Plugins bundled in WordPress themes can only be updated by the theme developers, so WordPress site owners are often unaware of vulnerabilities in their own site.

By Graeme Caldwell

Users of WordPress have come to expect a degree of functionality from themes that can’t easily be provided by theme developers alone. Elements like sliders take a lot of time and effort to code and maintain. It’s easier for a theme developer to pay another developer and incorporate their pre-built features.

There’s nothing wrong with this in principle. Code reuse is usually encouraged, particularly in the open source world where developers often build on the work of others. But in the case of WordPress themes and bundled plugins there is a problem.

When you install a plugin on your WordPress site in the normal way, updates are tracked by WordPress itself (for plugins hosted in the WordPress.org directory; premium plugins ship their own update checks). Available updates appear in the plugin list, clearly marked. When a security patch is released, site owners are made aware through the admin interface and can update in a couple of clicks, closing any vulnerabilities that have been found.

That can’t happen with plugins and other code that is bundled inside themes. The update check only knows about the theme as a single package; a plugin copied into the theme’s directory is invisible to it. Of course, themes can be updated, but for users to update their installed theme the theme itself has to have been updated by the developer. The responsibility to update rests entirely with the theme developer. If they choose not to refresh the code inside their theme, it will remain vulnerable to any exploits that attackers have discovered. And there’s not much the average WordPress user can do about it.
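The one thing a site owner can do is find out what is actually bundled. Every WordPress plugin’s main file carries a comment header (`Plugin Name:`, `Version:`), and WordPress reads it from the first 8 KiB of the file; a theme’s own files carry a `Theme Name:` header instead, so a scan of `wp-content/themes` for plugin headers lists exactly the copies the updater will never see. The script below is an added example, not code from the article or from any theme or plugin vendor. It builds a small constructed theme tree in a temporary directory rather than reading a real install, and the “Example Carousel” plugin, its version numbers and the `latest_known` table are invented for the demonstration; on a real site you would point `find_bundled_plugins` at your themes directory and fill `latest_known` from the vendors’ own release notes.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment block in the first 8 KiB of a
# plugin's main file; these patterns mirror the keys (and the leading
# comment-decoration characters) that its header parser accepts.
HEADER_BYTES = 8192
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.M | re.I)


def read_plugin_header(php_file):
    """Return {'name', 'version'} if the file carries a plugin header, else None."""
    with open(php_file, "rb") as fh:
        head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    name = PLUGIN_NAME_RE.search(head)
    if not name:
        return None
    version = VERSION_RE.search(head)
    return {
        "name": name.group(1).strip(),
        "version": version.group(1).strip() if version else "",
    }


def find_bundled_plugins(themes_root):
    """Walk a wp-content/themes directory and list every plugin header found
    below a theme directory. Theme files use 'Theme Name:', so only embedded
    plugin copies match."""
    themes_root = Path(themes_root)
    found = []
    for theme_dir in sorted(p for p in themes_root.iterdir() if p.is_dir()):
        for php in sorted(theme_dir.rglob("*.php")):
            header = read_plugin_header(php)
            if header:
                found.append({"theme": theme_dir.name,
                              "path": php.relative_to(themes_root).as_posix(),
                              **header})
    return found


def version_tuple(version):
    """'4.1.4' -> (4, 1, 4); good enough for the dotted numbers plugins use."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def stale_copies(bundled, latest_known):
    """Flag bundled copies older than the version you know to be current.
    latest_known maps plugin name -> version string from the vendor."""
    return [b for b in bundled
            if b["name"] in latest_known
            and version_tuple(b["version"]) < version_tuple(latest_known[b["name"]])]


def build_sample_tree(root):
    """Constructed fixture: one theme that embeds a plugin under inc/, one that
    does not. The plugin name and versions are invented for this example."""
    root = Path(root)
    acme = root / "acme-theme"
    (acme / "inc" / "carousel").mkdir(parents=True)
    (acme / "style.css").write_text("/*\nTheme Name: Acme\nVersion: 1.0\n*/\n")
    (acme / "functions.php").write_text("<?php\nrequire 'inc/carousel/carousel.php';\n")
    (acme / "inc" / "carousel" / "carousel.php").write_text(
        "<?php\n/*\n * Plugin Name: Example Carousel\n * Version: 4.1.4\n */\n")
    plain = root / "plain-theme"
    plain.mkdir()
    (plain / "style.css").write_text("/*\nTheme Name: Plain\nVersion: 2.3\n*/\n")
    (plain / "functions.php").write_text("<?php\n// nothing bundled here\n")
    return root


def run_demo():
    """Build the fixture, scan it, and report bundled and stale copies."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = build_sample_tree(tmp)
        bundled = find_bundled_plugins(themes)
        latest_known = {"Example Carousel": "4.6.0"}   # assumed vendor release
        stale = stale_copies(bundled, latest_known)
    for b in bundled:
        mark = "STALE" if b in stale else "ok"
        print(f"{b['theme']}: {b['name']} {b['version']} at {b['path']} [{mark}]")
    return {"bundled": bundled, "stale": stale}


if __name__ == "__main__":
    run_demo()
```

One caveat: some themes ship plugins as `.zip` archives (installed later through a theme-activation step) rather than as extracted PHP, so a scan for headers in `.php` files will miss those; listing `*.zip` under the theme directory catches the rest. Either way the version you find has to be checked by hand against the vendor, since that is precisely the step WordPress cannot do for you.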

The issue caused a serious problem when Sucuri discovered a critical bug in Slider Revolution, a popular carousel plugin that is present in hundreds of themes. WordPress users who had installed Slider Revolution as a plugin on their site were able to update as normal. Users who had received it as part of their theme had to rely on their theme’s developer to update.

Of course that wouldn’t be a problem if theme developers did update, but many of them don’t. Encouraged by theme marketplaces, theme development has become more about cramming in as many features as feasible and creating as many theme variants as possible than about decent long-term support. That’s not entirely the fault of developers; the economics of theme development are not what they should be.

What can the average WordPress user do to reduce their exposure? Not much, short of buying themes without bundled plugins, which asks a lot given that the bundled plugins provide much of the functionality people want. I would advise WordPress users to judge the themes they buy carefully. Research the developer and their support history. Don’t buy themes that haven’t been updated in years. And buy themes with the bare minimum of built-in features. Sure, that drag-and-drop page builder looks awesome, but if you aren’t going to use it, don’t buy a theme that includes it. The idea is to limit your site’s exposure: every bundled component is attack surface you cannot patch yourself.

If you have some experience with WordPress and web development, it is almost certainly better to opt for a theme framework like Genesis, which doesn’t bundle plugins with its themes. It’s not difficult to install the plugins separately, and, although in the case of premium plugins you’ll have to pay extra, by doing so you establish a direct relationship with the plugin’s developer and gain control over any updates it might need.

Graeme Caldwell works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog, http://blog.nexcess.net/.
