Woothemes Framework Update Analysis
https://hackertarget.com/woothemes-framework-update-analysis/
Sun, 17 Jun 2012
In this post, I examine the fact that only 31% of Wootheme based sites in the top 1 million are running the latest version of the Wootheme Framework. WordPress themes are an important part of the security checklist when maintaining your WordPress installation.

An essential security maintenance task for any WordPress install is performing regular updates. Many people do update the WordPress core and plugins, but it is just as important to update every installed WordPress theme to its latest version. Any themes you are not using should be removed.

Examples

29th April 2012 - an exploit was released for the Woothemes Framework. This exploit allows possible code execution through the shortcode preview function. Version 5.3.10 resolved the issue, but additional fixes were applied to make 5.3.12 the recommended version to stay secure.

August 2011 - an exploit was released for an image function called "timthumb". This exploit affected many WordPress themes, as it was a popular function included with many frameworks and standalone themes (it was not limited to Woothemes).

There have been two critical security vulnerabilities in the past year that affected Woothemes framework based sites. As the charts below show, even websites with significant levels of web traffic appear to have little awareness of, or no regard for, security updates to WordPress themes.

Research

As we use Woothemes here at HackerTarget.com, we researched a bit further into the woothemes frameworks in the top 1 million websites. The following statistics show the breakdown of the Woothemes Framework versions in use.

WooFramework Versions Compared

This chart shows the detected WooFramework versions of WordPress installs in the top 1 million websites. A total of 2476 Woo Powered sites were detected; note that this only includes sites that have the metagenerator tag enabled.

The next chart shows a simple breakdown of the sites running the latest version compared to sites running older versions of the Woothemes Framework. It would not be an unreasonable assumption that many of the 1699 websites with an older version are indeed vulnerable to known security exploits.

Data was collected in mid May; only 31% of Woothemes sites were running the latest version of the framework.

Disabling the Metagenerator Tag

These statistics have been determined by searching for the metagenerator tag in the HTML source. It is easy to remove this information from your Woothemes installation, as shown in the following image.

Disabling the metagenerator tag is a good way to remove what security people like to call information disclosure: information leakage that allows an attacker to more easily find ways to break into a system. You will, of course, still need to keep all your WordPress bits and pieces up to date to avoid becoming a victim.

Want to do your own analysis? Download the full wootheme count in .csv format.

WordPress themes in top 1 million websites
https://hackertarget.com/wordpress-themes-in-top-1-million-websites/
Thu, 14 Jun 2012
WordPress themes have been extracted from our latest analysis of the world's top 1 million websites (by Alexa rank). Digging into the data shows interesting trends in the WordPress content management space, and provides insight into security vulnerabilities. Third-party WordPress components, including plugins and themes, can introduce exploitable security issues.

Methodology

To determine the themes in use by the world's most popular WordPress based websites, the HTML source of each site's primary page was searched for the string wp-content/themes/. This is a good indication of a WordPress installation, and the path also reveals the theme in use.

As expected from a free open source content management system, of the 160438 sites we found with WordPress themes, many are running free themes, but many are also running premium commercial themes.

Top 5 Premium WordPress Theme Providers

To determine the commercial themes in use, the 100 most popular themes have been counted (35930 total wordpress sites). Of the 100 most popular themes, 51% were premium or commercial themes. This clearly shows how significant the WordPress "economy" is in the world of web development.

Premium vs Free WordPress Themes in Top 100

Of the commercial themes, Thesis Theme Framework, StudioPress, Woothemes, OptimizePress and Elegant themes were the top 5 providers in the 100 most popular themes.

Premium WordPress Theme Provider Showdown

It is interesting to note the high number for the OptimizePress theme. This is a single purpose theme, whereas the others in the Top 5 are all theme frameworks. OptimizePress is very much a sales-focused theme, using techniques such as "funnels" and "squeeze pages" to push users into a sales pitch. It shows that WordPress is much more than just a blogging platform.

Woothemes has the most popular general purpose commercial theme with its "canvas" theme coming in at number 16.

Free themes are of course very popular, with the top 2 themes being those bundled with default WordPress installations (twentyten and twentyeleven).

Summary of the Top 20 WordPress Themes

1. Twentyten
The default WordPress theme for 2010, it just so happens to be the most popular wordpress theme in the top 1 million websites.
Total Sites: 3096
2. Twentyeleven
The default WordPress theme for 2011, and hot on the heels of 2010, this theme is the second most popular.
Total Sites: 2793
3. Thesis 18
This version of the Thesis theme framework comes in as the highest commercial listing. This entry is a theme framework, and not an individual theme.
Total Sites: 1706
4. Optimize Press
This commercial theme is a very popular theme that is dedicated towards driving a visitor towards the sale of a product or sign-up.
Total Sites: 1457
5. Thesis 182
This is a later version of the Thesis theme framework and comes in as the third highest commercial listing. Note this is a theme framework, and not an individual theme.
Total Sites: 1144
6. Default
This was the default theme for WordPress versions 1.5 up until 2.9. When browsing the web sometimes this old timer still pops up and these stats confirm that it is still kicking strong.
Total Sites: 918
7. Mystique
First released back in 2009, this theme has recently been moved onto a framework-like core called Atom.
Total Sites: 916
8. Arras
A clean magazine style theme that comes in multiple color variations. While the Arras theme is a free download, commercial child themes are being developed.
Total Sites: 868
9. Atahualpa
Bytes for All have a handful of free WordPress themes, Atahualpa being the most popular.
Total Sites: 795
10. Suffusion
A versatile Free theme with a 5 star rating at the WordPress theme directory.
Total Sites: 766
11. Inove
A popular theme that was last updated back in 2009. Are the sites running this getting no updates or do people just love this theme?
Total Sites: 758
12. Thesis 184
This commercial Framework makes another appearance with version 184. Note this is a theme framework, and not an individual theme.
Total Sites: 726
13. Graphene
Another popular free theme, the developer actively offers paid customisation and support.
Total Sites: 654
14. Article Directory
A popular example of a custom purpose theme. This turns your WordPress installation into a feature packed article directory. It is a commercial offering.
Total Sites: 604
15. Lifestyle
A commercial theme from Studio Press. Works with the Genesis Framework.
Total Sites: 581
16. Canvas
A commercial theme from Woothemes. Built on the WooFramework, this theme is designed to be highly customisable.
Total Sites: 562
17. News
Another commercial theme from Studio Press makes an entry into the list. Uses the Genesis Framework.
Total Sites: 500
18. Magazine Basic
A free theme from a now commercial theme house.
Total Sites: 465
19. Arthemia
A commercial theme available from Colorlabs.
Total Sites: 418
20. Headway 2013
A commercial theme available from Headway themes.
Total Sites: 409

Premium vs Free Themes in the Top 20

This shows a very different result to the statistic for the top 100. In the Top 20, only 35% are premium themes. This appears due to the large number of twentyten and twentyeleven themes in use.

Premium vs Free WordPress themes in the Top 20

WordPress.com Hosting in the Top 1 Million

Over at wordpress.com, you can get free hosting for a WordPress installation. They also offer a VIP hosting option for commercial-grade hosting. Looking at the theme paths, we can see that 2.8% (4492) of the 160k WordPress sites are hosted on wordpress.com (theme path /wp-content/themes/pub/), and 147 are on wordpress.com's paid VIP hosting (theme path /wp-content/themes/vip/).
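As an added example (not code from either post), the following Python script applies the two detection heuristics the posts describe: the WooFramework metagenerator tag from the Woothemes analysis, and the wp-content/themes/ path including the pub/ and vip/ wordpress.com prefixes from this post. The generator tag format, the 5.3.12 comparison and the sample HTML are assumptions built from the text; pointed at your own sites' saved page source, it shows what they disclose and whether a disclosed WooFramework version is behind the recommended one.

```python
import re  # stdlib only; runs offline on a saved page source

LATEST_WOOFRAMEWORK = "5.3.12"  # recommended version named in the Woothemes post
# Constructed sample of a page head; the generator tag format is an assumption.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.3.2" />
<meta content="WooFramework 5.3.9" name="generator" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/canvas/style.css" />
</head><body></body></html>"""

META_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
THEME_RE = re.compile(r"/wp-content/themes/([\w\-]+)(?:/([\w\-]+))?", re.I)

def generator_tags(html):
    """Content of every <meta name="generator"> tag, whatever the attribute order."""
    found = []
    for tag in META_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "generator" and attrs.get("content"):
            found.append(attrs["content"].strip())
    return found

def theme_info(html):
    """(theme, hosting) from the first wp-content/themes/ path, using the post's pub/ and vip/ rule."""
    m = THEME_RE.search(html)
    if not m:
        return None, "unknown"
    first, second = m.group(1).lower(), m.group(2)
    hosting = {"pub": "wordpress.com", "vip": "wordpress.com-vip"}.get(first)
    return (second, hosting) if hosting else (first, "self-hosted")

def fingerprint(html):
    """Dict of what the page discloses: core version, WooFramework version, theme, hosting."""
    info = {"wordpress": None, "wooframework": None}
    for content in generator_tags(html):
        product, _, version = content.partition(" ")
        if product.lower() in info:
            info[product.lower()] = version or None
    info["theme"], info["hosting"] = theme_info(html)
    return info

def version_tuple(v):
    return tuple(int(x) for x in re.findall(r"\d+", v))

def wooframework_outdated(info):
    """None when no WooFramework version is disclosed (tag removed or not a Woo site)."""
    if info["wooframework"] is None:
        return None
    return version_tuple(info["wooframework"]) < version_tuple(LATEST_WOOFRAMEWORK)
```

A None result from wooframework_outdated is the state the metagenerator section recommends: nothing is disclosed, so the version has to be confirmed from the admin side rather than from the public page.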

Note: No guarantee is made regarding the accuracy of these results or conclusions. All 60956 different themes were not verified.
