Support » Themes and Templates » Updating a site that did not use Child Theme

  • I have a new client who has an existing site that is a customized version of Twenty Ten. Having not developed the site myself (I always use a child theme), I have no idea how many templates or what styles were customized, but the name is still Twenty Ten and the WordPress version is 3.5.1. I backed up the site and need to upgrade it. I know all customizations will get overwritten with the theme named Twenty Ten. I need to update without going back and trying to turn this into a child theme, since I don’t know what’s been customized. I think all I need to do is copy the theme folder, change the name of the theme folder, and change the name of the theme name in style.css. And then I should be safe to update to WordPress 3.7.1. Is this correct?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Kind of. Read the Child Themes page in the Codex, it’s this specific line in style.css that indicates a child theme:

     Theme Name:     Twenty Ten Child
     Template:       twentyten
    @import url("../twentyten/style.css");

    The Theme Name is irrelevant but required, the Template and import create a Child Theme. That should work, but obviously create a backup of the theme to be safe.

    Another problem is that while this will technically be a Child Theme, it will really just be a clone of the 3.5.1 version of the theme – all the buggy and vulnerable code will be in the Child Theme, so it’s like you never upgraded at all.

    What I would do is create a test site somewhere, install the theme as a Child, and whittle away everything that isn’t a modification. This will take a bit of work, but I can almost guarantee that most of the mods are in style.css and header.php. This is really the only secure option, short of using a new theme.

    Thanks for your reply.

    Am I understanding you correctly? If I update WordPress, and don’t update my theme, it’s like I never upgraded at all? I didn’t know that. What about all those custom one-off themes people create for their clients, that presumably don’t have updates? No point in updating WordPress then? I find that difficult to believe.

    WP updates core and bundled themes separately since awhile back. So you can upgrade WP and your customized Twentyten theme will be kept untouched.

    Before upgrading WP, install that customized Twentyten that you backed up from the site to a local server with latest WP running (doesn’t matter what content in it).

    Turn the debug on

    and see if there is any error or warning, this is to figure out if theme is compat with latest WP.

    Use a text editor that has file compare option to compare all the files in both folders (the customized 2010 and the latest 2010), this is how to figure out what had been changed, so you can make a child theme for it properly.


    That wasn’t what I was trying to say. Let me give you an example of what I mean (sorry for how long it is):

    Imagine you make a Twenty Ten Child Theme that is just a style.css file with some custom CSS. While building a page, WordPress asks your theme for a file called index.php – since your theme doesn’t have this file, it points WordPress to it’s parent (in this case, Twenty Ten), and WordPress uses the index.php from it.

    This is the benefit of Child Themes: You can apply (mainly cosmetic) changes on top of a theme, while leaving it’s core functionality untouched.

    Now, imagine the Child Theme you’re describing: an exact copy of Twenty Ten. Whenever WordPress requests a file (like index.php), it’s always available – there’s never any need to revert back to Twenty Ten for a file, because for all intents and purposes, your theme is Twenty Ten.

    But what if a security hole is found in Twenty Ten’s index.php? Automattic sends out an update fixing it, and that’s that. But since your Child Theme is just a copy of Twenty Ten, it never receives the update, and you’re running code with a known bug.

    This creates a security risk, and there are hacker programs out there that just go around looking for known bugs in WordPress sites (according to my server logs, my site gets attacked by these bots at least once a week). So, doing this will put your site at risk of being hacked (how likely it is depends on what bugs are found and how popular your site is, but the risk is there).

    Thanks for these explanations. I didn’t realize that hacks come through the themes themselves, I always figured the security holes were in the WP core files.

    I would never dream of skipping the child theme step in this day and age. In this particular case, I inherited a highly customized site that I did not make. I was asked to make a few simple changes to it, but wanted to update WordPress first. As far as making it into a child theme at this point – I am almost sure it is more than style.css and header.php, and since I didn’t create the site, I’m not comfortable trying to turn it into a child theme retroactively. It needs to stay up and running.

    I went ahead and renamed it something besides Twenty Ten.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Updating a site that did not use Child Theme’ is closed to new replies.