There’s a huge problem with the way many WordPress themes are currently built, marketed, and sold.
The ecosystem is beginning to change, ever so slowly, but major changes need to be made for the good of the WordPress platform, theme marketplaces, and the agencies and clients that rely on themes.
Over 1,000 WordPress themes were affected by this security vulnerability (the Slider Revolution problem discussed later in this post), which allows attackers to take control of an entire website. A list of affected themes can be found on the ThemeForest site, along with the themes whose authors have already shipped the necessary security update.
How and Why This Happened
Updating WordPress core, themes, and plugins is normally not a big issue. You log in, you see what updates are available, you update everything, and life goes on as normal. Many theme and plugin authors know ahead of time what sorts of changes are coming to WordPress core and are able to plan accordingly. Plugins that are installed separately can be updated by site administrators as soon as those updates are released. Here is where a big part of the problem lies.
Some theme authors either bundle free plugins or use a developer license to bundle premium WordPress plugins in their themes, especially in theme marketplaces like Envato. Theme purchasers are then reliant on the theme author to first update the plugin inside the theme; secondly, notify all of their customers of the update; and lastly make sure that everyone has an opportunity to follow through with the update. That is more steps than simply logging in and updating the plugin, and a lot more places where security can fail: a patched version of the plugin can exist for weeks while the copy shipped inside the theme stays vulnerable.
Many site owners don’t have the resources or inclination to keep up with updating WordPress core or plugins, even when those are one-click automated in the admin area. How is it reasonable (or ethical) to make it more difficult to install updates that are critical to security and functionality? This sentiment is echoed below by a ThemeForest user:
“This is why I absolutely hate themes that pack every known popular plugin into their theme. OK, it saves me $15 buying the plugin, but I am at the author's mercy when they fix issues / updates to the plugin, as I don't get my own purchase code.”
— Gareth_Gillman (on the ThemeForest forums)
The beauty of separating plugins from themes is that if a plugin breaks something, or is found to be vulnerable, you can simply deactivate or update it. When plugins are baked into the theme, you can't do that. You have to change the theme itself, or rely on the theme author to update the entire theme to carry the fixed plugin.
When Custom Post Types Are Theme Dependent
Custom Post Types that are built into a WordPress theme are also not portable. This means that if you ever want to change the theme of the site, much of the content will need to be redone from scratch. Custom Post Types are just specialized Posts that have their own set of metadata. In the database, ordinary Posts have a post_type equal to 'post'. The post_type for a Custom Post Type can be named anything, but it must be unique. Many themes with built-in functionality, and many plugins, create Custom Post Types to get stuff done.
But here’s the major difference between using a theme bundled with plugins and a more flexible theme, where the plugins are added separately.
With the plugin-bundled theme, some of your data is tied to the theme itself. Changing themes means that those theme-dependent Custom Post Types are not going to travel to the new theme. Imagine you own a site where you have spent the last two years publishing portfolio pages or case studies. On your current theme, Portfolio CPTs might have a post_type of 'portfolio'. In another theme, the Portfolio CPT might have a post_type of 'this_theme_portfolio'. The new theme will not query or display the rows stored under the old name, so even if you wanted to change themes, suddenly you are looking at a ton of work to rewrite all of those pages in your new theme.
This means your website is locked into a particular theme, because redoing existing pages, and redirecting old links is more work than simply keeping your existing theme. Maybe that’s a huge side benefit for theme authors, but it creates a problem for site owners.
The better way to do things is to decouple all the data in your pages from the theme itself. This way, you can always change themes whenever you need to without losing all your information. This also allows site owners to freshen up their site every couple of years. Separating structure from presentation has long been a philosophy of web development, and something that early web standards pioneers fought arduously for. From a practicality standpoint, having portable information offers a lot more flexibility for both the client and the developer in the WordPress ecosystem.
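Both of the coupling problems above, plugins shipped inside a theme directory (which the admin screen will never offer to update) and post types registered in theme code (whose content stays behind on a theme switch), are visible in the files on disk. The following audit script is an added example, not code from the original post, from WordPress, or from ThemeForest: it walks a wp-content tree, reports every plugin header found under themes/ together with the version of any standalone copy under plugins/, and lists every register_post_type() call made from theme code. The sample theme and plugin names (bigtheme, plaintheme, sampleslider) and the version numbers are constructed for the demo and are not real products.

```shell
#!/bin/sh
# Audit a wp-content tree for theme coupling (added example, not WordPress code).
#  1. plugin headers found under themes/  -> plugins bundled into a theme
#  2. register_post_type() calls in theme PHP -> post types tied to the theme
# All theme/plugin names and versions below are constructed samples.

# Print the "Version:" header value of a plugin main file, or "unknown".
plugin_version() {
    v=$(grep -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1" |
        sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$v" ] && echo "$v" || echo "unknown"
}

# One line per plugin bundled under themes/:
#   <theme> <plugin slug> <bundled version> <standalone version or ->
# A "-" means no separately installed copy exists, so nothing in the admin
# screen will ever offer an update for that code.
bundled_plugins() {
    wc="$1"    # path to wp-content
    find "$wc/themes" -name '*.php' \
        -exec grep -lE '^[[:space:]]*\*?[[:space:]]*Plugin Name:' {} + 2>/dev/null |
    while read -r f; do
        theme=$(echo "$f" | sed "s|^$wc/themes/||; s|/.*||")
        slug=$(basename "$(dirname "$f")")
        bundled=$(plugin_version "$f")
        standalone="-"
        if [ -d "$wc/plugins/$slug" ]; then
            main=$(grep -lE '^[[:space:]]*\*?[[:space:]]*Plugin Name:' \
                   "$wc/plugins/$slug"/*.php 2>/dev/null | head -n 1)
            [ -n "$main" ] && standalone=$(plugin_version "$main")
        fi
        echo "$theme $slug $bundled $standalone"
    done
}

# One line per register_post_type() call found in theme code: <theme> <post_type>
theme_post_types() {
    wc="$1"
    find "$wc/themes" -name '*.php' \
        -exec grep -HoE "register_post_type\([[:space:]]*['\"][A-Za-z0-9_-]+['\"]" {} + 2>/dev/null |
    while IFS=: read -r f match; do
        theme=$(echo "$f" | sed "s|^$wc/themes/||; s|/.*||")
        pt=$(echo "$match" | sed -E "s/.*['\"]([^'\"]+)['\"]$/\1/")
        echo "$theme $pt"
    done
}

# Build a constructed sample wp-content tree in a temp dir and print its path:
# "bigtheme" bundles an old copy of a plugin and registers its own post type,
# a newer standalone copy of the same plugin sits in plugins/, and
# "plaintheme" does neither.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/bigtheme/inc/plugins/sampleslider" \
             "$d/themes/plaintheme" "$d/plugins/sampleslider"
    printf '<?php\n/*\nPlugin Name: Sample Slider\nVersion: 4.1.4\n*/\n' \
        > "$d/themes/bigtheme/inc/plugins/sampleslider/sampleslider.php"
    printf "<?php\nregister_post_type( 'this_theme_portfolio', array() );\n" \
        > "$d/themes/bigtheme/functions.php"
    printf '<?php\n/**\n * Plugin Name: Sample Slider\n * Version: 4.6.0\n */\n' \
        > "$d/plugins/sampleslider/sampleslider.php"
    printf '<?php\n// presentation only\n' > "$d/themes/plaintheme/functions.php"
    echo "$d"
}

# Demo on the constructed tree. On a real site run e.g.:
#   bundled_plugins /var/www/html/wp-content
sample=$(make_sample_tree)
echo "bundled plugins (theme slug bundled standalone):"
bundled_plugins "$sample"
echo "theme-registered post types (theme post_type):"
theme_post_types "$sample"
rm -rf "$sample"
```

In the demo the report shows the bundled Sample Slider at 4.1.4 while the standalone copy is at 4.6.0, which is exactly the gap a site owner cannot close from the Updates screen, and it shows that the 'this_theme_portfolio' content would be stranded by a switch to plaintheme. Headers are matched by the WordPress plugin header format only; a plugin whose files were renamed or minified into the theme will not be found this way, so an empty report is not proof that nothing is bundled.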
If Theme Dependencies Are Bad, Why Is It So Widespread?
To answer this question, we need to look at the target market for WordPress themes, and what each audience segment is looking for. The two groups that buy themes are 1) web design companies looking to build sites for site owners, and 2) site owners that are building a site on their own or with a developer. Developers are looking for something that meets most of their needs, so development time meets their client’s budget. Site owners flying solo are looking for something that does 99% of what they need, so they can get their site online without much outside assistance.
Because theme marketplaces are competitive, the themes that include the most bells and whistles usually end up making the most sales. Themes with 17 sliders, 3 contact forms, and 9 events calendars baked in end up on the front page of the marketplace, so everyone else selling themes there does likewise. Long-term site maintenance, security and providing support become secondary considerations to making sales.
Up until the last year or so, I probably wouldn't have thought twice about using a theme with plugins baked in. But the stark reality is that some sites are maintained regularly, and many are not. While all WordPress sites should be checked for updates to core, plugins, and themes on a regular basis, hundreds of thousands are not. The Slider Revolution security fiasco should make everyone realize that there are a lot of vulnerable sites out there in the wild that are not moving any closer to being maintained or secured, and that a bundled copy of a vulnerable plugin stays vulnerable until the theme author ships a new theme release and the site owner installs it.
Part of the problem lies with the developers in the WordPress ecosystem who have accepted this state of affairs and just let it continue. Five years ago, there weren't as many options for finding collections of production-ready themes. There were not as many independent theme shops as there are today. The old version of ThemeForest became the default model of how we imagined things should be. Developers could sell their themes to a larger audience than they could on their own, but in order to make sales, they had to add all the functionality needed to publish a site in a day or two. Thus plugin bundling began.
Freelancers, agencies, and studios that needed to develop a site quickly and on budget still rely on ThemeForest and other marketplaces to find themes that are 90% of what they need for a particular site. But doing extensive research on themes and theme authors also takes time, and that isn’t always a luxury that web designers have, so themes with bundled plugins slip through the cracks.
Part of our culpability stems from the fact that few of us questioned why this became an industry-wide standard in the first place. Because we saw everyone else doing the same things — buying and creating themes with functionality tied directly to the theme — we never thought twice about doing the same.
What The Future May Look Like
To their credit, ThemeForest began changing their theme submission guidelines in late 2013, but there is still a long way to go in the overall WordPress theme ecosystem. As a community, we should agree to only develop, use, and recommend themes that make functionality and data portable and theme independent. If themes bundle plugins, then the theme author needs to maintain updates to the overall theme and have a reliable system for informing customers of updates. Only the plugins vital to the theme should be included. This also means that bloated, multi-purpose themes would lose relevancy, and specialized themes would be encouraged.
Theme marketplaces could adhere more closely to the guidelines in the WordPress theme directory. Unbundling plugins from themes would be encouraged, as would portability of information. Changing course at a huge operation like Envato takes time, but whatever messages are reinforced there are the ones that will trickle down to the rest of the community and help it mature.