Keeping Your WordPress Themes Updated

August 2, 2011Dre Armeda

We talk a lot about keeping WordPress and the plugins you use updated. That’s great and all, but you also have to remember that it doesn’t stop there, you have to keep your themes updated as well.

Recently we found that some very old versions of the Headway theme (versions 1.6.3 to 1.6.6) have a security vulnerability that was fixed over a year ago. However, there are still a large number of sites running these old versions, and we’re seeing cases where the sites are being compromised.

We feel this adds a lot of validity to what we’ve been saying for a long time – Security is a process, and you have to keep your sites updated, secured, and monitored. If you forget about one little piece, like updating your plugin or theme, it can be used against you in a big way!

Like any software, the longer it sits, the larger the risk of it being exploited. It is imperative that you upgrade your software when a patch comes out. If not, you’re putting your site, business, and ultimately your users at a higher risk than needed. Ultimately it’s your responsibility.

If you’re running Headway 1.6.3-1.6.6 and have not updated, you need to get it up to date immediately. The issues that were found with the release were patched well over a year ago, and notifications were sent via administrative alert.

Update (03/08/11): Check out the latest post on the Headway Themes blog recommending that everyone upgrade.

In ending, it’s about mitigating risk. Make sure you’re doing your part by keeping ALL of your software up to date!

About Dre Armeda

Dre Armeda, CISSP is Co-Founder at Sucuri Inc, and head of Business Development through acquisition by GoDaddy. After a successful acquisition last year, Dre now heads the Enterprise Sales and Partnerships Group for GoDaddy’s Website Security business unit. He is a Navy veteran that fell in love with security and making stuff for the web. On his off time, you’ll find Dre hanging out with his 5 daughters, on the mat practicing Brazilian Jiu-Jitsu, and crawling rocks with his crazy Jeep in Big Bear! Sometimes while eating tacos while watching the Angels or the Chargers. Dre speaks at various events every year about security, marketing, and business. You can follow him on his site armeda.com or on Twitter @dremeda

Comments

Grant Griffiths

August 3, 2011

Thanks Dre for your great post. We certainly take security serious at Headway Themes. And that is just one reason we have pushed out 13 updates since 1.6.3.

Your statement that “security is a process” is spot on. While we push out updates, our users need to heed the advice given and keep their teams and framework up to date. Just like they need to update WordPress.

We are pushing out Headway 2.0.12 today which also includes a security fix for Headway and an update for the bug you mentioned with TimThumb.

Thanks again for keeping all of us aware of the importance to be diligent in keeping things up to date.
carsoholics

May 9, 2012

How can you make a theme that you created update from a server? I want the theme to be able to be updated when you go to the theme panel. We created a theme and have it running on 30+ sites, whenever I make a change it has to be uploaded to all of the sites.

Any idea on how to make this custom theme updatable?

About Dre Armeda

Reader Interactions

Comments