Why WordPress premium themes are a security risk

Jan Hornung Last updated 23.01.2020

The common practice of bundling plugins into premium themes can expose a WordPress site to serious security risk. At present the problem can hardly be avoided, so it is the site operator who has to deal with it.

In 2014 and 2015, critical security vulnerabilities were discovered in two of the most popular premium plugins: Slider Revolution [1] (sold almost 75,000 times on Envato) and Visual Composer [2] (sold nearly 100,000 times on Envato). The vulnerabilities themselves were not the main problem: the developers reacted quickly and released fixed versions. But for many customers of premium themes that ship the two plugins as part of so-called plugin bundles, i.e. plugin sets integrated into the theme by default, the fix was of no use. Their sites stayed exposed for a long time, because not every theme allows bundled plugins to be updated automatically in every case.

Users depend on two parties

Users of premium themes depend on two parties for security-relevant plugin updates: the plugin vendor and the theme vendor. It can therefore happen that the plugin vendor reacts quickly and closes the security hole, but the theme does not automatically pick up the new version. The reason is that plugin updates are not always compatible with the rest of the theme; the interaction between the premium theme and the new plugin version usually has to be tested first. The reaction speed of the theme vendor is therefore the critical component in the update process and determines how long users have to live with a known vulnerability [3].

But: Bundles are also problematic for the providers themselves

In practice, this responsibility is also a burden for the theme vendors. On the one hand, they have to inform their customers about the vulnerability and its significance. In the case of Visual Composer, the marketplace operator Envato and the plugin vendor WPBakery reacted in an exemplary manner: all customers were contacted by e-mail and advised to update at their own risk [4]. On the other hand, the theme vendor has to test the compatibility of the premium theme with the new plugin version at short notice, possibly establish compatibility first, or even develop a provisional fix and ship it to customers.

Bundling plugins in this way thus causes problems for vendors and customers alike. However, since the bundle principle has clear advantages, such as fast integration of complex additional functions and convenient operation for the customer, the problem will probably persist for some time. It is therefore important that site operators are aware of this risk and know how to deal with it.

Despite the exemplary reaction: reactive action by vendors does not solve the problem

Even though Envato and WPBakery reacted quickly in the Visual Composer case, it still shows the limits of a reactive strategy and makes clear that current practice knowingly accepts security vulnerabilities. Reactive behaviour by theme vendors and marketplace operators, no matter how well coordinated, does not guarantee a high standard of security and functionality: e-mails end up in spam filters, social media posts are overlooked, and in-app messages get lost. The result is an unnecessary risk that site operators keep an insecure plugin in operation for an extended period.

The reactive approach of the vendors harbours a second danger: the site operator is often not the licensee of the premium theme. This is a very common constellation, for example when a site is commissioned from a web designer. If the web designer and the site owner are no longer in contact, those affected may never learn about the vulnerability at all. This practice produces masses of websites whose owners and administrators have no access to theme-internal updates. Even professionally maintained sites can thus end up running outdated, vulnerable plugins.

A reactive approach by theme vendors and marketplace operators therefore ignores an important part of the reality of web design.

A proactive approach is expensive

This raises the question why the plugin bundle is not simply always updated automatically. The answer lies in the complexity of premium themes. Developers build themes with extensive additional functions such as visual editors, sliders, form builders and so on. Dozens of test runs are needed before a premium theme is assembled and runs smoothly. The same applies to updates of the bundled plugins: each new version can endanger the overall functionality of the theme and in the worst case render the whole website unusable. For e-commerce operators in particular, such downtime can mean substantial monetary losses and lasting damage to their reputation.

Compatibility tests therefore consume a lot of time and money, which removes the theme developers' incentive to be proactive and explains their sometimes purely reactive behaviour. As Scottish blogger Kevin Muldoon notes, the marketplaces do not encourage regular update testing either; vendors could, for example, work with trust programmes, Muldoon suggests. In the end it is up to each theme vendor to decide which update strategy to follow. And one should not forget that there are premium themes whose support has been discontinued entirely.

Possible solutions: premium updates for users, and new quality standards

In his blog article, Muldoon proposes an optional update mechanism for theme-internal plugins within WordPress itself. The user could then update the respective plugin to the latest version directly after its release, but would also assume liability for possible incompatibilities with the chosen theme. Entering a license key would only be required to activate a plugin; updates could be installed without a license. The user would also be notified of new and particularly important updates directly in WordPress. The intermediate step via theme vendors or marketplaces, who first have to inform their customers, would thus be eliminated.

The incentive programmes mentioned by Muldoon could also be part of the solution if they establish a proactive update policy on the part of theme vendors as a prominent new security criterion. Regular compatibility testing could then become a quality criterion in its own right for paid themes.

Conclusion: it is up to the user

For the time being, however, this problem rests with the user: one must be aware that bundled plugins can be a security problem and find a workable way around it. For example, the owner of a website can purchase the licenses for the corresponding themes themselves, or rely on a host that carries out the corresponding updates [5].

Some important security aspects can already be taken into account when selecting a premium theme. If you know the update policy of the theme vendor and which plugins the theme bundles, you can usually make a solid estimate of how exposed the theme will be.

Here too, there is no such thing as 100% security. But the risk can be reduced significantly by choosing consciously.
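The practical consequence of the double dependency described above is that WordPress's own updater is blind to bundled premium plugins: they have no update source registered, so `wp plugin list` reports `update: none` for them even after the vendor has shipped a fix. An operator who knows the bundled plugins and the vendor's fixed versions can still check the site. The following script is an added example, not code from the original article or from RAIDBOXES; it reads the JSON that `wp plugin list --format=json` prints (here a constructed sample embedded inline) and compares each installed version against a table of minimum fixed versions. The plugin slugs and all version numbers in that table are placeholders chosen for illustration, not the real fixed versions of Slider Revolution or Visual Composer; fill the table from the vendor's own changelog before using it.

```python
import json
import re

# Constructed sample of `wp plugin list --format=json` output for a site whose
# theme bundles two premium plugins. Names and versions are made up for this
# example. Note that WordPress reports update="none" for the bundled plugins
# because no update endpoint is registered for them.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "available",
     "version": "4.1.3", "update_version": "4.1.4"},
    {"name": "revslider", "status": "active", "update": "none",
     "version": "4.1.4", "update_version": None},
    {"name": "js_composer", "status": "active", "update": "none",
     "version": "4.7.3", "update_version": None},
    {"name": "contact-form-7", "status": "inactive", "update": "none",
     "version": "5.1.6", "update_version": None},
])

# Hypothetical table: minimum version of each bundled plugin that contains the
# vendor's fix. These numbers are placeholders, not the real fixed versions;
# take them from the plugin vendor's changelog or security notice.
MIN_SAFE_VERSION = {
    "revslider": "4.2",
    "js_composer": "4.7.4",
}


def parse_version(version):
    """Turn '4.1.4' into [4, 1, 4]. A trailing pre-release tag such as
    '4.2-rc1' appends a -1 so that it sorts below the final '4.2'."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if match is None:
        raise ValueError("unparseable version string: %r" % version)
    parts = [int(x) for x in match.group(1).split(".")]
    if match.group(2):
        parts.append(-1)
    return parts


def version_lt(a, b):
    """True if version a is strictly lower than version b. Shorter tuples are
    padded with zeros so that '4.2' == '4.2.0' and '4.1.4' < '4.1.4.1'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa < pb


def audit_plugins(plugin_list_json, min_safe_version):
    """Return one finding per plugin that is either below the vendor's fixed
    version (regardless of what WordPress says) or has a WordPress update."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        name, installed = plugin["name"], plugin["version"]
        required = min_safe_version.get(name)
        if required is not None and version_lt(installed, required):
            findings.append({
                "name": name, "installed": installed, "required": required,
                "reason": "below vendor fix version; WordPress reports update=%s"
                          % plugin.get("update"),
            })
        elif plugin.get("update") == "available":
            findings.append({
                "name": name, "installed": installed,
                "required": plugin.get("update_version"),
                "reason": "update offered by WordPress",
            })
    return findings


if __name__ == "__main__":
    # On a live site: wp plugin list --format=json > plugins.json
    for finding in audit_plugins(SAMPLE_WP_PLUGIN_LIST, MIN_SAFE_VERSION):
        print("%(name)s %(installed)s -> %(required)s: %(reason)s" % finding)
```

The point of the version comparison is that the WordPress `update` column cannot be trusted for bundled plugins; only the installed version compared against the vendor's own fixed version tells you whether the site is still exposed. The `contact-form-7` entry is deliberately left unflagged to show that a plugin with no entry in the table and no pending update produces no finding.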

This situation illustrates how closely the advantages and disadvantages of WordPress's modular structure are linked. Since this problem area is large and diverse, we look forward to your input: have you ever had problems with premium themes, plugin updates or similar? Let us know and help the community to be better prepared in case of emergency.

Links

[1]: Explanation of the security vulnerability in the Slider Revolution plugin: https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

[2]: Explanation of the security vulnerability in the Visual Composer plugin: https://forums.envato.com/t/visual-composer-security-vulnerability-fix/10494

[3]: This is also emphasised by providers such as Envato in their customer notices on the corresponding security vulnerabilities: https://forums.envato.com/t/visual-composer-security-vulnerability-fix/10494

[4]: Scottish blogger Kevin Muldoon has written a detailed article on this problem, commenting on Envato's approach and calling for an automatic update function for bundled plugins: http://www.kevinmuldoon.com/packaged-wordpress-plugins-automatic-updates/

[5]: An effective and fast update process can be established in particular where web designers work closely with the respective hosting providers, i.e. where the host has the information needed for plugin updates.
