WordPress is growing quickly - both as a hosted platform and also via standalone blog installations. The rapid growth and its open, flexible approach to blog design, means it may become a target for hackers who embed malicious code within themes they distribute.

One of the reasons for its success is the flexibility it offers for customization. WordPress is built around a central engine, written in PHP, called The Loop. Every time a blog is viewed, The Loop processes each part of the page — a header, the body and posts, a sidebar, and a footer. Blog operators are free to change these elements: They can modify the stylesheets to change fonts and colors. They can change the PHP code to display things like author details, popular tags, and so on. And they can put in plug-ins to further extend the capabilities of their site.

Designers bundle up stylesheets, PHP code, and sometimes plug-ins, into themes. A WordPress theme isn’t just cosmetics: It’s code. If you change a theme in Powerpoint, you’re just changing fonts and colors. But when you change a theme in WordPress, you’re also modifying the underlying structure of the site, including database queries and PHP execution.