Why can’t I upload ICO files to WordPress?

Via the Site Identity settings in the Customizer, I can’t upload a favicon image.

Site Identity != favicon image. It’s used for favicons and resized down but it’s also used in lots of other locations.

E.g. it can appear in:

  • the theme header as the logo
  • smartphone homescreens
  • twitter and FB previews

So uploading a tiny image can be harmful, this is why the site identity has a minimum size recommendation. .ico files do not work in those places.

I get the error message ‘Sorry, you are not allowed to upload this file type.’

Yes and no, WP does indeed support uploading of .ico files:


    return apply_filters(
            // Image formats.
            'jpg|jpeg|jpe'                 => 'image/jpeg',
            'gif'                          => 'image/gif',
            'png'                          => 'image/png',
            'bmp'                          => 'image/bmp',
            'tiff|tif'                     => 'image/tiff',
            'webp'                         => 'image/webp',
            'ico'                          => 'image/x-icon',
            'heic'                         => 'image/heic',

If you cannot then this means one of two things:

  • a plugin or filter is removing support
  • the .ico file is not actually a .ico file and has the .ico extension but is actually a different format, so image/x-icon doesn’t amtch
  • the host is passing the file with the incorrect mime type

Eitherway you should be using PNG instead as it has wider support, fewer issues, and allows for higher resolutions, bit depths, and quality than .ico files.

The only benefit .ico has is that it has wider support on very old browsers.

But if I just copy the favicon to my root directory via my Cpanel File Manager it works fine.

If no HTML tag tells the browser where to find the image for favicons, it requests /favicon.ico from the server as a fallback. Since you did not set a site identity image, WP doesn’t print those HTML tags.

The browser is built to be very forgiving so even if it’s not a valid .ico or if it’s a PNG with a .ico extension it will still work when used this way.

Why is WordPress disallowing this? Is there a security reason?

WP allows it! But your server and the code in your theme/plugins does not. You will need to isolate this further by doing standard debugging steps such as disabling all plugins and using a default theme, then re-activating them one by one until the problem returns to identify the culprit.

But you shouldn’t be using .ico favicons anyway

The site identity is used for far more than the favicon, and there’s a reason WP wants files bigger than 512×512, because using a 64x64px icon for social media images and all the other things WP uses the site icon for would be bad for your site.

.ico files have limited support and capabilities, and have fundamental limitations on resolutions. They also have historic security issues.

You may want to upload a .ico file via CPanel for very old software but even if you do that, you should still include a PNG favicon via WP’s site identity.

Note that there are tools and converters that can take an existing .ico file and transform it into a PNG file, so needing a PNG file should not be a problem, even if the only file you have is in the .ico format.