Pixel Fish Website Design Blog

10 Ways to Make Sure Your WordPress Theme is Secure & Malware-Free

Posted by Mark Fouche on Dec 11, 2019

One of the truly great things about the WordPress community is the open availability of custom themes on the market. Your theme is essentially a plug-and-play website design, saving you tons of time and development work creating a unique design of your own. Most themes can be personalised, and many are expertly crafted.


However, in a marketplace with thousands of free and paid user-created themes, it should come as no surprise that infected, weak, or even maliciously crafted themes are among the top three reasons WordPress sites get hacked each year. A WordPress theme affects your website code directly, because it is your website design, and a theme with a "back door" or other security weakness can open your site to both hackers and malware. Some themes even come with malware attached that will hurt your website, computer, or network the moment you unpack the files.

Today we're here to highlight ten smart ways to make sure that your WordPress theme is legitimate, secure, and not already carrying malware hidden in the code.

1. Expect a Cost

There are tons of free WordPress themes out there. Some are basic, only one to five page designs and a bit of graphic art. Some are comprehensive and awesome. However, it's important to remember that anything free may have been put there by someone with an ulterior motive. Why would someone share all their hard work with the community? Maybe because they love the WordPress and OSS community as much as you do. Or maybe they only made the theme to embed malware and open paths into new websites that use the free theme.

So it's better to expect a small cost for your WordPress theme, especially since name-brand products with real providers also provide sales, setup, and security support channels.

2. Select from a Trusted Designer or Collection

Searching the open marketplace can be fun, but most savvy WordPress developers source their themes and plugins from trusted providers and trusted community collections. WordPress assets that come from trusted sources are far more likely to be secure, updated, supported, and not made by hackers to facilitate hacking. 

Some sources contain the works of a single expert team, while others are community-gathered based on a history of trust, experience, and cooperation. Make sure you find your WordPress theme through one of these providers. You can often rely on community collections full of themes that have already been vetted by multiple businesses' IT teams. Of course, any theme you pick up should still be tested, and the team who developed it should be examined, just in case.

Sometimes, a well known and loved theme that stops being developed will be picked up by a new team in the community to keep it available. This can be great for compatibility but you should also re-assess the credentials of the new team if this happens.

3. Do A Basic Theme-Structure File Check

A WordPress theme includes a system of structured elements that define how your site looks, functions, and navigates. This structure is standard and the same for most WordPress themes, including the types of files expected, the names of many files, and where those files are located.

Having a standard structure that all or most legit WordPress themes follow means that a quick check of the codebase can often tell you whether a WordPress theme is built with the expected structure and protocols. Any data or file types that are unexpected will raise a red flag. The most standard place to check the structure of your WordPress theme is through ThemeCheck.org.

If you have a great theme that is flagged by a theme checker, you'll want to closely examine every file that is not standard and every configuration setting that seems suspicious. An experienced WordPress team can often tell you if the flagged files are trustworthy add-ons for new features or embedded security risks like malware files or settings and scripts designed to open backdoors for hackers.

4. Scan the Theme for Viruses and Known Hacks

Next, use a virus scanner for an even more in-depth look at the files. Hackers often like to slip viruses and malware into free and even paid themes to open a route to attack later on when those themes are used. Some can even make their viruses look normal to a theme check, which can only examine structure and file types.

Altered standard files may carry known malicious code snippets, or hide embedded scripts that only reveal themselves once they run. A virus scanner knows the signatures of known viruses and malware and can spot them in their dormant, on-disk form, before anything is executed. Your virus scanner will let you know if there is lurking malware waiting to strike from inside your WordPress theme.

If you find lurking viruses, you have two choices. You can trust a skilled WordPress security team to try and extract them, including hunting down further signs of tampering, or you can switch to a theme that hasn't been compromised.
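As an added example (not code from the original post or from any theme vendor), here is a small Python checker that combines the structure check from step 3 with a simple signature scan from step 4 over an unpacked theme directory. The required-file set, the unexpected extensions and the three signatures are assumptions, and the sample theme it builds is constructed purely to show what a hit looks like.

```python
import os
import re
import tempfile
# Assumed minimal required set: style.css (theme header) and index.php (fallback template).
REQUIRED_FILES = ("style.css", "index.php")
# File types that never belong inside a theme package.
SUSPICIOUS_EXTENSIONS = {".exe", ".phar", ".sh", ".bat", ".jar", ".dll", ".zip"}
# Constructed, defender-side signatures for constructs legitimate theme code rarely needs.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-data": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\b"),
    "shell-execution": re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\("),
    "remote-include": re.compile(r"\b(include|require)(_once)?\b\s*\(?\s*['\"]https?://"),
}

def check_theme(theme_dir):
    """Report missing required files, unexpected file types and suspicious PHP lines."""
    report = {"missing": [f for f in REQUIRED_FILES
                          if not os.path.isfile(os.path.join(theme_dir, f))],
              "unexpected_files": [], "suspicious_code": []}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS or name.startswith("."):
                report["unexpected_files"].append(rel)
            if ext != ".php":
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in SUSPICIOUS_PATTERNS.items():
                        if pattern.search(line):
                            report["suspicious_code"].append((rel, lineno, label))
    return report

def build_sample_theme():
    """Constructed throwaway theme: a planted obfuscated eval() plus a stray .phar."""
    d = tempfile.mkdtemp(prefix="theme-check-")
    files = {
        "style.css": "/*\nTheme Name: Sample\nVersion: 1.0\n*/\n",
        "index.php": "<?php get_header(); get_footer();\n",
        "functions.php": "<?php\nadd_theme_support('title-tag');\n"
                         "eval(base64_decode('PLACEHOLDER'));\n",
        "helper.phar": "",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d
```

Run `check_theme` against a real unpacked theme directory; every entry in `suspicious_code` or `unexpected_files` is a file to open and read before the theme goes anywhere near production.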

5. Check the Theme for Known Security Vulnerabilities

Now you need to vulnerability-check the theme. Vulnerabilities are the other way hackers commonly break into WordPress sites: known weak points in the security design, or back doors that can be opened with the right tricks.

A vulnerability test can be automated, manual, or (ideally) both, and probes the theme for loopholes and security gaps in its code or design, measured against today's standards of data protection.

In other words, a vulnerability test probes every way that hackers or malicious files could get into your server, through both known and unknown vectors. If the test detects a weakness, it produces a report of where the security gap is and how it was found. Often, vulnerabilities can be fixed by looking up the specific security patch, but your team might need to create custom patches to close vulnerabilities that are particular to your technology stack.

6. Make Sure You Have the Latest Theme Version

Speaking of patches: before installing, check your theme version and look up the latest version of your theme. If you don't have the latest production version, you could be opening yourself up to security problems that were unknown when the older version was created but are known now. The latest theme version ensures that your whole website design is resistant to all known types of hacker attack.

In addition to the latest theme update, you may also want to check for optional security patches as they may be useful and relevant to your security needs.

If there is no recent version and the version you are considering is over five years old, pick another one. That theme is likely no longer supported by its developers, which will make it harder to keep your website well maintained later on.
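As an added example, not from the original post: a Python helper that reads the Version from the theme's style.css header (the same comment block WordPress reads), compares it numerically with the latest release the developer publishes, and applies the five-year rule above. The latest version and its release date are assumed to be looked up by the caller, and the sample header is constructed.

```python
import re
from datetime import date

def parse_theme_header(style_css):
    """Read the header fields (Theme Name, Version, ...) from the comment block
    at the top of style.css, which is where WordPress itself looks for them."""
    header = style_css.split("*/", 1)[0]          # only the leading comment block
    fields = {}
    for m in re.finditer(r"^[ \t/*#@]*([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)[ \t]*$", header, re.M):
        fields[m.group(1).strip()] = m.group(2)
    return fields

def version_tuple(v):
    """'2.10.1' -> (2, 10, 1), so 2.10 correctly ranks above 2.9 (a plain
    string comparison would get that backwards)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def assess_theme(style_css, latest_version, latest_release_iso, today_iso):
    """Classify a theme as 'abandoned', 'outdated' or 'current'. latest_version and
    latest_release_iso (YYYY-MM-DD) are assumed to come from the developer's changelog."""
    installed = parse_theme_header(style_css).get("Version", "0")
    idle_days = (date.fromisoformat(today_iso) - date.fromisoformat(latest_release_iso)).days
    if idle_days > 5 * 365:      # no release in over five years: pick another theme
        return "abandoned"
    if version_tuple(installed) < version_tuple(latest_version):
        return "outdated"        # this copy carries problems already fixed upstream
    return "current"

# Constructed sample header, not taken from any real theme.
SAMPLE_STYLE_CSS = """/*
Theme Name: Example Theme
Theme URI: https://example.invalid/theme
Version: 2.9.1
*/
body { margin: 0; }
"""
```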

7. Get Support from the Theme Developers

In the WordPress community, it's okay to reach out to the developers of the theme or plugins you are using. When installing your theme, don't be shy to ask questions about how to get the installation right, how to set up the configurations for security, and how to solve any problems you may run into along the way.

Not only will this leave you informed and satisfied, it will also confirm that the developers of your theme are still on the job and taking responsibility for its maintenance and upkeep. In fact, if you develop some unique improvements in the course of building your website, it's not uncommon for users and developers to publish an update or a variant of the theme for others to try out.

8. Check the News and Reviews for Your Theme by Name

Do a little research on the theme and the theme's developers. Discover what the developers do when they're not providing WordPress theme support and how highly customers have rated them in the past. Check out the reputation of the theme and the developers while also checking the news for recent WordPress hacks that might feature your theme front and centre.

If your theme is featured in a WordPress hack in the news, you have two options. You can investigate how your theme developers closed that gap and go with it or you can find a different theme that has yet to be targeted then make sure it is secure.

9. Get Your Theme Approved by Your Company's Security Team

If you have a team handling your website and/or company security, then ask them to vet your chosen theme before continuing with the installation. IT security teams know how to put a theme through its paces, check its qualifications and upkeep, and make sure there is no malware, even if you were unsure about any of the steps above.

They can also build a test environment with your entire server, WordPress and plugin stack, and perform high-intensity penetration testing to ensure that your exact build of WordPress site, hosting, and defences is strong enough to meet your business's data security needs.

10. Keep Your Theme Updated and Integrated

Finally, make sure your WordPress theme stays updated. Check for updates each month (they can come that quickly) and be sure to implement each update with care. Every six months, double-check your tech stack to make sure that all plugins and the theme are working nicely together. Now you can trust that your WordPress theme is not the vulnerable factor in your website security.

Contact us today to find out more about building a custom WordPress site that is rock-solid, secure against hackers, and perfectly suits the needs of your business.
