With the exception of known, serious security vulnerabilities, WordPress theme updates are not included as part of our Managed WordPress support service.
- General, non-security related theme updates are the responsibility of the customer
- WP NET recommends that customers keep their WordPress theme(s) up-to-date
- Critical security patches and updates for WordPress themes may be installed by WP NET (details below)
- Please review our WordPress Plugin Update Policy and our WordPress Core Update Policy
WORDPRESS THEME UPDATES AND SECURITY
Generally speaking, publicised security issues with WordPress themes are relatively rare compared to security issues with plugins, but that does not mean themes are any less susceptible to vulnerabilities. The difference is largely one of exposure: plugins often have a much larger user base and so receive a greater degree of scrutiny, which means more of their flaws are found and reported.
Plugins in the WordPress.org Plugin Directory are reviewed by the WordPress.org plugin review team on submission, and thereafter by the plugin author(s), curious independent developers and users. By comparison, many WordPress sites use "premium" themes that are not distributed through any public repository and so are not subjected to the same level of scrutiny.
Having said that, most reputable theme authors do take security very seriously and many invest some of their earnings from theme sales in having their themes reviewed by third-party security services to help identify problems and give their customers some degree of assurance.
WP NET recommends that customers only purchase themes from reputable sources that clearly state their policies regarding on-going support and updates for their themes.
With plugins, users typically run a mix of free (WordPress.org) and premium plugins, and the free ones at least can be updated from within WordPress. The situation with themes is quite different.
Many premium themes do not include any built-in automatic update functionality and therefore need to be updated manually, by uploading the new theme files to the server and replacing the existing files. Some theme authors do provide automatic updaters, and thankfully this is becoming more common, but it is still far from the norm. In most cases, enabling automatic theme updates also requires the customer to enter a licence activation code somewhere in the WordPress Admin; if this is not done, the site will not be able to install updates via the auto-updater.
If a security issue is discovered in a theme and an update is made available, WP NET often cannot install the patched version, because we have no access to the update. In these cases we have no choice but to contact the customer, advise them of the issue and the recommended course of action, and leave it to the customer to actually obtain and install the update.
To further complicate matters, some users modify their theme files directly, which means that when an update is installed those changes are overwritten and lost. Customisations to a theme should always be made in a WordPress child theme, which lives in its own directory and is untouched by updates to the parent theme, but many users still do not do this. This is one of the reasons that theme authors are sometimes reluctant to provide automatic updates: if a customer has edited the theme, the auto-updater overwrites their changes, and the theme author is subsequently contacted by a disgruntled customer.
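Before a manual theme upload is applied, it is worth checking which themes are on the site and whether the one being replaced has been edited locally. The following script is an added example, not WP NET's own tooling: it reads the standard `style.css` header that every WordPress theme carries (`Theme Name`, `Version`, and `Template`, the last of which marks a child theme), classifies each theme directory, and compares a deployed theme against a pristine copy (the vendor's zip, unpacked) file by file using SHA-256 so that edits an update would overwrite are visible beforehand. The theme names, the `wp-content/themes` tree and the "pristine" copy are all constructed in a temporary directory for the demonstration and are not real themes.

```python
"""Inventory a wp-content/themes directory and flag locally modified theme files.

Added example (not WP NET's tooling). Assumes the normal WordPress layout:
one sub-directory per theme, each with a style.css whose header comment
declares Theme Name, Version and, for a child theme, Template (parent slug).
"""
import hashlib
import os
import re
import tempfile

# Matches "Field: value" lines inside the style.css header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version|Template):\s*(.+?)\s*$", re.M)


def parse_style_header(style_css: str) -> dict:
    """Return the Theme Name / Version / Template fields found in a style.css header."""
    return {field: value for field, value in HEADER_RE.findall(style_css)}


def inventory(themes_dir: str) -> list:
    """One record per theme directory: slug, name, version and kind."""
    records = []
    for slug in sorted(os.listdir(themes_dir)):
        path = os.path.join(themes_dir, slug, "style.css")
        if not os.path.isfile(path):
            continue  # not a theme (e.g. the stray index.php WordPress drops there)
        with open(path, encoding="utf-8", errors="replace") as fh:
            hdr = parse_style_header(fh.read())
        name = hdr.get("Theme Name", slug)
        if hdr.get("Template"):
            kind = "child of " + hdr["Template"]      # safe to keep across parent updates
        elif name.startswith("Twenty "):
            kind = "default"                          # WordPress.org default theme
        else:
            kind = "third-party"                      # premium/manual update territory
        records.append({"slug": slug, "name": name,
                        "version": hdr.get("Version", "?"), "kind": kind})
    return records


def _file_hashes(root: str) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def modified_files(deployed: str, pristine: str) -> dict:
    """Files in the deployed theme that differ from, were added to, or are missing from the pristine copy."""
    d, p = _file_hashes(deployed), _file_hashes(pristine)
    return {
        "changed": sorted(f for f in d if f in p and d[f] != p[f]),
        "added": sorted(f for f in d if f not in p),
        "removed": sorted(f for f in p if f not in d),
    }


def build_sample_site() -> dict:
    """Construct a throwaway themes/ tree plus a pristine vendor copy (constructed data, not real themes)."""
    root = tempfile.mkdtemp()
    themes = os.path.join(root, "themes")
    pristine = os.path.join(root, "vendor-acme-2.0")

    def write(base, rel, text):
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    write(themes, "twentytwelve/style.css", "/*\nTheme Name: Twenty Twelve\nVersion: 3.1\n*/\n")
    write(themes, "acme/style.css", "/*\nTheme Name: Acme\nVersion: 2.0\n*/\n")
    # header.php carries a local edit that a theme update would silently overwrite.
    write(themes, "acme/header.php", "<?php wp_head(); ?>\n<script src=\"/tracking.js\"></script>\n")
    write(themes, "acme/functions.php", "<?php\n")
    write(themes, "acme-child/style.css", "/*\nTheme Name: Acme Child\nTemplate: acme\nVersion: 1.0\n*/\n")
    write(pristine, "style.css", "/*\nTheme Name: Acme\nVersion: 2.0\n*/\n")
    write(pristine, "header.php", "<?php wp_head(); ?>\n")
    write(pristine, "functions.php", "<?php\n")
    write(pristine, "readme.txt", "Acme theme\n")
    return {"themes": themes, "deployed_acme": os.path.join(themes, "acme"), "pristine": pristine}


def run_demo() -> tuple:
    """Build the sample site and return (inventory, modifications to the acme theme)."""
    site = build_sample_site()
    return inventory(site["themes"]), modified_files(site["deployed_acme"], site["pristine"])


if __name__ == "__main__":
    inv, mods = run_demo()
    for rec in inv:
        print(f"{rec['slug']:<14} {rec['version']:<6} {rec['kind']}")
    print("locally modified:", mods)
```

On a real site, point `inventory()` at `wp-content/themes` and `modified_files()` at the deployed theme directory and the unpacked vendor zip of the same version. Anything listed under `changed` or `added` is work that belongs in a child theme before the update is applied; `removed` files are normally harmless but worth a glance, since a missing file in a deployed copy can also indicate a partial or tampered install.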
To summarise, if a serious security vulnerability is discovered in a WordPress theme used by our customers:
- If an auto-updater is available and licensed on the site, we will notify the customer and ask them to install the update as soon as possible
- If we get no response within a reasonable time and we deem the risk from the vulnerable theme to be significant, we will install the update ourselves
- If we are able to obtain a patched version by other means, we may manually install the theme update for the customer (depending on the deemed level of risk from the vulnerable theme)
- If we have no means of obtaining a patched version of the theme (or none is available) we will contact the customer and ask them to urgently contact the theme author and request a patch
- If and when the author provides a patched version, the customer should install it
DISCLAIMER: WP NET accepts no responsibility for any data-loss, site defacement or other malicious activity that may occur due to a website compromise as a direct result of an exploited WordPress plugin or theme.
WORDPRESS DEFAULT THEMES
Each year, WordPress releases a new default theme. The default themes are named for the year in which they are released, e.g. Twenty Ten, Twenty Eleven and so on.
The WordPress default themes are very rarely used by any of our customers, and in fact, having hundreds of copies of Twenty Twelve on our servers is a bit of a nuisance and needlessly occupies disk and backup space.
Because the WordPress default themes are carefully reviewed by the WordPress core team and the wider WordPress community, and because their occasional updates are very stable, WP NET will deploy updates for WordPress default themes. We do this to ensure compatibility with whatever version of WordPress core you happen to be running and to keep the security and bug fixes in the default themes current.