A question that’s on a lot of our minds is why WordPress.com doesn’t allow custom template editing. Although XSS (Cross Site Scripting) vulnerabilities are a viable threat, is there any way that Automattic can protect the site and allow this functionality at the same time?
Obviously we want to provide as much freedom as possible without sacrificing the performance and security of the site. Customization is the single most requested feature on WordPress.com. It’s something we’re always improving – such as with Widgets and the new version of Regulus with custom header images.
It’s probably possible to create a new templating system for WordPress so that anyone can make their own template without exposing things that should remain secure on the server. There are people working on this kind of thing in different ways: plugins, flexible themes, even core mods.
Most folks are very happy with the options we provide, too. They’re very vocal about it in the feedback form. The few people who really need their own theme are encouraged to run WordPress on their own server space so that they have full control over their site.
Personally, I encourage anyone who wants to make their own theme to install WordPress on their home computer and play with it. If you fall in love with it, you’ll probably want to rent space on a shared server and then you can also have your own domain name. It’s a lot of fun, but when you just need a place to blog you’ll still have the ability to do so on WordPress.com. I have blogs there as well as elsewhere.
I wish more people over at the support forums would understand that. 🙂