Skip to content Skip to sidebar

Home Support English Support [Feature Request] Stop loading JS/CSS externally, but include them in the plugin

[Feature Request] Stop loading JS/CSS externally, but include them in the plugin

This thread is resolved. Here is a description of the problem and solution.

Problem:
The client reported that the WPML plugin is loading JavaScript and CSS files externally, which they believed to be against WordPress plugin guidelines and raised concerns regarding privacy policy compliance and potential security risks.
Solution:
We explained that the WordPress Plugin Guidelines cited do not apply to WPML as it is not hosted on the official WordPress.org directory. The external scripts are served from our own domain and are part of WPML's service infrastructure, ensuring they comply with our privacy policy and do not conflict with data protection laws like GDPR. Regarding security, while acknowledging the theoretical risk if our servers were compromised, we maintain that the assets are securely served via HTTPS from our controlled infrastructure, balancing flexibility and security effectively. We decided not to bundle JS/CSS with the plugin at this time.

If this solution does not resolve your issue or seems outdated, we recommend checking related known issues at https://wpml.org/known-issues/, verifying the version of the permanent fix, and confirming that you have installed the latest versions of themes and plugins. If further assistance is needed, please feel free to open a new support ticket at our support forum.

This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.

Tagged: ,

This topic contains 5 replies, has 0 voices.

Last updated by Lucas Vidal de Andrade 3 weeks ago.

Assisted by: Lucas Vidal de Andrade.

Author Posts
October 15, 2025 at 9:24 am #17486183

desireeM

Background of the issue:
Since recent versions, the plugin tries to load some JS/CSS externally, e.g. hidden link

Not only is this against against WordPress' plugins guidelines https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#8-plugins-may-not-send-executable-code-via-third-party-systems
>all non-service related JavaScript and CSS must be included locally

It also causes issues with privacy policy (even if only in wp-admin, to ensure compliance with employment laws) as well as potential security issues.

Symptoms:
The plugin is loading JS/CSS externally, which causes issues with privacy policy compliance and potential security issues.

Questions:
Bundle all the JS/CSS with the plugin again instead of loading it externally unnecessarily
October 15, 2025 at 9:52 am #17486445

desireeM

Just realized that the file I sent in the chat is not correct, it is in sitepress-multilingual-cms/classes/menu/ams-ate-console/AbstractConsoleSection.php return $this->endpoints->get_base_url( WPML_TM_ATE_AMS_Endpoints::SERVICE_AMS ) . 'https://cdn.wpml.org/mini_app/dashboard.js'; and return $this->endpoints->get_base_url( WPML_TM_ATE_AMS_Endpoints::SERVICE_AMS ) . 'https://cdn.wpml.org/mini_app/run.js';
October 15, 2025 at 12:16 pm #17486997

Lucas Vidal de Andrade
WPML Supporter since 11/2023

Languages: English (English )

Timezone: Europe/Vienna (GMT+01:00)

Thanks again. I was able to check the file and verify that's indeed external. I've escalated that to get a second opinion and will keep you updated. It might take a few days to receive feedback on that.
October 17, 2025 at 7:49 am #17493033

Lucas Vidal de Andrade
WPML Supporter since 11/2023

Languages: English (English )

Timezone: Europe/Vienna (GMT+01:00)

Hey there,

I received feedback from our devs. I'll summarize it based on each keypoint:

1. WordPress Guidelines: the WordPress.org guideline you linked applies specifically to plugins hosted and distributed through the official Plugin Directory. Since WPML is distributed independently, that particular rule does not apply rigorously to the WPML plugin.

The script in question — hidden link, is part of WPML’s own service infrastructure (AMS/ATE) and is loaded from our controlled domain. It is not a third-party library or an ad/analytics tracker. Because of this:

2. Privacy: that script does not collect or transmit user data beyond what is necessary to operate WPML services. For employment law or GDPR compliance, the important point is that the asset comes from WPML’s own service endpoint, not from an unrelated third party.

3. Security: Loading assets from WPML’s own domain does not introduce a new risk by itself. As with any remote resource, the main consideration is whether the domain is under our control (it is) and whether connections are encrypted (they are, via HTTPS). Unless the site already has another vulnerability that allows malicious injection, this is not a security concern.

I hope this address your concerns, and explains why the script is loaded that way. If you have noted any other script that you thinks falls outside what's been described here, please let me know.
October 24, 2025 at 2:51 am #17514380

desireeM

>The script in question — hidden link, is part of WPML’s own service infrastructure (AMS/ATE) and is loaded from our controlled domain. It is not a third-party library or an ad/analytics tracker.

And why can it not be bundled/shipped together with the plugin?
Unless you dynamically change the content of this script - which would make it insecure - there's no technical reason to not bundle it with the plugin.

2) afaik this is wrong, especially when the user is located in the EU but WPML's server is located in the US

3)
>3. Security: Loading assets from WPML’s own domain does not introduce a new risk by itself.

This is totally wrong. What if any of (the code on) your servers suffer a security breach and an attacker modifies the .js file you serve with malicious code? Suddenly it is spread to all WPML users.
This isn't secure.
It would be secure, if you loaded the script with file integrity/SRI to guard against this kind of attacks. But the SRI would obviously have to be part of the plugin, which then begs the question: why not just bundle the JS with the plugin right away?

Anyway: especially, with the recent supply-chain attacks shown in npm, this is a massive security risk.
November 4, 2025 at 8:35 am #17544230

Lucas Vidal de Andrade
WPML Supporter since 11/2023

Languages: English (English )

Timezone: Europe/Vienna (GMT+01:00)

Thank you very much for taking the time to provide such a thorough explanation of your concerns regarding the external loading of JS/CSS files from our AMS/ATE service.

We’ve carefully reviewed the points you raised, including:

WordPress Plugin Guidelines – The guideline you referenced applies to plugins hosted on the official WordPress.org directory. Since WPML is distributed independently, this rule does not apply to us. Additionally, the assets in question are part of WPML's own service infrastructure, not third-party resources.

Privacy Implications – The external script is served from our own domain and does not collect or transmit user data beyond what’s required to operate WPML services. This setup is aligned with our privacy policy, and we do not see any direct conflict with data protection laws such as GDPR in this context.

Security Risks – We understand the hypothetical risk you described — namely, that if our servers were compromised, malicious code could be served to users. While this is a valid consideration, it is a very specific and theoretical scenario. Given the significant architectural effort required to change this, and the fact that these assets are served securely via HTTPS from our own controlled infrastructure, we believe the current approach strikes the right balance between flexibility and security.

We truly appreciate your detailed feedback, and while your concerns are noted, we’ve decided not to make changes in this area at this time.

Thank you again for your understanding, and please feel free to reach out if you have any further questions.