Is this Hacker Entry Point Lurking in Your WordPress Website?

Trim the fat.

We all know this is one of the best things we can do for our personal health. But did you also know it’s one of the best things you can do for the health of your website?

You should be starting to notice this concept as a recurring theme here at the Synthesis blog.

Whether we are imploring you to use discretion with plugins, or suggesting that simple is sexy when it comes to social sharing buttons, we are saying essentially the same thing: trim the fat.

The concept applies to themes too.

Inactive Themes are Security Risks

You already know that you shouldn’t have inactive plugins on your site. What’s the point? They take up space, they introduce potential security risks, and they clutter up your dashboard.

Each of these reasons to avoid inactive plugins is a valid reason to avoid inactive themes too.

Frankly, taking up space and cluttering up the dashboard are pretty harmless byproducts of inactive plugins and themes. The security issue, however, is anything but harmless.

Remember the TimThumb zero-day security vulnerability? It got pretty nasty. It certainly made for a hectic day here at Synthesis headquarters.

Well, to borrow a popular Internet meme


TimThumb is still on many older versions of themes … and TimThumb was used on a lot of themes.

So it’s conceivable, especially if you do not keep your themes up to date, that you may be sitting on a TimThumb time bomb right now. I’d check on that if I were you.

The real question though, since TimThumb issues have mostly gone away, is what will be the next TimThumb?

Rest assured, it’s coming at some point. Hackers are relentless. And even Fort Knox-like security on par with what we deliver here at Synthesis can’t prevent all potential problems.

But you know what minimizes your likelihood of exposure? Fewer possible hacker entry points.

Since hackers love coming in through the wp-content folder, keeping only necessary files in there is a no-brainer best practice. This means keep only the plugins and themes you are using.

And lest you think I’m making a mountain out of a molehill here, just know that the sages of StudioPress agree. As does Tim Gregg. As do these folks. And on and on.

Inactive Themes Need Updates Too

A nuisance of inactive themes, and another reason to delete them, is that they have to be updated.

Remember that theme updates aren’t always just about usability and design. They also include security updates too.

So if you keep inactive themes around you have to take the time to update them when updates are available.

You say, but this takes, what, all of five seconds? Yep. That’s about it.

But the cost of forgetting is a potentially hacked site.

Why take the chance?

Themes Can Be Easily Backed Up and Stored …

One argument in favor of keeping inactive themes around is that it makes it easier to toggle back and forth between themes. Sure, it does. But how often are you switching themes?

If toggling from one theme to another is a daily activity for you, maybe there are other more serious issues we should be discussing…

No, I get it. I do. Sometimes you switch from one theme to another, but you’re not yet sold on the new theme so keeping the old one around is comforting.

Fine. But you should still purge the old one. Just back it up.

Download the old theme onto your hard drive, zip it up, and store it in a safe place on your local computer drive. Then, if you want to switch back to it later, it takes all of about 30 seconds to re-upload and activate it.

And all the while you’ve made your website safer by not having an inactive theme hanging out in wp-content providing absolutely zero value.

… Including Your Current Theme!

Don’t think that you should just back up and store themes you’re not using.

You should also back up a known good copy of your current theme and store it locally.

Yes, we are backing everything up for you constantly here at Synthesis. So you always have that to fall back on. But the quickest possible way to get yourself out of a sticky situation – say you hack up your functions.php file and your site goes white screen – is to reload the known good functions.php file from your computer in 15 seconds.

In fact, why don’t you go do this right now.

If your site is looking good and there are no known issues with your theme, go back it up, zip it, and store it on your computer.

And the next time you complete a round of changes to your theme, re-download it, zip it, and store it on your computer as the latest known working version.

It’s just an extra layer of peace of mind that takes less than a minute to complete.

WordPress Has Made Widgets Transferable

One issue I used to hate is having to re-do my widgets when I switched themes. It was a pain in the neck, especially if I forgot to copy out of the code into a Word document.

But WordPress is always making itself better – as any technology service provider should! – and now widgets don’t disappear anymore. (And there was much rejoicing!)

Even if you switch themes, you can still find your widgets on the widget page. They will either be in the inactive widget section or already populated in the sidebar.

Now, your new theme might have a different number of sidebars, or different nomenclature, so you will likely have to maneuver the widgets around to where you want them. But that shouldn’t take long.

It’s worth nothing that Matt Lawrence, one of the many Synthesis technical hamsters who is way smarter than I am, still recommends copying the code and order of your widgets into a Word document before switching themes. He calls it a “fail safe” for just in case something goes wrong. Plus, at a minimum, it will help you re-line up the widgets if they get discombobulated.


Again, the lesson is simple: just trim the fat.

Inactive themes are doing nothing on your website but wasting space and holding up a “Hackers Welcome” sign. Just because 99.9% of the time you won’t get hacked because of an inactive theme does not mean it’s a risk worth taking.

Ask people who were pistol whipped by TimThumb. The negative impact can be severe.

The risk just isn’t worth the reward, which in the case of holding onto inactive themes is, well, nothing.

So delete your inactive themes. Then smile, because you’re safer.


  1. Yeah, simple is always better smaller attack vector. Its just if you have shooting target one has a diameter of 10 inches. the other 50 which one is easier to hit. You can apply this mantra to a lot of things and be pretty safe :-)

  2. hey i too have a wordpress website but why its being worthed zero by many sites.

  3. A really timely article. I didn’t know about the need to update inactive Themes. or that they can be hacker entry points. I’ll save and delete my extra themes today.

Leave a Reply