What you’re about to read is so simple it might seem foolish to some of you.
However, I can’t tell you how many times I’ve logged in to work on someone’s WordPress site to find a half-dozen or more security liabilities that could’ve been fixed with just a couple of clicks.
Themes. People hoard them like Imelda hoarded shoes.
Pretty sure I know what you’re thinking: “What’s the big deal with having a few extra themes sitting around?”
Some themes are solidly coded and less likely to be targets for hackers. Developers of reputable, high-quality themes issue updates as soon as they can after learning about a vulnerability.
However, all themes are potentially vulnerable. And, some themes are already actual security risks.
The longer a vulnerable theme sits in your WordPress install, the greater the threat.
It takes time for vulnerabilities to be discovered by people who want to fix rather than exploit them. It takes time for developers to create updates. How long does it take you to realize an update is needed, then to log in and fix it?
Wanna see how easy it is for a hacker to zone in on a vulnerable site? Here ya go.
Since this is an easy fix (I’ll walk you through in a sec if you’re not sure what to do), there’s no reason to leave yourself open to creeps that’d ruin your site and your reputation.
Wait – how’d all those themes get there?
With every new WordPress install, and nearly annually after that, the generous folks at WordPress gift us with a new default theme design.
Most websites I work on don’t use any of these themes, but the longer a site’s been around the more likely it is I’ll find Twenty Seventeen, Twenty Sixteen, Twenty Fifteen, etc., etc., installed.
Sometimes it’s not just the default themes people stockpile. When you build your own site there’s usually a lot of trial and error before landing on the right theme. Often the rejects remain in the WordPress install. Just in case. Or maybe just because you’ve moved on.
Although they won’t necessarily come up in a Google search, you should know that even deactivated themes can present a security risk.
A dead-simple 5-minute solution
Delete all inactive themes except one: the latest default WordPress theme (currently Twenty Seventeen).
Why keep one default theme around?
Every once in a while something will go awry on your site. Having a solidly-coded theme you can switch to enables you (or a helper…if the nerd factor gets unbearable) to figure out whether it’s your theme or a plugin.
Bonus: You’ll reclaim disk space in your web hosting account when you delete all those unused themes.
Note: Whether a theme is active or not, it’s very important to continue applying any updates released. As you saw in the video, hackers can easily find vulnerable themes. They will use the hell out of you as long as they can.
Which might not be long before your hosting company shuts you down.
How to delete a WordPress theme, step by step
- From within the WordPress Admin area, go to Appearance > Themes
- Click the thumbnail image for the theme you want to delete
- Click ‘Delete’ to begin.
- Click OK to confirm that you really do want to delete the theme
- BOOM! – one less potential security vulnerability, 1.5MB more space!
- Repeat for all remaining unused themes, leaving only one extra theme – the latest default WordPress theme from WordPress.org – for troubleshooting purposes.
Does this actually delete the theme files from my hosting account?
What if I want to keep a copy of a theme?
If you’re comfortable with FTP, that’s the quickest way to download the theme files before deleting them. If your web host provides a file manager app that works too.
To find the theme, from your site’s root or home directory, which is probably something like public_html, look for a directory named wp-content. Inside that is a directory named themes, which holds all of the themes currently in your WordPress install. Select the theme directory you want to copy (e.g., twentysixteen).
In other words, root/home/public_html > wp-content > themes > themetodelete.
With FTP you’ll simply download the selected directory. With a web hosting file manager it’s usually easiest to compress the directory before downloading, and download that single compressed archive.