In light of a recent German court case, which fined a website owner for violating GDPR by using web fonts hosted by Google, the WordPress.org Themes Team is updating its recommendations for web font hosting. Most theme authors have Google Fonts queued from the Google CDN for better performance, but this method exposes visitors’ IP addresses.
“The Themes Team strongly encourages theme authors to update their themes,” Themes Team Rep @benachi said in a recent announcement. “We recommend upgrading to locally hosted web fonts. Fortunately, Google Fonts can be downloaded and bundled into a theme. Bundled font files allow users to host web fonts locally and comply GDPR.”
The theme team is also considering disallowing remotely hosted fonts and will discuss this at the next meeting.
Core contributors are currently working on updating all default themes from Twenty Twelve to Twenty Seventeen to use locally hosted web fonts. The task had already been discussed but was renewed by a recent topic in the German support forums. A user created a small website using the Twenty Seventeen theme and said he was threatened by a site visitor who cited the German court ruling. The decision threatens a fine of €250,000.00 for each instance of violation or, alternatively, six months imprisonment, if the site owner does not comply and continues to provide Google with IP addresses through its use of Google Fonts.
“While in the new default themes fonts were added as an asset, the old default themes remained intact,” said WordPress contributor Jessica Lyschik. “This can cause problems for users who are unaware of both the legalities and the fact that Google Fonts are used directly in default themes.
“We believe that while it is still widely used among plugins and other themes to use Google Fonts directly, default WordPress themes should be safe to use and GDPR compliant.”
The Themes Team recommends authors refer to the Twenty Twenty-Two theme for how to bundle locally hosted web font files using
theme.json. Another option, for those using functions.php, is to follow the Implementing a Webfonts API in WordPress Core tutorial.
Many theme authors may not update their themes until they are forced to do so by a ban from WordPress.org. In the meantime, users can consider adding a plugin to host web fonts locally. WordPress developer Xaver Birsak has created a small, one-time-use plugin called Local Google Fonts that automatically detects Google font sources and gives users the option to download and use them locally.
This plugin checks embedded fonts via
wp_enqueue_style. Users who embed Google Fonts via
@import will need to change this before using the plugin. It currently automatically downloads new font versions if they are available. Birsak created it as a sort of set-it-and-forget-it plugin. This can be a good option for non-technical users who have a theme that has not yet been updated by the author. Local Google Fonts are available for free at WordPress.org.
Another free plugin option on WordPress.org is the OMGF | The Host Google Fonts Locally plugin, which has some additional features. It preloads fonts to reduce cumulative layout shift above the fold, unloads fonts that are not used by the theme or plugins, allows users to define a fallback font stack, and will override font families. fonts with system fonts to speed up load times. A commercial version offers multisite support and more advanced features.