WordPress is often considered to be the most unprotected blogging platform but this is only a half-of-true. It remains indecently free and is named as the most common and comfortable for millions of users. That’s why the number of WP-themes’ downloads is calculated in millions every day.
We’ll leave aside skepticism and note that paid platforms rarely guarantee complete security. Speaking about the WordPress we have to admit that vulnerabilities exist both in the kernel of source code itself and in themes that can contain so-called “bottlenecks”. They are often used by hackers for their unlawful purposes.
First we will consider the main problems that owners of some free (sometimes even paid templates) face, and then reveal their solution to ensure maximum security for your WP-based web-site.
1. Spam links
WP-templates’ developers usually put a back-link to their own site or web-page when creating templates.
This is the most innocuous option which is moreover most widespread including paid templates. The stipulation for removing the author’s link in the paid WP-themes is usually discussed additionally, but many web-developers insist on leaving it (for example, if the web studio initially puts their links at all sites, even governmental ones)
More danger is kept in WordPress themes that contain codes for dynamic link generation, depending on the needs of their developer. Such a mechanism is often used to promote certain sites using black SEO tools: links can be changed at any time, and sites that use the infected templates will transfer a certain weight to their donors.
Plugins are used in numerous WordPress templates making them more dynamic and user-friendly. That’s why plugins themselves are still “a gold mine” for attackers who search for WordPress vulnerabilities and use them for their insidious purposes until the developers discover these vulnerabilities, and even more so – until the user updates the installed plug-in.
Substitution of POST and GET method is, on the one hand, the most unpardonable mistake for any programmer, but on the other it is the most basic option for obtaining any data from the websites of inexperienced bloggers who will not immediately discover a flaw in their own site. We can make suppose that even experienced people do not always pay attention to the address line which first reveals the substitution.
Buttons with a “double bottom” that call two or more functions when pressed – the main one, which simultaneously masks the execution of the second function (and other) – that is masked by an attacker. All buttons are always associated with executable scripts that remain being “terra incognita” for many users.
5. Hacker codes
Hacker codes in scripts that are associated with templates. For example we’ll mention the ‘timhtumb.php’ script of automatic image scaling that is very often used when creating themes for WordPress. There once were several critical vulnerabilities in it which were subsequently removed during the update. Nevertheless, some of the templates in the network are still vulnerable due to using an old version of this script.
So there are enough problems with WordPress templates, but they can all be solved with one-finger-click.
Finally we’ll give you some useful tips:
- do not take risks downloading free templates if you are not sure of their complete security. If you have not mastered WordPress good enough yet and you want to practice first – you should try downloading and installing templates from the official WordPress.Org site;
- you must remember that some inexpensive templates can contain links to the developer’s site but this is usually prescribed in the terms of their purchase;
- more and custom-made WordPress themes in most cases are deprived of all the above-mentioned vulnerabilities, and therefore can be used without any limitation.