We received a question from a client about whether WordPress “theme updates” are important for security purposes, so we would like to explain this.

In short, we believe a WordPress theme should be updated with caution: updates have a high chance of causing problems, and the security concerns are not as great as with plugins.

Carelessly updating a WordPress theme is likely to cause glitches and broken layouts.

A large percentage of WordPress themes have customized (modified) files such as functions.php and style.css.
If you update the theme, these customized files are overwritten and the changes are lost; the layout may break or functionality may disappear, leaving a site that does not display properly.

Also, even if you are using a child theme, the theme's creator may make significant changes to its design and functionality between versions. (This is probably because theme creators think primarily in terms of design and may pay less attention to backward compatibility of theme features.)
In such cases too, compatibility between the child theme and the parent theme may break, resulting in broken layouts and malfunctions.

For this reason, we recommend taking a backup and updating your theme carefully, or trying the update first on a test site.

Is there a security issue if I don’t update the theme?

Themes can have vulnerabilities, but their number is smaller than for plugins.
For example, the image below shows a search of NIST's vulnerability database for theme vulnerabilities with a high risk score (medium or higher); only 221 vulnerabilities were found.

For plugins, on the other hand, more than 3,000 vulnerabilities are found.

The probability that a vulnerability in a WordPress theme made in Japan, or in an original theme, will be exploited is quite low (hackers look around for the easiest sites to penetrate). So unless you are using a popular foreign theme and the theme's creator has issued a vulnerability alert, there is no need to be overly concerned about vulnerabilities.

However, we do think you need to be somewhat careful with widely used foreign-made themes (such as the official WordPress themes). Hackers often study such themes and find vulnerabilities in them.

In particular, if you are using a customized version of one of the official WordPress Twenty-series themes, it is safer to move your customizations into a child theme, back up before updating, and then update frequently.
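The child-theme setup recommended above (and referred to earlier in this post) keeps customizations out of the parent theme's files, so a parent update no longer overwrites them. The script below is an added example, not code from this post: it scaffolds a minimal child theme with the `Template:` header WordPress uses to locate the parent and a functions.php that loads the parent stylesheet before the child's. The parent slug, themes directory and child naming are assumptions for illustration.

```shell
#!/bin/sh
# Scaffold a WordPress child theme so customisations survive parent updates.
# Usage: make_child_theme <parent-slug> <wp-content/themes dir>
# Prints the new child theme directory on success.
make_child_theme() {
  parent="$1"
  themes_dir="$2"
  child="${parent}-child"           # assumed naming convention
  child_dir="${themes_dir}/${child}"
  # Refuse to proceed if the parent is not installed or the child already exists.
  if [ ! -d "${themes_dir}/${parent}" ]; then
    echo "parent theme '${parent}' not found in ${themes_dir}" >&2
    return 1
  fi
  if [ -e "${child_dir}" ]; then
    echo "child theme already exists: ${child_dir}" >&2
    return 1
  fi
  mkdir -p "${child_dir}"
  # The 'Template:' header tells WordPress which parent theme to load.
  cat > "${child_dir}/style.css" <<EOF
/*
Theme Name: ${parent} Child
Template: ${parent}
Version: 1.0.0
*/
EOF
  # Enqueue the parent stylesheet first, then the child one so child rules win.
  # Quoted heredoc: nothing inside is expanded by the shell.
  cat > "${child_dir}/functions.php" <<'EOF'
<?php
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
} );
EOF
  echo "${child_dir}"
}
```

After activating the child theme in the WordPress admin, put your CSS and PHP changes in the child's files and leave the parent untouched; the parent can then be updated and the child backed up separately.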
