Recently, Automattic and WordPress decided to clean up the WordPress Themes Viewer, removing all the “sponsored Themes” from its database.
There has been a lot of debate over the definition of a sponsored WordPress Theme. In theory, any WordPress Theme design which was “paid” for development and construction is a sponsored Theme. Those aren’t the problem.
The WordPress Themes that were stuffed full of ad links, company links, and code that generated ads and more nasty stuff are the trouble-makers. These are the WordPress Themes that have now been removed from the WordPress Theme Viewer, the official source for WordPress Themes, and slapped with the generalized term “sponsored”, though this is an inappropriate label. I’d call them evil WordPress Themes as their intent is for greed and trouble.
There are many places where you can find WordPress Themes and templates, free or paid, which may or may not include evil “sponsored” links. And how would you know?
Indeed, some evil Themes have been found in unofficial Theme distributors, as I reported in the most recent WordPress Wednesday News on the Blog Herald.
Your WordPress Theme May Be Vulnerable to Security Flaws and Errors
Added to this worry is the announcement by Blog Security of their “Top 10 Vulnerable WordPress Themes”, a list of Themes which feature some of the common WordPress template flaws.
These are not evil deeds and links but design and code elements within a WordPress Theme that make it vulnerable to hacking, defacing, and even entering your blog’s Administration Panel. These are most often found in Themes due to ignorance by the designer who uses code found in other WordPress Themes, not knowing there are errors or flaws in the code. Rarely are these put there on purpose, but it still puts your WordPress Theme at risk.
This isn’t limited to newly downloaded WordPress Themes. Most of these security and structural flaws are found in older Themes which haven’t been updated as these issues were revealed. If you are using an older WordPress Theme, contact the original author for an update. If you designed your own, you may have copied in code that makes your Theme vulnerable, so get it checked.
Blog Security offers a “WordPress Theme Scanner” which is designed to check your WordPress Theme to see if it has some of these common vulnerabilities. According to the documentation, it searches for:
- WordPress Version Check (currently supports 7 version checks). Future releases will include a file existence version check, for those blogs that have removed their version details.
- Tests the WordPress theme template for basic XSS vulnerabilities.
- Enumerates WordPress Plugins. Future releases will perform additional tests in this area.
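As an added example (my own illustration, not the Blog Security scanner and not code from the original post), here is a small Python check that looks for the two problems described above in theme template files: hidden ad links or obfuscated code, and request data or the search term echoed into the page without escaping. The rule patterns and the sample theme files are constructed for illustration only.

```python
"""Static check of WordPress theme templates for the problems the post
describes. Added example: the rules are assumptions, not the Blog Security
scanner's rule set, and the sample theme below is constructed."""
import re

# Each rule: (name, compiled regex). Constructed patterns for illustration.
RULES = [
    # obfuscated code that typically unpacks hidden ad/link markup at runtime
    ("obfuscated-code", re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    # links hidden from readers but still visible to search engine crawlers
    ("hidden-link", re.compile(r"display\s*:\s*none[^>]*>[^<]*<a\s", re.I)),
    # request data echoed straight into HTML (classic template XSS)
    ("unescaped-request-echo", re.compile(r"<\?(?:php)?\s*echo\s+\$_(?:SERVER|GET|POST|REQUEST)\[", re.I)),
    # the search term echoed into an attribute without escaping
    ("unescaped-search-term", re.compile(r"value\s*=\s*\"<\?(?:php)?\s*echo\s+\$s\s*;?\s*\?>", re.I)),
]

def scan_template(source: str):
    """Return a list of (rule_name, line_number) findings for one template."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno))
    return findings

def scan_theme(files: dict):
    """files maps template path -> source; returns {path: findings} for every
    template with at least one finding."""
    return {path: f for path, src in files.items() if (f := scan_template(src))}

# Constructed sample theme: a clean sidebar, a footer carrying a hidden ad link
# and obfuscated code, and a search form with the two unescaped echoes.
SAMPLE_THEME = {
    "sidebar.php": '<ul><li><a href="<?php bloginfo(\'url\'); ?>">Home</a></li></ul>\n',
    "footer.php": (
        '<div style="display:none"><a href="http://example.com/ad">cheap stuff</a></div>\n'
        '<?php eval(base64_decode($credit)); ?>\n'
    ),
    "searchform.php": (
        '<form action="<?php echo $_SERVER["PHP_SELF"]; ?>">\n'
        '<input type="text" name="s" value="<?php echo $s; ?>" />\n'
        '</form>\n'
    ),
}

if __name__ == "__main__":
    for path, findings in scan_theme(SAMPLE_THEME).items():
        print(path, findings)
```

Point `scan_theme` at the contents of a real theme directory to get a first pass; a hit is a reason to read that line, not proof of malice, and a clean result does not prove the theme safe.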
If you choose to download Themes from “unofficial” sites, take care. These are not the responsibility of WordPress or Automattic. Download these Themes at your own risk. I recommend that if you cannot find a WordPress Theme from the official sites, you check the code thoroughly before using, or have someone do it for you. And consider testing them against the scanner.
And take care with all WordPress Themes you are using and pass your WordPress blog and Theme through the Blog Security WordPress Scanner Plugin to help it detect possible security flaws, especially if your WordPress Theme is more than a few months old.
Copyright Lorelle VanFossen, member of the 9Rules Network, and author of Blogging Tips, What Bloggers Won't Tell You About Blogging.