In light of a recent German court case, which fined a website owner for violating the GDPR by using Google-hosted webfonts, WordPress.org’s themes team is updating its recommendations for hosting webfonts. Most theme authors have been enqueuing Google Fonts from the Google CDN for better performance, but this method exposes visitors’ IP addresses.
“The themes team strongly encourages the theme authors to update their themes,” Themes Team representative @benachi said in a recent announcement. “We recommend updating by switching to locally hosted webfonts. Luckily Google Fonts can be downloaded and bundled in a theme. Bundled font files allow users to host webfonts locally and comply with GDPR.”
The Themes Team is also considering banning remotely hosted fonts moving forward and will discuss it at the next meeting.
Core contributors are now working on updating all the default themes from Twenty Twelve through Twenty Seventeen to use locally hosted webfonts. The task had previously been discussed but was renewed by a recent topic in the German support forums. A user created a small website using the Twenty Seventeen theme and said he has been threatened by a site visitor who cited the German court ruling. The ruling threatens a fine of €250,000.00 for each case of infringement or, alternatively, six months’ imprisonment, if the site owner does not comply and continues to provide Google with IP addresses through their use of Google Fonts.
“While in the newer default themes fonts got added as an asset, the older default themes remained untouched,” WordPress contributor Jessica Lyschik said. “This can cause issues with users not being aware of both the legal stuff and the fact that Google Fonts are directly used in default themes.
“We think while it is still widely among plugins and other themes to use Google Fonts directly, the default themes of WordPress should be able to be used risk-free and compliant with the GDPR.”
The Themes Team recommends authors refer to the Twenty Twenty-Two theme to learn how to bundle locally hosted webfont files using theme.json. Another option, for those using functions.php, is to follow the Implementing a Webfonts API in WordPress Core tutorial.
Many theme authors may not update their themes until forced to by a ban from WordPress.org. In the meantime, users might consider adding a plugin to host webfonts locally. WordPress developer Xaver Birsak has created a small single-purpose plugin called Local Google Fonts that automatically detects Google font sources and gives users the option to download them and use them locally.
This plugin checks for fonts embedded via wp_enqueue_style. Users who are embedding Google fonts via @import will need to change that before using the plugin. It currently auto-downloads new font versions if available. Birsak has created it as a set-it-and-forget-it kind of plugin. This may be a good option for non-technical users who have a theme that hasn’t yet been updated by the author. Local Google Fonts is available for free on WordPress.org.
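To see which embedding method a theme actually uses before choosing a fix, the following added example (not from the article or from either plugin) scans theme source for references to Google's font hosts and labels each one as a wp_enqueue_style call, an @import rule, a link tag or an @font-face src. The function names, the classification labels and the sample theme are assumptions made for illustration.

```python
import re

# Hosts that serve Google Fonts stylesheets and font files.
REMOTE = r"(?:https?:)?//fonts\.(?:googleapis|gstatic)\.com[^\s'\"()<>]*"
FLAGS = re.I | re.S

# Embedding methods named in the article and comments, most specific first.
PATTERNS = [
    ("wp_enqueue_style", re.compile(r"wp_(?:enqueue|register)_style\s*\([^;]*?(" + REMOTE + ")", FLAGS)),
    ("css_import", re.compile(r"@import\s+(?:url\(\s*)?['\"]?(" + REMOTE + ")", FLAGS)),
    ("link_tag", re.compile(r"<link\b[^>]*?href\s*=\s*['\"]?(" + REMOTE + ")", FLAGS)),
    ("font_face_src", re.compile(r"src\s*:[^;}]*?url\(\s*['\"]?(" + REMOTE + ")", FLAGS)),
]

def find_remote_fonts(files):
    """files maps path -> source text; returns sorted (path, line, method, url)."""
    findings = []
    for path, text in files.items():
        claimed = set()
        line_of = lambda pos: text.count("\n", 0, pos) + 1
        for method, rx in PATTERNS:
            for m in rx.finditer(text):
                if m.start(1) not in claimed:
                    claimed.add(m.start(1))
                    findings.append((path, line_of(m.start(1)), method, m.group(1)))
        # Catch URLs that reach the page indirectly, e.g. through a variable.
        for m in re.finditer(REMOTE, text, FLAGS):
            if m.start() not in claimed:
                findings.append((path, line_of(m.start()), "unclassified", m.group(0)))
    return sorted(findings)

def imports_to_convert(findings):
    """@import references, which the article says must be changed by hand."""
    return [f for f in findings if f[2] == "css_import"]

# Constructed sample theme, not taken from any real theme.
SAMPLE_THEME = {
    "functions.php": "<?php\nwp_enqueue_style( 'demo-fonts', "
                     "'https://fonts.googleapis.com/css?family=Libre+Franklin', array(), null );\n",
    "inc/fonts.php": "<?php\n$url = add_query_arg( 'family', 'Inter', "
                     "'https://fonts.googleapis.com/css' );\nwp_enqueue_style( 'demo', $url );\n",
    "style.css": "@import url('https://fonts.googleapis.com/css2?family=Inter');\n"
                 "body { font-family: Inter, sans-serif; }\n",
    "assets/local.css": "@font-face { font-family: Inter; src: url('../fonts/inter.woff2'); }\n",
}

if __name__ == "__main__":
    for path, line, method, url in find_remote_fonts(SAMPLE_THEME):
        print(f"{path}:{line}: {method}: {url}")
```

The locally hosted @font-face rule in assets/local.css produces no finding, which is the state a theme should reach once its fonts are bundled.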
Another free plugin option on WordPress.org is the OMGF | Host Google Fonts Locally plugin, which has a few additional features. It preloads fonts to reduce Cumulative Layout Shift above the fold, unloads fonts that are not used by the theme or plugins, allows users to set a fallback font stack, and will replace font-families with system fonts to speed up loading times. A commercial version offers multisite support and more advanced features.
If you’re looking for a free solution that checks for Google Fonts throughout the HTML document, instead of just enqueued stylesheets, try out OMGF.
The Pro version even checks for Google Fonts in WebFont Loader, @font-face statements, @import statements and Beta (Early Access) versions of Google Fonts.
Thanks! I have updated the post to include info about this plugin.
Please don’t forget to mention Google-hosted Fonts in Plugins. Not only themes with Google-hosted Fonts are part of this problem.
I was having a talk on a podcast I was a guest on this morning and………
Going LOCAL on Fonts, emojis and other things…..will just add more files on your hosting, so many people don’t really have unlimited storage.
The ones that do…we all know unlimited storage/bandwidth is not truly unlimited storage/bandwidth, correct?
There is an advantage to hosting somewhere else. Just like we all know to not upload videos on our hosting instead go to Youtube, Vimeo, etc………
The average WOFF2 file is <25KB. If you don’t have the storage space to store a few hundred KB’s of files, then you have another, bigger problem. 😅
You should either clean up logs, stale cache, or images you no longer use. Or, find out what else it is that is eating up your storage space.
The thing I fear, though, is that theme authors will start including ALL Google Fonts with their themes, because people are supposed to have a choice, right!? In those cases you’re right, people might not have a few 100MBs left. 😱
Then at some point the whole OH EM GEE GRAVATAR thing…going local. So many elements will be forced to be local.
It all adds up. Specially when you have one of your sites with 10M+ registered users (that M is for Million by the way).
Also, I only have two fonts on my sites. First one is the twenty twenty whatever latest number, then the theme I actually use.
I do not want my WordPress database+files to be a fat bloated whale.
Well, the alternative would be to ask for prior consent to display Gravatar images, which seems kind of ridiculous IMO. So, at that point I’d just disable Gravatar altogether.
I can totally see where you’re coming from, but I also think it’s a matter of reconsidering which 3rd party services you use. Even more so on the scale you’re speaking of.
If a service isn’t absolutely, 100% critical for your website/business, then drop it! And if it is, make sure you’re certain it respects the privacy of your visitors. If it doesn’t, find an alternative!
But that’s just my perspective on the situation.
On the other hand, an updated EU-US privacy shield would be nice. That’d give us website owners a bit of breathing room. Sadly, I just don’t see that happening — at least, anytime soon…