Today saw a fantastic post from Siobhan over at WPMU about why you should never rely on Google search results when it comes to downloading WordPress themes. Seriously guys, this post is a first-class education for anyone who downloads and plays around with WordPress themes – free or premium – and the things you need to be on the lookout for. I knew that dodgy practices were widespread but the findings of Siobhan’s research are astonishing. 8 of the top 10 sites in Google’s search results for “free wordpress themes” contained encrypted dodgy code and/or very poor theme standards.
Google gets over 200,000 searches per month for the phrase “free wordpress themes” (as estimated by Google AdWords traffic estimator). Clearly, this is an extremely popular search phrase. If we are to assume that a good percentage of people searching this phrase don’t look beyond the top 10 results (and search behaviour statistics would suggest 40% of people don’t even look beyond the first result), then I think it’s safe to assume that a LOT of people are running WordPress themes that contain crappy, dodgy or, worst-case scenario, incredibly dangerous code on their self-hosted WordPress sites.
I think this is an incredibly concerning situation that I feel needs to be rooted out at the source – the WordPress theme uploader. It’s reasonably safe to assume that WordPress themes contained in the official theme directory are safe. But the uploader at the moment will pretty much let anyone install any kind of theme they want – regardless of the source. There are no built-in scans to check the integrity of the theme being uploaded, and therefore this allows the market for dodgy themes to flourish, as those pawning these dodgy themes know that your average WordPress user has no idea how to check the integrity of the WordPress theme they are installing.
Given we already have some excellent automated tools which do a fantastic job of partially automating these integrity checks, I think it’s high time that the WordPress dev team do something about this and incorporate and extend these tools right into the WordPress core – it’s now too important not to have these in core. I wouldn’t imagine it would be too difficult to significantly improve the protection of the millions of self-hosted WordPress sites out there by implementing a beefed-up theme uploader.
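As an added illustration (not code from Siobhan's post, from the existing scanning tools or from WordPress core), here is a sketch of the kind of pre-install check described above: it opens a theme ZIP and flags PHP files that use common code-hiding constructs. The rule set, the size limit and the sample theme are assumptions constructed for this example.

```python
import base64
import io
import re
import zipfile

MAX_FILE_BYTES = 2 * 1024 * 1024  # skip huge members instead of reading them

# Assumed heuristics, not taken from the post: PHP constructs commonly used to
# hide what a theme file really does.
RULES = {
    "eval-of-decoded-data": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "decoder-chain": re.compile(
        r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(", re.I),
    "long-encoded-literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

def scan_theme_zip(data: bytes):
    """Return sorted (path, rule, line) findings for the PHP files in a theme ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            if info.file_size > MAX_FILE_BYTES:
                findings.append((info.filename, "oversized-file", 0))
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for rule, rx in RULES.items():
                for m in rx.finditer(text):
                    # Search the whole file so calls split across lines still match.
                    findings.append((info.filename, rule, text.count("\n", 0, m.start()) + 1))
    return sorted(findings)

def build_sample_theme() -> bytes:
    """Constructed sample: one clean file and one with a harmless encoded echo."""
    blob = base64.b64encode(b'echo "constructed sample";').decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-theme/functions.php",
                    "<?php\nadd_action('wp_footer', 'demo_credit');\n")
        zf.writestr("demo-theme/footer.php",
                    "<?php\nwp_footer();\neval(\n  base64_decode('%s'));\n" % blob)
    return buf.getvalue()

if __name__ == "__main__":
    for path, rule, line in scan_theme_zip(build_sample_theme()):
        print(f"{path}:{line}: {rule}")
```

A hit is a prompt to read the file before installing, not proof of malice, and a clean result only means none of these particular patterns appeared.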
Anyway, if you have 10 minutes to spare, go check out Siobhan’s post. Great work Siobhan!