You’ve probably heard the advice that you should delete old or unwanted plugins from your WordPress installation. Plugins are often on the forefront of WordPress housekeeping lists. This is probably due to the fact that on a normal WordPress site you’re usually running just one theme and then multiple, sometimes dozens, of plugins. Unused plugins in the mix make it inconvenient to scroll through the list and troubleshoot conflicts. They can also pose a security risk if they’re not updated.
But what about themes? Cleaning out your WordPress themes directory is just as important as plugin housekeeping. The current WordPress download package comes with three default themes pre-installed: Twenty Fourteen, Twenty Thirteen and Twenty Twelve. You may even have Twenty Eleven left over on your site, along with themes you’ve previously tested.
Chances are that you won’t need all of these. Any theme not in use has got to go – with one important exception: a default theme for fallback. You can always re-install a theme further down the road if you decide you need it.
Trying on a bunch of themes and then leaving them in your themes directory is somewhat akin to leaving your clothes all over the floor, instead of putting them in the laundry bin. When it comes to WordPress themes, however, this careless practice can have some serious consequences.
WordPress Themes Can Be An Entry Point For Hackers
Because WordPress is now powering more than 1 in 5 websites on the internet, WordPress sites are a prime target for hackers and spammers. If your site isn’t secure, hackers can use your themes as entry points. They’ve studied WordPress themes and know how to take advantage of them to forge an all-out attack on your site, your server and its resources.
Hackers may insert malicious files or edits to your theme to try to hijack your site. Sometimes they get in through vulnerable scripts, as was the case with the historic timthumb.php attack in 2011, which posed a serious security risk for millions of WordPress sites using themes bundled with the script.
Once a hack is successful, you’ll spend more time than you’d like in unraveling what they’ve done and convincing your host to turn your site back on.
WordPress Theme Housekeeping Checklist
Outdated versions of WordPress, themes and plugins are the most common cause of hacked sites. At the very least, you’ll want to keep everything up to date. Enabling automatic background updates is a great way to stay current, especially for sites that you own but rarely visit.
Here’s a checklist of what you can do right now to clean out your WordPress themes directory:
- Remove all unused WordPress themes (with the exception of one default for fallback)
- Update any themes that you are keeping
- Make sure permissions on your wp-content and themes directories are 0755
- Enable automatic background updates
This checklist should have you covered for the basics, but more advanced measures can be put in place if you’re keen on exploring additional security options. For more information about hardening WordPress against intrusions, check out the codex and its recommended resources.