewrite rules are flushed (go to Settings > Permalinks and click Save Changes)
Next Steps
- See General Settings for the Protected File Serving toggle
- See Uploading Files for details on how files are secured during upload