
> However, the only real solution to this problem is to run a limited set of extremely trustworthy plugins and build your own themes.

What on earth? It's pretty simple to check for malicious JavaScript or PHP code in a theme.




It is fairly simple to check for obviously malicious JS or PHP code in a theme, but it's not so easy to find themes which are badly written and thus insecure. Can you always spot an XSS or SQL injection vulnerability?


What is your exhaustive definition of "malicious" in this case?


Let's see:

1) Anything linked outside of the domain.
2) Anything not HTML/CSS/image/WordPress tag/JavaScript libraries.
3) Anything encrypted.

Let me know if I missed anything.


Do you whitelist the JavaScript libraries? Who certifies them? Is having a base64 decode function available from the library a problem?

Do you scan the CSS for url() references outside of the domain?


1. Most WordPress theme developers use popular JavaScript libraries, so it wouldn't be too difficult to replace them with the original if you suspected something was amiss. The function wouldn't be a problem if there wasn't any base64 code.
2. url() references should all be relative, in the same domain, so if it linked on the outside, I'd change it.

Most of the time I use a WordPress theme as a starting point, rewriting some parts and looking over all of the code.

Also, as mentioned above, securing the theme against injections and XSS is important.


Do you scan images provided with the theme to check if any subset or combination of subsets of their contents can be malicious when base64 decoded?


I wonder how many people who run WordPress think it's pretty simple to check for malicious JavaScript or PHP code in a theme?



