Chip Bennett

First – bear in mind that the Theme Checker plugin is geared towards developers who wish to submit a theme to the WPORG Theme Repository. So there is a strict list of allowed tags. You cannot just throw in a few of your own.

That’s retarded. But I guess, I understand. Where are these “tags” I can use?

At first glance, one may think so. However, consider things from the end-user’s perspective. Unless we maintain a whitelist of tags, then tags quickly become utterly useless. (For cross reference: try doing a tag search here in the forum.) The list of valid tags may be found here.

That’s totally banned in the Theme Repo. Why do you need to write to a file anyway?

I already explained that – Because you have a custom css, php and js editor built into the themes options page in which you can edit the custom css, php and js file right from inside the theme, this requires opening, writing to, (possibly) creating said files which are: custom-css.css, custom-functions.php and custom-js.js

I do not want the user using the functions.php file because of how the theme framework works. Most theme frameworks come with a custom-functions.php for the user to use instead.

There is absolutely no need to write/read files for this functionality. Store the user-generated data, properly sanitized, in your options array, and print them out, properly escaped, via callback, hooked into an appropriate action hook.

If you have any questions regarding how to implement, just ask on the theme-reviewers mail-list.

So I assume I have to strip this functionality out if I want the theme to be used in the wordpress theme repo?

Certainly not. It just has to be implemented properly.

Dreamweaver project file

You can only include theme specific files.

Im sorry what? How is that a theme specific file?

It’s not. And that’s the point. You need to remove development files from the Theme package before you upload it to the repository.

All required under the Theme Review Guidelines. You did read that page., didn’t you?

I skimmed it. I wont lie there. I will check out that page, But i find it ridiculous that they are REQUIRED css classes.

WordPress generates those classes. We must ensure that the Theme developer, at a minimum, considered and accounted for the use cases in which the classes are generated. Your Theme will be used to display image galleries, and pictures with captions. So yes: you need to have considered how those elements will be presented (styled) by your Theme.

My “rage” comes from the fact that I am building a theme framework similar to others such as thesis, woo themes and what not, with the difference of being in the WordPress repo because I am no where as famous as these people.

I promise you that we show no favoritism. If any of those Themes were to be submitted to the repository, they would undergo exactly the same scrutiny.

Any thoughts, suggestions, flaming remarks? There are some things I wont budge on, which are used in a lot of popular themes and that’s the whole writing to files when using the php, css or js editor.

You’re welcome not to budge on some things. However, anything that is listed as required in the Theme Review guidelines are things that the Theme Review Team also will not budge on, without extraordinarily compelling justification.

ok Im in filezilla but I dont see where I can find wp-config.php

Is there a common place it’s usually located?

Yes: in the WordPress root install directory.

Can someone PLEASE walk me through this in plain terms!?!?!?!

Please do not bump.

Seriously: use Pastebin for code longer than about 10 lines.

As for your specific problem: I would recommend starting with a blank functions.php file, and verify that the site works.

Then, restore each part of functions.php, line-by-line or function-by-function (as appropriate), to determine what code is causing the error. Be sure that you have enabled WP_DEBUG, so that you can see the Fatal Error(s) being generated.

First thing: enable WP_DEBUG, and report any Fatal Errors that are being generated.

I have a single e-mail sample today, pretending to be Amazon as in the initial report, with ten different compromised WP sites linked, all of those links including

/wp-content/themes/twentyten/zone.html

So it’s obviously an issue native to WordPress and the twentyten theme.

No, it’s not. Twenty Eleven is the target, not the exploit vector

Very likely, what is happening is that an exploit vector has been identified, and a payload created and deployed, targeting the Twenty Eleven Theme, because it exists on every current installation of WordPress.

Chip, how can you be sure that it’s the server that is compromised and not a hole in the theme that enables you to upload a file?

Call it a hunch on my part, because it is almost always a server exploit – either through server configuration, or (more often) through compromised FTP credentials (virus/malware scanning of your local PCs remains important for this very reason).

Who knows what the exact exploit vector is in this case? It could be a Plugin; it could be another TimThumb exploit. It could be something on the server, completely unrelated to WordPress.

But I am 99.999% confident that Twenty Eleven itself is not the exploit vector.

Duplicate post

ust to be clear – assuming Clean Home (from the archives) works, I can still install it, yes? I would not be violating anything, right?

Correct. It is still available in SVN, for those who know how to access subversion. The Theme is simply not being publicized/distributed through Extend/Themes anymore.