WordPress.org Strongly Urges Theme Authors to Switch to Locally Hosted Webfonts

In light of a recent German court case, which fined a website owner for violating the GDPR by using Google-hosted webfonts, WordPress.org’s themes team is updating its recommendations for hosting webfonts. Most theme authors have been enqueuing Google Fonts from the Google CDN for better performance, but this method exposes visitors’ IP addresses.

“The themes team strongly encourages the theme authors to update their themes,” Themes Team representative @benachi said in a recent announcement. “We recommend updating by switching to locally hosted webfonts. Luckily Google Fonts can be downloaded and bundled in a theme. Bundled font files allow users to host webfonts locally and comply with GDPR.”

The Themes Team is also considering banning remotely hosted fonts moving forward and will discuss at the next meeting.

Core contributors are now working on updating all the default themes from Twenty Twelve through Twenty Seventeen to use locally hosted webfonts. The task had previously been discussed but was renewed by a recent topic in the German support forums. A user created a small website using the Twenty Seventeen theme and said he has been threatened by a site visitor who cited the German court ruling. The ruling threatens a fine of €250,000.00 for each case of infringement or, alternatively, six months imprisonment, if the site owner does not comply and continues to provide Google with IP addresses through their use of Google Fonts.

“While in the newer default themes fonts got added as an asset, the older default themes remained untouched,” WordPress contributor Jessica Lyschik said. “This can cause issues with users not being aware of both the legal stuff and the fact that Google Fonts are directly used in default themes.

“We think while it is still widely among plugins and other themes to use Google Fonts directly, the default themes of WordPress should be able to used risk-free and compliant with the GDPR.”

The Themes Team recommends authors refer to the Twenty Twenty-Two theme to learn how to bundle locally hosted webfont files using theme.json. Another option, for those using functions.php, is to follow the Implementing a Webfonts API in WordPress Core tutorial.

Many theme authors may not update their themes until forced to by a ban from WordPress.org. In the meantime, users might consider adding a plugin to host webfonts locally. WordPress developer Xaver Birsak has created a small single-purpose plugin called Local Google Fonts that automatically detects Google font sources and gives users the option to download them and use them locally.

Local Google Fonts admin screen

This plugin checks for fonts embedded via wp_enqueue_style. Users who are embedding Google fonts via @import will need to change that before using the plugin. It currently auto downloads new font versions if available. Birsak has created it as a set-it-and-forget it kind of plugin. This may be a good option for non-technical users who have a theme that hasn’t yet been updated by the author. Local Google Fonts is available for free on WordPress.org.

Another free plugin option on WordPress.org is the OMGF | Host Google Fonts Locally plugin, which has a few additional features. It preloads fonts to reduce Cumulative Layout Shift above the fold, unloads fonts that are not used by the theme or plugins, allows users to set a fallback font stack, and will replace font-families with system fonts to speed up loading times. A commercial version offers multisite support and more advanced features.

25

25 responses to “WordPress.org Strongly Urges Theme Authors to Switch to Locally Hosted Webfonts”

  1. If you’re looking for a free solution that checks for Google Fonts throughout the HTML document, instead of just enqueued stylesheets, try out OMGF.

    The Pro version even checks for Google Fonts in WebFont Loader, @font-face statements, @import statements and Beta (Early Access) versions of Google Fonts.

  2. Please don’t forget to mention Google-hosted Fonts in Plugins. Not only themes with Google-hosted Fonts are part of this problem.

  3. I was having a talk on a podcast I was a guest on this morning and………

    Going LOCAL on Fonts, emojis and other things…..will just add more files on your hosting, so many people don’t really have unlimited storage.
    The ones that do…we all know unlimited storage/bandwidth is not truly unlimited storage/bandwidth, correct?

    There is an advantage to hosted somewhere else. Just like we all know to not upload videos on our hosting instead go to Youtube, Vimeo, etc………

    • The average WOFF2 file is <25KB. If you don’t have the storage space to store a few hundred KB’s of files, then you have another, bigger problem. 😅

      You should either clean up logs, stale cache, or images you no longer use. Or, find out what else it is that is eating up your storage space.

      The thing I fear, though, is that theme authors will start including ALL Google Fonts with their themes, because people are supposed to have a choice, right!? In those cases you’re right, people might not have a few 100MBs left. 😱

      • Then at some point the whole OH EM GEE GRAVATAR thing…going local. So many elements will be forced to be local.

        It all adds up. Specially when you have one of your sites with 10M+ registered users (that M is for Million by the way).

        Also, I only have two fonts on my sites. First one is the twenty twenty whatever latest number, then the theme I actually use.

        I do not want my WordPress database+files to be a fat bloated whale.

        • Well, the alternative would be to ask for prior consent to display Gravatar images, which seems kind of ridiculous IMO. So, at that point I’d just disable Gravatar altogether.

          I can totally see where you’re coming from, but I also think it’s a matter of reconsidering which 3rd party services you use. Even more so on the scale you’re speaking off.

          If a service isn’t absolutely, 100% critical for your website/business, then drop it! And if it is, make sure you’re certain it respects the privacy of your visitors. If it doesn’t, find an alternative!

          But that’s just my perspective on the situation.

          On the other hand, an updated EU-US privacy shield would be nice. That’d give us website owners a bit of breathing room. Sadly, I just don’t see that happening — at least, anytime soon…

          • My privacy page, you’d need 25 pages to print it. EVERY little bit is listed.
            I do the cookies thing. I have gone with Burst statistics.
            The next item on my list is to get rid of Gravatar. At first I wanted local avatar upload thing but the 10M+ site makes it a pain. So it might be getting rid of Gravatars/Avatars. For comments I don’t use CONNECT WITH (SOCIAL MEDIA). I never really liked Avatars/Gravatars.

  4. The same argument can and will be used about the inclusion of Gravatar (a WordPress.com property) in every single WordPress site. The capability for 3rd party tracking, whether it happens or not, is the issue here.

  5. Under that premise, any request to an external static resource like js,css,jpg or third party API would be exposing the IP and violating GDPR, Also using a CDN would be exposing the visitor’s IP to a third party

      • Dann thank you for providing the article, I have read it in its entirety, however, I think the rules should apply to everyone, that’s why you can’t legislate lightly.

        It is very difficult to know which resources you can have locally and not use from third parties, for example, a JS from an external library, actually you can have it hosted locally, an image compression service, you can actually download the compressed image and host it locally.

        Now, an external font is served from a CDN, does that mean that if I use GOOGLE CLOUD CDN to serve all my resources I’m in compliance with policy but if I use a google font (hosted on their CDN) I am not in complying?

        If I call Jquery from Cloudflare then I don’t violate GDPR.
        https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js
        But if I call it from Google yes?
        https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js

        In case I’m not violating it, isn’t a font the same as a JS in that they are both static resources?

        I think there is still a lot of ambiguity

      • I think the rules should apply to everyone, that’s why you can’t legislate lightly.

        It is very difficult to know which resources you can have locally and not use from third parties, for example, a JS from an external library, actually you can have it hosted locally, an image compression service, you can actually download the compressed image and host it locally.

        Now, an external font is served from a CDN, does that mean that if I use GOOGLE CLOUD CDN to serve all my resources I’m in compliance with the policy but if I use a google font (hosted on their CDN) I am not in complying?

        If I call jQuery from Cloudflare then I don’t infringe GDPR. cdnjs.cloudflare.com/…/jquery/3.5.1/jquery.min.js

        But if I call it from Google yes?
        ajax.googleapis.com/…/jquery/3.5.1/jquery.min.js

        In case I’m not infringing it, isn’t a font the same as a JS in that they are both static resources?

        I think there is still a lot of ambiguity

    • It is, you have explicitly name ALL of them in your Privacy Policy.

      I tried to explain this, in a comment that was deleted, using my own example.

      • Wrong! IIf this were the case, it would suffice to include a description of Google Fonts in the privacy policy. The court has rejected exactly that. If you transfer personal data to US servers, I would strongly advise you to obtain the explicit consent of the visitor. Otherwise it can be expensive.

      • Wrong! If this were the case, it would suffice to include a description of Google Fonts in the privacy policy. The court has rejected exactly that. If you transfer personal data to US servers, I would strongly advise you to obtain the explicit consent of the visitor. Otherwise it can be expensive.

    • IT IS THAT STRICT. If you need a GDPR complient website you must not request any resources or APIs from servers in the US or any other country outside EU that hasen’t a sufficient privacy protection. And I’m dealing with that since 2018. For example: I have to be much more carefull with WordPress-Plugins, because a lot of them don’t care about the GDPR a sending such request to US-servers. If they do so, i dont use them.

    • THAT’S HOW STRICT IT IS. If you need a GDPR-compliant website, you can’t request resources or APIs from servers in the US or any other country outside the EU that doesn’t offer sufficient data protection (The only exception is if you’ve obtained the user’s consent, but there’s a lot to consider there too, and you need a fallback if the user doesn’t consent.

      And that’s what I’ve been dealing with since 2018 with the GDPR. I have to be much more careful with WordPress plugins, because many of them don’t care about GDPR and send such requests to US servers. If they do, I don’t use them. IT IS THAT STRICT. If you need a GDPR complient website you must not request any resources or APIs from servers in the US or any other country outside EU that hasen’t a sufficient privacy protection.Only exeption is to ask the vistor for And I’m dealing with that since 2018.

      For example: I have to be much more carefull with WordPress-Plugins, because a lot of them don’t care about the GDPR a sending such request to US-servers. If they do so, i dont use them.

  6. I am a German web developer and I know the court ruling.

    Germany is now a democratic constitutional state and punishments must be proportionate to the offence. Nobody has to go to jail for 6 months for using Google Fonts.

    Rather, the judgement states that the defendant must expect a harsher penalty in the event of a repeat offence. A concrete amount of the fine for this case was not specified.

    What is correct is that the plaintiff will receive compensation of €100 for the violation of his privacy.

    It is good that we now have clarity and that the WordPress community is waking up.
    I have been advising my clients to remove Google Fonts from their websites since 2018.

  7. I have been using Locally Hosted Webfonts from a long time because of the annoying bugs and privacy issues i have been doing that, i know there are not that flood of varieties but still it is much safe and smooth.

  8. I prefer the System Font Stack solution for fonts anyway. This should be the best to use. Of course, there are always projects where more creative fonts are needed. Here I also always look for themes that keep the fonts locally. But without success: 90% of the themes load Google Fonts via Google Server by default. Themes can provide them, e.g. as an option in the customizer, but it should be disabled by default.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newsletter

Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: