Melbourne: How can you spot trustworthy themes and plugins? There are a few telltale signs. Here are some ways to identify reliable themes and plugins so you can rest assured that the code is of good quality and, more importantly, safe.
Trust the WordPress Directory
The WordPress directory holds a rich collection of free themes and plugins. The key point about the directory is that it is maintained and policed by an experienced team of contributors, including people like Ipstenu who contribute directly to WordPress core.
This oversight is invaluable: the team acts quickly on reports of unreliable code. Malicious plugins and themes are removed promptly, and most submissions are reviewed before the first version is published.
Download Counts and Reviews
In the directory, look at the download count. A new plugin will naturally have a low count, but a plugin with more than 100,000 downloads has generally earned more trust. Bear in mind that a high count shows popularity, not that anyone has audited the code; it is one signal among several.
In addition, any registered user can review a theme or plugin and rate it out of 5. Reviews are a good indication of how the plugin performs on other people's sites, and they can help you check specific features or possible conflicts with other themes and plugins running on your site.
Read the reviews rated 1/5. Reviewers usually give one star when a plugin is genuinely poor or doesn't work, but sometimes a user gives a low rating because it doesn't work on their site alone, not realising that a conflict with something else is the cause. Also, WordPress moderators do check reviews and remove those without substance.
Support Areas Are Your Friend
Each theme and plugin hosted in the directory has its own support forum. Take a quick look to see whether there are many reported problems and, if so, how much they could affect your own installation.
Also look at the proportion of threads marked [resolved]; this shows the author's activity in the forum and is evidence that support is offered and bugs are being fixed.
Another thing to check is when the plugin was last updated (or at least whether the author is still responding in the support forum).
As a rule, avoid any plugin that has not been updated in more than two years. WordPress core has changed a great deal in that time, adding new functions and processes that developers need to adopt to keep their code compatible with current versions. In June 2011 the latest WordPress release was 3.1.3, compared with today's 3.5.1 (with 3.6 about to be released).
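The checks in this section can be applied automatically to the directory's own metadata. The script below is an added example, not code from the original article: it applies the download, rating, last-updated and tested-up-to rules to plugin information in the shape returned by the public plugin information API (https://api.wordpress.org/plugins/info/1.0/<slug>.json). The two sample responses are constructed for the example, the thresholds other than the two stated in the text (100,000 downloads, two years) are assumptions to tune to taste, and fetch_plugin_info() exists only for live use.

```python
"""Check plugin directory metadata against the rules of thumb above.

Added example, not from the original article. Field names and the
last_updated date format follow the public plugin information API; the
sample responses are constructed, not real API output.
"""
import json
import urllib.request
from datetime import datetime, timedelta

MIN_DOWNLOADS = 100_000            # the text's rule of thumb
MAX_AGE = timedelta(days=2 * 365)  # "not updated in more than two years"
MIN_RATING = 60                    # API rating is a percentage 0-100; threshold assumed
MAX_ONE_STAR_SHARE = 0.20          # assumed: more than a fifth one-star reviews is a red flag

# Constructed sample responses, trimmed to the fields used below.
SAMPLE_RESPONSES = {
    "stale-plugin": {
        "name": "Stale Plugin", "version": "0.9",
        "downloaded": 4200, "last_updated": "2011-05-02 7:15pm GMT",
        "rating": 58, "num_ratings": 12,
        "ratings": {"1": 5, "2": 1, "3": 1, "4": 2, "5": 3},
        "tested": "3.1.3",
    },
    "popular-plugin": {
        "name": "Popular Plugin", "version": "2.4.1",
        "downloaded": 2500000, "last_updated": "2013-05-20 11:10am GMT",
        "rating": 94, "num_ratings": 340,
        "ratings": {"1": 6, "2": 4, "3": 10, "4": 40, "5": 280},
        "tested": "3.5.1",
    },
}
TODAY = datetime(2013, 6, 1)  # fixed so the example is reproducible


def fetch_plugin_info(slug):
    """Fetch live metadata for a directory slug (needs network access)."""
    url = "https://api.wordpress.org/plugins/info/1.0/%s.json" % slug
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value):
    """The API gives e.g. '2013-05-20 11:10am GMT'; only the date part matters here."""
    return datetime.strptime(value[:10], "%Y-%m-%d")


def version_tuple(version):
    """'3.5.1' -> (3, 5, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess_plugin(info, today=TODAY, current_wp="3.5.1"):
    """Return a list of warnings; an empty list means no red flags were found."""
    warnings = []
    downloads = int(info.get("downloaded", 0))
    if downloads < MIN_DOWNLOADS:
        warnings.append("only %d downloads" % downloads)
    updated = parse_last_updated(info["last_updated"])
    age = today - updated
    if age > MAX_AGE:
        warnings.append("last updated %s (%d days ago)" % (updated.date(), age.days))
    num_ratings = int(info.get("num_ratings", 0))
    if num_ratings:
        if int(info.get("rating", 0)) < MIN_RATING:
            warnings.append("rating %d%% from %d reviews" % (int(info["rating"]), num_ratings))
        one_star = int(info.get("ratings", {}).get("1", 0))
        if one_star / num_ratings > MAX_ONE_STAR_SHARE:
            warnings.append("%d of %d reviews are one star; read them" % (one_star, num_ratings))
    tested = info.get("tested")
    if tested and version_tuple(tested) < version_tuple(current_wp):
        warnings.append("only tested up to WordPress %s" % tested)
    return warnings


def main():
    for slug, info in SAMPLE_RESPONSES.items():
        print("%s: %s" % (slug, "; ".join(assess_plugin(info)) or "no red flags"))


if __name__ == "__main__":
    main()
```

Run it as-is to see the constructed stale plugin pick up every warning and the popular one none; for a real slug, replace the sample with fetch_plugin_info(slug) and pass the WordPress version you are actually running as current_wp.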
AVOID Downloading Free Themes
This rule does not apply to free themes in the WordPress directory, which have already passed the checks described above; it refers to themes found elsewhere on the web. Don't trust them. The code could contain anything, and could harm your site in terms of both security and performance.
A theme's PHP runs with the same database and filesystem access as WordPress itself, so it would be easy for anyone to build a simple theme that quietly emails them your whole installation (pages, posts, usernames and login credentials), or to plant a small script on the site that reports details of every visitor.
Also avoid looking for a free copy of a premium theme or plugin. It is easy enough to search for "[theme name] WordPress theme download free" and find one, but that zip file could have been modified by anyone. We tested this once by buying a premium theme and then downloading a copy offered free elsewhere on the web. The difference between the two was small, but enough to raise concerns.
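If you ever do have a purchased theme and a "free" copy side by side, the way to find that small difference is to compare the two trees file by file rather than eyeball them. The script below is an added example, not code from the original article or the theme vendor: it hashes every file in both trees, lists what was added, removed or modified, and prints a unified diff of each modified file. Both sample themes are constructed for the example; the free copy differs only by one extra line in functions.php and one extra file, which is exactly the kind of change that deserves attention.

```python
"""Compare a purchased theme with a 'free' copy of it, file by file.

Added example, not from the original article. Both theme trees are
constructed sample data.
"""
import difflib
import hashlib
import os
import tempfile

# Constructed sample theme: what the vendor shipped.
PURCHASED = {
    "style.css": "/*\nTheme Name: Sample Theme\nVersion: 1.2\n*/\n",
    "functions.php": "<?php\nadd_theme_support('post-thumbnails');\n",
    "header.php": "<!DOCTYPE html>\n<html <?php language_attributes(); ?>>\n",
}
# Constructed 'free' copy: same files plus a loader nobody asked for.
FREE_COPY = dict(PURCHASED)
FREE_COPY["functions.php"] = (PURCHASED["functions.php"]
                              + "include_once dirname(__FILE__) . '/inc/loader.php';\n")
FREE_COPY["inc/loader.php"] = "<?php\n// hypothetical planted file\n"


def write_tree(root, files):
    """Materialise a {relative path: content} mapping under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(purchased_root, free_root):
    """Added, removed and modified paths in the free copy relative to the purchased one."""
    a, b = hash_tree(purchased_root), hash_tree(free_root)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def file_diff(purchased_root, free_root, rel):
    """Unified diff of one text file so you can see exactly what changed."""
    def read(root):
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines(keepends=True)
    return "".join(difflib.unified_diff(read(purchased_root), read(free_root),
                                        "purchased/" + rel, "free/" + rel))


def demo():
    """Write both constructed trees to a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "purchased"), os.path.join(tmp, "free")
        write_tree(a, PURCHASED)
        write_tree(b, FREE_COPY)
        result = compare_trees(a, b)
        result["diffs"] = {rel: file_diff(a, b, rel) for rel in result["modified"]}
        return result


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        print(kind + ":", ", ".join(report[kind]) or "none")
    for text in report["diffs"].values():
        print(text)
```

For real themes, unzip both archives into two directories and call compare_trees() on them; added files and modified PHP files are where to look first, since a planted loader is usually a new file plus a one-line include.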
base64_decode is Your Enemy
Most hidden malicious scripts can be found by searching all of your theme or plugin files for "base64_". The function has legitimate uses, but it is widely abused in WordPress themes and plugins: a developer can use it to embed an encoded script that an ordinary search for suspicious markup will not find. base64_decode() is only the most common trick, so give eval(), gzinflate(), str_rot13() and long runs of hex or chr() escapes the same scrutiny.
For instance, say someone wants to include a script tag in your theme.
The obfuscated version they can produce is:
$str = base64_decode('PHNjcmlwdCB0eXBlPSJqYXZhc2NyaXB0IiBocmVmPSJodHRwOi8vZG9kZ3kuY29tL3Nj...'); // decodes to <script type="javascript" href="http://dodgy.com/sc...
echo $str; // outputs the decoded tag into the page
Well hidden, isn't it? To make sure none of these scripts are running, remove every instance from your plugin and theme files. Decode the string first so you know what it produces; a legitimate use will decode to something recognisable, a planted one to a script tag or more PHP. If you are not confident removing it, at least contact the plugin or theme developer and ask how and why it is being used.
N.B. This trick is not limited to WordPress. On 25th June we removed a call of this kind from a Magento installation; it was a blatant hack left over from an old installation that had recently been taken over.
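Searching for "base64_" by hand works for one theme; for a whole plugins directory you want a script that finds the calls, decodes any literal it can, and shows you the result before you delete anything. The scanner below is an added example, not code from the original article: it walks a theme tree, flags base64_decode() and the related functions named above, decodes base64 string literals passed directly to base64_decode(), and reports file, line and payload. The sample theme is constructed for the example; the only real payload in it is the encoded string quoted in the text.

```python
"""Find obfuscated code in theme and plugin files before deciding what to delete.

Added example, not from the original article. The sample theme is
constructed; its encoded string is the one quoted in the text.
"""
import base64
import binascii
import os
import re
import tempfile

# Functions a legitimate theme rarely needs but hidden payloads almost always use.
SUSPICIOUS_CALLS = ("base64_decode", "eval", "gzinflate", "gzuncompress",
                    "str_rot13", "create_function", "assert")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")
# base64_decode('...') with a string literal as the argument.
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1")

# Constructed sample theme; functions.php carries a planted payload.
SAMPLE_THEME = {
    "index.php": "<?php get_header(); ?>\n<h1><?php bloginfo('name'); ?></h1>\n",
    "functions.php": (
        "<?php\n"
        "function theme_setup() { add_theme_support('post-thumbnails'); }\n"
        "add_action('after_setup_theme', 'theme_setup');\n"
        "// hidden payload: constructed for the example\n"
        "$str = base64_decode('PHNjcmlwdCB0eXBlPSJqYXZhc2NyaXB0IiBocmVmPSJodHRwOi8vZG9kZ3kuY29tL3Nj');\n"
        "echo $str;\n"
        "eval(gzinflate(base64_decode($payload)));\n"
    ),
}


def decode_literal(literal):
    """Decode a base64 literal, tolerating whitespace and missing padding; None if invalid."""
    cleaned = re.sub(r"\s+", "", literal)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_source(source, filename="<string>"):
    """One finding per suspicious call: file, line, function name, decoded payload (if any)."""
    findings = []
    for match in CALL_RE.finditer(source):
        finding = {"file": filename, "line": source.count("\n", 0, match.start()) + 1,
                   "call": match.group(1), "decoded": None}
        if match.group(1) == "base64_decode":
            literal = B64_LITERAL_RE.match(source, match.start())
            if literal:  # decodable only when the argument is a literal, not a variable
                finding["decoded"] = decode_literal(literal.group(2))
        findings.append(finding)
    return findings


def scan_tree(root):
    """Scan every .php file under root; paths are reported relative to root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), os.path.relpath(path, root)))
    return findings


def demo():
    """Write the constructed theme to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_THEME.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        detail = "decodes to: " + f["decoded"] if f["decoded"] else "(argument is not a literal)"
        print("%s:%d %s() %s" % (f["file"], f["line"], f["call"], detail))
```

Point scan_tree() at wp-content/themes or wp-content/plugins on a real site. A hit is not automatically malicious (some plugins decode embedded images or licence blobs), which is why the decoded payload is printed: a script tag pointing at a domain you do not recognise, or PHP fed into eval(), is the case the text is warning about.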
Test the Developers
A few months back we bought a WordPress theme from a well-known premium theme marketplace. The theme stopped working properly as soon as the simplest of edits were made.
On closer inspection, the most basic requirements set out by WordPress had been ignored. The developer had numerous themes on sale, so we bought another one just to test, and the same rookie mistakes turned up in that theme too.
WordPress set these requirements so that themes cause as few conflicts and errors as possible, yet problems like this are all too common when themes don't follow WordPress's own rules.
One Simple Test
Instead of hard-coding stylesheet and script tags into the theme's header, a theme should register and enqueue its assets through WordPress, like this:
// hooked so the assets are enqueued at the right point in page generation (function name is illustrative)
function theme_enqueue_assets() {
    // register the stylesheet under a handle, then enqueue it by that same handle
    wp_register_style('random-css-style', get_template_directory_uri() . '/css/random-style.css');
    wp_enqueue_style('random-css-style');
    // a script can be registered and enqueued in one call
    wp_enqueue_script('functions-script', get_template_directory_uri() . '/js/functions.js');
}
add_action('wp_enqueue_scripts', 'theme_enqueue_assets');
wp_enqueue_style() and wp_enqueue_script() are easy to use and are the basic, required way of loading assets in core. A quick check is to search the theme's header.php for hard-coded <link rel="stylesheet"> or <script src="..."> tags; if a theme doesn't even get this right, you should immediately doubt the rest of its code.
Read more: WordPress Theme Development