Do you whitelist the Javascript libraries? Who certifies them? Is having a base64 decode function available from the library a problem?

Do you scan the CSS for url() references outside of the domain?

1. Most Wordpress theme developers use popular Javascript libraries, so it wouldn't be too difficult to replace them with the original if you suspected something was amiss. The function wouldn't be a problem, if there wasn't any base64 code. 2. url() references should all be relative, in the same domain, so if it linked on the outside, I'd change it.

Most of the time I use a Wordpress theme as a starting point, rewriting some parts and looking over all of the code.

Also, mentioned above, securing the theme against injections and XSS is important.

Do you scan images provided with the theme to check if any subset or combination of subsets of their contents can be malicious when base64 decoded?