Reminder to update UNUSED Wordpress Themes


#1

All,

About 20 months ago the author of a popular picture editing plugin inadvertently created a hole with a programming error. Within 60 days this hole was fixed; however, old themes could have had this hole. DreamHost was wracked with this problem about 12 months ago: people who had unused themes were being hacked because the unused theme had a plugin with a bug. Last night I had someone phishing on one of my websites for HUNDREDS of themes I didn’t have, searching for ‘thumb.php’ and ‘timthumb.php’. Just a reminder to beginners at DreamHost: delete unused themes, and if not, UPDATE EVERYTHING, since unused code, plugins and themes with bugs can kill your site EVEN IF YOU’RE NOT USING THEM! Delete them (preferable!) or at least update them!
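The probing described in this post (requests for thumb.php and timthumb.php under theme directories the site may not even have) is easy to spot in a web server access log. The POSIX shell script below is an added example, not code from this thread: it pulls those probe requests out of a combined-format log, lists the theme slugs that were tried, separates the probes that hit a real file (HTTP 200, meaning that theme is installed on the site) from the ones that missed (404), and ranks the source addresses. The log lines are constructed samples using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the forum thread: find scanner probes for
# thumb.php / timthumb.php inside theme directories in a combined-format
# access log, and separate the probes that hit a real file (HTTP 200)
# from the ones that missed (404).

LOG="$(mktemp)"
# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Jan/2013:02:14:01 +0000] "GET /wp-content/themes/twentyeleven/timthumb.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:02:14:02 +0000] "GET /wp-content/themes/photocrati/thumb.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:02:14:03 +0000] "GET /wp-content/themes/oldtheme/scripts/timthumb.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:02:14:04 +0000] "GET /wp-content/themes/oldtheme/scripts/timthumb.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2013:02:15:11 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2013:02:15:12 +0000] "GET /wp-content/themes/twentytwelve/style.css HTTP/1.1" 200 1209 "-" "Mozilla/5.0"
EOF

# Regex shared by the helpers: a request for any theme path ending in
# thumb.php or timthumb.php, followed by the end of the path (space or '?').
PROBE_RE='"[A-Z]+ /wp-content/themes/[^ ]*/(tim)?thumb\.php[ ?]'

# All probe request lines ("|| true" keeps an empty result from being an error).
probe_lines() {
  grep -Ei "$PROBE_RE" "$1" || true
}

# Distinct theme slugs the scanner tried, whether or not they exist here.
# In combined format $7 is the request path.
probed_themes() {
  probe_lines "$1" | awk '{print $7}' \
    | sed -E 's#^/wp-content/themes/([^/]+)/.*#\1#' | sort -u
}

# Probes answered with 200 ($9 is the status): the file exists on this site,
# so the theme bundling it is installed, active or not, and needs attention.
probe_hits() {
  probe_lines "$1" | awk '$9 == 200 {print $7}' | sort -u
}

# Source addresses ordered by number of probes ("count ip" per line).
probe_sources() {
  probe_lines "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

report() {
  echo "Themes probed:";                                  probed_themes "$1" | sed 's/^/  /'
  echo "Probes that hit an existing file (HTTP 200):";    probe_hits "$1"    | sed 's/^/  /'
  echo "Probe sources (count ip):";                       probe_sources "$1" | sed 's/^/  /'
}
report "$LOG"
```

Run it against a real log by replacing the heredoc with the path to the server's access log; anything in the "hit an existing file" list is a theme that is installed and should be updated or, if unused, deleted.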


#2

FWIW, unless you add in a plugin to do otherwise, WordPress does tell you that there are themes and plugins that need updating. Always update WP, themes, and plugins as soon as you can. But make a backup first.

I agree about deleting. If you’re not using a theme, you should remove it :slight_smile: The only ‘spare’ themes to keep are TwentyEleven and TwentyTwelve (the default WP themes) so that in an emergency, you can fall back to use them :slight_smile:


#3

One caveat to that, @Ipstenu-DH, is that if a user has installed a theme that is no longer (or never was) in the WP theme collection at wordpress.org, WP will not know if that theme needs an update. Not everyone gets their themes through WP and some older themes are no longer in the library.

Agree that staying 100% up-to-date is key, as is deleting (not just deactivating) unused plug-ins or themes.
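Because the dashboard only reports updates for themes it knows about, a manual inventory of what is actually on disk is worth doing. The POSIX shell script below is an added example, not code from this thread: it lists every installed theme with the version from its style.css header, flags the themes that are neither the active one nor a named fallback as deletion candidates, and reports any copy of thumb.php or timthumb.php bundled inside any theme, active or not. The wp-content tree it examines is constructed in a temporary directory for the demo; the active theme slug is passed in as an argument rather than read from the database, and the TimThumb version is read from a define('VERSION', ...) line, which is assumed to be how the file records it.

```shell
#!/bin/sh
# Added example, not from the forum thread: inventory wp-content/themes,
# flag inactive themes (delete candidates) and locate bundled copies of
# thumb.php / timthumb.php, which sit on disk whether the theme is active
# or not. The theme tree below is constructed for the demo.

WP="$(mktemp -d)"

# mk_theme <slug> <version> [relative path of an extra file to create]
mk_theme() {
  dir="$WP/wp-content/themes/$1"
  mkdir -p "$dir"
  printf '/*\nTheme Name: %s\nVersion: %s\n*/\n' "$1" "$2" > "$dir/style.css"
  if [ -n "$3" ]; then
    mkdir -p "$(dirname "$dir/$3")"
    # Stand-in for a TimThumb file (constructed): only the VERSION line matters here.
    printf "<?php\ndefine ('VERSION', '0.0-constructed');\n" > "$dir/$3"
  fi
}
mk_theme twentytwelve 1.1
mk_theme twentyeleven 1.5
mk_theme photocrati   2.3 thumb.php
mk_theme oldtheme     1.0 scripts/timthumb.php

# theme_versions <wp-root>: "slug version" for every installed theme,
# taken from the Version: header in style.css ("unknown" if missing).
theme_versions() {
  for dir in "$1"/wp-content/themes/*/; do
    if [ ! -d "$dir" ]; then continue; fi
    slug="$(basename "$dir")"
    ver="$(sed -n 's/^Version:[[:space:]]*//p' "$dir/style.css" 2>/dev/null | head -n 1)"
    echo "$slug ${ver:-unknown}"
  done
}

# unused_themes <wp-root> <active-slug> [fallback-slug ...]
# Every installed theme that is neither active nor a fallback you chose to keep.
unused_themes() {
  root="$1"; active="$2"; shift 2
  for dir in "$root"/wp-content/themes/*/; do
    if [ ! -d "$dir" ]; then continue; fi
    slug="$(basename "$dir")"
    keep=0
    if [ "$slug" = "$active" ]; then keep=1; fi
    for fb in "$@"; do
      if [ "$slug" = "$fb" ]; then keep=1; fi
    done
    if [ "$keep" -eq 0 ]; then echo "$slug"; fi
  done
}

# bundled_thumbs <wp-root>: "path version" for every thumb.php / timthumb.php
# under any theme. The version comes from a define ('VERSION', '...') line
# (assumed TimThumb format); "unknown" if no such line exists.
bundled_thumbs() {
  find "$1/wp-content/themes" -type f \( -iname timthumb.php -o -iname thumb.php \) | sort \
    | while IFS= read -r f; do
        ver="$(sed -nE "s/.*define *\( *'VERSION' *, *'([^']+)'.*/\1/p" "$f" | head -n 1)"
        echo "${f#"$1"/} ${ver:-unknown}"
      done
}

echo "Installed themes (slug version):"; theme_versions "$WP" | sed 's/^/  /'
echo "Delete candidates (active: twentytwelve, kept fallback: twentyeleven):"
unused_themes "$WP" twentytwelve twentyeleven | sed 's/^/  /'
echo "Bundled TimThumb copies (path version):"; bundled_thumbs "$WP" | sed 's/^/  /'
```

On a real install, point the functions at the WordPress root instead of "$WP" and pass the active theme slug (the value of the template option in the database). Anything in the delete-candidates list can go; anything in the bundled-copies list belongs to a theme that should be updated or removed, and if the theme is not in the wordpress.org repository, the dashboard will not tell you about it.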


#4

It’s VERY very very rare that the Theme Team deletes a theme anymore from .org (there was a huge purge a few years back, though). The last time it happened en masse was ironically when they yanked TimThumb. That’s no longer permitted in the theme repo at all now.

If you’re using a theme that is no longer in the .org repo, it’s a sign you need a new theme OR someone who knows WP like their hands to keep yours up to date. Of course, just to mess with your head, a non-updated theme/plugin doesn’t mean it won’t work with new WP. It’s all super annoyingly complex :confused: I can talk at length about it if you give me half a chance and a drink.


#5

That sounds a bit harsh on the independent developers out there. Let’s not forget that the wp.org repo has been the primary disperser of exploitable code to date.


#6

I disagree and would love to see a source cited on that one.

The wp.org plugin repository, I can see that being true, but not the theme repository. They’re separate entities, managed by separate teams, too. I’m actually on the plugin review team, and I can say, without a doubt, that any theme you download from WordPress.org is safe as houses. I will not say that of plugins. Every single theme is reviewed, and every change to every theme is reviewed.

If I had to pick a number one source of exploited theme code, it would be themeforest, for exactly the same reason as the wp.org plugin repo: We don’t have ongoing oversight.


#7

I could cite your previous post.

There’s nothing ironic about the yanking; they yanked it after they realised they were dishing out exploitable code which was available to all users with just a few trusted clicks in their own admin dashboard.

Did they write it? No. Did they disperse it en masse? Yes.


#8

Was WPORG the “primary disperser of exploitable code to date”? No :slight_smile:

That’s what I’m disagreeing with. I think there’s another site that has that honor, alas.


#9

http://wordpress.org/download/release-archive/
http://wordpress.org/extend/themes/
http://wordpress.org/extend/plugins/


#10

We’re gonna have to agree to disagree here. I feel there’s another WP theme site that has the dubious honor of being the “primary disperser of exploitable code” in the WP universe.