Over the last few years I have seen more and more accounts compromised through outdated default themes such as “Twenty Twelve”, “Twenty Thirteen” and “Twenty Fourteen”. When a user installs a fresh copy of WordPress, more often than not they install a theme they prefer over the default offerings, and the default themes they no longer use stay installed. The problem comes down to two steps that every webmaster should perform but many skip.
First and foremost is keeping everything up to date, which prevents the vast majority of the account compromises we have seen over the years. We keep the servers themselves secure from intrusion, and we even work to protect your usernames, passwords, email accounts and so on, but there is a limit to how much we can shelter you. If, for example, you have an outdated theme or plugin installed, it can be used against you and your site even if you aren’t using it.
Secondly, if you aren’t using a theme or plugin, it is best to physically remove it from your account. You can do this via “wp-admin”, or you can simply remove the appropriate folders inside “wp-content/themes” and “wp-content/plugins”. I always suggest taking a full backup of your files and databases before making changes, just in case.
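As an added example (not part of the original post), the following POSIX shell script carries out the two steps above on the filesystem side: it lists the theme and plugin folders under wp-content that are not in use, and backs each one up to a tarball before deleting it. Because the active theme and active plugins are recorded in the WordPress database rather than on disk, the script takes their slugs as arguments (WP-CLI users can obtain them with `wp theme list --status=active` and `wp plugin list --status=active`); it does read each theme's style.css `Template:` header so that the parent of an active child theme is never removed. The sample wp-content tree it builds is constructed for the demonstration, and all function names are the example's own.

```shell
#!/bin/sh
# Audit a WordPress wp-content directory for themes and plugins that are not in
# use, then back each one up before removing it. Example code, not WordPress's own.

# Print the parent theme slug from a theme's style.css "Template:" header
# (empty output when the theme is not a child theme or has no style.css).
theme_parent() {
    [ -f "$1/style.css" ] || return 0
    sed -n 's/^[[:space:]]*\**[[:space:]]*Template:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$1/style.css" | head -n 1
}

# Print the subdirectories of $1 whose names are not among the remaining
# arguments (the slugs that must be kept).
unused_dirs() {
    dir=$1; shift
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue
        slug=$(basename "$d")
        keep=0
        for a in "$@"; do
            [ "$slug" = "$a" ] && keep=1
        done
        [ $keep -eq 0 ] && printf '%s\n' "$slug"
    done
    return 0
}

# Themes: keep the active theme $2 and, if it is a child theme, its parent.
unused_themes() {
    themes_dir=$1; active=$2
    parent=$(theme_parent "$themes_dir/$active")
    unused_dirs "$themes_dir" "$active" $parent
}

# Archive $1/$2 into $3/<slug>-<timestamp>.tar.gz, then delete the folder.
# Prints the archive path so the caller knows where the backup went.
backup_and_remove() {
    parent_dir=$1; slug=$2; backup_dir=$3
    [ -n "$slug" ] && [ -d "$parent_dir/$slug" ] || return 1
    mkdir -p "$backup_dir"
    archive="$backup_dir/$slug-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -C "$parent_dir" -czf "$archive" "$slug"
    rm -rf "$parent_dir/$slug"
    printf '%s\n' "$archive"
}

# Build a constructed wp-content tree in a temp directory (sample data only;
# the version strings are placeholders, not real release numbers).
make_sample_wp_content() {
    root=$(mktemp -d)/wp-content
    mkdir -p "$root/themes/twentytwelve" "$root/themes/twentythirteen" \
             "$root/themes/my-child-theme" "$root/plugins/akismet" "$root/plugins/hello-dolly"
    printf '/*\nTheme Name: Twenty Twelve\nVersion: 0.0-sample\n*/\n' > "$root/themes/twentytwelve/style.css"
    printf '/*\nTheme Name: Twenty Thirteen\nVersion: 0.0-sample\n*/\n' > "$root/themes/twentythirteen/style.css"
    printf '/*\nTheme Name: My Child Theme\nTemplate: twentytwelve\n*/\n' > "$root/themes/my-child-theme/style.css"
    printf '<?php // constructed sample plugin\n' > "$root/plugins/akismet/akismet.php"
    printf '<?php // constructed sample plugin\n' > "$root/plugins/hello-dolly/hello.php"
    printf '%s\n' "$root"
}

# Demonstration: active theme is my-child-theme (parent twentytwelve), active
# plugin is akismet. Only twentythirteen and hello-dolly are reported as unused.
sample=$(make_sample_wp_content)
echo "Unused themes:";  unused_themes "$sample/themes" my-child-theme
echo "Unused plugins:"; unused_dirs "$sample/plugins" akismet
for t in $(unused_themes "$sample/themes" my-child-theme); do
    echo "Backed up and removed $t: $(backup_and_remove "$sample/themes" "$t" "$sample/../backups")"
done
```

Run it against a real install by replacing the constructed tree with your own wp-content path and the active slugs from wp-admin or WP-CLI; the backup step is deliberately not optional, which matches the advice above to take a backup before making changes.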
Why is it so important to remove plugins and themes that you aren’t using?
The more software you have within your account, the larger the attack surface you expose to the internet. Every plugin and theme is PHP code, just like WordPress itself. WordPress updates often contain security patches, and the same is true of plugin and theme updates: an update will not always contain only new features and will often include security fixes.
A simplistic analogy is to replace “account” with house and “plugins and themes” with “doors.” Just like with a house, the more doors you have to keep secure, the more likely it is that one of them will be left unlocked. Updating your plugins and themes is like double-checking that the doors are still locked. Removing unused plugins and themes is like removing a door into your house that you never use and replacing it with a solid wall.
Do I have to do this or is it just recommended?
Ultimately the security of scripts like WordPress and its plugins and themes is up to you. You can decide whether you wish to perform the work to keep your account secure, but I personally recommend it. Updating generally takes only moments, and uninstalling plugins and themes that are inactive takes only a few minutes. Updating is a regular process, whereas removing plugins and themes you don’t use isn’t required so often.
At the end of the day it doesn’t take long and is one of the best things you can do to protect your account.
How do older themes like “Twenty Twelve” compromise a site? My understanding is that the WordPress themes are kept updated, just like the core. Your intro sentence is a little confusing as you make it sound like older themes are a problem in and of themselves as opposed to your main argument which seems to be unused themes or ones that have not been kept up to date.
I’ve seen plenty of sites compromised via out-of-date core WordPress themes. The biggest issue is that an unused theme is likely to be un-updated as well.
This is great advice Michael. I configure WP to auto-update everything – major and minor core updates as well as plugins and themes. I take a small oops-the-update-broke-my-site risk in exchange for better hack protection. I leave the latest default theme installed though, useful for troubleshooting.