{"id":337167,"date":"2026-07-10T11:24:17","date_gmt":"2026-07-10T11:24:17","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/kipphard-gdpr-web-fonts\/"},"modified":"2026-07-10T13:22:05","modified_gmt":"2026-07-10T13:22:05","slug":"kipphard-gdpr-webfonts","status":"publish","type":"plugin","link":"https:\/\/su.wordpress.org\/plugins\/kipphard-gdpr-webfonts\/","author":23523872,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"0.4.5","stable_tag":"0.4.5","tested":"7.0.1","requires":"6.4","requires_php":"7.4","requires_plugins":null,"header_name":"Kipphard GDPR Web Fonts","header_author":"Andr\u00e9 Kipphard","header_description":"Scans your rendered HTML for external requests (Google Fonts, Analytics, YouTube, Maps, Gravatar, reCAPTCHA \u2026) that transfer personal data to third parties, and provides actionable GDPR fixes. Honest scan \u2014 no cookie-banner overlay.","assets_banners_color":"fce2d5","last_updated":"2026-07-10 13:22:05","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/kipphard.com\/products\/dsgvo-webfonts","header_author_uri":"https:\/\/kipphard.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":41,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"0.4.3":{"tag":"0.4.3","author":"kipphard","date":"2026-07-10 11:29:05"},"0.4.4":{"tag":"0.4.4","author":"kipphard","date":"2026-07-10 12:45:58"},"0.4.5":{"tag":"0.4.5","author":"kipphard","date":"2026-07-10 13:22:05"}},"upgrade_notice":{"0.4.0":"<p>Renamed to Kipphard GDPR Web Fonts; full-site scanning for everyone; unique prefixes.<\/p>","0.3.0":"<p>Shared admin design system for a consistent look. No functional changes.<\/p>"},"ratings":[],"assets_icons":{"icon-256x256.png":{"filename":"icon-256x256.png","revision":3602679,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3602679,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3602679,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.4.3","0.4.4","0.4.5"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3602679,"resolution":"1","location":"assets","locale":"","width":1500,"height":930},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3602679,"resolution":"2","location":"assets","locale":"","width":1500,"height":930}},"screenshots":{"1":"The dashboard: overall risk badge, detected external services grouped by risk level, with example URLs and recommendations.","2":"The settings page: quick-fix toggles (remove Google Fonts, disable WordPress emojis, replace Gravatar locally)."}},"plugin_section":[],"plugin_tags":[154545,131785,3778,396,5127],"plugin_category":[54],"plugin_contributors":[270348],"plugin_business_model":[],"class_list":["post-337167","plugin","type-plugin","status-publish","hentry","plugin_tags-dsgvo","plugin_tags-gdpr","plugin_tags-google-fonts","plugin_tags-privacy","plugin_tags-webfonts","plugin_category-security-and-spam-protection","plugin_contributors-kipphard","plugin_committers-kipphard"],"banners":{"banner":"https:\/\/ps.w.org\/kipphard-gdpr-webfonts\/assets\/banner-772x250.png?rev=3602679","banner_2x":"https:\/\/ps.w.org\/kipphard-gdpr-webfonts\/assets\/banner-1544x500.png?rev=3602679","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/kipphard-gdpr-webfonts\/assets\/icon-256x256.png?rev=3602679","icon_2x":"https:\/\/ps.w.org\/kipphard-gdpr-webfonts\/assets\/icon-256x256.png?rev=3602679","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/kipphard-gdpr-webfonts\/assets\/screenshot-1.png?rev=3602679","caption":"The dashboard: overall risk badge, detected external services grouped by risk level, with example URLs and recommendations."},{"src":"https:\/\/ps.w.org\/kipphard-gdpr-webfonts\/assets\/screenshot-2.png?rev=3602679","caption":"The settings page: quick-fix toggles (remove Google Fonts, disable WordPress emojis, replace Gravatar locally)."}],"raw_content":"<!--section=description-->\n<p><strong>Kipphard GDPR Web Fonts<\/strong> is an honest audit tool for WordPress sites. It fetches the HTML your site actually delivers and detects external requests that transmit personal data \u2014 such as IP addresses \u2014 to third-party servers, including Google Fonts, Google Analytics, YouTube embeds, Google Maps, Gravatar, reCAPTCHA, Facebook Pixel, Hotjar, and common JavaScript CDNs.<\/p>\n\n<p>The plugin groups findings by risk level with clear, actionable recommendations. Several common issues can be fixed directly through the plugin settings without touching code.<\/p>\n\n<p><strong>What this plugin does:<\/strong><\/p>\n\n<ul>\n<li>Scans your whole site: the homepage plus all published pages and posts (capped at 200 URLs per run purely as a performance safeguard)<\/li>\n<li>Detects 14 categories of known external services: fonts, analytics\/tracking, video embeds, maps, avatars, CAPTCHAs, social-media pixels, CDN scripts, and more<\/li>\n<li>Classifies every finding by risk level (High \/ Medium \/ Low) with a concrete recommendation<\/li>\n<li>Shows example URLs for each detected external request<\/li>\n<li>Free quick fixes: remove Google Fonts (strips external <code>&lt;link&gt;<\/code> tags and <code>@import<\/code> rules \u2014 see the FAQ for the WordPress 6.9 requirement), disable WordPress emoji scripts (removes the <code>s.w.org<\/code> request), replace Gravatar with a local SVG placeholder<\/li>\n<li>No tracking, no external requests from the plugin itself \u2014 everything runs locally on your server<\/li>\n<\/ul>\n\n<p><strong>What this plugin does NOT do:<\/strong><\/p>\n\n<p>This plugin is <em>not a cookie-banner overlay<\/em> and does <em>not<\/em> claim automatic GDPR compliance. The scan is static: requests triggered dynamically by JavaScript after page load may not appear in the delivered HTML and will therefore not be detected. A complete privacy audit additionally requires browser developer tools or a specialised service.<\/p>\n\n<p>This plugin does not replace legal advice. Use it to identify and reduce external requests; have a lawyer or data-protection officer review your specific situation.<\/p>\n\n<p><strong>About the Google Fonts ruling:<\/strong> On 20 January 2022 the Munich Regional Court I (LG M\u00fcnchen I, Az. 3 O 17493\/20) ruled that embedding Google Fonts without visitor consent violates the GDPR because the visitor's IP address is transmitted to Google servers in the USA. This plugin helps you detect and remove such requests.<\/p>\n\n<p><em>Hinweis (DE): Dieses Plugin ist ein ehrliches Datenschutz-Analyse-Werkzeug f\u00fcr WordPress-Seiten. Es scannt das gerenderte HTML auf externe Anfragen (Google Fonts, Analytics, YouTube, Gravatar u. v. m.), die personenbezogene Daten an Dritte \u00fcbertragen, und bietet direkte Schnell-Ma\u00dfnahmen. Die Benutzeroberfl\u00e4che ist auf Deutsch verf\u00fcgbar.<\/em><\/p>\n\n<h3>External services<\/h3>\n\n<p>This plugin does <strong>not<\/strong> connect to any third-party or external service, and it sends no data off your server.<\/p>\n\n<p>To analyse your site it fetches your own published URLs over HTTP \u2014 restricted to your own host by an SSRF safeguard \u2014 and parses the returned HTML locally on your server. The service domains referenced in the plugin code (Google Fonts, Google Analytics, Facebook, jQuery\/CDN hosts, Font Awesome, etc.) are <strong>detection signatures<\/strong> the scanner searches <em>for<\/em> inside your own HTML; the plugin never loads, embeds or contacts them.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>kipphard-gdpr-webfonts<\/code> folder to <code>\/wp-content\/plugins\/<\/code>, or install it from the Plugins screen in your WordPress admin.<\/li>\n<li>Activate the plugin through the \"Plugins\" menu in WordPress.<\/li>\n<li>Go to <strong>GDPR Webfonts \u2192 Dashboard<\/strong> and click \"Start scan\".<\/li>\n<li>Review the results, then go to <strong>GDPR Webfonts \u2192 Settings<\/strong> to enable the desired quick fixes.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20plugin%20make%20my%20site%20automatically%20gdpr-compliant%3F\"><h3>Does this plugin make my site automatically GDPR-compliant?<\/h3><\/dt>\n<dd><p>No. This is an audit tool, not a compliance overlay. It shows you which external requests your site makes and provides recommendations, but the actual work \u2014 hosting fonts locally, obtaining consent, replacing services \u2014 has to be done by you or your development team. When in doubt, consult a data-protection professional or lawyer.<\/p><\/dd>\n<dt id=\"how%20many%20pages%20are%20scanned%3F\"><h3>How many pages are scanned?<\/h3><\/dt>\n<dd><p>All of them: the scan covers your homepage plus every published page and post. Very large sites are capped at 200 URLs per run \u2014 a performance safeguard, not a feature limit.<\/p><\/dd>\n<dt id=\"is%20any%20data%20sent%20to%20external%20servers%20during%20a%20scan%3F\"><h3>Is any data sent to external servers during a scan?<\/h3><\/dt>\n<dd><p>No. The plugin fetches your own URLs internally over HTTP and analyses the returned HTML locally. No data is transferred to any third party.<\/p><\/dd>\n<dt id=\"why%20does%20the%20scan%20not%20detect%20all%20external%20requests%3F\"><h3>Why does the scan not detect all external requests?<\/h3><\/dt>\n<dd><p>The plugin analyses the HTML that your server delivers on initial load. Requests triggered later by JavaScript (for example on scroll or click) are not visible in the static HTML and are therefore not detected. For a complete picture, also check your browser's Network tab.<\/p><\/dd>\n<dt id=\"why%20does%20removing%20google%20fonts%20need%20wordpress%206.9%3F\"><h3>Why does removing Google Fonts need WordPress 6.9?<\/h3><\/dt>\n<dd><p>Removing a font reference that a theme has hard-coded into its templates, or written as an <code>@import<\/code> rule inside a <code>&lt;style&gt;<\/code> block, means rewriting the finished HTML page. WordPress 6.9 introduced a standard way for plugins to do that \u2014 the template enhancement output buffer \u2014 and this plugin uses it rather than opening an output buffer of its own, which is unreliable when several plugins do it at once.<\/p>\n\n<p>On WordPress 6.4 to 6.8 the quick fix still removes Google Fonts stylesheets that were enqueued through WordPress (the common case) and the <code>preconnect<\/code> \/ <code>dns-prefetch<\/code> hints. Hard-coded <code>&lt;link&gt;<\/code> tags and <code>@import<\/code> rules are left in place; the scan report continues to list them so you can remove them from your theme by hand.<\/p><\/dd>\n<dt id=\"why%20is%20google%20fonts%20classified%20as%20%22high%20risk%22%3F\"><h3>Why is Google Fonts classified as \"High risk\"?<\/h3><\/dt>\n<dd><p>On 20 January 2022 the Munich Regional Court I (LG M\u00fcnchen I, Az. 3 O 17493\/20) ruled that embedding Google Fonts without visitor consent violates the GDPR, because the visitor's IP address is transmitted to Google servers in the USA without a legal basis. This plugin flags that risk and lets you remove the external requests entirely.<\/p><\/dd>\n<dt id=\"the%20scan%20fails%20or%20returns%20no%20results.%20what%20can%20i%20do%3F\"><h3>The scan fails or returns no results. What can I do?<\/h3><\/dt>\n<dd><p>Make sure your site is reachable from itself \u2014 no \"coming soon\" mode, no HTTP authentication. The plugin fetches your own URLs internally over HTTP. Also verify that the PHP <code>dom<\/code> and <code>libxml<\/code> extensions are available on your server.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>0.4.5<\/h4>\n\n<ul>\n<li>Fixed: the \"Free version\" information card was shown on the settings page even in the Pro plugin, where it does not apply.<\/li>\n<\/ul>\n\n<h4>0.4.4<\/h4>\n\n<ul>\n<li>Fixed: the bundled German translation now loads. WordPress only auto-loads translations shipped as language packs, so the de_DE catalog included with the plugin was never used; it is now loaded explicitly.<\/li>\n<\/ul>\n\n<h4>0.4.3<\/h4>\n\n<ul>\n<li>Fixed: admin styles and scripts now load on the Settings page. The submenu hook suffix is derived from the menu title, so the previous check never matched and the page rendered unstyled.<\/li>\n<\/ul>\n\n<h4>0.4.2<\/h4>\n\n<ul>\n<li>The plugin no longer opens an output buffer of its own. Rewriting the rendered page now uses the template enhancement output buffer that WordPress 6.9 provides, so the output-buffer stack is left entirely to WordPress core.<\/li>\n<li>The WordPress.org build contains no licensing code of any kind. Removal of Google Fonts from enqueued stylesheets and resource hints is unchanged on all supported versions.<\/li>\n<\/ul>\n\n<h4>0.4.1<\/h4>\n\n<ul>\n<li>Output-buffer handling hardened; added an \"External services\" documentation section.<\/li>\n<\/ul>\n\n<h4>0.4.0<\/h4>\n\n<ul>\n<li>Renamed to Kipphard GDPR Web Fonts. Full-site scanning is available to everyone (no page-count limit). All internal option\/hook\/action names now use a unique plugin-specific prefix. The free version contains no license-gated code; automatic scheduled scans are available as a separate Pro plugin.<\/li>\n<\/ul>\n\n<h4>0.3.0<\/h4>\n\n<ul>\n<li>Shared Kipphard admin design system for a consistent, theme-safe look in the WordPress admin.<\/li>\n<\/ul>\n\n<h4>0.2.0<\/h4>\n\n<ul>\n<li>English source baseline with a German (de_DE) translation.<\/li>\n<\/ul>\n\n<h4>0.1.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<li>Detects 14 categories of external services: Google Fonts, Analytics\/Tracking, YouTube, Maps, Gravatar, reCAPTCHA, Facebook Pixel, Hotjar, Font Awesome, JS CDNs, WordPress emojis, and more.<\/li>\n<li>Risk classification (High \/ Medium \/ Low) with actionable recommendations per service.<\/li>\n<li>Quick fixes: remove Google Fonts, disable WordPress emojis, replace Gravatar with a local SVG placeholder.<\/li>\n<li>SSRF protection: only URLs on your own host are scanned.<\/li>\n<li>No external dependencies, no tracking.<\/li>\n<\/ul>","raw_excerpt":"Scans your rendered HTML for external requests (Google Fonts, Analytics, YouTube, Gravatar \u2026) that transfer personal data, and provides GDPR fixes.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/337167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=337167"}],"author":[{"embeddable":true,"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/kipphard"}],"wp:attachment":[{"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=337167"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=337167"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=337167"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=337167"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=337167"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/su.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=337167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}