In June 2022, WordPress.org’s Themes Team began strongly urging theme authors to switch to locally hosted webfonts, following a German court case, which fined a website owner for violating the GDPR by using Google-hosted webfonts. For years, theme authors have been enqueuing Google Fonts from the Google CDN for better performance, but this method exposes visitors’ IP addresses.
The Themes Team warned that guidelines regarding locally hosting fonts will be changing imminently and many theme authors moved to comply before it becomes a requirement.
A ticket for bundling Google fonts with WordPress’ legacy default themes had patches and was on track to be included in WordPress 6.1 in November. WordPress contributor Hendrik Luehrsen requested more eyes on the ticket, saying it “directly affects the core WordPress audience in Germany.” He reported that users in Germany were still getting emails threatening fines for using fonts loaded from Google.
WordPress core committer Tonya Mork suggested exploring releasing the updated version of each theme separately from WordPress 6.1.
“When each theme is ready, release it to wp.org’s theme repo,” Mork said. “Users can then update to get locally hosted fonts ahead of when WP 6.1 is released.”
This changed the direction of the ticket and with more scrutiny, contributors found the patches could use some more work.
“Creating new theme versions for this specific change could be good when they are ready,” Stephen Bernhardt said. “Using locally hosted fonts is already recommended, but we need to fix our own themes before we can make this a requirement for others.” He submitted a list of problems and potential improvements after reviewing the patches, and contributors are working on a better approach.
WordPress core committer David Baumwald changed the milestone to 6.2, as Beta 2 for 6.1 was released yesterday and the ticket still needs a final direction and patch.
“While I understand the issue, this is nonetheless sad to see,” Luehrsen said. “This is still a serious issue in Germany (and other GDPR territories), as users with active Google Fonts are currently getting targeted by people exploiting the law.”
Luehrsen took to Twitter to comment on his disappointment with the ticket missing the window for 6.1.
“This is the reason why WordPress will probably lose relevance,” he said. “Real users get hurt here, but they are in GDPR territories and this does not seem to be important.
“Could I have done more? Probably. But it is somewhat sad to see how quickly the momentum on that ticket fizzled out. If Squarespace, Wix and sorts start marketing privacy against WordPress, we’re screwed in GDPR countries.”
In the meantime, those who are using WordPress’ default themes can use a plugin like Local Google Fonts or OMGF | GDPR/DSVGO Compliant, Faster Google Fonts to host fonts locally.
Users can also switch to Bunny Fonts, an open-source, privacy-first web font platform with no tracking or logging that is fully GDPR compliant. Bunny Fonts is compatible with the Google Fonts CSS v1 API so it can function as a drop-in replacement. The Replace Google Fonts with Bunny Fonts plugin makes it easy for users to do that without editing any theme code.
Contributors are working on having fully GDPR-compliant WordPress default themes ready for WordPress 6.2, expected in early 2023.