Choosing the right theme for your WordPress website is an important step. However, it’s not enough to look for a beautifully-designed layout that incorporates the features your website needs. It’s also crucial to think about security.
With WordPress powering over 30 percent of all websites, many hackers think of it as an easy target. One method they use to gain access to sensitive data is exploiting vulnerable themes. Thankfully, with a few simple precautions, you can make sure your theme is secure against common attacks.
In this article, we’ll talk about why it’s important to choose a secure WordPress theme. Then, we’ll share six tips for selecting a safe and reliable one. Let’s dive on in!
A brief introduction to WordPress theme security
There are almost 8,000 themes in the official WordPress Theme Repository. These extensions feature a wide range of different styles and provide functionality for many kinds of sites.
Some WordPress themes are lightweight and optimized for performance. Others offer unique page layouts or lots of customization options. If you’re determined to top Google’s search results, there are even some coded with Search Engine Optimization (SEO) in mind.
When it comes to finding your perfect theme, there’s no one-size-fits-all solution. However, it’s vital that the one you ultimately choose is secure. Themes add code to your website, which could inadvertently provide windows for hackers to gain entry.
Hackers have a knack for identifying security loopholes in all kinds of software. However, WordPress recommends that developers distribute their themes under a GNU General Public License (GPL).
This means that many themes are open source and their code is publicly accessible. Hackers could potentially study your theme’s code and use any security vulnerabilities they find against you.
If your theme is compromised, then a hacker could wreak havoc on your website. They might steal confidential visitor data, inject malware into your WordPress installation, or even delete your website entirely. In the worst-case scenario, you might wake up to discover that your website has vanished, and years of hard work have been lost forever.
A secure theme shouldn’t include any known vulnerabilities. It’s also under active development, regularly updated, and adheres to coding best practices. This means it should be compatible with the latest version of WordPress, as well as all your site’s other third-party elements, such as plugins.
How to make sure your WordPress theme is secure (6 key tips)
Now that we’ve discussed why it’s important to use a secure theme, let’s help you find one. Here are six tips for choosing a theme that’s beautifully-designed, feature-rich, and safe to use.
1. Only install themes from reputable sources
To help protect your website, you should only install themes from reputable sources. For free ones, the official WordPress Theme Directory is the best provider. It has strict security guidelines for all the products it includes.
If you’re looking for a theme for your WooCommerce store, you might also consider options from the official WooCommerce website.
When purchasing a theme, you should always check whether the developer or provider offers ongoing support. If you have any questions, ask before you buy.
2. Research your themes’ history and reviews
Even when you’re downloading a theme from a reputable source, you should still exercise caution. It’s a smart move to check its reviews, particularly its most recent ones.
Themes can become less secure over time. For example, the developer’s coding standards may slip. The most recent release may even inadvertently introduce new security vulnerabilities.
If a theme is currently receiving positive feedback, then it’s likely to be a secure option. You can usually find the latest user feedback on the sales or download page:
You can also boot up your favorite search engine and enter your theme’s name. This is a smart way to check whether anyone is complaining about it on third-party forums and blogs. Disgruntled users often air their grievances on social media, too, so you may want to expand your search to popular platforms such as Twitter and Facebook.
You should also check the date of the theme’s most recent update. Hackers are coming up with new tricks and malicious techniques all the time. If a theme hasn’t been updated recently, then it may be exposing your site to a security vulnerability that’s widely known.
3. Test your theme with Theme Check
You can be confident that all the themes in the official WordPress Theme Directory have passed the platform’s strict security guidelines. However, as we’ve already mentioned, this isn’t the only place to find themes.
There are many reasons why a developer might not publish their theme in the official Repository. They may not want to license it under the GPL or wish to direct traffic to their website to build their client list.
Fortunately, you can still test any theme against WordPress’ theme review standards. Theme Check is a free WordPress plugin that uses the same automated testing tools.
Once you’ve activated Theme Check, navigate to Appearance > Theme Check in your dashboard. You can then select the theme that you want to scan from the dropdown menu and click on Check It!:
After a few moments, Theme Check will display any issues it’s detected:
Note that just because Theme Check identifies one or more issues doesn’t automatically mean the theme is dangerous.
Some themes may be optimized to work with a specific kind of WordPress website, such as e-commerce stores. By focusing on providing the best experience for a subset of users, it may no longer fulfill the general guidelines.
Don’t dismiss a theme outright because it fails the check, or accept one just because it passes. Instead, we’d recommend reviewing the Theme Check output carefully and considering the implications for your particular website.
4. Keep your themes up-to-date
According to WPBeginner, 86 percent of sites are hacked due to an outdated plugin, theme, or WordPress version. Hackers actively target websites that are running out-of-date code. If you haven’t installed the most recent version of your theme, then it could be putting your entire website at risk.
Updates can fix vulnerabilities, introduce new security-focused features, and generally improve your website’s performance. Unless you have a specific reason not to, it’s smart to install updates as soon as they become available.
Keeping your themes up-to-date can be a tedious process. If you manage multiple websites, then monitoring and updating your themes can take a significant chunk out of your day.
Instead, we’d recommend setting your themes to update automatically. ManageWP can scan for available updates and then install them simultaneously across all your websites:
To minimize disruption to your visitors, it’s best to perform updates during periods when your site typically experiences low traffic. You can use ManageWP’s scheduling feature to select the exact date and time when it should install any available updates.
Plus, with ManageWP’s Safe Updates, you can update all your themes without having to worry about errors or conflicts. If a problem does occur, it will roll back your changes automatically. You can then troubleshoot the issue without experiencing downtime.
5. Delete unused themes
Every theme that’s installed on your site is a potential loophole for hackers to exploit. If you don’t require a theme, then you should uninstall it. The ManageWP dashboard makes it easy to see all your inactive extensions:
You can then delete inactive themes directly from the ManageWP dashboard. If you manage multiple WordPress websites, then this is an easy way to quickly remove unnecessary code from all of them.
6. Disable the Theme Editor
By default, you can modify your theme using WordPress’ built-in code editor. While this is handy for customizing your site, it also makes it easy for intruders to edit your site’s files.
If you don’t require the Theme Editor, we recommend disabling it. This requires you to edit your WordPress website’s code, so it’s smart to create a backup before proceeding. You can then restore your site if anything goes wrong.
To disable the editor, you’ll need to connect to your server using File Transfer Protocol (FTP) and an FTP client such as FileZilla. Then open your wp-config.php file:
Find the line that reads, “That’s all, stop editing! Happy publishing.” Directly above it, add the following snippet:
define( 'DISALLOW_FILE_EDIT', true );
Save your changes. The Theme Editor will then vanish from your WordPress dashboard.
While plugin security receives a lot of attention, as a website owner it’s crucial that you close any loopholes hackers might seek to exploit. This includes choosing a theme that adds to your website’s security rather than undermines it.
In this post, we’ve shown you how to reap the benefits of theme security by:
- Only installing themes from reputable sources.
- Researching your themes’ history and reviews.
- Testing your theme with Theme Check.
- Keeping your theme up-to-date.
- Deleting unused themes.
- Disabling the WordPress Theme Editor.
Do you have any questions about theme security? Let us know in the comments section below!
Featured image credit: Pexels.