How to Spot a Rogue or Subpar WordPress Theme

By Charles Costa

Choosing a theme for your WordPress website can be a challenge for even the most experienced developers and designers: theme code is increasingly complex, and paid designs are often sold as-is. With responsive capabilities being a crucial element of most designs today, it is also important to ensure that the themes you purchase don’t fall victim to responsive web design pitfalls.

Fortunately, by following a few common-sense precautions, you can reduce the chances of downloading a theme that poses a threat to your website.

Simple Ways to Validate Your Theme’s Code

Since going through a theme’s code by hand is a tedious task most professionals don’t have time for, validation tools such as the W3C Markup Validator allow you to check the markup validity of a site with only a few clicks. To validate the themes you plan to purchase, simply point the validator to the live demo page and then check the results.

W3C Markup Validator

In general, you shouldn’t worry too much about warnings the theme triggers. Instead, focus on markup errors, since those typically have a significant impact on your site operations. Once you check the markup of your theme, you should also run the W3C CSS Validator to ensure that the CSS in your desired theme follows coding best practices.

W3C CSS Validator

If you’re looking for a more thorough way to ensure the themes you have are compliant with web design best practices, you can use ThemeCheck.org to see a detailed validation score simply by uploading the package to your website. Although this method requires you to have the theme files on hand, the ThemeCheck website lists a wealth of theme ratings on their homepage. This can allow you to pull up a theme’s score if you have the name.

ThemeCheck.org is open source, with the code available on GitHub, and it is technically a fork of the Theme-Check plugin, which is mentioned below.

Theme Check

If you want to take your verification a step further, there are tools which allow you to check your WordPress themes after they are installed on your server. While this step isn’t ideal for themes you need to verify in advance, it is a helpful safety layer for free themes. Theme-Check is a plugin which allows you to test your WordPress theme and ensure it is compliant with the latest WordPress theme review standards.

To use Theme-Check, you simply run the tests through your WordPress admin panel. The results are shown at once and are also saved to a log, which can be helpful if you are a theme developer.

Another useful tool to ensure your WordPress themes are compliant with theming best practices is the Theme Authenticity Checker (TAC), a tool focused on finding malware hidden within themes.

Theme Authenticity Checker

Although we’ll discuss how to find quality paid themes shortly, it’s important to note that some free themes contain malware or spam links as a way for the developer to generate revenue. While not all free designs are dangerous, it never hurts to be safe when it comes to ensuring your website is free of malware.
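A minimal static pass in the spirit of the scanners above, as an added example (not TAC's or Theme-Check's own code): it flags lines matching things this page mentions (spam links, iframes, file and network calls) plus one assumed obfuscation indicator, `eval` of decoded data. The rule names, severities and sample files are constructed for illustration.

```python
import re
from pathlib import Path

# Review hints, not verdicts. Rule names and severities are constructed for
# this example; the eval/decode rule is an assumed obfuscation indicator.
RULES = [
    ("high", "eval-of-decoded-data",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("medium", "hidden-link",
     re.compile(r"display\s*:\s*none[^>]*>\s*<a\s+href", re.I)),
    ("medium", "iframe", re.compile(r"<iframe\b", re.I)),
    ("low", "file-or-network-io",
     re.compile(r"\b(fopen|fwrite|fread|file_get_contents|curl_exec)\s*\(", re.I)),
]

def scan_source(filename, text):
    """Return (severity, rule, filename, line_number) for each matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                findings.append((severity, rule, filename, lineno))
    return findings

def scan_theme(theme_dir):
    """Scan every PHP, JS and HTML file under an unpacked theme directory."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html"}:
            findings += scan_source(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample files: a footer with a hidden spam link and obfuscated
# code, and a functions file whose hits are ordinary, legitimate uses.
SAMPLE_FOOTER = """<?php wp_footer(); ?>
<div style="display:none"><a href="http://spam.example/">sponsored</a></div>
<?php eval(base64_decode($footer_blob)); ?>
"""
SAMPLE_FUNCTIONS = """<?php
$css = file_get_contents(get_template_directory() . "/style.css");
?>
<iframe src="https://video.example/embed/demo"></iframe>
"""

if __name__ == "__main__":
    for name, text in (("footer.php", SAMPLE_FOOTER),
                       ("functions.php", SAMPLE_FUNCTIONS)):
        for severity, rule, filename, lineno in scan_source(name, text):
            print(f"{severity:6} {rule:22} {filename}:{lineno}")
```

The medium and low hits on the sample functions file are legitimate uses, which is why each finding marks a line to read rather than proof of malware.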

Although a different topic, while you are verifying your themes for malware, you should know how to protect yourself from rogue plugins.

Sticking with Trusted WordPress Theme Sellers

Although there’s no shortage of theme developers on the web, you can help protect the integrity of your websites by only purchasing themes from reputable sellers. If you’re looking for a wide selection of themes, ThemeForest and MojoThemes are two of the largest template vendors on the web. While they are marketplaces with many sellers, they offer a feedback system so you can see whether a seller has a proven track record.

Other WordPress theme vendors worth considering include:

There are many other reputable sites on the web, so the previously mentioned names are far from a comprehensive list.

If for some reason you need to choose a free WordPress theme, it’s usually best to stick with themes you find mentioned on major blogs and reputable sites. When possible, avoid downloading themes from random websites, and of course avoid nulled themes at all costs. For those unfamiliar with the term, a ‘nulled theme’ is a premium theme which has the copy protection removed. Nulled code is illegal to use, and almost always will have modifications to give attackers access to your website.

When in Doubt, Use Google

When you’re in a situation where you aren’t sure if a theme creator is legitimate, it never hurts to Google the creator’s company name to see if they have a negative online presence. This can be a valuable tool for marketplaces and standalone theme retailers, as it allows you to gather insights which might not originally be apparent. Although this method is far from foolproof, it is still an effective way to bring another perspective to your theme purchasing.

  • Fred Reillier

    Themecheck.org’s homepage is not a good source of information, because the criteria for identifying “rogue” themes are very strict: using iframes leads to a “critical alert” and the theme is marked as invalid…
    Of course “iframes are sometimes used to load unwanted adverts and malicious code on another site” but sometimes iframes are just needed and not malicious….

    Same remark for the use of things like fopen, fwrite, fread, file_get_contents, any use of curl…

    Themecheck helps you check important details in the code of your theme, but should not be trusted as a “notation” tool.

  • Husain Ahmmed

    Important information

  • jcummings68

    Very useful for the toolkit. As Fred mentions though, use as a frame of reference, not the complete answer.

  • http://hightechrealm.com Charles Costa

    Good point – When I put this guide together I tried my best to balance security with practicality so I couldn’t get into the level of detail you mentioned, but I agree automated tools like ThemeCheck are not a perfect substitute but it’s definitely better than doing nothing at all.

    • Fred Reillier

      Of course! You did a great job.
      Before I read your article I was not even aware that themecheck existed :-)

  • Stephan Lück

    I like to test themes with wptest.io (http://wptest.io/) and I use Sass/Compass and Chrome


