Uploading theme changes siteURL

  • I just had quite the shock which totally messes with my understanding of how themes work.

    I just received a theme from a designer (.zip file). I uploaded that theme through the regular WordPress admin console UX (Appearance -> Themes -> Uplolad, etc).

    After the upload completed I DID NOT ACTIVATE THE THEME. I simply pressed the preview option. Well it turns out that process updated the SiteURL of my server (in wp_options). So, until I figured this out, I could not log on to my admin console – doing so redirected to my designers server.

    This freaked me out ?? I assumed uploading a theme – AND NOT ACTIVATING IT – was a reasonably safe option. I am clearly mistaken.

    I ended up modifying SiteURL directly in the database but this messes with my understanding.

    By the way, while I was blocked from the admin console, my regular site remained unaffected, with the correct theme.

    Can someone educate me as to what’s going on here?

    Mark

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter markwill

    (@markwill)

    This turned out to be worse than I expected and updating SiteURL didn’t completely resolve the issue. I have to go back to a backup of my server and have initiated that process.

    So, I am back to the simple question – can merely UPLOADING a theme through the admin console update essential site-wide parameters BEFORE THE THEME IS ACTIVATED. That sounds like a hackers dream there (here – preview this neat theme… :)).

    Obviously there’s a basic change/configuration management issue I need to consider here but, as I say, I didn’t consider a non-activated theme to be “dangerous”.

    Any advice very welcome.

    Thanks.

    Mark

    Thread Starter markwill

    (@markwill)

    I did some more digging since this event really concerned me, given that I didn’t activate the theme.

    At the bottom of the functions.php file was the following:

    update_option(‘siteurl’,’https://<server>/&#8217;);
    update_option(‘home’,’https://<server>/&#8217;);

    Where <server> is the URL to my designers server. So, I am guessing that is WHERE this came from (the redirection).

    But what I still don’t get is why this “ran” when all I did was upload and click on Live Preview. I am guessing now that these two lines were called even with Live Preview – and brought my site down.

    So, does this all boil down to these two lines being out of place in a theme intended to be installed on various servers?

    Thanks.

    Mark

    Live preview has to use the themes files in order to let you see the theme, so yes, any code in the theme will run.

    You are also right, that code has no place in a theme, even if it’s meant for a single-site/server. :/ It’s just a bit of sloppy coding form the developer that shouldn’t have made it into what was delivered to you. Hopefully the rest of the theme is better quality. ??

    Thread Starter markwill

    (@markwill)

    Thank you, catacaustic. I appreciate the response.

    Mark

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Uploading theme changes siteURL’ is closed to new replies.