Weaver II Security
From time to time, someone asks how Weaver handles web security. Weaver and Weaver II share their security code, and it has been scrutinized by both the WordPress theme review teams and the Weaver user community. Over time, the developers at WordPress have developed a set of guidelines for making WordPress and WordPress themes as secure as possible. Weaver follows these guidelines and uses the currently known best practices.
To date, there have been no known security breaches via Weaver. But note that WordPress plugins are not subject to the same scrutiny as themes, and there are known breaches via plugins. For example, the old wpweaver.info site was hacked via a problem with the Captcha code used by the Mingle Forum (since corrected).
But to give full disclosure, there is one potential security issue on a tiny number of shared hosts that could affect Weaver II Pro (but NOT Weaver II basic). If it does affect you, though, it is the very least of your worries. It has to do with how shared hosts handle file permissions. As you probably know, when you use a shared host provider, you are sharing space on a common file system with an unknown number of other users (probably small, most likely fewer than 100). Almost all modern hosts use a file protection system that keeps your files safe from other accounts on the shared server. But some hosts don’t use the most up to date file isolation, and on those it is possible for one of the other accounts on your server to get access to your files. In the case of Weaver II Pro, they could possibly get access to the weaverii-style.css file and try some CSS/JavaScript attacks. But as I said, that is the least of your worries in that case, because if they can get at weaverii-style.css, they can get at .htaccess, your config.php file with your MySQL passwords, and all sorts of other more useful attack vectors.
And how do you know if you have an old-fashioned shared host that could allow that? One symptom is a need to manually change some file permissions to get WordPress to work right. Another is the need to enter an FTP password when you update themes or plugins. But, and this is very important, seeing those symptoms does not necessarily mean you have an issue. IF you are using a shared host, those symptoms usually do mean you may have a problem. IF, on the other hand, you are using a VPS or another kind of more “private” hosting, it probably isn’t an issue. The difference is that on a shared host, other accounts could potentially get access. But if you have a private host (e.g., a VPS), then you are the only user with access to your files, and you are not subject to this kind of attack.
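One concrete way to look for the symptom described above is to list which files in your WordPress tree carry "other" read or write permission bits, since those are the bits another local account would rely on. This is an added example, not Weaver's own code; the check_other_access and count_other_access helpers are my own, and the sample install is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Report regular files under a WordPress root that any other local account
# could read or write, judged purely by the "other" permission bits.
check_other_access() {
    # $1: WordPress root directory. Prints one path per line, sorted.
    find "$1" -type f \( -perm -o=r -o -perm -o=w \) | sort
}

count_other_access() {
    # Number of files flagged by check_other_access for the root in $1.
    check_other_access "$1" | wc -l | tr -d ' '
}

# Constructed sample install (hypothetical paths, not a real site).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/themes/weaver-ii-pro"
printf 'body{margin:0}\n' > "$demo_root/wp-content/themes/weaver-ii-pro/weaverii-style.css"
printf '<?php define("DB_PASSWORD", "placeholder");\n' > "$demo_root/wp-config.php"
printf 'Options -Indexes\n' > "$demo_root/.htaccess"

# Typical permissions seen on a non-isolated shared host versus a tightened install:
chmod 644 "$demo_root/wp-content/themes/weaver-ii-pro/weaverii-style.css"  # readable by any local account
chmod 666 "$demo_root/.htaccess"                                           # writable by any local account
chmod 600 "$demo_root/wp-config.php"                                       # owner only: not flagged

echo "Files other local accounts could read or write under $demo_root:"
check_other_access "$demo_root"
echo "Total flagged: $(count_other_access "$demo_root")"
```

A non-empty report is the symptom the post describes, not proof of a breach: whether another account can actually reach those files depends on the host's account isolation, which this scan cannot see. On hosts where PHP runs under your own account, wp-config.php can be kept at 600 and theme files at 640 without breaking the site.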
And this kind of sharing issue comes only from other users on the same shared host. The likelihood that one of the other users is a hacker is non-zero, but not large.
So what do you do if you find out you have a host with an insecure file sharing configuration? FIND A NEW HOST! This kind of approach to sharing is inexcusable. It is possible that your host might have different servers that have been upgraded, and you might be able to switch, but don’t stay on these insecure shared hosts.