Independent Digital

Creating and managing dynamic websites using Php, MySql, HTML and Wordpress with a bit of PEAR on the side


WordPress themes are a security risk!

25 February, 2008 (20:09) | Blogging, Themes, Wordpress | By: clive


WordPress themes are PHP code that runs on your server with the same privileges as WordPress itself, so be very careful about which themes you install. Before downloading any theme consider:

  1. Is the download site official? Avoid third-party download sites. If it is neither an official site nor the author's own site, read through the theme's code carefully before activating it.
  2. Is it the latest version of the theme?
  3. Are you running the latest version of WordPress?
  4. Do some research. Search the net for any reported security issues concerning the theme you want to download.

So what are the security issues when using WordPress themes? There are two ways that a theme can become a risk:

1. The first is when someone intentionally ADDS code to the theme. Typically this is code that adds a link to the theme's output. When your website is displayed using that theme the links are rendered but are usually not visible to a visitor (see article on spamdexing). The person who included the code is hoping to increase the number of links pointing at his website so that his Google ranking improves. Unfortunately Google will then pick this up and may remove your site from its index. A double whammy! Quite innovative considering the number of sites using the popular themes. The same people also embed code that lets the theme be used to send spam (see article on spam and how to deal with it), to host phishing pages or to serve random ads.


2. The second is usually unintentional. The theme author has written code which is not secure and allows a cracker (see article on Search Engine Optimization) to infiltrate any website using the theme. A common example, a cross-site scripting (XSS) flaw, is echoing PHP_SELF into the page without wrapping it in htmlspecialchars():

<form id="searchform" method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
 

$_SERVER['PHP_SELF'] is the path of the current request, including any extra path the client appends after the script name, so its value is under the visitor's control. A request such as /index.php/"><script>...</script> puts a closing quote and a script tag straight into the action attribute, where the browser runs it. A secure version wraps the value in the PHP function htmlspecialchars(), which converts <, >, & and " into HTML entities so the value cannot break out of the attribute:

<form id="searchform" method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

This problem is usually seen in the theme's:

  • 404 template (404.php)
  • search form / search page (search.php)
  • header template (header.php)
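To make the difference between the two form tags concrete, here is an added example (not code from the original post) that puts both lines into functions and feeds them one constructed request. The request shape is an assumption: it supposes the theme file is reached with an extra path segment after the script name, as PATH_INFO-style WordPress permalinks of the form /index.php/... allowed, so that PHP_SELF carries attacker-chosen text.

```php
<?php
// Added example, not code from the original post: the post's two search-form
// lines as functions, run against one constructed request so the effect of
// htmlspecialchars() is visible. Run with: php phpself_xss.php

// The vulnerable line from the post: PHP_SELF is echoed into the attribute as-is.
function render_vulnerable(string $php_self): string
{
    return '<form id="searchform" method="get" action="' . $php_self . '">';
}

// The fixed line from the post. ENT_QUOTES is added so that a theme using
// single-quoted attributes (action='...') is covered as well: on PHP versions
// before 8.1 the default flags escape < > & and " but leave ' untouched.
function render_safe(string $php_self): string
{
    return '<form id="searchform" method="get" action="'
        . htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request (assumption, see lead-in). PHP builds PHP_SELF from
// SCRIPT_NAME plus PATH_INFO, so the tail chosen by the attacker ends up in
// the value the theme echoes.
$script_name = '/index.php';
$path_info   = '/"><script>alert(document.cookie)</script><a href="';
$php_self    = $script_name . $path_info;

echo "Vulnerable output:\n", render_vulnerable($php_self), "\n\n";
// The first "> closes the form tag early and the script runs in the visitor's browser.

echo "Hardened output:\n", render_safe($php_self), "\n";
// The quote and angle brackets arrive as &quot; &gt; &lt; and stay inside the attribute.
```

Note that escaping only helps if the attribute is quoted; an unquoted action=<?php ... ?> can be broken out of with a space. Current WordPress versions avoid the problem entirely: the bundled themes build the search form action with esc_url(home_url('/')) instead of PHP_SELF.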

Here are 2 good articles on cross site scripting:

Only download your themes from the official WordPress Theme Viewer or directly from the authors’ site.
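When a theme does come from somewhere other than the official site, "check the code carefully" can be given a starting point. The following is an added example, not a tool from the original post or from WordPress: a small PHP script that sweeps a theme directory for the two kinds of problem described above, injected code (hidden links, obfuscated eval/base64 payloads, mail() calls, includes from remote URLs) and PHP_SELF echoed without an escaping call. The pattern list and the file name theme_check.php are my own choices.

```php
<?php
// Added example, not part of the original post: a static sweep of a
// downloaded theme before it is activated. The patterns are heuristics:
// a hit marks a line to read by hand, not proof of compromise, and a clean
// run proves nothing.
// Usage: php theme_check.php /path/to/wp-content/themes/some-theme

function report(string $path, int $lineNo, string $label, string $line): void
{
    printf("%s:%d: %s\n    %s\n", $path, $lineNo, $label, trim(substr($line, 0, 160)));
}

$dir = $argv[1] ?? '';
if ($dir === '' || !is_dir($dir)) {
    fwrite(STDERR, "usage: php theme_check.php /path/to/theme\n");
    exit(1);
}

// Regexes applied to every line of every PHP/HTML/JS/CSS file in the theme.
// eval( also fires in .js files, which is intended: injected ad and spam
// loaders commonly use it there too.
$patterns = [
    'eval() of generated code'   => '/\beval\s*\(/',
    'decode/obfuscation call'    => '/\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/',
    'mail() inside a theme'      => '/\bmail\s*\(/',
    'include from a remote URL'  => '/\b(include|require)(_once)?\s*\(?\s*[\'"]?https?:\/\//i',
    'hidden link or block'       => '/<(a|div|span|p)\b[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|'
                                  . 'font-size\s*:\s*0(?![.\d])|text-indent\s*:\s*-\d{3,})/i',
];

// A PHP_SELF line is reported unless an escaping call appears on the same
// line; escaping done on a previous line would show up as a false positive.
$escapers = '/\b(htmlspecialchars|htmlentities|esc_url|esc_attr)\s*\(/';

$findings = 0;
$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
);
foreach ($files as $file) {
    $ext = strtolower($file->getExtension());
    if (!in_array($ext, ['php', 'html', 'htm', 'js', 'css'], true)) {
        continue;
    }
    $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        continue;
    }
    foreach ($lines as $i => $line) {
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $line)) {
                report($file->getPathname(), $i + 1, $label, $line);
                $findings++;
            }
        }
        if (strpos($line, 'PHP_SELF') !== false && !preg_match($escapers, $line)) {
            report($file->getPathname(), $i + 1, 'PHP_SELF echoed without escaping', $line);
            $findings++;
        }
    }
}

printf("%d finding(s)\n", $findings);
exit($findings > 0 ? 2 : 0);
```

The exit code (2 when anything was flagged) lets the script sit in a pre-deploy check. Read every flagged line in context: a legitimate theme may use display:none for a skip link, and an injected block of base64 will usually stand out precisely because nothing around it explains it.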


Comments

Pingback from WordPress, updated but still hacked? | Independent Digital
Time: June 26, 2008, 2:17 pm

[...] perfectly, I downloaded a new copy of my chosen theme from a legitimate site (see article on themes are a security risk) and installed this in the Themes [...]
