Sucuri Blog

Website Security News

Keeping Your WordPress Themes Updated

We talk a lot about keeping WordPress and the plugins you use updated. That’s great and all, but you also have to remember that it doesn’t stop there, you have to keep your themes updated as well.

Recently we found that some very old versions of the Headway theme (versions 1.6.3 to 1.6.6) have a security vulnerability that was fixed over a year ago. However, there are still a large number of sites running these old versions, and we’re seeing cases where the sites are being compromised.

We feel this adds a lot of validity to what we’ve been saying for a long time – Security is a process, and you have to keep your sites updated, secured, and monitored. If you forget about one little piece, like updating your plugin or theme, it can be used against you in a big way!

Like any software, the longer it sits, the larger the risk of it being exploited. It is imperative that you upgrade your software when a patch comes out. If not, you’re putting your site, business, and ultimately your users at a higher risk than needed. Ultimately it’s your responsibility.

If you’re running Headway 1.6.3-1.6.6 and have not updated, you need to get it up to date immediately. The issues that were found with the release were patched well over a year ago, and notifications were sent via administrative alert.

Update (03/08/11): Check out the latest post on the Headway Themes blog recommending that everyone upgrade.

In ending, it’s about mitigating risk. Make sure you’re doing your part by keeping ALL of your software up to date!

About Dre Armeda

Dre Armeda was Sucuri’s founding CEO and Co-Founder who helped start up the company in 2010. Today, Dre is Sr. Director of Technical Program Management and serves as Head of Technical Program Management (TPM) for GoDaddy's Partners Business. As head of TPM, Dre leads the PMO and Program Delivery Teams, ultimately driving all the program management functions and supporting our partners. When Dre isn't executing strategic initiatives at GoDaddy, you can find him on the mat training in Jiu Jitsu as a Carlson Gracie brown belt. Connect with Dre on Twitter.

Reader Interactions

Comments

  1. Thanks Dre for your great post.  We certainly take security serious at Headway Themes.  And that is just one reason we have pushed out 13 updates since 1.6.3.  

    Your statement that “security is a process” is spot on.  While we push out updates, our users need to heed the advice given and keep their teams and framework up to date.  Just like they need to update WordPress.

    We are pushing out Headway 2.0.12 today which also includes a security fix for Headway and an update for the bug you mentioned with TimThumb.  

    Thanks again for keeping all of us aware of the importance to be diligent in keeping things up to date.

  2. How can you make a theme that you created update from a server? I want the theme to be able to be updated when you go to the theme panel. We created a theme and have it running on 30+ sites, whenever I make a change it has to be uploaded to all of the sites.

    Any idea on how to make this custom theme updatable?