Authors need more knowledge on creating secure WordPress Themes

Last week, Wp Tavern highlighted the progress being made by the Theme Review Team in clearing out a 1K+ review backlog. In an effort to determine common problems with themes discovered by reviewers, Carolina Nymark, a member of the Theme Review Team, reviewed 100 tickets from 531 themes that were closed and marked not approved between December and February. Nymark cautions that the data does not assure statistical accuracy and is not representative of the entire directory.

Her assessment shows that the most common problems discovered by reviewers were:

  • Missing escaping or using the wrong functions: 23 themes
  • Text that is not translation ready: 21 themes
  • Missing prefix: 20 themes
  • Scripts or styles are not enqueued: 18 themes
  • PHP notices, errors or warnings: 12 themes
  • Style tags does not correspond with theme functionality, or are deprecated: 10 themes

Nymark also reviewed 100 out of 177 new themes that went live between December and February. Out of these themes, the most common problems were:

  • Missing escaping or using the wrong functions: 51 Themes
  • Text that is not translation ready: 44 Themes
  • Missing prefix: 39 Themes
  • Missing license or copyright information for included assets: 34 Themes
  • Unused code or files: 25 Themes
  • PHP notices, errors or warnings: 20 Themes
  • Missing sanitization, or using the wrong functions: 18 Themes
  • Options in the customizer that are not working: 18 Themes

Last Friday, Jose Castaneda, Ulrich Pogson, and Nymark participated in a voice chat with Matt Mullenweg, co-creator of the WordPress project, to discuss the future of the theme directory. The team discussed ideas around automation, improving the theme preview experience, and content portability. One of the experiments Mullenweg proposed is to remove the manual review process and rely more on user feedback. Feedback could include, tags, reviews, and other meta data.

“As we are not sure if the process will function without manual reviews, we will start working on getting better user feedback on themes,” Pogson said. “Once we have a good infrastructure in place we can experiment with how the repository reacts with no manual reviews.

“We discussed the process we would go about making decisions on changes to the theme repository and came to the consensus that a direct democracy is too fragile and representative democracy would be a better solution.”

Security, code errors, and prefixing, were also mentioned in the conversation as the most common issues encountered with themes. The team was given a series of tasks to complete and will report the results to Mullenweg at a later date.

New Theme Check Plugin Will Detect Common Security Issues

The Theme Handbook doesn’t have a chapter on security but it does link to a series of articles on writing secure themes in the resources section. Justin Tadlock, Key Reviewer, says work is underway on a new Theme Check plugin that will automatically detect security issues commonly seen during the manual review process. These include escaping and data sanitization.

“If we could get the greater theme developer community to pitch in and help get this finished, it would be awesome,” Tadlock said. “Even outside of, ThemeForest and commercial theme shops could really use this.”

Source: WP Tavern

Share this post if you like it.
Worda Team
Worda Team

Our team of WordPress professionals will help you stay on the latest WP topics, resolve any problem or issue with the WordPress website or provide useful advice. Feel free to get in touch with us. :)

Leave a Reply

Your email address will not be published. Required fields are marked *