[shadowpwner]

Let's see:

1) Anything linked outside of the domain. 2) Anything not HTML/CSS/image/Wordpress tag/Javascript libraries 3) Anything encrypted.

Let me know if I missed anything.

[jarek]

Do you whitelist the Javascript libraries? Who certifies them? Is having a base64 decode function available from the library a problem?

Do you scan the CSS for url() references outside of the domain?

[shadowpwner]

1. Most Wordpress theme developers use popular Javascript libraries, so it wouldn't be too difficult to replace them with the original if you suspected something was amiss. The function wouldn't be a problem, if there wasn't any base64 code. 2. url() references should all be relative, in the same domain, so if it linked on the outside, I'd change it.

Most of the time I use a Wordpress theme as a starting point, rewriting some parts and looking over all of the code.

Also, mentioned above, securing the theme against injections and XSS is important.

[jarek]

Do you scan images provided with the theme to check if any subset or combination of subsets of their contents can be malicious when base64 decoded?