DEV Community

Risky Egbuna
Risky Egbuna

Posted on

How to Check a Restaurant WordPress Theme Like Barab Is Actually Safe to Install

Before You Install a Food & Restaurant WordPress Theme, Check These 7 Things First

Restaurant owners shopping for a WordPress theme usually care about two things: does it look good with food photography, and does it have a working online menu. Fair enough — those matter. But almost nobody checks whether the theme file itself is clean before they upload it to a live site. That's the part that actually causes problems six months later, when a site starts redirecting to a pharmacy spam page or gets flagged by Google Safe Browsing for no obvious reason.

A theme like Barab – Fast Food & Restaurant WordPress Theme is a good example to walk through, because it's the kind of product people download from a marketplace, a reseller site, or a "free GPL" mirror, and then install without ever opening the actual files. That's true whether you bought it on the original marketplace or got it through a GPL redistribution source — the install step is identical, and so is the risk if the package was tampered with somewhere along the way.

Below is the actual process I'd run through before putting any premium theme — restaurant-focused or not — anywhere near a client's production site.

Why this matters more for restaurant themes specifically

Restaurant sites tend to have a few things that make them attractive targets if something does go wrong:

  • They often run online ordering and payment integrations (Stripe, Square, third-party delivery plugins), so a compromised theme sitting in the same wp-content directory has access to a lot more than a simple blog would.
  • They get decent local traffic and Google Maps visibility, which makes them useful for SEO spam injection — attackers love hijacking a site with existing rankings to insert hidden links or redirect mobile visitors to ad networks.
  • Owners frequently don't check the site daily. A pizza shop owner is busy running a kitchen, not reading server logs. Malicious code can sit unnoticed for months.

None of this means Barab specifically is suspicious — it's a legitimate, actively sold theme. The point is that any theme, premium or free, deserves the same five-minute check before go-live. Skipping it is the actual risk, not the theme itself.

Step 1: Confirm where the file actually came from

This sounds obvious, but it's the step people skip most. If you bought the theme:

  • Through the official marketplace listing, you have a receipt and a known-good zip hash to compare against if you ever need to.
  • Through a GPL resale source such as GPLPAL, check that the listing clearly states it's redistributing under the GPL license terms (which WordPress themes are legally allowed to do), and that the download page isn't asking you to disable your antivirus or run an unusual installer .exe before getting the zip — a legitimate GPL theme is just a zip file, nothing more.

If a "free" copy of a $59 premium theme shows up on a random forum with zero seller information, that's the one I wouldn't touch. Not because every free copy is malicious, but because there's no accountability chain if it is.

Step 2: Open the zip before you upload it

Before installing anything through the WordPress dashboard, extract the zip locally and just look at the file list. You're checking for:

  • An unusually high number of PHP files for what should be a relatively simple theme structure (header.php, footer.php, functions.php, template parts, and so on). A bloated file count with oddly named files like wp-cache-tmp.php or class-update-helper.php sitting outside the normal WordPress naming conventions is worth a second look.
  • Files with no extension or double extensions (image.jpg.php is a classic trick to disguise a PHP payload as an image).
  • A functions.php file that's enormous compared to what a theme of this size should need. Restaurant themes mostly need menu post types, theme customizer options, and maybe a reservation form hook — they shouldn't need thousands of lines.

Step 3: Search functions.php and any included plugin files for red-flag functions

This is the step that actually catches most malware, and it takes five minutes with a text editor's search function. Open functions.php (and any bundled plugin files in the theme's /inc/ or /lib/ folder) and search for these specific strings:

  • eval() — executes a string as PHP code. Legitimate themes almost never need this. It's the single most common function used to run obfuscated malicious payloads.
  • base64_decode() — often paired with eval(). A line like eval(base64_decode('aWY...')) is decoding a hidden chunk of code at runtime so a quick visual scan won't catch what it actually does. Seeing this combination is close to an automatic red flag.
  • str_rot13() — another simple obfuscation layer, sometimes stacked with base64 to make the payload harder to spot.
  • gzinflate() or gzuncompress() combined with base64 — same idea, used to compress and hide injected code.
  • create_function() — deprecated since PHP 7.2 and rarely used legitimately anymore, but still shows up in older malware kits.
  • file_get_contents() pointed at an external URL, especially one that doesn't match the theme author's domain. Legitimate themes calling home to check for license activation is normal; calling out to a random .ru or .tk domain is not.

If you find any of these, that doesn't automatically mean the theme is malicious — base64_decode does have legitimate uses, and some page builders use light obfuscation for license checks. But it's your signal to stop and investigate the specific line of code rather than assume it's fine.

Step 4: Run the zip through VirusTotal before uploading

This one's free and takes thirty seconds. Go to virustotal.com, upload the theme zip (or the individual PHP files if the zip is too large), and let it scan against dozens of antivirus engines at once. A single flag from an obscure engine usually isn't a big deal — those produce false positives on legitimate code fairly often. But if three or more engines flag the same file, especially for something labeled as a PHP backdoor, webshell, or trojan, don't install it. Go back to the source you downloaded it from and try a different one, or contact the seller directly.

Step 5: If you're comfortable with command-line tools, run a YARA scan

This is a step past what most non-developers will do, but if you or your developer wants to go further, YARA rules let you scan files against known malware signature patterns rather than relying only on a single antivirus engine's database. There are public YARA rule sets specifically built for WordPress malware (searchable on GitHub) that look for patterns like backdoor shells, malicious file uploaders disguised as theme functions, and SEO spam injectors. It's overkill for a quick personal blog install, but for an agency installing themes across dozens of client sites, it's a reasonable five-minute habit to build into the process.

Step 6: Check the theme against the WordPress.org plugin/theme repository conventions

Even though Barab itself is a premium theme and won't be listed in the free WordPress.org repository, it's still worth comparing its coding structure against WordPress's own theme handbook to see whether it follows standard practices — proper use of wp_enqueue_script() and wp_enqueue_style() instead of hardcoded <script> tags in the header, sanitized and escaped output (esc_html(), esc_url(), sanitize_text_field()) on any custom fields it adds, and no direct database queries that bypass $wpdb prepared statements. A theme that ignores all of these isn't necessarily malicious, but it usually signals rushed development, and rushed development is where security holes tend to live.

Step 7: Test on a staging site first, not production

Last step, and probably the most underrated one. Spin up a staging copy of the site (most hosts offer one-click staging now — SiteGround, Kinsta, WP Engine all do), install the theme there, and watch it for a few days. Check:

  • Whether any new admin users get created that you didn't add.
  • Whether your wp_options table picks up any unfamiliar entries (a quick look through a plugin like Wordfence's file change scanner will flag this automatically).
  • Whether outbound requests spike in your server logs right after activation.

If everything's quiet after a few days, you've got reasonable confidence to move it to production.

Once the theme passes the security check, here's what actually affects rankings and conversions

Security is the part people skip, but it's not the only thing that quietly determines whether a restaurant site performs well. A clean theme can still lose customers if it's slow to load or invisible to local search. These three areas are worth checking right after the security pass, before the site goes live.

Local SEO: does the theme actually support structured data properly

Google doesn't just read your text — it reads structured data (schema markup) to understand that you're a restaurant, what your hours are, what your price range is, and what your menu items actually cost. This is what allows a listing to show a star rating, hours, or "Open Now" status directly in search results instead of just a blue link.

A few things worth checking on any restaurant theme, Barab included:

  • Does the theme (or a paired plugin) output Restaurant or LocalBusiness schema automatically, or do you have to add it manually through a plugin like Schema Pro or Rank Math's local SEO module? Some restaurant themes claim "SEO friendly" in their marketing copy but don't actually output any structured data at all — that's a marketing claim, not a technical fact, so it's worth verifying yourself.
  • Can you set opening hours, address, and phone number in a way that maps to schema fields, rather than just being plain text in a footer widget? Plain text footer hours look fine to a human visitor but mean nothing to Google's crawler.
  • Does the menu page generate Menu and MenuItem schema, including prices? This is what occasionally gets menu items to show up directly in Google search results or in Google Maps' "popular dishes" section — genuinely useful for foot traffic, not just a vanity SEO feature.

You can check any of this for free using Google's Rich Results Test — paste in the live URL once the site's up, and it will tell you exactly what structured data it's reading, if any.

Performance: high-resolution food photography is usually the bottleneck

Restaurant sites live and die by photography. Nobody orders from a food site with bad photos. But that same photography is almost always the single biggest cause of a slow-loading page, and page speed is both a direct Google ranking factor and a major driver of whether mobile visitors actually stick around to order.

A few specific things to check once Barab (or any restaurant theme) is installed with real photos:

  • Run the homepage and a menu page through PageSpeed Insights before adding any real content, and again after. If the score drops by more than 15-20 points after adding a handful of food photos, the theme likely isn't handling responsive image sizing well — meaning it's serving the same large file to mobile and desktop instead of generating appropriately sized versions.
  • Check whether the theme supports WebP image format or works cleanly with a plugin that converts uploads to WebP automatically (ShortPixel and Smush both do this). WebP files are typically 25-35% smaller than JPEG at equivalent visual quality, which matters a lot when a homepage might have a dozen dish photos.
  • Confirm lazy loading is actually working — scroll down a menu page with browser dev tools open on the Network tab, and you should see images load in as you scroll rather than all of them loading at once on page load. WordPress has had native lazy loading since version 5.5, but some themes override it in ways that break it without realizing.
  • If the site is going to get real regional traffic, pair it with a CDN (Cloudflare's free tier is enough for most single-location restaurants) so images load from a server geographically close to the visitor rather than wherever the host's origin server sits.

Plugin compatibility: this is where online ordering breaks in practice

The theme might look perfect in the demo, but the demo almost never includes the actual ordering plugin you're planning to use. This is worth testing on staging before committing, not after launch.

  • If you're using WooCommerce for online ordering, check that menu item pages and the cart/checkout flow inherit the theme's styling correctly rather than falling back to default WooCommerce templates that look visually disconnected from the rest of the site. This is one of the most common complaints with restaurant themes generally — beautiful homepage, oddly generic-looking checkout page.
  • If you're using a third-party delivery integration (a plugin connecting to DoorDash, Uber Eats, or a custom ordering system), test that the theme's mobile menu and the ordering plugin's floating cart or order button don't visually overlap or conflict — this happens more often than you'd expect, especially on smaller phone screens where both elements compete for the same space near the bottom of the viewport.
  • If reservations are part of the business (sit-down restaurants more than fast food, but still common), check that a booking plugin like OpenTable's widget or a WordPress-native reservation plugin doesn't get cut off or misaligned inside the theme's content width — some themes use unusually narrow content containers that clip third-party embedded widgets.

None of this is a flaw specific to any one theme. It's just the reality that a theme is built and demoed in isolation, while a real restaurant site is a stack of three or four different tools working together. Testing that stack on staging, the same way you'd test for security issues, catches problems before a customer hits a broken checkout flow instead of after.

What this actually means for picking a theme like Barab

None of this is meant to scare anyone off buying or downloading a restaurant theme. Premium themes from established marketplaces are, in the overwhelming majority of cases, completely clean — that includes copies sourced through legitimate GPL redistribution sites like GPLPAL, since the GPL license is what allows that kind of resale to exist legally in the first place. The point of this checklist isn't suspicion of any particular source — it's that a five-to-ten-minute review before installing anything on a client or business site is just good practice, the same way you'd check a contractor's references before they start work on your house.

For a restaurant site specifically, where you're connecting payment processors and handling customer data through online ordering, that small bit of due diligence is worth the time. Pick the theme that fits your menu layout and branding needs, then run it through the steps above before it goes anywhere near production. It's a small habit that saves a much bigger headache later.

Top comments (0)