Why You Should Clean Out Your WordPress Themes Directory

photo credit: 13Moya 十三磨牙 - cc

You’ve probably heard the advice that you should delete old or unwanted plugins from your WordPress installation. Plugins are often on the forefront of WordPress housekeeping lists. This is probably due to the fact that on a normal WordPress site you’re usually running just one theme and then multiple, sometimes dozens, of plugins. Unused plugins in the mix make it inconvenient to scroll through the list and troubleshoot conflicts. They can also pose a security risk if they’re not updated.

But what about themes? Cleaning out your WordPress themes directory is just as important as plugin housekeeping. The current WordPress download package comes with three default themes pre-installed: Twenty Fourteen, Twenty Thirteen and Twenty Twelve. You may even have Twenty Eleven left over on your site, along with themes you’ve previously tested.


Chances are that you won’t need all of these. Any theme not in use has got to go – with one important exception: a default theme for fallback. You can always re-install a theme further down the road if you decide you need it.

Trying on a bunch of themes and then leaving them in your themes directory is somewhat akin to leaving your clothes all over the floor, instead of putting them in the laundry bin. When it comes to WordPress themes, however, this careless practice can have some serious consequences.

WordPress Themes Can Be An Entry Point For Hackers

Because WordPress is now powering more than 1 in 5 websites on the internet, WordPress sites are a prime target for hackers and spammers. If your site isn’t secure, hackers can use your themes as entry points. They’ve studied WordPress themes and know how to take advantage of them to mount an all-out attack on your site, your server and its resources.

Hackers may insert malicious files into your theme, or edit its existing files, to try to hijack your site. Sometimes they get in through vulnerable scripts, as was the case with the historic timthumb.php attack in 2011, which posed a serious security risk for millions of WordPress sites using themes bundled with the script.

Once a hack is successful, you’ll spend more time than you’d like unraveling what was done and convincing your host to turn your site back on.

WordPress Theme Housekeeping Checklist

Outdated versions of WordPress, themes and plugins are the most common cause of hacked sites. At the very least, you’ll want to keep everything up to date. Enabling automatic background updates is a great way to stay current, especially for sites that you own but rarely visit.

Here’s a checklist of what you can do right now to clean out your WordPress themes directory:

  • Remove all unused WordPress themes (with the exception of one default for fallback)
  • Update any themes that you are keeping
  • Make sure permissions on your wp-content and themes directories are 0755
  • Enable automatic background updates
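As an added example (this is not code from the article, and it is not a WordPress or WP-CLI tool), here is a POSIX shell script that carries out the first and third checklist items against a wp-content/themes tree: it lists the theme folders that are neither the active theme, its parent (when the active theme is a child theme) nor the fallback you choose, and it checks that wp-content and themes are exactly mode 0755. Because the script does not read the WordPress database, the active theme and fallback are passed in as arguments; the throwaway tree it builds under mktemp, and the theme names in it, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the article): audit a wp-content/themes tree
# for the checklist's "remove unused themes" and "0755 permissions" items.
# The active theme and the fallback are passed in as arguments because this
# script does not read the WordPress database; the sample tree it builds is
# constructed for demonstration only.

# Print the theme directories that are safe to remove: everything except the
# active theme, its parent (for a child theme) and the chosen fallback.
# usage: unused_themes THEMES_DIR ACTIVE FALLBACK
unused_themes() {
    themes_dir=$1; active=$2; fallback=$3
    # A child theme names its parent in the "Template:" header of style.css;
    # the parent must stay or the active theme stops working.
    parent=$(sed -n 's/^[[:space:]]*Template:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$themes_dir/$active/style.css" 2>/dev/null | head -n 1)
    for d in "$themes_dir"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        # Only directories carrying a style.css header are themes at all
        [ -f "$d/style.css" ] || continue
        case "$name" in
            "$active"|"$fallback"|"$parent") ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Print "ok" when DIR has exactly mode 0755 (POSIX find -perm without a
# leading "-" is an exact match), otherwise print "bad" and return non-zero.
# usage: check_perm DIR
check_perm() {
    if [ -n "$(find "$1" -prune -perm 0755 -print)" ]; then
        echo "ok"
    else
        echo "bad"
        return 1
    fi
}

# Constructed sample tree: a child theme of Twenty Thirteen is active, Twenty
# Fourteen is the fallback, two other themes are left over from testing, and
# one leftover directory is not a theme at all.
build_sample() {
    root=$(mktemp -d)
    themes="$root/wp-content/themes"
    mkdir -p "$themes"
    for t in twentyfourteen twentythirteen twentytwelve my-child-theme tested-once; do
        mkdir -p "$themes/$t"
        printf '/*\nTheme Name: %s\n*/\n' "$t" > "$themes/$t/style.css"
    done
    printf '/*\nTheme Name: My Child\nTemplate: twentythirteen\n*/\n' > "$themes/my-child-theme/style.css"
    mkdir -p "$themes/leftover-upload"   # no style.css, so it is ignored
    chmod 0755 "$root/wp-content" "$themes"
    printf '%s\n' "$root"
}

# Demonstration run (assumed active theme: my-child-theme; fallback: twentyfourteen)
ROOT=$(build_sample)
echo "Themes that can be removed:"
unused_themes "$ROOT/wp-content/themes" my-child-theme twentyfourteen
echo "wp-content/themes mode 0755: $(check_perm "$ROOT/wp-content/themes")"
rm -rf "$ROOT"
```

The script only reports; deleting is left to you, and on a real site the same two items are usually handled with WP-CLI (`wp theme list --status=inactive`, `wp theme delete <name>` and `wp theme update --all`), which is aware of the active theme and its parent. The parent-theme check is the part that matters most in practice: a child theme looks like the only theme "in use" in Appearance > Themes, but removing its parent breaks the site.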

This checklist should have you covered for the basics, but more advanced measures can be put in place if you’re keen on exploring additional security options. For more information about hardening WordPress against intrusions, check out the codex and its recommended resources.

15 Comments


  1. Are you suggesting that, like Hello Dolly, users remove any theme that comes with WordPress out of the box that is not being used? I hope we don’t get to the point where WordPress comes with 10 themes and users have to spend time deleting all the unnecessary crud. Reminds me, I should probably figure out what the plan is for TwentyEleven, TwentyTwelve, and TwentyThirteen. When will they stop being part of WordPress and live in the Theme Repository as separate entities?



    1. When is WP going to remove 2012 from the package?

      Are we going to have 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 & 2020 all bundled up? Eventually the size of the themes will be bigger than the core files.

      I think WP should come with ONE theme. People can download themes. I don’t think we need 3 themes in the package.

      What if WP lasts until 2050? Are we going to have 30+ themes in the download package?



  2. I check daily on all my sites.

    My home page is http://www.whateverdomain.com/wp-login.php x 8

    If there is an update for, let’s say, Akismet in site #1, then 2-8 will need the update.

    I check out updates, then comments.

    Is there a plugin that will e-mail me whenever there is an update for theme/plugin?

    ——–
    Hello Miroslav

    You have updates on your http://www.wptaverntshirtswouldbeawesome.com

    Following plugins need to be updated:

    Akismet
    Jetpack
    La Cucaracha dances on the header

    Following theme needs to be updated

    Mountain Dew

    Please update immediately.

    Thank You
    ——–

    I don’t mean those e-mails Matt sends whenever there is a new core upgrade.

    This would be my own server/installation sending me an e-mail.

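The notification the commenter above describes can be produced by the server itself without a plugin. The following is an added example, not code from the article or from any commenter: a POSIX shell script meant to run from cron that asks WP-CLI (its `wp plugin list --update=available` and `wp theme list --update=available` commands) which plugins and themes have updates pending on each local site, and e-mails a summary only when something needs attention. The site paths, the recipient address, the script name in the cron line and the use of the system `mail` command are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or its comments: e-mail a per-site list of
# plugins and themes with pending updates, gathered through WP-CLI.  Site
# paths, the recipient and the `mail` command are assumptions for this demo.

# Build the message body from newline-separated plugin and theme name lists.
# Prints nothing when both lists are empty, so the caller can skip the e-mail.
# usage: build_report SITE_URL "plugin lines" "theme lines"
build_report() {
    site=$1; plugins=$2; themes=$3
    if [ -z "$plugins" ] && [ -z "$themes" ]; then
        return 0
    fi
    printf 'Updates are pending on %s\n' "$site"
    if [ -n "$plugins" ]; then
        printf '\nPlugins needing an update:\n%s\n' "$plugins"
    fi
    if [ -n "$themes" ]; then
        printf '\nThemes needing an update:\n%s\n' "$themes"
    fi
    printf '\nPlease update soon.\n'
}

# Query one WordPress install through WP-CLI and mail the report if non-empty.
# usage: notify_site /path/to/site recipient@example.com
notify_site() {
    path=$1; to=$2
    url=$(wp --path="$path" option get siteurl)
    plugins=$(wp --path="$path" plugin list --update=available --field=name)
    themes=$(wp --path="$path" theme list --update=available --field=name)
    report=$(build_report "$url" "$plugins" "$themes")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "Updates pending on $url" "$to"
    fi
}

# Assumed cron entry (placeholder path and schedule), e.g. daily at 07:00:
#   0 7 * * * /usr/local/bin/wp-update-notify.sh
# and the loop the script would run over the installs it manages:
#   for site in /var/www/site1 /var/www/site2; do
#       notify_site "$site" admin@example.com
#   done
```

Keeping the report builder separate from the WP-CLI calls means the formatting can be checked on constructed input, while the actual queries run only on the server with WP-CLI installed; running the script under a user that can read each install's wp-config.php is all it needs.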


  3. Hi Sarah

    “Any theme not in use has got to go – with one important exception: a default theme for fallback.”

    That’s the way I usually go, just in case I have any problems with the theme I’m using.
    Deleting themes is no big deal only takes a minute or so.

    I check my own sites when I add posts and if any plugins need updating I update them and then update them on client sites.

    I use a few security plugins plus the Sucuri paid plugin, which is pretty cheap once you are using it on ten or more sites and setup is nice and easy.



  4. Thanks Sarah! I’ve been deleting excess themes from time to time, but I’ve always wondered if I needed to keep 1 or more default themes around. Someone once told me that if you were having database problems switching to a default theme could help – perhaps that was a myth. Does it matter which default theme you have? If 2014 is bigger, it is better to delete it and keep 2013? Or better to keep 2014 since it’s the most updated? TY!



  5. Hello to all, and thanks to Sarah for bringing this issue up.
    I’ve always been following this practice, in which I do not keep any extra theme except the default theme and the child themes that I’ve created, yet technically I’m not convinced how an unused but updated theme can cause a vulnerability. I’d appreciate it if someone could explain the point.



    1. If you keep the unused themes updated, you’ll be ok. The problem is that most people don’t update themes they’re not using. If one of those updates contained a security fix, it won’t be applied to the theme. You should read about the historic TimThumb attack and how, years later, people were still being affected by it because they forgot about the themes they had on their site that contained the TimThumb script. This post by Joost illustrates the importance of updating everything.



      1. Thanks Jeff, maybe I’m obsessed, but even if I’m in the middle of writing a post and an update notification appears on the admin bar at the same time, I can’t finish my post unless I update the site first :) I remember the TimThumb tsunami; at the time I was a very fresh WP learner. I’m not sure whether I was using a Woo or an Elegant theme, but I received an urgent newsletter from the theme vendor urging an immediate update. I had no idea what this was all about; anyhow, I followed the instructions and luckily faced no issue.




  6. I went into one of my sites a few weeks ago and saw I had 7 themes and quickly cleared them all out except one to fall back on. Great article.



  7. Hey Sarah, I am new to WordPress. Can I delete the Twenty Twelve default theme? If yes, then how?
    Thanks in advance.



    1. Supreeth – Sure, go to Appearance > Themes. You might leave Twenty Fourteen in there for something to fall back on in case there’s a problem with your active theme.

