It's not that hard to enable SVG upload in WordPress via a snippet, but is it really that clever to do so?

SVG Upload to WordPress

Last week I showed you in an article how you can optimize and perfect SVG files to get rid of the format's unnecessary ballast. Remember: an SVG is a scalable file based on XML. The advantage is that SVG files keep their quality at every size, so they really do scale. But WordPress does not allow SVG uploads to the media library, and there is a good reason for that. I will come back to this later, because first I want to show you how to activate SVG upload in WordPress. Then I will talk about the security risks and problems, and about why this is not such a good idea and why WordPress still does not allow SVG uploads.

WordPress SVG uploads via snippet

First of all, there are many ways to enable SVG upload in WordPress. But it should also be said that almost every one of these ways has failed at some point, for example after a WordPress update. The last WordPress update also broke previously working snippets. What does this tell us? Either use a plugin that detects such problems quickly and fixes them automatically, or keep an eye on it yourself to avoid sudden error messages. Basically, it only takes a few lines of code to activate SVG upload in WordPress. Strictly speaking, it's the following lines.

// Register SVG and SVGZ as allowed MIME types for media library uploads.
function add_svg_to_upload_mimes($upload_mimes)
{
	$upload_mimes['svg'] = 'image/svg+xml';
	$upload_mimes['svgz'] = 'image/svg+xml';
	return $upload_mimes;
}
add_filter('upload_mimes', 'add_svg_to_upload_mimes');

Since the last update, however, this approach fails on its own, which is why it only works with unfiltered uploads. This assumes that you have no problem with unfiltered uploads and no users you don't fully trust with SVG uploads. It's up to you whether you really want to activate it, because of course there is a potential security risk. Either way, you still need the following line.

define('ALLOW_UNFILTERED_UPLOADS', true);

Besides the quick solution above, there are several tickets and workarounds regarding SVG uploads in WordPress, because of course the outcry after the last update was big when many people suddenly had SVG files that didn't work anymore. This may be justified or not, but SVG is not yet officially supported in WordPress, and therefore it is always tricky to allow it at your own risk. This is because SVG is an XML file format and therefore has an incredible amount of potential for security holes. Nearly infinite, I would like to say, to make this really clear to you. An SVG file can contain executable scripts and much more, all the stuff you'd better keep off your blog. So you'd better think three times before activating SVG upload in WordPress.

SVG files are extremely insecure

So because SVG is extremely insecure, there is no official support in WordPress yet. Among the developers, of course, this has been talked about and discussed for a very long time, but several security checks would have to be implemented to allow SVG files in a mainstream CMS like WordPress. After all, not everyone understands the background, and one of the reasons WordPress is so popular is that it is easy to use and extremely easy to handle. If SVG uploads were now allowed in WordPress, it wouldn't take a week before endless numbers of contaminated SVG files would be circulating. Therefore, if SVG uploads are to be allowed in WordPress, thought has to go into making them as safe as possible. They will come, sometime, but not just like that.
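One way such a security check could look, as an added example that is not code from this article, from WordPress core or from any plugin: an allowlist check hooked into WordPress's wp_handle_upload_prefilter filter that refuses any SVG or SVGZ upload (SVGZ is gunzipped first) containing elements outside a small static set, event-handler attributes, a DOCTYPE or non-local links. The example_* names, the element allowlist and the sample SVG are assumptions made for illustration.

```php
<?php
// Added example, not from the article or any plugin; example_* names are hypothetical.
// Elements a static graphic needs (lower-cased local names); anything else is refused.
const EXAMPLE_SVG_ELEMENTS = ['svg', 'g', 'defs', 'title', 'desc', 'path', 'rect',
    'circle', 'ellipse', 'line', 'polyline', 'polygon', 'text', 'tspan', 'use',
    'symbol', 'lineargradient', 'radialgradient', 'stop', 'clippath', 'mask'];

/** Returns reasons to refuse the SVG; an empty array means nothing active was found. */
function example_svg_findings(string $svg): array
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // collect parser errors silently
    $ok   = $svg !== '' && $doc->loadXML($svg, LIBXML_NONET); // no network fetches
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) { return ['empty or not well-formed XML']; }
    $found = $doc->doctype !== null ? ['DOCTYPE declaration'] : []; // DTD entity tricks
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->localName);
        if (!in_array($tag, EXAMPLE_SVG_ELEMENTS, true)) {
            $found[] = "element <$tag>";        // script, foreignObject, a, animate, ...
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->localName);
            if (strpos($name, 'on') === 0) {
                $found[] = "event handler $name";          // onload, onclick, ...
            } elseif ($name === 'href' && strpos(trim($attr->value), '#') !== 0) {
                $found[] = "non-local href on <$tag>";     // external or script URLs
            }
        }
    }
    return array_values(array_unique($found));
}

if (function_exists('add_filter')) {            // inside WordPress: veto the upload
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        if (preg_match('/\.svgz?$/i', $file['name'])) {
            $raw = (string) file_get_contents($file['tmp_name']);
            $raw = strncmp($raw, "\x1f\x8b", 2) === 0 ? (string) @gzdecode($raw) : $raw;
            if ($found = example_svg_findings($raw)) {
                $file['error'] = 'SVG refused: ' . implode(', ', $found);
            }
        }
        return $file;
    });
} else {                                        // on the CLI: run a constructed sample
    $sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script/><circle r="4"/></svg>';
    print_r(example_svg_findings($sample));
}
```

The check only refuses files, it does not clean them, so it complements a sanitizer rather than replacing one.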

WordPress and SVG uploads

If you really want to use SVG uploads in WordPress, you should still not unlock them with a snippet. Currently there is a relatively good, though not perfect, SVG plugin for WordPress, which at least runs the uploaded files through the SVG Sanitizer. But even this is not seen as a solution, only as a possible concept, as the plugin description clearly states. Using SVG files in WordPress may be tempting, but should be avoided at this stage. Even if you know your way around, there are countless risk factors regarding SVG uploads.

About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics but I like to write about SEO, which has been my passion for over 10 years now.

1 thought on “How to enable SVG upload in WordPress”

  1. Thank you for pointing out the plugin.
    I do not share the security concerns of WordPress. As long as it concerns self-created SVG graphics, I don't see any risk.
    Kind regards from Wittenberge
    Andre
