It’s been a long time since I built my first site and over the years, I’ve built several other websites. Some were hacked, others were an unsuccessful target for hack attacks. In this time, I learned that while WordPress is a secure platform, its ecosystem makes WP websites vulnerable. A majority of the websites that are hacked are found to have outdated themes and plugins. Take the Templatic theme, which was hacked, enabling hackers to gain access to crucial information on sites that were using the theme. Some site owners even received ransom demands from the hacker.
Many WordPress site owners don’t update their websites. As vulnerabilities are discovered in themes, developers issue an update with a patch to fix the vulnerability. When you don’t update the theme, the vulnerability remains. Hackers are always on the lookout for websites using outdated, vulnerable themes. Updating themes is therefore essential to the safety of your WordPress website, because the theme affects the security of the site. This is a precaution one must take after installing a theme on a website. But one must also take precautions before installing a theme. Here is a list of things you should be looking for when selecting a theme:
The Theme Can be Easily Updated
Updates are not just inevitable but necessary. No matter how well coded a theme is, in time it will develop a vulnerability. When that happens, the developers of the theme will quickly release a patch in the form of an update. Typically, when you enter a WP dashboard, you can see an alert of outdated plugins and themes on the left-hand side. Simply go to the installed plugins page and update the theme or plugins. Easy, right?
There are some themes, however, that don’t offer an easy way of updating. The updates are announced on their blog or social media platforms. You’ll have to download the theme from their blog and then manually upload it. It’s not just a time-consuming process but a risky one. What if you miss a major update? By the time you find out about the new update, hackers may have used the vulnerability in the theme to break into your site.
Is the Theme Being Maintained?
Each year many themes are abandoned. They are no longer maintained, which means issues with the theme will not be addressed. You can’t reach out to Support for help, nor can you expect new updates. Plugins and themes are bound to develop vulnerabilities sooner or later. When that happens, there will be no patch issued to fix the problem. You’d be left with two choices: either keep using the vulnerable theme and risk being hacked, or switch to a different theme, which means you’d have to spend considerable time and effort designing the site all over again. This is how badly a theme affects the security of your site.
Example of an abandoned WordPress theme: DeTube
Why are Themes abandoned?
Sometimes themes and plugins are developed as side projects and these side projects often run their course. Or a developer may have built a free theme but he has no time to maintain it because he has a full-time job. The theme might be good and even popular but he’s not getting paid for the time and effort that he puts in. Eventually, he loses motivation and gives up maintaining it. Or he simply may not have the time to look after his creation because he needs to tend to his full-time job that pays his bills.
One easy way of finding out if the theme is being maintained is to look it up in the WordPress repository. See when the theme was last updated. We’d suggest you avoid themes that haven’t been updated for a year. They are most likely abandoned. Not all themes are available in the repository, in which case, look for forums or groups where the theme is being discussed. A simple Google search will help you find such groups. If not, then try finding out more about the theme in general WordPress groups and forums. WordPress has a great community culture and initiating a discussion is always welcome. Do your research before choosing a theme for your WP site.
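The one-year check described above can be automated for themes you already have installed. The following is an added example, not code from the original post: it reads the version from a theme's style.css header and compares it with a repository record. The sample header and the repository record are constructed, and the `version` and `last_updated` field names are an assumption modelled on the WordPress.org theme information API.

```python
import json
import re
from datetime import date

# Constructed sample: header comment of an installed theme's style.css.
SAMPLE_STYLE_CSS = """/*
Theme Name: Example Theme
Version: 1.4.2
Author: Example Author
*/
body { margin: 0; }
"""

# Constructed repository record; the "version" and "last_updated" field names
# are an assumption modelled on the WordPress.org theme information API.
SAMPLE_REPO_JSON = '{"slug": "example-theme", "version": "1.6.0", "last_updated": "2021-03-10"}'


def parse_style_header(css_text):
    """Return the 'Key: value' fields from the style.css header comment."""
    header = css_text.split("*/", 1)[0]
    pairs = re.findall(r"^[ \t/*#@]*([A-Za-z ]+):(.*)$", header, re.M)
    return {key.strip(): value.strip() for key, value in pairs}


def version_tuple(version, width=4):
    """Turn '1.4.2' into (1, 4, 2, 0) so '1.6' and '1.6.0' compare equal."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))


def audit_theme(css_text, repo_info, today, max_age_days=365):
    """List findings for one installed theme; repo_info is None if unlisted."""
    if repo_info is None:
        return ["not-in-repository"]  # fall back to forums and community groups
    findings = []
    last_updated = date.fromisoformat(repo_info["last_updated"][:10])
    if (today - last_updated).days > max_age_days:
        findings.append("stale")  # no release for over a year: likely abandoned
    installed = parse_style_header(css_text).get("Version", "0")
    if version_tuple(installed) < version_tuple(repo_info["version"]):
        findings.append("update-available")
    return findings


if __name__ == "__main__":
    repo = json.loads(SAMPLE_REPO_JSON)
    print(audit_theme(SAMPLE_STYLE_CSS, repo, date.today()))
```

A theme that comes back as `not-in-repository` needs the manual research described above, since there is no repository date to compare against.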
Can you Download the Theme from a Trusted Source?
Piracy today is rampant. Many of us at one point or another may have crossed paths with a shady website promoting premium software at a low price or even free of cost. Before downloading themes from such websites, we’d urge you to pause and think. Why is this site offering nulled WordPress themes? How do you know that the theme isn’t corrupted? Hackers are known to insert malicious code in nulled themes. Once website owners install such themes on their site, hackers gain access to the site.
Besides, even if the theme is not corrupted, it won’t receive updates from the theme developers because it’s illegal. Vulnerabilities will eventually develop and your site will be at risk.
Is the Theme too Complex?
Too many features may seem like an attractive deal, but one has no idea what went on behind the scenes while coding it. With hundreds of thousands of themes and plugins available, it’s hard to stand out in the market. This prompts developers to bring more features into the product that can be marketed. To get the new features up and running as soon as possible, developers write thousands of lines of code in a short span of time, often undermining crucial quality checks. It’s natural to be excited about themes that offer a ton of eye-popping features, but it’s good to avoid such weak themes because they can be easily hacked. Your choice of theme affects the security of your site. Make sure your choices are good.
Is the Theme Developed by Someone Well-Known?
There are several advantages of using themes produced by a reputed company or individual. First off, there’s a guarantee that the product is good and that it underwent strict quality control before being launched into the market. And second, there is an assurance that the theme will not be abandoned like any of the free themes developed as side projects.
That just about covers how a theme affects the security of your WordPress site. Since one of the goals of this post is to tell you how one must buy a good theme, we’d like you to take the following precautions:
Is the Theme Dependent on a 3rd-Party Framework?
Several themes today offer features like sliders, page builders or image compressors. Theme developers don’t build these features; instead, they tie up with third-party plugins to enable these features in the theme. Such dependency can prove to be worrisome. We have come across popular themes that only work with specific plugins. For instance, if you are using X theme then only Y slider will work on your site. Any other slider plugin won’t do. You’ll now have to purchase both X theme and Y slider.
Are You Buying a Yearly or a Lifetime Plan?
Before buying a theme or any plugin/software, make sure you understand what you are paying for. We have seen pricing pages where there is no clarity on whether the package is for a month or a year or lifetime. If you come across such a page, don’t assume it’s a monthly or yearly package. Get your doubts clarified.
We have seen discussions on online forums where website owners related stories of buying a plugin thinking it’s a yearly plan, only to find out later that it’s a monthly plan. This means they have to shell out a certain amount of money each month, something they weren’t prepared for. Another option is to buy a new theme or use a free theme. This means you wasted money on a theme that you no longer want to use and you also wasted time and effort in setting up your site as per the design of the theme.
Over to You
One does not really think about or research how a theme affects the security of a site, especially if the site is a small one. A significant drop in an ocean. But hackers today are going for small websites as much as they target big ones. Why? Why is your small website being targeted? For an answer, read this: What do hackers gain from hacking a WordPress site?
The bottom line is, whether you are building a big site or a small one, be deliberate in your choice of theme. Now that you know how a theme affects the security of your WordPress site, ask yourself the questions we mentioned above.