Using locally-hosted Google fonts in themes

This post is a follow-up to Complying with GDPR when using Google Fonts, aiming to answer some questions that have been popping up in team meetings and social media.

Historically, WordPress themes hosted in the w.org themes repository were not allowed to use third-party resources. This included images, JavaScript files, CSS files, webfonts, and other assets loaded from a remote server.

Google fonts was an exception to this rule because, at the time, there was no reliable way to implement locally-hosted webfonts, and typography is an integral part of a theme’s design.

Google fonts, however, can no longer be considered an exception to this guideline because of the GDPR and privacy implications.

If Google Fonts is the only allowed external resource, but we have to save it locally, can’t we use other font sources as well?

The exception for Google Fonts as an external resource predates this team’s efforts to locally host webfonts. If a theme saves fonts locally, they are no longer considered an “external resource”. As a result, themes can use any GPL-compatible webfont, regardless of the provider used (Google Fonts or other webfont providers), provided that the font is bundled with the theme – or the theme implements a mechanism to automatically download the remote webfont on the site’s server.

Is the theme allowed to write the font locally? Are there limitations for where they can be written?

Yes, the theme is allowed to write the font locally. The limitation should be to not put the files somewhere they’ll be overwritten on update. If the theme bundles the font files in its own package, then these files can be in the theme itself. If the theme downloads the webfonts and saves them automatically on the site’s server, then a location inside wp-content would be ideal (for example, wp-content/uploads/fonts or wp-content/fonts). However, if the theme does not bundle the webfonts, then it should not be writing these files in the theme’s folder itself, as that folder will get overwritten on update. Of course, placing the files inside Core folders like wp-admin, wp-includes, etc. would be unacceptable.

The team created a package 2 years ago, specifically to allow locally hosting webfonts. You can read more about that package and how to use it in your themes in the post “New package to allow locally hosting webfonts”.
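To illustrate the storage rules above, here is an added sketch of a download-and-cache helper; it is not code from this post or from the team's package. The function name `mytheme_get_local_font_url()`, the host allowlist, and the extension list are assumptions made for the example.

```php
<?php
/**
 * Download a remote webfont once and return the URL of the local copy.
 * Hypothetical helper (added example); returns false on any failure.
 */
function mytheme_get_local_font_url( $remote_url ) {
	$allowed_hosts = array( 'fonts.gstatic.com' ); // Assumption: the only font host this theme uses.
	$allowed_exts  = array( 'woff2', 'woff' );     // Assumption: formats this theme ships.

	// Accept only HTTPS URLs on an expected host, so the server never fetches arbitrary addresses.
	$parts = wp_parse_url( $remote_url );
	if ( empty( $parts['host'] ) || empty( $parts['path'] )
		|| 'https' !== ( $parts['scheme'] ?? '' )
		|| ! in_array( $parts['host'], $allowed_hosts, true ) ) {
		return false;
	}

	// Accept only font extensions, so nothing executable is written to disk.
	$ext = strtolower( pathinfo( $parts['path'], PATHINFO_EXTENSION ) );
	if ( ! in_array( $ext, $allowed_exts, true ) ) {
		return false;
	}

	// wp-content/uploads/fonts: survives theme updates and is outside the theme and Core folders.
	$uploads = wp_upload_dir();
	if ( ! empty( $uploads['error'] ) ) {
		return false;
	}
	$dir  = trailingslashit( $uploads['basedir'] ) . 'fonts';
	$name = hash( 'sha256', $remote_url ) . '.' . $ext; // No remote-controlled characters in the filename.
	$file = $dir . '/' . $name;

	if ( ! file_exists( $file ) ) {
		$response = wp_safe_remote_get( $remote_url, array( 'timeout' => 10 ) );
		if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
			return false;
		}
		global $wp_filesystem;
		if ( ! $wp_filesystem ) {
			require_once ABSPATH . 'wp-admin/includes/file.php';
			WP_Filesystem();
		}
		$body = wp_remote_retrieve_body( $response );
		if ( '' === $body || ! wp_mkdir_p( $dir ) || ! $wp_filesystem->put_contents( $file, $body, FS_CHMOD_FILE ) ) {
			return false;
		}
	}
	return trailingslashit( $uploads['baseurl'] ) . 'fonts/' . $name;
}
```

When the helper returns false, the theme should fall back to a system font stack rather than enqueue the remote URL.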

Should the theme using external fonts be required to call a privacy function?

A theme should not be allowed to use external resources. The guidelines right now allow for remote Google fonts, but that will probably change soon. If the theme is using external assets, then yes, it should call a privacy function and ensure that these assets don’t get loaded without the user’s explicit consent.

If a theme, however, bundles the webfonts – or downloads them so they can be hosted locally, then no, it does not need to call a privacy function. The moment an asset gets downloaded to the server and is used from there instead of the third-party server, it is no longer an “external resource” and therefore requires no additional privacy implementations.

props @kafleg for proofreading this post.