Keeping Your WordPress Themes Updated

We talk a lot about keeping WordPress and the plugins you use updated. That’s great and all, but it doesn’t stop there: you have to keep your themes updated as well.

Recently we found that some very old versions of the Headway theme (versions 1.6.3 to 1.6.6) have a security vulnerability that was fixed over a year ago. However, there are still a large number of sites running these old versions, and we’re seeing cases where the sites are being compromised.

We feel this adds a lot of validity to what we’ve been saying for a long time – security is a process, and you have to keep your sites updated, secured, and monitored. If you forget about one little piece, like updating a plugin or theme, it can be used against you in a big way!

Like any software, the longer it sits, the larger the risk of it being exploited. It is imperative that you upgrade your software when a patch comes out. If not, you’re putting your site, business, and ultimately your users at a higher risk than needed. Ultimately it’s your responsibility.

If you’re running Headway 1.6.3-1.6.6 and have not updated, you need to get it up to date immediately. The issues that were found with the release were patched well over a year ago, and notifications were sent via administrative alert.
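To find installs still inside that range across many sites, the script below reads the Theme Name and Version fields from each theme's style.css header and flags Headway 1.6.3 to 1.6.6. It is an added example, not code from Sucuri or Headway Themes; it assumes the theme's header name contains "Headway", and the sample themes in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Affected range as stated in the post: Headway 1.6.3 through 1.6.6.
AFFECTED_MIN, AFFECTED_MAX = (1, 6, 3), (1, 6, 6)
# Line shape of the style.css header fields that WordPress reads.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):(.*)$", re.I | re.M)

def read_theme_header(style_css):
    """Return the Theme Name and Version fields from a style.css header."""
    head = style_css.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip().rstrip("*/").strip())
    return fields

def classify(raw):
    """Map a Version string to 'AFFECTED', 'ok' or 'UNKNOWN' (check by hand)."""
    if not re.fullmatch(r"\d+(\.\d+)*", raw):
        return "UNKNOWN"
    # Compare on three components, so 1.6.6.x still counts as 1.6.6.
    version = (tuple(int(p) for p in raw.split(".")) + (0, 0))[:3]
    return "AFFECTED" if AFFECTED_MIN <= version <= AFFECTED_MAX else "ok"

def audit_themes(themes_dir):
    """Return (directory, version, status) for each Headway theme found."""
    findings = []
    for style in sorted(Path(themes_dir).glob("*/style.css")):
        header = read_theme_header(style)
        if "headway" not in header.get("theme name", "").lower():
            continue  # assumption: the header name contains "Headway"
        raw = header.get("version", "")
        findings.append((style.parent.name, raw, classify(raw)))
    return findings

def demo():
    """Run the audit over constructed sample themes (not real site data)."""
    samples = {"headway-166": ("Headway", "1.6.6"), "headway": ("Headway", "2.0.12"),
               "headway-old": ("Headway", ""), "other": ("Other Theme", "1.6.4")}
    with tempfile.TemporaryDirectory() as tmp:
        for folder, (name, ver) in samples.items():
            (Path(tmp) / folder).mkdir()
            css = f"/*\nTheme Name: {name}\nVersion: {ver}\n*/\nbody {{}}\n"
            (Path(tmp) / folder / "style.css").write_text(css)
        return audit_themes(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `audit_themes()` at a site's `wp-content/themes` directory to check real installs; an `UNKNOWN` result means the version header was missing or not dotted-numeric and needs a manual look.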

Update (03/08/11): Check out the latest post on the Headway Themes blog recommending that everyone upgrade.

In closing, it’s about mitigating risk. Make sure you’re doing your part by keeping ALL of your software up to date!

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.

  • Grant Griffiths

    Thanks Dre for your great post. We certainly take security seriously at Headway Themes. And that is just one reason we have pushed out 13 updates since 1.6.3.

    Your statement that “security is a process” is spot on. While we push out updates, our users need to heed the advice given and keep their themes and framework up to date. Just like they need to update WordPress.

    We are pushing out Headway 2.0.12 today which also includes a security fix for Headway and an update for the bug you mentioned with TimThumb.

    Thanks again for keeping all of us aware of the importance of being diligent in keeping things up to date.

  • carsoholics

    How can you make a theme that you created update from a server? I want the theme to be able to be updated when you go to the theme panel. We created a theme and have it running on 30+ sites; whenever I make a change it has to be uploaded to all of the sites.

    Any idea on how to make this custom theme updatable?
