Most bloggers and webmasters who use WordPress understand that they need to keep the core files up to date and also update any plugins that they may have. Fortunately, WordPress makes the process of doing so very easy and painless, usually just a click away, and most users seem to do it without thinking about it.
To drive this point home, prominent WordPress core developer Mark Jaquith said in a recent talk at WordCamp Phoenix 2011 that “The themes of today are pretty much like plugins in terms of what they can do.”
In short, the functionality of themes and plugins overlap greatly as even “basic” themes include additional elements that manipulate WordPress by adding new options and settings.
However, while all of this new functionality is a great thing for bloggers, especially those who want to easily design a great site, it’s bad news for security. WordPress themes are a potential security risk, just as with any plugin, and they require maintenance and testing to make sure they are still safe.
Unfortunately, few people give their themes such weighty consideration, possibly leading to major problems down the road.
The pitfall to this issue is actually fairly straightforward. Since WordPress themes can run code in a way very similar to plugins, they can also create security issues very similar to plugins. This includes both issues for the WordPress installation and, potentially, issues for visitors of the site.
However, many bloggers still think of their themes as nothing but a collection of static HTML and CSS, even though themes often add settings, manipulate the database and take other actions that clearly show their power.
To make matters worse, unlike with plugins, most bloggers do at least a modest amount of customization to their themes. This greatly complicates the process of updating them as any update would, without precautions, overwrite the changes and require the editing process to start all over again.
In short, even though themes often contain the exact same security issues as plugins, they are often much more difficult to update and many bloggers aren’t aware that they even should.
Because of this, notifications in WordPress that you should update a theme often go unheeded, even when there are serious security issues. This leaves many bloggers vulnerable to attack and can cause one’s blog to be compromised.
This, in turn, can have very dire consequences, especially if an outside attacker finds a way to exploit the vulnerability and run unauthorized code. This can let them manipulate the site and make alterations to it at will, including using it for phishing attacks, to distribute malware or just generally cause havoc.
It’s a pitfall no blogger should risk falling into.
How to Avoid it
The first key to avoiding this pitfall is being aware of it. Understanding just how much scripting, and how much potential danger, is in a theme, and treating it with the appropriate amount of weight, is critical to not leaving yourself open.
The second key, obviously, is better coding practices from theme developers. Theme developers should, generally, follow the same coding practices as plugin developers, a point Jaquith was making in his talk, and should use the same APIs for security reasons.
However, neither of these measures prevents themes from having security holes, and neither addresses the ugly mess that updating themes can be. As discussed above, user customizations can make updating a theme a nightmare, forcing one to go back through and re-implement the changes they made.
The solution to this problem is child themes. Child themes are themes that get all of their functionality from their parent theme but keep the user customizations within their files. This means that all of the coding and potential security issues are in the parent theme while the user changes are in the child, making it possible to update the parent theme, fixing any security issues, without losing any of the changes.
The idea is remarkably simple and has been used widely by various WordPress theme frameworks, such as Genesis, to make it easier to change the look and feel of a site while keeping the main framework easy to update. This is why Automattic and the core developers of WordPress recommend this approach.
Unfortunately though, few themes make active use of child themes, nor do they encourage their users to do so. However, it is trivial to create a child theme for your site, and doing so should not add much to your development time if done correctly.
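A minimal child theme along the lines described above, as an added example (not code from the article or from any particular theme). It assumes a parent theme living in the directory twentyeleven and a child theme called myblog-child; both names are placeholders, and the only real WordPress APIs used are wp_enqueue_style, get_template_directory_uri, get_stylesheet_directory_uri, wp_get_theme, get_template, add_action and add_filter.

```php
<?php
// functions.php of the hypothetical child theme "myblog-child".
// The child theme directory also needs a style.css whose header names the
// parent theme; the "Template:" value must be the parent's directory name:
//
//     Theme Name: My Blog Child
//     Template:   twentyeleven
//
// WordPress loads this file first and then the parent's functions.php, so the
// parent keeps all of its own code (and its security fixes arrive with each
// parent update); this file only adds to it. Any other template file copied
// into the child directory (header.php, single.php, ...) replaces the parent's
// file of the same name, so keep such overrides to the minimum you need.

/**
 * Load the parent stylesheet first and the child's own style.css on top of it,
 * so look-and-feel tweaks live in the child and survive parent updates.
 */
function myblog_child_enqueue_styles() {
    $parent_handle = 'parent-style';
    // get_template_directory_uri() points at the PARENT theme directory.
    wp_enqueue_style(
        $parent_handle,
        get_template_directory_uri() . '/style.css',
        array(),
        wp_get_theme( get_template() )->get( 'Version' )
    );
    // get_stylesheet_directory_uri() points at the CHILD theme directory.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( $parent_handle ),
        wp_get_theme()->get( 'Version' )
    );
}
add_action( 'wp_enqueue_scripts', 'myblog_child_enqueue_styles' );

/**
 * Change a behaviour without editing the parent. Because the child's
 * functions.php runs before the parent's, a filter the parent also hooks at
 * the default priority (10) would run after ours and win; hooking at a later
 * priority (20) makes the child's value the final one.
 */
function myblog_child_excerpt_length( $length ) {
    return 30; // parent's value is ignored; 30 words is the child's choice
}
add_filter( 'excerpt_length', 'myblog_child_excerpt_length', 20 );
```

Activate the child theme, not the parent, in the WordPress admin; the parent can then be updated from the same screen without touching these files.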
In short, if you are setting up a new site with a new theme, it is crucial both to be aware of the danger that insecure themes can create and to take the steps to make sure that your theme is easily updated, namely by using a child theme. If you do that, your site will be a great deal more secure and likely have fewer issues with security.
Of course, all of this is just a small part of the theme security picture. For example, the biggest theme security risk currently is not the installation of an unintentionally insecure theme, but using a theme with malicious code built into it deliberately.
This is why you should only use themes either from the WordPress Theme Gallery or directly from trusted third-party providers, not from intermediary download sites. Not only does this ensure that the code is clean, but it also ensures you can easily update the theme later.
Similarly, you may want to use a plugin like Theme Authenticity Checker (TAC), which scans theme files and looks for malicious code. Though such plugins are far from perfect, they may help you vet new themes you put on your site and let you know if your theme has been altered without your knowledge.
In the end though, it’s past time for WordPress users to get serious about theme security, at least as serious about it as they are plugin security. The difference between the two is so minimal now, that ignoring the security of themes is foolish and very likely to land your site in serious trouble down the road.