With theme malware on the rise, many users are left wondering where the safest place to find free WordPress themes is, or how to protect themselves from potentially dangerous themes.
Without a doubt, the best place to find free WordPress themes is the official WordPress Theme Directory. Themes can be submitted to the directory by almost any author, but the themes are thoroughly checked for quality and safety by a team of dedicated volunteers. With over 1,200 free themes and a handy tag filter interface, you’d have a hard time not finding the perfect theme for your blog.
There are certainly other places to find free themes, like Theme Lab, but how can you be sure that the theme you downloaded is safe? If you plan to download themes from anywhere but the official WordPress Theme Directory, you should install both the Exploit Scanner and Theme-Check plugins.
Run the Exploit Scanner plugin immediately after installing the theme. If it finds any results for the theme files in the “Level Severe” category, just delete the theme and find another. If the Exploit Scanner gives it a pass, activate the theme and run the Theme-Check plugin. If the Theme-Check plugin gives the theme a pass, you should be good to go.
If you are ever uncomfortable with any of the results from the Exploit Scanner or Theme-Check plugins, delete the theme and find another.
It’s generally safe to download and install a free theme from the actual developer’s site, but you should still run both plugins just to be sure.
Theme malware is a serious issue. By installing a free theme from any source except the official WordPress Theme Directory, you could be unknowingly running spam ads, subjecting your visitors to invasive scripts, or leaving your blog open to malicious attack.
To be safe, make sure that you either get your free themes from the official WordPress Theme Directory or at least run the Exploit Scanner and Theme-Check plugins.
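A static pre-check in the spirit of the scan-before-activating workflow above, as an added example that is not code from this post or from the Exploit Scanner or Theme-Check plugins. The three patterns, the file extensions and the sample theme are assumptions constructed for illustration, and a clean result does not replace running both plugins.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns: assumptions for this example, not Exploit Scanner's rule set.
RULES = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hidden-link-block": re.compile(
        rb"<(?:div|span)[^>]*style=['\"][^'\"]*display\s*:\s*none[^>]*>\s*<a\s", re.I),
}
SCANNED = {".php", ".js", ".html", ".htm"}  # file types worth reading in a theme

def scan_theme(theme_dir):
    """Return (relative_path, line_no, rule) findings for an unpacked theme."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCANNED:
            continue
        # Read as bytes so odd encodings cannot abort the scan.
        for line_no, line in enumerate(path.read_bytes().splitlines(), 1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((path.relative_to(root).as_posix(), line_no, rule))
    return findings

def build_sample_theme(root):
    """Constructed sample theme: one clean file, one with planted findings."""
    root = Path(root)
    (root / "index.php").write_text("<?php get_header(); ?>\n<?php get_footer(); ?>\n")
    (root / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        # The payload is the harmless string "CONSTRUCTED", base64-encoded.
        "<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>\n"
        '<div style="display:none"><a href="http://spam.example/">x</a></div>\n'
    )
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_theme(build_sample_theme(tmp)):
            print(finding)
```

Any finding is a reason to read that line by hand before the theme goes anywhere near a live site.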
This is the second entry in our hopefully long-running WordPress FAQ series. What did you think, and what questions would you like us to answer next?
The trunk version of Theme-Check can test *any* installed Theme, not just the *active* Theme. So, it can be used to test a new Theme *before* installation. Checking untrusted Themes for malware *before* activation is *highly* recommended.
(The trunk version of Theme-Check should get tagged very soon – at or before the release of WordPress 3.1.)
I don’t get it? Why download from ThemeLab? 99% of the themes look like horrific 2005 blog themes just like the official WordPress Theme Directory.
Thanks for this straightforward tutorial. I’ve been looking at new themes for a while and am glad I haven’t installed any recently given the latest developments. Will be sure to test any new themes with the recommended plugins though (in the right order).
Although the WordPress Theme Directory is touted as the absolute safest source of WordPress Themes, using the search bar in your search for themes at WordPress Extend can potentially be Very Dangerous. At the end of every page of your search, you are advised to try your search at Google. This causes WordPress to be the number 1 supporter of searching for WordPress Themes at many locations which may be unsafe!
Try: http://wordpress.org/extend/th.....buddypress and look at the bottom of each page.
* Use of the New Tag and Filter Interface seems to be a much safer option for now *
Thank you. This was needed. Telling people they can only download from the limited selection at wordpress.org is simply unrealistic when Google is dangling so many alternatives in front of them, so it’s good to know there are plugins which can help safeguard their blogs.
This is why I tend to create my own themes. I know they are safe then. I’ve read way too many forum threads and blog posts about theme malware.
Seriously, learn how to write your own. It’s not too late to learn how to do it yourself, and it gets a lot easier with practice.
I didn’t know themes can be so “dangerous”. I am using Atahualpa and I am pretty satisfied with it. If there is something wrong with it, I am sure not aware of it.
Thanks for the warning, I sure will pay more attention to the safety of my blog.
I personally can’t stand the Theme Directory for the simple reason that the theme viewer does a really poor job of demoing the themes. Particularly for any that have special features like sliders, etc. When I demo a page I want to see it in a full window and the way it was intended to be used.
That and there really are not that many good looking themes in the directory. All of the ones that catch my eye are elsewhere.