As of January 2015, more than 23.3% of the top 10 million websites are using WordPress (source). To say it’s a popular choice for a content management system is an understatement. Part of its appeal is the thousands of free and commercial pre-made themes available for the system. They are an enticing way to publish a website with little or no knowledge of programming required.
It helps to understand the motivation different parties may have in creating a WordPress theme for sale or free download.
Individual programmers are often motivated to create a theme to upload it to a site that sells them at low cost. Much like a stock photo, think of these themes as stock themes. You pay a fee that is a fraction of the cost of hiring a professional to create a custom design and theme, you download it for your website, and the individual programmer gets a small cut of that fee. With free themes, the original programmer usually requires that a link back to them appear on the site, gaining them more internet exposure.
However, there’s also a third, more nefarious reason for creating free themes – to spread malware and other malicious code. That’s right, some unscrupulous individuals will code nasty stuff right into a theme, hoping to cash in on the popularity of themes and the ease of installing them, as well as on uneducated or uninformed users. So how do you avoid this one? Of course I’d recommend going custom (more on that shortly), but if you’re determined to use a pre-made theme, be careful where you get it. There are several popular sites that sell themes, and WordPress.org has a directory of themes. Those are your best bets, but you often have little recourse if you purchase or download a free theme, install it yourself, and any of these occur:
you manage to screw something up on the site
your site is hacked
your site is flagged by Google for containing malware