We see it mentioned all the time that outdated core, themes, and plugins are among the top causes of security breaches.
I’m curious as to what it is about an outdated theme in particular that raises concern. I ask this as someone interested in developing custom themes.
If, for instance, I create a very minimal theme using standard hooks and well-formed php/js, is there anything in particular that should compel me to update my theme?
Did you use a theme from anybody else? If so, update it to the latest version so that they can fix security issues in the theme.
If you happened to make a theme with zero bugs then there would be no reason to update for security purposes. It’s just unlikely that any functional software is written without bugs.
The more complex the theme or plugin is, the more important it is to keep up to date, generally speaking.
The main way malware can infect a site is if there is anywhere in the site that accepts user input – if you don’t sanitize the input correctly, XSS attacks occur (WordPress Core itself had one this week!).
The other main attack point is privilege escalation i.e. where a user role checked doesn’t occur, and someone is able to perform an operation that they shouldn’t be allowed to.
A standard, basic theme that you made yourself likely wouldn’t contain these sorts of features, so there wouldn’t be anything to update. It’s the “kitchen sink” themes (like those on ThemeForest) that require constant updates, especially those that come with plugins like Elementor, WPBakery, RevSlider – the big 3 culprits for sec vulns.
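The two failure modes this answer names (unescaped user input reaching the page, and an operation with no role check) are easy to illustrate in theme code. The following is an added example, not code from the thread or from any theme: a hypothetical search heading and a hypothetical admin-ajax handler, each shown in its unsafe form and then hardened with the standard WordPress functions (`sanitize_text_field`, `esc_html`, `esc_attr`, `check_ajax_referer`, `current_user_can`). The option name, nonce action and function names are assumptions chosen for the example.

```php
<?php
// Added example (not from the thread): theme-side output and an AJAX
// handler, shown unsafe first and hardened second. Assumes it runs
// inside WordPress (functions.php), where the wp_* / esc_* helpers exist.

// --- Unsafe: reflects a query parameter into the page without escaping (XSS) ---
function example_unsafe_search_title() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<h2>Results for: ' . $q . '</h2>'; // attacker-controlled markup lands in the page
}

// --- Hardened: sanitize on input, escape on output for the right context ---
function example_safe_search_title() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<h2>Results for: ' . esc_html( $q ) . '</h2>';                 // text node context
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';  // attribute context
}

// --- Unsafe: changes a site option with no nonce and no capability check ---
// wp_ajax_* hooks fire for *any* logged-in user, so a subscriber could call this.
function example_unsafe_save_color() {
    update_option( 'example_theme_color', $_POST['color'] ); // unvalidated, unauthorized write
    wp_send_json_success();
}

// --- Hardened: verify the nonce, require the capability, validate the value ---
function example_safe_save_color() {
    // Dies with a 403-style response if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'example_theme_color_nonce', 'nonce' );

    // Privilege check: only users who may edit theme options get to change this setting.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Validate against the expected shape (a CSS hex colour) instead of trusting the input.
    $raw   = isset( $_POST['color'] ) ? wp_unslash( $_POST['color'] ) : '';
    $color = preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $raw ) ? $raw : '';
    if ( '' === $color ) {
        wp_send_json_error( 'invalid color', 400 );
    }

    update_option( 'example_theme_color', $color );
    wp_send_json_success( array( 'color' => $color ) );
}
add_action( 'wp_ajax_example_save_color', 'example_safe_save_color' );
```

The hardened handler layers three independent checks (nonce, capability, value validation); removing any one of them reintroduces a class of bug the thread describes, and each is the kind of thing a theme update typically exists to add.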
Developers usually update their themes for 1 of 3 reasons… 1) adding new features, 2) updating core version compatibility, and 3) patching security vulnerabilities.
If you write your own theme and have no desire to add new features and haven’t discovered any vulnerabilities in your code, then you don’t need to update. Obviously, assuming your code doesn’t contain vulnerabilities is exactly how bad things happen. Core versions change regularly so it’s definitely possible you may have to make changes when new core versions of WP come out if you make use of a hook that gets deprecated for example.
I consider a plugin ‘old’ if it hasn’t received an update in 6-12 months because there are enough core updates of WP during that time that even a lazy developer could take the small effort to update the compatibility information in the theme with little effort. It’s safe to assume (in my opinion) if they’re not even doing this much, they’re not paying much attention to the rest of the plugin/theme.
Skeleton themes shouldn’t need any security updates. The theme vulnerabilities come from large themes that have a lot of custom code for the different theme options, features etc.
What u/antonyxsi said. A “clean” theme written with only HTML, CSS, a little JavaScript using no or *extremely* basic libraries plus standard WordPress functions is probably going to be fine. Low though still not zero chance of vulnerabilities.
The issue comes up more with “premium” themes that include massive, complex functionality. Up to and including bundled commercial plugins. The very big problem being that if a vulnerability is found in, say, WPBakery or Slider Revolution then *even if you catch it and want to update* you’ll still have to wait till the theme vendors issue the update. (Assuming the vendors haven’t gone out of business or abandoned the theme. See WooThemes Canvas, for instance.)
And of course a lot of the ~~suckers~~ ~~newbies~~ who buy that kind of shovelware theme may not even know to run updates.
Either way, if a vulnerability shows up in unmaintained code hackers will take advantage of
A similar problem can show up with a particular kind of custom built “agency” sites where they promise all kinds of sophistication and, especially, none of those “risky” and “bloated” plugins but then… add rafts of substandard, out of date, poorly understood code and dependencies buried in theme folders and launched from functions.php.
These may benefit from “security through obscurity” but if a dependency becomes vulnerable then the site will become vulnerable.