The following article is written purely from a security point of view, and I am sure there will be a multitude of users out there who will beg to differ, but just how many themes should you install on a WordPress blog? If you care about security, the answer is usually just two: your current theme and a default WordPress theme (usually the latest one, with all the bug fixes in place) to fall back on in case your current theme breaks.

Why only two, then? Why can't you have a few more to choose from so you can experiment with different looks; they can't cause any harm, can they? The problem is that they can. Even if a theme is not enabled, its files are still accessible in the wp-content folder to anyone who knows the URL of the theme, which means that if there is a known exploit in the theme code, your site is at risk of being hacked even though the theme is not enabled.

The classic example of this was the TimThumb WordPress exploit discovered a couple of years ago. The author of TimThumb quickly released a patch for the code, but the problem was that the vulnerable version had been integrated into a large number of commercially available themes, and these were not patched as quickly as they could have been. Hackers immediately seized on the opportunity to bombard WordPress sites with requests for known exploitable theme URLs, which left thousands of WordPress blogs hacked.

Fortunately there have been no notable repeats of this incident since, but my experience of WordPress over the years tells me that any theme, or plugin for that matter, that is not enabled or currently in use should be deleted.
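One way to act on that recommendation, as an added example that is not part of the original post: a POSIX shell script that keeps only the active theme plus one default fallback theme and removes every other installed theme. It assumes WP-CLI (the `wp` command) is installed on the server; the theme slugs in the comments and the fallback name `twentytwentyfour` are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Prune inactive WordPress themes,
# keeping only the active theme and one default fallback theme.
# Assumes WP-CLI ("wp") is available for the live run; the selection logic
# is a pure function so it can be checked on constructed input first.

# themes_to_delete ACTIVE FALLBACK
#   Reads installed theme slugs from stdin, one per line (the shape of
#   `wp theme list --field=name`), and prints every slug that is neither
#   the active theme nor the fallback theme.
themes_to_delete() {
    active="$1"
    fallback="$2"
    while IFS= read -r slug; do
        [ -z "$slug" ] && continue
        [ "$slug" = "$active" ] && continue
        [ "$slug" = "$fallback" ] && continue
        printf '%s\n' "$slug"
    done
}

# prune_themes FALLBACK [--dry-run]
#   Live run against the WordPress install in the current directory.
#   Use --dry-run first to see what would go. Example: prune_themes twentytwentyfour --dry-run
prune_themes() {
    fallback="$1"
    active="$(wp theme list --status=active --field=name)"
    wp theme list --field=name | themes_to_delete "$active" "$fallback" |
    while IFS= read -r slug; do
        if [ "$2" = "--dry-run" ]; then
            echo "would delete: $slug"
        else
            wp theme delete "$slug"
        fi
    done
}

# theme_still_reachable SITE_URL SLUG
#   After deletion, confirm the theme directory no longer answers over HTTP on
#   your own site (every theme ships a style.css, so it is a reliable probe).
#   Returns success (0) if the file is still served, i.e. the theme is still exposed.
theme_still_reachable() {
    code="$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-content/themes/$2/style.css")"
    [ "$code" = "200" ]
}
```

Run `prune_themes twentytwentyfour --dry-run` from the WordPress root, review the list, then rerun without `--dry-run`; afterwards `theme_still_reachable https://example.com old-theme` should fail for each removed slug.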
