Summary
- Except for cases where a serious security vulnerability is known to exist, WP NET Support will not update WordPress themes unless requested via support ticket
- General, non-security related theme updates remain the responsibility of the customer
- If a security update or patch is made available by a theme author, WP NET will - where possible - install the updates (details below)
WordPress Theme Updates and Security
Publicised security issues in WordPress themes are relatively rare compared with plugins, but that does not mean themes are any less susceptible to vulnerabilities. The more likely explanation is that plugins have a much larger user base and are subject to far greater scrutiny, so their flaws are found and reported more often.
Plugins in the WordPress.org Plugin Directory are reviewed by the WordPress security team, the plugin author(s), curious independent developers and users. By comparison, most WordPress sites use "premium" themes that are not included in any public repository and so are never subjected to the same level of scrutiny.
Having said that, most reputable theme authors do take security very seriously and many invest some of their earnings from theme sales in having their themes reviewed by third-party security services to help identify problems and give their customers some degree of assurance.
WP NET recommends that customers only purchase themes from reputable sources that clearly state their policies regarding on-going support and updates for their themes.
Premium Themes
Unlike plugins, where a site typically runs a mix of free plugins from the WordPress.org directory (which can be updated from the Dashboard) and premium plugins, most sites run a single premium theme obtained outside any public repository, and the update process is quite different.
Many premium themes include no built-in automatic update functionality and therefore have to be updated manually, by uploading the new theme files to the server and replacing the existing ones. Note that replacing the theme directory overwrites any edits made directly to the theme files, so customisations should be kept in a child theme, where they survive updates. Some theme authors do provide automatic updaters, and thankfully this is becoming more common. In most cases, enabling automatic theme updates requires the customer to enter a license activation code in the WordPress Dashboard; until that is done, the site cannot install updates via the auto-updater.
If a security issue is discovered in a theme and an update is made available, WP NET often cannot install the patched version, because the update is only available to the license holder and we have no access to it. In these cases we have no choice but to contact the customer, advise them of the issue and the recommended course of action, and leave it to the customer to obtain and supply the update.
To summarise, if a serious security vulnerability is discovered in a WordPress theme used by our customers:
- If an auto-updater is available and authorised on the site, we will notify the customer and request that they install the update as soon as possible
- If we get no response in a reasonable amount of time and we deem the risk from the vulnerable theme to be significant, we will install the update
- If we are able to obtain a patched version, we may manually install the theme update for the customer (depending on the deemed level of risk from the vulnerable theme)
- If we have no means by which to obtain a patch update for the theme (or none is available) we will contact the customer and request that they urgently contact the theme author and request a patch
- If and when the author provides a patch update, the customer should install the update
DISCLAIMER: WP NET accepts no responsibility for any data loss, site defacement or other malicious activity that may occur due to a website compromise as a direct result of an exploited WordPress plugin or theme.
WordPress Default Themes
Each year, WordPress releases a new default theme. The default themes are named after the year of release, e.g. Twenty Ten, Twenty Eleven and so on.
The WordPress default themes are very rarely used by our customers; in fact, having hundreds of copies of Twenty Twelve on our servers is a bit of a nuisance and needlessly occupies disk and backup space. They are still code present on the server, however, so they must either be kept up to date or removed.
Because the WordPress default themes are carefully reviewed by the WordPress security team and the WordPress community, and their occasional updates are very stable, WP NET deploys updates for the default themes. We do this to ensure compatibility with whichever version of WordPress core you happen to be running and to keep the security fixes and bugfixes in the default themes current.