Are some WordPress themes more secure than others?

3 replies
And if so, how do I find a secure one?
#secure #themes #wordpress
  • bettersocial
    The core WordPress code remains the same across themes, so unless you've purchased your theme from a particularly bad developer, all themes should have nearly equal security.

    That said, I don't really trust WordPress' built-in security. Just now I got a notification from WordFence that they blocked an IP address that was trying to get into my site.

    Here's what you can do to enhance security:

    1. Install WordFence

    2. Move to a more secure host. Most managed WordPress hosting services are very good. I personally recommend Synthesis from the Copyblogger guys.

    3. Install wp-db-backup and schedule backups of your database, preferably to Dropbox/Drive.

    4. Most don't do this, but I recommend it highly: set up an Amazon S3 account to store and deliver all your media. You'll save tons of bandwidth and ensure better safety.
    • kilgore
      Originally Posted by bettersocial:

      The core WordPress code remains the same across themes, so unless you've purchased your theme from a particularly bad developer, all themes should have nearly equal security.
      This is just flat out wrong. Themes can be well written and themes can be poorly written. They can easily contain bugs, security holes or even malicious code.

      For instance, the website WPScan (https://wpvulndb.com/) keeps a list of known WordPress Core, Plugin and Theme vulnerabilities. Here are a few they mention:
      • ElegantThemes - Privilege Escalation
      • Builder Theme <= 1.4.0 - PrettyPhoto DOM Cross-Site Scripting (XSS)
      • Multiple Themes - Privilege Escalation
      • Salem Theme <= 1.5.5 - PrettyPhoto DOM Cross-Site Scripting (XSS)
      • Salient Theme <= 4.9 - DOM Cross-Site Scripting (XSS)
      And it should be reiterated that these are only the vulnerabilities that this site knows about and has posted. And I really have no idea how comprehensive this site is -- there could be (and almost certainly are) many, many more vulnerabilities in WordPress themes than are listed on this site.

      As to how to find secure themes, ideally you do a comprehensive audit of the code looking for possible bugs, vulnerabilities or malicious code. But this not being an ideal world, you probably don't have the time or resources for that. So instead the best you might be able to do is some research. Is the plugin actively maintained? How responsive are the developers? Does it come with support (paid, a forum or whatever)? How many users does it have? Have others had issues? If so, how frequent are they? How fast did they fix them? How serious were they?

      And of course, once you're using a theme make sure you keep it up to date! Even the best developers make mistakes -- and beyond that new vulnerabilities are constantly emerging that nobody had even thought of.
    • lanserno
      Originally Posted by bettersocial:
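As an added example (not code from this thread or from WPScan), here is the version check that the research described above boils down to: read the header that WordPress itself parses from a theme's style.css and compare the installed version against a list of "<=" advisories modelled on the entries quoted above. The style.css text and the advisory table are constructed samples, not real data.

```python
import re

# Constructed sample: the header block WordPress reads from a theme's style.css.
SAMPLE_STYLE_CSS = """/*
Theme Name: Salient
Theme URI: https://example.invalid/salient
Author: Example Author
Version: 4.9
*/
"""

# Constructed advisory list modelled on the entries quoted in the thread:
# (theme name, "<=" ceiling version, title). In practice this would be
# populated from a vulnerability feed such as the WPScan database.
ADVISORIES = [
    ("Builder", "1.4.0", "PrettyPhoto DOM Cross-Site Scripting (XSS)"),
    ("Salem", "1.5.5", "PrettyPhoto DOM Cross-Site Scripting (XSS)"),
    ("Salient", "4.9", "DOM Cross-Site Scripting (XSS)"),
]

# Only the two header fields we need; other lines ("Theme URI:", "Author:") are ignored.
HEADER_RE = re.compile(r"^\s*(Theme Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_theme_header(css_text):
    """Return {'Theme Name': ..., 'Version': ...} found in a style.css header."""
    return dict(HEADER_RE.findall(css_text))


def version_tuple(v):
    """Turn '1.4' into (1, 4, 0) so that 1.4 == 1.4.0 and 4.10 > 4.9 numerically,
    which a plain string comparison would get wrong."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def check_theme(css_text, advisories=ADVISORIES):
    """Return the titles of advisories whose '<=' ceiling covers the installed version."""
    header = parse_theme_header(css_text)
    name, version = header.get("Theme Name"), header.get("Version")
    if not name or not version:
        return []  # no usable header: nothing to compare against
    installed = version_tuple(version)
    return [title for theme, ceiling, title in advisories
            if theme.lower() == name.lower() and installed <= version_tuple(ceiling)]
```

Running check_theme() over every wp-content/themes/*/style.css after each theme update gives a quick, repeatable answer to "am I still on a version with a published advisory?".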

      The core WordPress code remains the same across themes, so unless you've purchased your theme from a particularly bad developer, all themes should have nearly equal security.

      That said, I don't really trust WordPress' built-in security. Just now I got a notification from WordFence that they blocked an IP address that was trying to get into my site.

      Here's what you can do to enhance security:

      1. Install WordFence

      2. Move to a more secure host. Most managed WordPress hosting services are very good. I personally recommend Synthesis from the Copyblogger guys.

      3. Install wp-db-backup and schedule backups of your database, preferably to Dropbox/Drive.

      4. Most don't do this, but I recommend it highly: set up an Amazon S3 account to store and deliver all your media. You'll save tons of bandwidth and ensure better safety.
      Not sure about this part you said: "core WordPress code remains the same across themes".

      I would like to add a few more simple things to keep in mind:

      - Change your password often (and make it good)
      - Disable file editing (by default the WordPress dashboard allows an admin to edit PHP files, i.e. plugin and theme files)... this might be the first target for an attacker if he manages to log in. More information on how to secure a WordPress site and how to disable file editing you might find HERE.

      Hope that helps,

      Filip.