WordPress Theme Security Review Service

As part of our Plugin Vulnerabilities service, we have done many security reviews of WordPress plugins and found plenty of security issues during those. While WordPress themes have less possibility of major security issues than plugins, for those seeking to make sure their website is secure as possible, getting a security review of it can provide you an additional assurance.

Having a security review of a theme you use done probably makes the most sense for those with websites that are high profile and likely targeted by hackers, websites that handle sensitive data, and websites that allow the public to create WordPress accounts since one area of poor security with themes involves allowing any logged in users to access functionality only intended for high-level users.

If you already use our service, you can get some idea if a theme is of greater need for a security review by uploading it through plugin upload option of our Plugin Security Checker.

After completing the review, we will provide you with the results and attempt to work with the developer to fix any security vulnerabilities or other security issues identified. After the developer has had sufficient time to resolve those, we will publicly disclose the results.

What is Included in the Review?

We currently do theme reviews using the same checks that we included when reviewing plugins. With our reviews we are not reviewing every single line of code in the plugin or guaranteeing that it is free of all possible security issues, as the first part of that likely would produce poor results and the latter is unlikely to be possible to really accomplish. Instead, we focus on manually checking for specific issues determined by our years of dealing with WordPress plugin security. We check for known high risks issues, which are likely to be exploited if they are discovered based on everything we have seen over the years. We also check to make sure that the plugins are performing proper security hardening and security checks, which in addition detecting vulnerabilities that exist now, would limit other types of vulnerabilities from being exploitable if they existed, even if the relevant code is added to the plugin after the review is done. We also try to check for less serious issues that other security providers are known to falsely claim to be vulnerabilities.

The following items are checked for:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those have and continued to be a common source of disclosed vulnerabilities)
  • Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the theme and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the theme
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the theme’s shortcodes
  • Security issues with functions accessible through any of the theme’s blocks
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with functions accessible through the admin_post action
  • Security issues with import/export functionality
  • Security issues with usage of the is_admin() function
  • Security issues with usage of the add_option(), delete_option(), and update_option() functions
  • Security issues with usage of the update_user_meta() and wp_update_user() functions
  • Security with usage of determine_current_user filter
  • Security issues with usage of the wp_set_current_user(), wp_set_auth_cookie() and wc_set_customer_auth_cookie() functions
  • Security issues with usage of the reset_password() and wp_set_password() functions
  • Security issues with usage of the extract() function
  • Lack of IP address validation
  • Proper usage of sanitize_callback when using register_setting() to register settings
  • Existence of register_uninstall_hook or uninstall.php file that removes any WordPress options and database tables added by the plugin
  • CSV injection
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Price

US$250

Contact Us

To order a review or if you have any questions about the service, please contact us and we will promptly get back to you.