The main reason SVG files are especially popular among developers and designers is that they are a scalable image format, generally smaller in file size (sometimes by quite a bit), and don’t pixelate on retina screens. WordPress by default though doesn’t allow you to upload the SVG file format, mainly due to security concerns.
Today we are going to dive into what SVGs are, how they can be beneficial, and how you can safely enable WordPress SVG support. We will also discuss browser support, as well as some caveats if you decide you want to switch to the vector image format.
Hopefully one day we will have SVG as part of WordPress core, but we are not quite there yet.
What Is an SVG File?
SVG (Scalable Vector Graphics) is an XML-based vector image that is commonly used by websites and brands to display logos and icons on their websites. Wikipedia defines SVG as:
An SVG (scalable vector graphics) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.
You can even manipulate SVG files with code or your text editor. SVGs are currently utilized by 33% of all websites and as you can see below, the adoption rate is growing rapidly. Popular sites such as Google, Reddit, Dropbox, ESPN, and even our own website here at Kinsta use SVGs.
SVG File Browser Support
SVG files are currently supported by all major browsers including mobile browsers. The only issue you might run into is if you still need support for IE8, which we hope you don’t. IE8 only has around a 0.36% browser market share and is no longer supported. Here is a great article by Lubos on why developers should stop supporting IE8, IE9, and IE10. From a business perspective, this might not always be possible, but he brings up some good points. If for some desperate reason you still need IE8 support, you could define a fallback image (PNG or JPG) for your SVG images, but we won’t be going into that today. Below is a list of supported browsers:
- Internet Explorer 9, 10, 11+ and Edge
- Firefox 2+
- Chrome 4+
- Safari 3.1+
- Opera 10+
- iOS Safari 3.2+
- Android Browser 3+
- Firefox for Android 86+
- Opera Mini (all)
- Opera Mobile 12+
- Chrome for Android 89+
- UC Browser for Android 12.12+
- Samsung Internet 4+
- QQ Browser 10.4
- Baidu Browser 7.12
- KaiOS Browser 2.5
Benefits of Using SVG Files
SVG files are a vector format, meaning they are automatically scalable in both browsers and photo editing tools. This makes them great for both graphic and web designers. Normally when you try to edit a PNG or JPG in a tool like Photoshop, Sketch, or Paint, you can’t upscale them without pixelation. With SVGs, you can upscale them to an infinite amount and they will look pixel perfect (or should we say vector perfect) every time. This is why they are a great image format to use for retina screens.
Google indexes SVGs, which is great news for SEO purposes. SVG content that is linked to a file itself will be indexed and show up in Google image search. You can see this first-hand with the SVG illustrations we use on Kinsta by doing an advanced image search. Note: Inline SVGs, or rather those composed of just code, are typically not indexed.
SVGs are traditionally (not always) smaller in file size than PNGs or JPGs. By using SVGs, you can actually speed up your WordPress site as you will decrease your overall page size. Genki wrote a great article where he compares the size of SVG vs PNG vs JPEG and here’s our JPG vs JPEG comparison. Below are a few takeaways from his testing in which he compared the three different image types.
JPG (optimized size: 81.4 KB)
PNG (optimized size: 85.1 KB)
SVG (optimized size: 6.1 KB)
As you can see above, the SVG is 92.51% smaller than the JPG and 92.83% smaller than the PNG. Those are pretty impressive file size differences. However, there is one caveat: as he tested more detailed images, the SVGs eventually became larger in size than the JPG or PNG.
That is why many sites use SVGs for less detailed images such as logos and icons, where they will see a significant decrease in file size. But for images with great detail, like perhaps your blog post “featured images,” you might want to stick with a PNG or JPG, which you can still optimize. Many websites use a hybrid approach, using both file types together where it makes sense.
Also, it is important to note that social media networks like Facebook and Twitter don’t support SVGs for sharing. So if you used SVGs for your featured images, you would have to utilize the Yoast SEO feature and upload a PNG or JPG for the OG and meta tags, otherwise you could risk your featured image not showing up at all.
Why SVG Security is Important
The reason SVG is not part of WordPress core yet is that there are security concerns to be addressed. You can follow the active discussion about SVGs in WordPress core (#24251), which was started back in 2013. An SVG is an XML file, which by itself opens it up to vulnerabilities that normal image formats aren’t affected by. These include XML external entity (XXE) attacks, nested entity bombs, and XSS attacks.
Mario Heiderich published an insightful presentation about the security risks due to active content injection with SVG files. One example given was that JavaScript was embedded in an SVG and it actually managed to call Mario on Skype. That is kind of scary! SecuPress, authors of a WordPress security plugin, also touched on the subject of being careful when adding SVGs to WordPress, and the importance of doing it the right way.
Many SVG plugins on the repository are utilizing the following code, which simply enables the MIME type to allow uploading of SVGs to the WordPress media library. This is not the safe way to do this! So don’t go and just download the first free SVG plugin you see or copy paste this code and think you’re good to go.
// Unsafe: only registers the SVG MIME type; uploaded files are not sanitized.
function cc_mime_types($mimes) {
    $mimes['svg'] = 'image/svg+xml';
    return $mimes;
}
add_filter('upload_mimes', 'cc_mime_types');
The solution is that SVGs need to be sanitized. Sanitization is basically the cleaning of code or input to avoid security issues (such as code injection), code conflicts, and errors. This could entail things such as encoding data, filtering and validating strings, etc. This is where Daryll Doyle’s SVG-Sanitizer library comes into play, which he refers to as “his attempt to build a decent SVG sanitizer in PHP.” Check out the demo of his SVG sanitizer to see it in action.
It is also important that you consider who on your site has access to upload SVGs. For example, if you are on a multi-author site, you have no idea what kind of SVG someone else might upload, exposing your site. Restricting SVG uploads to administrators and those that understand some of the security concerns is advisable.
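A hardened counterpart to the MIME-only snippet above, covering the XML risks listed earlier and the advice to limit who can upload. This is an added example, not code from the original article or from the Safe SVG plugin. It assumes the enshrined/svg-sanitize library is installed with Composer next to the plugin file; the error messages and the strict entity policy are illustrative choices.

```php
<?php
/**
 * Added example (not Safe SVG's code): admin-only SVG uploads, sanitized before storage.
 * Assumption: enshrined/svg-sanitize was installed with Composer next to this file.
 */
require_once __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// Register the SVG MIME type only for administrators, instead of for every uploader.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( current_user_can( 'manage_options' ) ) {
        $mimes['svg'] = 'image/svg+xml';
    }
    return $mimes;
} );

// Runs before WordPress moves the temporary file into the uploads directory.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $extension = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' !== $extension ) {
        return $file; // Not an SVG: leave other uploads untouched.
    }

    $dirty = file_get_contents( $file['tmp_name'] );
    if ( false === $dirty ) {
        $file['error'] = 'The SVG could not be read for sanitization.';
        return $file;
    }

    // Strict policy (assumption): refuse entity declarations outright, the
    // building block of XXE and nested entity bombs. Some editor exports
    // declare entities and would need re-exporting as plain SVG.
    if ( false !== stripos( $dirty, '<!ENTITY' ) ) {
        $file['error'] = 'SVG files with entity declarations are not accepted.';
        return $file;
    }

    // The sanitizer drops elements and attributes outside its allow-list,
    // which removes <script> blocks and on* event handlers (the XSS vector).
    $sanitizer = new Sanitizer();
    $sanitizer->removeRemoteReferences( true );
    $clean = $sanitizer->sanitize( $dirty );

    // sanitize() returns false when the XML cannot be parsed: fail closed.
    if ( false === $clean || false === file_put_contents( $file['tmp_name'], $clean ) ) {
        $file['error'] = 'This SVG could not be sanitized and was not uploaded.';
        return $file;
    }

    return $file;
} );
```

Setting `$file['error']` makes WordPress abort the upload and show that message, so a file that fails any check never reaches the media library.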
How to Safely Enable WordPress SVG Support
Daryll has developed a plugin, WP SVG (also known as Safe SVG), which utilizes the SVG-Sanitizer library upon uploading SVG images to your WordPress media library. The plugin also enables you to view SVGs like normal images in the media library.
You can download Safe SVG for free from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins. You can get up and go with a few simple clicks.
There’s also a premium version, available at wpsvg.com, which allows you to restrict certain users from uploading SVGs and additional SVG optimization. In the example below, we are going to simply use the free version.
As an alternative plugin, you might want to check out SVG Support.
Before uploading your SVG file, it is important to understand that SVGs behave slightly differently than images. When exporting an SVG from your photo editing tool, you will want to export the text as curves (or create an outline), otherwise it might render slightly differently in various browsers.
After you install the plugin, there are no settings; it will simply sanitize your SVGs upon upload. On our test site below you can see we replaced our logo with an SVG file, and it is viewable like normal in the media library.
This also then allowed us to use our theme’s control panel to change the logo in our WordPress header over to our SVG file. You can see below it is indeed serving up the .svg file. And looks beautiful now on retina screens.
There is one additional tweak we had to make. IE9-11 on desktop and mobile don’t properly scale SVG files yet. Adding height and width fixes this issue. This might vary per theme, but on our test site we simply modified our header.php file and added these custom dimensions. Some WordPress themes use CSS to modify the scaling, which is not good for performance reasons, and because of that you might need to add additional code to fix the IE issue.
And that’s it! You have now safely enabled WordPress SVG support. This plugin and/or method isn’t endorsed or supported by WordPress core, so of course, use at your own risk. However, if you were already uploading SVGs with only the MIME type snippet, then, by all means, please do it this way.
Also, if you have never used SVGs before, ensure you have GZIP enabled on your server for the “image/svg+xml” file type. This will ensure they are compressed and will load as fast as possible. Sometimes sysadmins only enable the more standard file types. Note: GZIP is enabled on all Kinsta servers already for SVGs.
Summary
SVGs are a great way to enhance the look of your site! We recommend utilizing SVGs, PNGs, and JPGs together to achieve the best performance, as very detailed images will not perform as well in SVG format. SVGs are great for your logo, to ensure it looks pixel-perfect on every screen, along with icons.
What are your thoughts? Have you used SVGs yet on your WordPress site?
I use the function all the time, but I didn’t know about the WP SVG plugin. Looks handy.
Definitely a great plugin! I highly recommend using the plugin, rather than just the function, as this sanitizes the SVGs upon upload.
Good point! I appreciate it.
Extraordinary explanation for the SVG graphics plugin. Keep up the good work!
Very interesting article Brian. After the installation of plugin WP SVG, what did you use to convert all old images (jpg or png) to svg?
Thanks!
Hey Alessandro, we wouldn’t recommend using only SVGs on your site. It’s better to only use them in combination. For example, on our Kinsta site, we use an SVG for our logo and for icons (as seen on https://kinsta.com/wordpress-hosting/). For more detailed images, like featured images on blog posts, etc… you will still want to use JPGs/PNGs.
And we didn’t convert to SVG, we always use the original SVG/create it.
Hello,
So I guess that calling SVG file in my WordPress page template like this isn’t safe at all ?
echo file_get_contents( get_stylesheet_directory_uri() . '/img/home.svg' );
1) I create my SVG in illustrator
2) I upload it on my server with Filezilla
3) I call the SVG with the code above in php
What do you think about it ?
Thanks
Correct, it would be safer to use the free plugin mentioned above as the file gets sanitized upon uploading. You can then call it via PHP after it is in your media library.
Nice! Thank you for the post. Saw this on FB a few weeks ago, and this is when it came in handy! I set this up for a client, which was super easy and got amazing quality graphics! The only issue I’m having is SVGs are not showing up in Firefox. Do you know of a fix or did I miss something in the article?! :-o
Hey Paul. Glad it was helpful :) Firefox supports SVG files in pretty much every version (all the way back to Firefox 2). We are using SVGs on this website (and it runs WordPress). I have SVGs on 6+ other sites and they all work fine in Firefox. So it definitely isn’t a browser issue. Did you clear your cache everywhere? Also, make sure to specify dimensions on the images. Did you create your SVGs with a photo editing program or simply download them from somewhere?
Hi Brian,
Thanks for getting back to me! FF is up to date. Cache is cleared everywhere (server / browser) and dimensions are there. SVGs were created using Adobe Illustrator Creative Cloud…. I can’t bring my client back to PNGs LOL
You mind sharing URL?
iweartruth.com and someone just told me on all 3 browsers (Chrome FF and Safari) there is no logo……
Ya you have some weird styles set on your image… As you can see in the picture attached I was able to get it to show up in Firefox after playing around in devtools. http://jmp.sh/ePeyQAJ
I had to remove the width:100% from these classes:
.mk-image-holder
.mk-image .mk-image-inner img
As well as the inline style of 100%.
Your theme is making this process a lot harder than it should be :(
Brian thank you for pointing this out. I will forward it to the theme authors for an update. Their theme is SVG compatible so probably a little bug. I really appreciate you taking the time for this and it won’t be forgotten :-)
Thanks. The sanitizer is a nice touch.
Hey!
Ya we aren’t using SVGs in our article, but we do use them on our site. For example, our logo at the top of the site is an SVG, along with icons on our feature pages, etc… Thanks
Excellent post, we make a custom plugin for icons in .SVG easy upload in WordPress too.
Hi
About google indexing – yes, a file (like img src) is indexed. I’ve seen no real evidence that inline SVGs are routinely indexed, even on big sites
Hey Ed! Thanks for catching that. You are correct, it should be SVGs that are linked directly to a file will be indexed by Google. I’ve updated the post above and gave an example of our indexed SVGs on our Kinsta site.
Thanks again
I was wondering where I am going wrong with creating an SVG logo or icon. I have been learning Inkscape and have created several logos and icons and after creating them and attempting to use them in my Avada WP theme or even on a standard HTML page I have noticed that these SVG files are not scaling and just stay the same size. What should I do? Is this an issue at the production level, meaning at the time that I create and save the created SVG file in Inkscape, or is this more of a WP or Avada theme issue? Wondering if you know of any web based material that you can point me in the direction of so that I can learn what to do? I have been searching online to learn but have only run into stuff that is either not accurate, too vague or just not detailed enough. Thanks and would greatly appreciate the help.
Hey Joseph,
As long as you are uploading the SVGs correctly, the scaling issue is more likely a CSS issue with your theme. I would recommend opening up a ticket with the Avada crew.
“Normally when you try to edit a PNG or JPG in a tool like Photoshop or Paint”
Paint!!!
Love!!!
I am planning to use SVG images on my site to improve performance. These will be verified SVGs created by my team. I want to understand that is it safe to use them? Are SVGs open to attack or are the unverified SVGs the ones we need to be careful about?
Yes, SVGs are safe. Just use a plugin like mentioned above to make sure they are sanitized upon upload and ensure only verified users can upload them.
Hi, I was just wondering how I would upload an SVG font file into my WordPress website?
Hey Alexa,
If you install the free Safe SVG plugin mentioned above, you can just upload SVGs to your media library like any other image.
Thank you so much for this, I was having problems uploading an appstore image.
I installed the plugin and uploaded my svg for the header image/ logo. When I choose select and crop, it shows my image selected and only gives me the option to crop. I click Crop, and it says “There was an error cropping your image.”
It seems like a wordpress issue, because the svg looks great when I pull it up in a chrome window. Any ideas?
Hey Lauren,
Yes, I don’t think you’ll be able to crop SVGs in WordPress. This isn’t a plugin problem, but rather a lack of support by WordPress. This plugin simply sanitizes them and allows you to see them. I would recommend cropping your SVGs before uploading them.
Hey there – this becomes problematic when trying to use an SVG as the site icon. Upon selecting an uploaded SVG for the site icon, you are presented with a screen to crop said image. Unlike the regular usage (using an SVG anywhere else on the site), there is no “skip cropping” button/link, but the same error appears. The only option is to cancel out of that screen. I realize this is not a direct plugin issue, but has anyone come up with a workaround that allows you to use an SVG image for the site’s icon?
I tried to install the SVG after installing the plugin, but it says ““[email protected]” has failed to upload.
Sorry, this file type is not permitted for security reasons.” and I couldn’t upload the SVG files. Please help!!
Hey Sarath! Are you sure you’re uploading a .SVG file? The file name above shows .XML.
This is a great post — thank you! I had not known about their security risks until I tried uploading one to my site just now. So the sanitizer cleans on upload. That sanitation process prevents hackers from injecting malicious code into an SVG. Left unsanitized (dirty code) the SVG graphic is always going to be more vulnerable.
Is there any security drawback to uninstalling Safe SVG after you are done uploading your svg’s?
Thanks for the text, but the plugin that you endorsed is breaking my theme (I’m using the Ave of Liquid themes).
Had to use SVG Support that worked for me without breaking my theme.
Does not work anymore in wp 5.0.2
Hey Zakir!
We can confirm that the WP SVG plugin works fine in WordPress 5.0.3. Are you getting an error? You might try temporarily disabling your plugins to see if there is a conflict. https://kinsta.com/knowledgebase/disable-wordpress-plugins/
I was wondering if you know of how best to transition a site to including SVGs. Since the new SVGs would have different URLs than our current images, this could break some of the links on our site. Do you have any tips on how to handle this switch?
Hi Kinsta team,
What do you think of the possibility of WordPress supporting SVG in the future?
I manually enable SVG, but then new updates of WordPress render it worthless. I grew tired of fixing my codes so I decided to rely on the help of plugin developers who have way more experience than me.
It turns out that the plugin was developed by one member of your team, so thank you.
I have the question above because I’m worried that the author may stop updating the plugin some day. I love SVG.
This plugin works well, but when used on your servers it throws an exception:
```
ErrorException: libxml_disable_entity_loader() has been disabled for security reasons
```
It’s being called by the sanitization library in the plugin:
```
[…removed…]/mu-plugins/safe-svg/lib/vendor/enshrined/svg-sanitize/src/Sanitizer.php
```
Specifically here:
```
protected function resetAfter()
{
    // Reset the entity loader
    libxml_disable_entity_loader($this->xmlLoaderValue);
}
```
So far as I can tell this doesn’t actually prevent it from functioning as intended, but it DOES fill up my logs with errors. I contacted support, and was told that although `libxml_disable_entity_loader()` can be enabled, doing so would mean that Kinsta wouldn’t be willing to fix my server if it was compromised, since they feel that function opens up a dangerous attack vector. I can appreciate concern over users uploading SVGs, which is the reason I installed the plugin, but I feel like this creates a difficult situation: If I need SVG uploads, either I enable them in an unsafe manner (i.e. w/o the plugin) or I enable the plugin and ask for Kinsta to abandon any commitment to remove future malware on my server.
The referenced plugin, Safe SVG, has been removed from the WordPress Plugin repository pending a full review.
So maybe don’t recommend it.
Hey Patrik!
This was just removed today. This happens very often with many plugins. Most likely the developer will resolve the issue within the next couple of days and it will be back online. 👍
Is it safe to use an SVG logo directly in header.php?
Yes! It is safe to use SVGs in your header…but they just need to be sanitized if these SVGs aren’t from a trusted source. The article mentions this resource – which is an ONLINE sanitizer for SVGs. http://svg.enshrined.co.uk/
We use a lot of custom icons that have been made with iconPRO ( https://iconpro.io ) on our sites. iconPRO actually automatically sanitizes the custom icons you make before you download. Wish this was more standard for all SVG tools!
Great article! Thanks! It helped me