Completely block Google Fonts via htaccess

Google Fonts are used in most WordPress themes nowadays. Unfortunately, you can’t easily block them via theme settings most of the time.

There are some plugins like OMGF that can help, but you can never be 100% sure that some random plugin doesn’t load fonts from Google’s servers – and it doesn’t work with every theme. This became a huge problem in Germany because of a court ruling that allows random people to fine you for 100€ because you violated their privacy.

Don’t get me wrong, from a data privacy standpoint this is 100% correct, but it essentially means you can surf the web and fine every German website for 100€ because they are using Google Fonts.

How to make sure no Google Fonts are loaded by accident?

To make sure nothing gets loaded by WordPress or any plugin / theme, I reasoned that blocking it at the lowest possible level – the webserver – might be the best solution.

htaccess code to block Google Fonts in Apache

Simply put the following code into your .htaccess file and no fonts whatsoever will be able to load from external sources.

# Disable loading of google fonts and other external font sources
<IfModule mod_headers.c>
    # Standard header, honoured by all current browsers
    Header add Content-Security-Policy "font-src 'self';"
    # Legacy header names, only read by old browser versions
    Header add X-Content-Security-Policy "font-src 'self';"
    Header add X-Webkit-CSP "font-src 'self';"
</IfModule>

Just make sure to clear any static HTML cache if you are using one.

Code to block Google Fonts in nginx

Simply put the following code into the server block of your nginx configuration file and no fonts whatsoever will be able to load from external sources.

# Block loading of google fonts and other external font sources
# Standard header, honoured by all current browsers
add_header Content-Security-Policy "font-src 'self' data:;";
# Legacy header names, only read by old browser versions
add_header X-Content-Security-Policy "font-src 'self' data:;";
add_header X-Webkit-CSP "font-src 'self' data:;";

Why block fonts via webserver?

Some of my clients’ websites simply drove me insane because some themes and plugins loaded fonts in the weirdest places. Even after setting up the website with local fonts and setting up the CSS, sometimes some fonts still got loaded from Google’s server, albeit not needed.

Sure, you can search and comment out the relevant code in a theme / plugin, but this will break your ability to update to future versions without having to apply those changes again – so blocking it completely is just super convenient.
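A check for the headers above, as an added example that is not from the original post: `font-src` only governs the font files themselves, so a `<link>` to a fonts.googleapis.com stylesheet is still requested by the browser unless `style-src` is restricted too. The sketch assumes you pass in the `Content-Security-Policy` values your server sends and the page HTML; the function names and the sample markup are constructed for illustration.

```python
import re

# Google Fonts serves its CSS from fonts.googleapis.com and font files from fonts.gstatic.com.
FONT_HOST_URL = re.compile(r"""(?:https?:)?//fonts\.(?:googleapis|gstatic)\.com[^\s"'<>)]*""", re.I)
FONT_FILE = re.compile(r"\.(?:woff2?|ttf|otf|eot)(?:[?#]|$)", re.I)
LOCAL_ONLY = {"'self'", "'none'", "data:", "blob:"}


def font_src(policy):
    """Source list governing fonts in one policy, or None if it does not restrict them."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # CSP ignores a repeated directive, so keep the first occurrence.
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    # font-src falls back to default-src when it is absent.
    return directives.get("font-src", directives.get("default-src"))


def external_fonts_blocked(csp_headers):
    """Every policy sent is enforced, so one local-only font-src is enough."""
    for policy in csp_headers:
        sources = font_src(policy)
        if sources is not None and all(s in LOCAL_ONLY for s in sources):
            return True
    return False


def uncovered_requests(csp_headers, html):
    """Google Fonts URLs in the markup that the sent policies do not stop."""
    blocked = external_fonts_blocked(csp_headers)
    urls = sorted(set(FONT_HOST_URL.findall(html)))
    # Font files are stopped by font-src; stylesheets and other references are not.
    return [u for u in urls if not (blocked and FONT_FILE.search(u))]


# Constructed sample: the header value from the .htaccess snippet and a theme's markup.
SAMPLE_HEADERS = ["font-src 'self';"]
SAMPLE_HTML = """<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<style>@font-face{font-family:X;src:url(https://fonts.gstatic.com/s/x/v1/x.woff2)}</style>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">"""

if __name__ == "__main__":
    print("external font files blocked:", external_fonts_blocked(SAMPLE_HEADERS))
    for url in uncovered_requests(SAMPLE_HEADERS, SAMPLE_HTML):
        print("still requested:", url)
```

Any URL this reports still causes a request to Google's servers, so the theme or plugin that emits it has to be fixed, or `style-src` restricted as well.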