In light of a recent German court case, which fined a website owner for violating the GDPR by using Google-hosted webfonts, WordPress.org’s themes team is updating its recommendations for hosting webfonts. Most theme authors have been enqueuing Google Fonts from the Google CDN for better performance, but this method exposes visitors’ IP addresses.
“The themes team strongly encourages the theme authors to update their themes,” Themes Team representative @benachi said in a recent announcement. “We recommend updating by switching to locally hosted webfonts. Luckily Google Fonts can be downloaded and bundled in a theme. Bundled font files allow users to host webfonts locally and comply with GDPR.”
The Themes Team is also considering banning remotely hosted fonts moving forward and will discuss at the next meeting.
Core contributors are now working on updating all the default themes from Twenty Twelve through Twenty Seventeen to use locally hosted webfonts. The task had previously been discussed but was renewed by a recent topic in the German support forums. A user created a small website using the Twenty Seventeen theme and said he has been threatened by a site visitor who cited the German court ruling. The ruling threatens a fine of €250,000.00 for each case of infringement or, alternatively, six months imprisonment, if the site owner does not comply and continues to provide Google with IP addresses through their use of Google Fonts.
“While in the newer default themes fonts got added as an asset, the older default themes remained untouched,” WordPress contributor Jessica Lyschik said. “This can cause issues with users not being aware of both the legal stuff and the fact that Google Fonts are directly used in default themes.
“We think while it is still widely among plugins and other themes to use Google Fonts directly, the default themes of WordPress should be able to used risk-free and compliant with the GDPR.”
The Themes Team recommends authors refer to the Twenty Twenty-Two theme to learn how to bundle locally hosted webfont files using theme.json. Another option, for those using functions.php, is to follow the Implementing a Webfonts API in WordPress Core tutorial.
Many theme authors may not update their themes until forced to by a ban from WordPress.org. In the meantime, users might consider adding a plugin to host webfonts locally. WordPress developer Xaver Birsak has created a small single-purpose plugin called Local Google Fonts that automatically detects Google font sources and gives users the option to download them and use them locally.
This plugin checks for fonts embedded via wp_enqueue_style. Users who are embedding Google fonts via @import will need to change that before using the plugin. It currently auto downloads new font versions if available. Birsak has created it as a set-it-and-forget it kind of plugin. This may be a good option for non-technical users who have a theme that hasn’t yet been updated by the author. Local Google Fonts is available for free on WordPress.org.
Another free plugin option on WordPress.org is the OMGF | Host Google Fonts Locally plugin, which has a few additional features. It preloads fonts to reduce Cumulative Layout Shift above the fold, unloads fonts that are not used by the theme or plugins, allows users to set a fallback font stack, and will replace font-families with system fonts to speed up loading times. A commercial version offers multisite support and more advanced features.
If you’re looking for a free solution that checks for Google Fonts throughout the HTML document, instead of just enqueued stylesheets, try out OMGF.
The Pro version even checks for Google Fonts in WebFont Loader, @font-face statements, @import statements and Beta (Early Access) versions of Google Fonts.