A lot of people talk about security in WordPress, but they don't always talk about security measures you can take with your theme. There are three main areas in which you should be concerned about security: where you acquire your themes from; checking for malicious code; and checking whether your theme uses TimThumb.
WordPress Theme Security
There are a lot of themes out there and a lot of places to get them. If you are looking for an off-the-shelf theme, I recommend looking at some of the major theme houses, the official WordPress theme repository, theme roundup articles from major blogs, or my post on themes. These sources generally scan themes and make sure that they don't contain malicious code. Avoid "free" copies of commercial themes from unknown sites; injected code and hidden links are exactly what those tend to carry.
However, since I tend to be concerned about security, I also run any theme that I'm using through the Theme Authenticity Checker. It's a very easy to use plugin that scans installed themes for known signs of malicious code.
The second security measure I take is to find out whether the theme uses the TimThumb image-resizing script (timthumb.php, sometimes shipped under the name thumb.php). Older versions of this script have known security holes that can allow your site to be hacked. So, if the theme uses TimThumb, I add the Timthumb Vulnerability Scanner plugin.
The last major step that I take is to remove unused themes. An inactive theme's files still sit on the server, so a hole in one of them (a vulnerable timthumb.php, for example) can be exploited whether or not the theme is active; that is why I remove them. If you keep any theme besides the one you are using (a parent theme that your child theme needs, for example), you will need to make sure that it stays up to date and does not have any problems. For more information on updating, read my post on Updating WordPress.
Theme Authenticity Checker
Theme Authenticity Checker (TAC) is an easy to use plugin which scans all of the themes installed on your WordPress website.
Once you have installed the TAC plugin it will be available under Appearance, then TAC.
When you go to the TAC page you will see a listing of all of your installed themes and their results. You are looking for the big green labels that say “Theme Ok!”. If a theme does not get a green label, treat it as suspect and look at the flagged code before you use it.
There may be some additional information next to a particular theme, such as “23 Static Links Found”. This does not by itself mean there is a problem, just that the theme contains hard-coded links. When themes are customized they often contain static links (as is the case here). If TAC recognised a static link as pointing to a known malicious source, it would notify you of that. Still, open the details and verify by eye that every link goes somewhere you expect; unexplained outbound links in a footer or sidebar are one of the most common things injected into themes from untrusted sources.
“By Anonymous” just means that the theme author has not included an author attribute in the theme's style.css header. If you know where you acquired this theme, this does not necessarily mean there is a problem. If you cannot vouch for the source, then you should be concerned.
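To show concretely what a scanner of this kind looks for, here is an added example (my own illustration, not code from the original post or from the TAC plugin). It applies the same two kinds of check TAC reports on: signs of obfuscated or injected PHP, and hard-coded outbound links in template files. The patterns, the sample theme files, the hostnames (example-shop.test, seo-spam.test) and the function names are all constructed for the example.

```python
# Added example (not part of the original post or of the TAC plugin): a small
# scanner that applies the same two kinds of check TAC reports on: signs of
# obfuscated/injected PHP, and static outbound links in template files.
import re
import tempfile
from pathlib import Path

# Patterns typical of code injected into pirated or tampered themes. A hit means
# "read this line by hand", not "certainly malicious". Chosen for this example.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of decoded payload"),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
     "preg_replace with /e modifier"),
    (re.compile(r"\b(assert|create_function)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "request data passed to code execution"),
    (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
     "long base64-looking blob"),
]
# Absolute http(s) links hard-coded in templates: what TAC counts as "static links".
STATIC_LINK = re.compile(r"href\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)


def scan_theme(theme_dir, own_hosts=()):
    """Scan every .php file under theme_dir. own_hosts lists hostnames you expect
    the theme to link to (your own site); links to any other host are reported."""
    theme_dir = Path(theme_dir)
    findings = {"suspicious": [], "static_links": []}
    for path in sorted(theme_dir.rglob("*.php")):
        rel = path.relative_to(theme_dir).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(line):
                    findings["suspicious"].append((rel, lineno, reason))
            for url in STATIC_LINK.findall(line):
                host = url.split("/")[2].lower()
                if host not in own_hosts:
                    findings["static_links"].append((rel, lineno, url))
    return findings


def verdict(findings):
    """Mirror TAC's headline: green "Theme Ok!" only when no code pattern fired.
    Static links alone do not fail the theme; they are listed for manual review."""
    return "Theme Ok!" if not findings["suspicious"] else "Suspicious code found"


def build_sample_theme(root):
    """Write a constructed three-file theme (sample data for this example only)."""
    root = Path(root)
    (root / "inc").mkdir(parents=True, exist_ok=True)
    (root / "header.php").write_text(
        '<?php wp_head(); ?>\n<a href="https://example-shop.test/">Store</a>\n', encoding="utf-8")
    (root / "footer.php").write_text(
        "<?php\n/* theme credit */\necho '<a href=\"http://seo-spam.test/\">links</a>';\n", encoding="utf-8")
    (root / "inc" / "helper.php").write_text(
        "<?php\n@eval(base64_decode('ZWNobyAiaGkiOw=='));\n", encoding="utf-8")
    return root


def demo():
    """Build the sample theme in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = build_sample_theme(Path(tmp) / "my-theme")
        return scan_theme(theme, own_hosts=("example-shop.test",))


if __name__ == "__main__":
    result = demo()
    print(verdict(result))
    for item in result["suspicious"] + result["static_links"]:
        print(*item)
```

Run it against a real theme with `scan_theme("/path/to/wp-content/themes/your-theme", own_hosts=("yourdomain.example",))`. The point of the split verdict is the same one TAC makes: a static-link count is information to review, while an `eval(base64_decode(...))` in a theme helper is a reason not to activate it until you understand what the decoded payload does.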
Timthumb Vulnerability Scanner
Timthumb Vulnerability Scanner (TVS) puts itself in an unusual location: rather than under Appearance, it is located under Tools.
By default TVS schedules a daily scan to make sure that your copy of the script is up to date. However, I recommend that you run a manual scan as soon as you install the plugin.
To manually check (or view status), go to Tools, then Timthumb Scanner. You will see a blue “Scan!” button; click it. TVS will now scan your theme, locate your copy of the TimThumb script and check its version. The results will be displayed in “Scan Results”. You are looking for a green “Up to Date” message.
If, however, your results display a red “Vulnerable” message, you want to update your TimThumb script. To do so, tick the checkbox next to Status and then click “Upgrade Selected Files”.
After running the update you will see two messages at the top of the screen. The first will tell you that the download happened successfully and the second will tell you that the script updated successfully. After updating your TimThumb script, you may need to re-enter the settings for your image sliders, since they sometimes get reset to their defaults. Run the scan once more afterwards to confirm that it now reports “Up to Date”.
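The check TVS performs (find the script, read its version, compare against the current release) can be reproduced by hand, which is useful when you want to look beyond a single theme. The following is an added example of mine, not code from the original post or from the TVS plugin. It assumes that TimThumb declares its version with a PHP define of the form `define ('VERSION', '2.8.14');`, that copies usually ship as timthumb.php or thumb.php, and that a renamed copy still mentions TimThumb in its header comment; the threshold 2.8.14 is the last release I know of and is passed in as a parameter so you can set it to whatever is current. The sample files and theme names are constructed.

```python
# Added example (not part of the original post or of the TVS plugin): find every
# copy of TimThumb under a directory and compare its declared version against a
# threshold. It relies on TimThumb declaring its version with a PHP define such as
#   define ('VERSION', '2.8.14');
# (assumed from the script's source) and on renamed copies still naming TimThumb
# in their header comment.
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9][0-9.]*)['\"]\s*\)")
FINGERPRINT = re.compile(r"timthumb", re.I)        # looked for in the file header only
CANDIDATE_NAMES = ("timthumb.php", "thumb.php")    # names the script commonly ships under


def parse_version(text):
    """'2.8.14' -> (2, 8, 14) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip(".").split("."))


def find_timthumb(root, minimum):
    """Return (relative path, version or None, status) for each TimThumb copy under root.
    status is 'up to date', 'vulnerable' (older than minimum) or 'unknown' (no version define)."""
    root = Path(root)
    floor = parse_version(minimum)
    results = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        # Candidate if it carries one of the usual file names, or is a renamed copy whose
        # header still mentions TimThumb. Other PHP files are skipped.
        if path.name.lower() not in CANDIDATE_NAMES and not FINGERPRINT.search(text[:2000]):
            continue
        rel = path.relative_to(root).as_posix()
        match = VERSION_RE.search(text)
        if match is None:
            results.append((rel, None, "unknown"))
            continue
        version = match.group(1)
        status = "up to date" if parse_version(version) >= floor else "vulnerable"
        results.append((rel, version, status))
    return results


def build_sample_themes(root):
    """Write a constructed themes directory (sample data for this example only)."""
    root = Path(root)
    samples = {
        "theme-a/timthumb.php": "<?php\n/* TimThumb image resizer */\ndefine ('VERSION', '1.33');\n",
        "theme-b/inc/thumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n",
        "theme-c/functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
        "theme-d/lib/image-resize.php": "<?php\n// renamed copy of TimThumb, version define kept\ndefine ('VERSION', '2.8.10');\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def demo(minimum="2.8.14"):
    """Build the sample themes in a temporary directory and scan them.
    The default threshold is the last TimThumb release the author of this example
    knows of; set it to the current release when you run this for real."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_timthumb(build_sample_themes(Path(tmp) / "themes"), minimum)


if __name__ == "__main__":
    for rel, version, status in demo():
        print(f"{status:10} {version or '?':8} {rel}")
```

Two things this makes visible that a one-theme scan does not: the copy in theme-d has been renamed, so a check that only looks for timthumb.php would miss it, and a copy that has had its version define stripped comes back as "unknown" rather than silently passing. Point it at wp-content rather than only wp-content/themes, since plugins bundle the script as well.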
Making sure that you acquire your theme from a reliable source and checking it for security problems is important for any new theme you want to use. As you can see, these steps are not particularly time consuming and they can save your WordPress website! As the saying goes, “trust, but verify”.