How to update core theme, without breaking design

I am trying to help a client that have a wordpress site with Sage 8.2.1. Their site have been attacked and hacked 5 times now, the last 3 months. Lots of backdoors .php files are created all over the wordpress directories. And their hos shuts down therir site. We have cleaned it up 4 times, and now it just happened again, so I guess the bots are using the same exploit everytime…

We have reset all password, including mysql and ftp. We have updated Wordpress and all its plugins.

The only thing we have not updated is the Sage theme. Are there any known security problems with the 8.2.1 version?

How would I proceed updating the theme, but keeping the design as it is? The guy who built the site is no longer around.

Nope

You don’t need to update the theme, you need to remove all the problematic pieces of code that were added after you were hacked

You can compare your theme to the 8.2.1 tag on GitHub, but since Sage is a starter theme it might not really help.

We have cleaned the site everytime. So the webhost now suggest that we also update the theme, since I know nothing about the Sage theme, I was just looking for information on how to do that. Or if it is really nessescary at all.

If there are no known exploits for the version our client is running, I see no need to update it.

There are no security issues

Well, I have closely monitored the customers webhotel now. Some days ago, two new files where created inside the /wp-content/themes/theme-name/assets/styles/ folder.

Both files where malware php files which allowed file upload access.

This could be a security problem with the server, or an unaddressed issue with WordPress core or one of the plugins you have installed, but Sage itself really doesn’t do that much and so presents a much smaller attack surface than, say, WordPress core or its popular plugins.

This is an issue with your web host / webserver configuration / something running on there, and is unrelated to Sage specifically.