Two of the biggest reasons for WordPress’ success is how easy it is to customize and that there are so many free ways to do so. The WordPress directory is full of literally thousands of free themes and plugins and can change the design and functionality of your site in seconds. In addition to that, we have masses of premium plugins and other commercial offerings from high-quality WordPress companies.

As a consequence, anyone looking to enhance their site is just a Google query away from doing so. Enter “free WordPress themes” and you are sure to find something for your purpose.

However, there’s a catch. Because WordPress is as open as it is, anyone can put up free themes on their site. However, you won’t always know what’s in them. If they contain something that you don’t like, by installing a theme on your site, you can seriously harm it.

To avoid that, in this article we will talk about WordPress theme safety: how you can find out whether a WordPress theme you are planning to use is secure or not. For that, we will first talk about ways in which themes can harm your site and then give you tips on how to avoid that situation. Sounds good? Then let’s get going.

Just a short caveat, we will talk a lot about free themes below as problems are more pertinent there. Yet, the security guidelines are also valid for premium themes, even if those are usually safer.

The Good, The Bad and The Ugly of Free WordPress Themes

how to check wordpress themes for malicious code

Before beginning to talk about the danger of downloading and installing free WordPress themes, we should first establish that not all free themes out there are bad, even if they are not in WordPress theme directory.

Plenty of developers and reputable vendors offer free themes as part of their portfolio to attract customers and get them to purchase their premium offerings later. Consequently, someone offering free WordPress themes isn’t necessarily a scammer but maybe just someone trying to market themselves. So, why it’s important to be vigilant, being suspicious of everyone is not necessary.

The Good

The most obvious benefit of using a free WordPress theme is that it is, in fact, free. Just like WordPress core itself, there are plenty of high-quality themes with awesome design that don’t cost you a dime.

That means you can download, install and test the theme to your heart’s content without forking over any of your hard-earned cash. If you don’t like it, simply delete it. No buyer’s remorse, no complicated return policy. If only everything in life was like that.

The Bad

Of course, using a free theme also comes with downsides. One of them is that you might not be the only one using it. If anyone can download it, your site might end up looking like a lot of others out there. With premium themes, that’s less likely.

In addition to that, there are a number of freemium themes out there that let you use a basic version for free but hide key features behind a paywall. Finding that out after you have already installed the theme can be frustrating as it means you have to start again from zero.

The Ugly

While the above is annoying, however, by far the biggest dangers of downloading free themes from disreputable sources are malicious code, bad coding, and lack of support.

In the first case, it means someone purposely includes code in the theme that serves their own purposes, not yours. That way, when you install the theme, this code will become part of your site.

Examples of this include footer links to their own websites, backdoors to make your server part of a botnet, ads (often for stuff that you really don’t want to advertise), redirects, or malware. Having any of this on your site is a shortcut to high bounce rates and SEO purgatory. Bad.

Another possibility with free themes is that the author is just not good at what they are doing and you are left with a poorly-coded site. That could mean your site is less secure, open to hacking attempts (find out how to recover from a hacked WordPress site), has bad SEO, is hard to customize or simply slow.

While this scenario is not as openly hostile as leaving malicious code, it’s still far from a desirable situation.

Support can also be an issue. If you have nobody to talk to, it can be hard to deal with issues that come up when working with your theme. Plus, lack of support can also mean lack of updates, which means your theme might become incompatible with WordPress over time. Since keeping WordPress core up to date is part of WordPress security 101, that’s not an option either.

Overall, if you choose the wrong theme, you might end up spending more in money and time than if you had simply bought a premium one. However, doesn’t mean there aren’t high-quality free themes out there. Now, we will talk about how to recognize them and divide the wheat from the chaff.

How to Make Sure Your Chosen WordPress Theme is Safe

So, how do you choose a safe WordPress theme then? It basically comes down to two steps.

Get Your Themes From Reputable Places

wordpress theme safety wordpress directory

When considering WordPress theme safety, the first thing to think about is the origin. Where you download a theme is already a big step toward or away from security. By using a reputable vendor, you can be sure that your theme has been vetted for quality, is up to coding standards and definitely doesn’t contain malicious code.

What are reputable sources you ask? Well, here are a few:

  • WordPress Theme Directory — By far the largest collection of free WordPress themes. It provides many filter options so you can find just what you need. Everything in here is tested by the Theme Review team before being included so you know you are getting quality.
  • StudioPress — The maker of the Genesis theme framework (which I am a big fan of). Besides the framework, they offer loads of child themes for different purposes. The company has an excellent reputation and their work comes highly recommended.
  • Elegant Themes — Besides their excellent blog, Elegant Themes offers themes for many different purposes. At the time of this writing, their portfolio includes 88 themes including their flagship Divi.
  • iThemes — While most well known for plugins like BackupBuddy and iThemes Security, they also offer a wide range of themes for different types of websites.
  • WooThemes — Maker of WooCommerce (check our tutorial). By now WooThemes is a part of the Automattic family so you know they make quality. While their main focus on is ecommerce themes for their plugin, they also have other offers.

There is also ThemeForest, which is the biggest fish in the pond. However, the theme vendor frequently comes under flak for their lax quality standards and badly coded products. For that reason, be careful. If you do consider buying a theme on ThemeForest, check Shaun Quarton’s guide to make the right choice.

For any other theme store, a quick Google search will tell you the experience others had with that vendor. Look for phrases like “[store name] review”, “[store name] malicious code” or “[store name] issues”.

Aside from that, take a look at their support and return policy as well as overall quality of the site. For examples, many theme vendors now also offer excellent blogs. Nobody who puts that much effort into building an audience would tarnish their reputation by offering shoddy themes.

Use These Tools to Check Your Themes

However, what if you have already downloaded a free theme from some other place and you are not completely sure about its legitimacy? In that case, can do several things to make sure it won’t actively harm your site.

use theme check to ensure wordpress theme safety

Theme Check is an online service for examining themes for both code quality and security. It checks for WordPress coding standards and whether there is anything in the theme that shouldn’t be there.

To do so, upload your theme zip file. When you do, the service will check the file and give you an overall score plus alerts and warnings of problems it encountered. Besides that, you can also simply search for the name of your theme to see if someone has checked it before. If it turns up, click on its name to see the earlier results.

This is not just useful for consumers, but also developers who want to make sure their work is up to snuff. The best part: you can do this before upload so the theme in question never has to touch your site.

Alternatively, you may also use Virus Total. Here, too, you can upload your theme files to check them for viruses, trojans and other undesirables.

Theme Check

theme check pluginFor themes that have already been installed on your site, we have this plugin. Theme Check makes sure your theme is up to WordPress coding standards. It lets you run all the automated testing tools that the Theme Review team uses for submissions to the WordPress directory. Again, also a great tool for developers.

Exploit Scanner

What Theme Check is for coding standards, this plugin is for malicious code. Exploit Scanner not only searches files on your site but also the post and comment tables of your database as well as active plugins. Simply install, run a scan, then look at the results. If you are unsure about what they mean, you can always swing by the support forums to ask for help.


sucuri security pluginSucuri is one of the biggest names in web security (not only because they were recently acquired by GoDaddy). For security-conscious WordPress users, they offer both a plugin as well as an online scanner to check the integrity of your site. Both scan your site for malware, spam, blacklisting and other security issues.

While this won’t guarantee that your theme is properly coded and future proof, at least you can be sure that you are not inviting malware onto your site.

WordPress Theme Safety – Final Thoughts

Free themes are great and a big part of what has made WordPress successful. However, as with everything in the world, not all that glitters is gold. Besides the good stuff, there are also some bad apples out there.

Unfortunately, those bad apples can really do a number on your site. For that reason, you need to know how to best avoid them.

Above we have learned how bad WordPress themes can harm your site. We have also given you the necessary tools to check whether the theme you want to install will do so. It basically comes down to sticking with legitimate theme vendors and checking themes before using them.

With this information, you will greatly reduce the risk of installing a bad theme. That way you and your audience can continue enjoying your site.

How do you choose themes for your sites? Have you ever run into a problem with a free WordPress theme? Let us know in the comments section below!

Nick Schäferhoff is an entrepreneur, online marketer, and professional blogger from Germany. He found WordPress when he needed a website for his first business and instantly fell in love. When not building websites, creating content or helping his clients improve their online business, he can most often be found at the gym, the dojo or traveling the world with his wife. If you want to get in touch with him, you can do so via Twitter or through his website.

The post WordPress Theme Safety – How to Ensure the Theme Your Are Using is Secure appeared first on Torque.

Share This

We are using cookies on our website

Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.