Data From Theme Reviews Shows Authors Need More Education on Developing Secure WordPress Themes

Last week, we highlighted the progress being made by the Theme Review Team in clearing out a 1K+ review backlog. In an effort to determine common problems with themes discovered by reviewers, Carolina Nymark, a member of the Theme Review Team, reviewed 100 tickets from 531 themes that were closed and marked not approved between December and February. Nymark cautions that the data does not assure statistical accuracy and is not representative of the entire directory.

Her assessment shows that the most common problems discovered by reviewers were:

  • Missing escaping or using the wrong functions: 23 themes
  • Text that is not translation ready: 21 themes
  • Missing prefix: 20 themes
  • Scripts or styles are not enqueued: 18 themes
  • PHP notices, errors or warnings: 12 themes
  • Style tags do not correspond with theme functionality, or are deprecated: 10 themes

Nymark also reviewed 100 out of 177 new themes that went live between December and February. Out of these themes, the most common problems were:

  • Missing escaping or using the wrong functions: 51 themes
  • Text that is not translation ready: 44 themes
  • Missing prefix: 39 themes
  • Missing license or copyright information for included assets: 34 themes
  • Unused code or files: 25 themes
  • PHP notices, errors or warnings: 20 themes
  • Missing sanitization, or using the wrong functions: 18 themes
  • Options in the customizer that are not working: 18 themes

Last Friday, Jose Castaneda, Ulrich Pogson, and Nymark participated in a voice chat with Matt Mullenweg, co-creator of the WordPress project, to discuss the future of the theme directory. The team discussed ideas around automation, improving the theme preview experience, and content portability. One of the experiments Mullenweg proposed is to remove the manual review process and rely more on user feedback. Feedback could include tags, reviews, and other metadata.

“As we are not sure if the process will function without manual reviews, we will start working on getting better user feedback on themes,” Pogson said. “Once we have a good infrastructure in place we can experiment with how the repository reacts with no manual reviews.

“We discussed the process we would go about making decisions on changes to the theme repository and came to the consensus that a direct democracy is too fragile and representative democracy would be a better solution.”

Security, code errors, and prefixing were also mentioned in the conversation as the most common issues encountered with themes. The team was given a series of tasks to complete and will report the results to Mullenweg at a later date.

New Theme Check Plugin Will Detect Common Security Issues

The Theme Handbook doesn’t have a chapter on security but it does link to a series of articles on writing secure themes in the resources section. Justin Tadlock, Key Reviewer, says work is underway on a new Theme Check plugin that will automatically detect security issues commonly seen during the manual review process. These include escaping and data sanitization.
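To make concrete what the review data and the planned Theme Check plugin target, here is an added example (not code from the article, the Theme Review Team, or the Theme Check plugin) of a theme snippet that would be rejected on escaping, sanitization, prefixing, enqueueing and translation grounds, followed by a corrected version. The `wptx_` prefix, the `wptx` text domain, the option names and the `js/app.js` path are assumptions for illustration.

```php
<?php
// Added example for a theme's functions.php; names prefixed wptx_ are hypothetical.

// --- BEFORE: the patterns the review data flags most often ---
function setup() {  // unprefixed: collides with any other global setup()
    // Script printed by hand instead of enqueued; no dependency or version handling.
    echo '<script src="' . get_template_directory_uri() . '/js/app.js"></script>';
}
function show_tagline() {
    // Option value printed unescaped, and the label is not translation ready.
    echo '<p class="tagline">Tagline: ' . get_theme_mod( 'tagline' ) . '</p>';
}

// --- AFTER: prefixed, enqueued, sanitized on input, escaped on output ---
function wptx_enqueue_assets() {
    wp_enqueue_script( 'wptx-app', get_template_directory_uri() . '/js/app.js', array(), '1.0.0', true );
}
add_action( 'wp_enqueue_scripts', 'wptx_enqueue_assets' );

function wptx_customize_register( $wp_customize ) {
    // A sanitize_callback is required on every setting: plain text and URLs
    // each get the sanitizer that fits their type.
    $wp_customize->add_setting( 'wptx_tagline', array(
        'default'           => '',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
    $wp_customize->add_setting( 'wptx_cta_url', array(
        'default'           => '',
        'sanitize_callback' => 'esc_url_raw',
    ) );
    $wp_customize->add_control( 'wptx_tagline', array(
        'label'   => esc_html__( 'Tagline', 'wptx' ),  // translation-ready, escaped label
        'section' => 'title_tagline',
        'type'    => 'text',
    ) );
    $wp_customize->add_control( 'wptx_cta_url', array(
        'label'   => esc_html__( 'Call-to-action URL', 'wptx' ),
        'section' => 'title_tagline',
        'type'    => 'url',
    ) );
}
add_action( 'customize_register', 'wptx_customize_register' );

function wptx_tagline_html() {
    // Escape at output, choosing the function for the context: esc_url for the
    // href, esc_attr inside an attribute, esc_html for the text node.
    $tagline = get_theme_mod( 'wptx_tagline', '' );
    $url     = get_theme_mod( 'wptx_cta_url', '' );
    return sprintf( '<p class="tagline">%1$s <a href="%2$s" title="%3$s">%4$s</a></p>',
        esc_html__( 'Tagline:', 'wptx' ), esc_url( $url ), esc_attr( $tagline ), esc_html( $tagline ) );
}
```

Sanitizing on the way in does not replace escaping on the way out: the stored value may later be edited by other code or imported from elsewhere, so the output function is chosen by where the value lands in the markup.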

“If we could get the greater theme developer community to pitch in and help get this finished, it would be awesome,” Tadlock said. “Even outside of WordPress.org, ThemeForest and commercial theme shops could really use this.”

Members of the TRT are testing the plugin behind the scenes and are working to eliminate false positives. The best way to get involved in the project is to view the issue tracker and submit pull requests. Once the new Theme Check plugin is live, it will give authors another tool at their disposal for developing more secure WordPress themes.
