One of the most important choices you’ll make during your WordPress career is which theme to use for your website. Not all themes are equal though, and some are safer than others. Choosing the wrong theme can leave your site vulnerable security-wise, so it’s essential you don’t base your decision on looks alone.
WordPress theme security can be hard to gauge at first unless you know what to look for. In this article, we’ll teach you five ways to spot a safe theme without you having to peek under the hood and see through its code. Let’s get to it!
Why WordPress Theme Security Matters
WordPress’ popularity makes it one of the best platforms you can use to create a website. It’s easy to use, and it offers a lot of customization options through plugins and themes. The problem is, that same popularity also makes it a target for attackers who prey on vulnerabilities on both the platform and its extensions. Themes can also be vulnerable to attack in several ways:
- Outdated WordPress themes often come with vulnerabilities. If your theme hasn’t been updated for over six months, it may be abandoned, and attackers are more likely to find security holes they can exploit.
- Old themes can cause compatibility issues. Even if an outdated theme is safe to use, it might cause issues with other plugins or WordPress itself, which can also lead to security problems.
- Pirated WordPress themes can be infected with malware. Some people download pirated versions of premium WordPress themes to save money, which often ends up with an infected website.
The good news is you can avoid unreputable themes for the most part by downloading yours from reputable sources only. We’ll talk more about some of the best places to look for themes in a minute. For now, let’s talk about how you can spot the safest options.
5 Ways to Check If Your WordPress Theme Is Safe
Figuring out which themes are safe to use is mostly a matter of common sense. There are several red flags you should be on the lookout for and if you know what they are, spotting winning options isn’t complicated. Let’s take it from the top.
1. It Receives Constant Updates
As we mentioned earlier, regular updates are the number-one indicator of a safe theme. If the team behind a theme is active when it comes to updates, chances are they aren’t just working on adding new features but also patching bugs and vulnerabilities.
Most theme repositories enable you to keep up with development updates. If you check out a theme on WordPress.org, for example, you can see the last time it was updated right below its version number:
For even more information, you can scroll down a bit further and click on the Development Log button under Browse the Code. On the next screen, you’ll see a list of every update to the theme throughout its history:
If you click on the latest number under the Rev column, you’ll see a list of folders representing each version of the theme:
From this screen, you can open the directory for any version of the theme and look for its changelog file within. You can open the file right from your browser, which will enable you to see a thorough breakdown of the changes from one version to another:
Sadly, not every theme on WordPress.org includes full changelog files, but they’re common enough for most popular options. Likewise, premium theme repositories also make a habit of letting you know when themes were updated last and what changes there are for each version. For example, we usually publish in-depth articles each time we launch a new version of Divi, or just plain old updates if there’s enough new content for us to discuss:
If you’re a regular reader of our blog, chances are you’ve seen at least one of those update announcements. In case you haven’t, you can sign up for our newsletter so we can keep you informed about theme updates.
2. There Is Direct Support From the Developers
It doesn’t matter how many amazing features a theme offers if there’s no way for you to get in touch with the developers when you need support. Thorough documentation often does the trick when it comes to solving problems, but it’s not the same as being able to ask a human being for help with specific issues.
Sure, popular themes often have such large enough communities that other users may be able to help you, but even they may not be enough. Finally, if you have zero ways to reach someone who works on the theme, it means they might not care about user bug reports, which is a huge red flag.
On WordPress.org, there’s a section called Support below each theme’s reviews. If you click the View Support Forum, you’ll find a section where you can ask questions and wait for answers by the themes’ developers:
When a question is solved, you’ll see a green checkmark next to it. The more checkmarks and replies you see in the forum, the better the odds you’re using a theme with developers who are happy to provide support. When it comes to premium repositories, you should also be able to find dedicated support sections for any themes you look into. For example, ThemeForest shows a Support tab right below the theme’s title. Within, you’ll find information on how to contact the theme’s developers and get help:
Finally, when it comes to Divi, you can open a support ticket at any time from your account dashboard, and we’ll get back to you as soon as possible:
Support is available for licensed users, and there are dedicated sections for each of our products. There’s also a support forum, where you can get answers from the entire Divi community!
3. You Can Find Clear Information About Who’s Working On the Theme
Transparency is one of the things that sets successful WordPress themes apart. When you know who’s working on a theme’s development, chances are you’ll come to trust them over time and maybe even check out some of their other WordPress projects.
In most cases, it’s easy enough to find out the basics about a theme’s developer(s). When you’re using WordPress.org, for example, you can see who built a theme right next to its name at the top of the screen:
If you click on their user, you’ll see a list of all the projects they’ve created:
However, this often isn’t enough information. We recommend looking for a website, where the developers include further information, such as team members, a business address, and more. It’s not a matter of stalking your favorite theme’s developers – instead, it’s all about accountability. If you’re using a theme created by a team with a legitimate business, chances are they’ll be more proactive when it comes to developing their products and supporting them. Elegant Themes is a great example of that business model (in our humble opinion!).
Many of the people behind Divi are regular contributors to the Elegant Themes blog, so chances are you already know a few of them. However, you can always check out the full list of the company’s members within our About Us page.
4. The Theme’s Website Showcases Unbiased Reviews
These days, finding reputable online products (including WordPress themes) isn’t hard if you take the time to read through reviews. Most reputable theme repositories showcase unbiased, detailed reviews, from genuine users.
For example, on WordPress.org they’re under the Ratings section to the right of the screen. There, you’ll find the theme’s average score, which ranges from one to five:
In our experience, most themes below a four-star average aren’t worth your time. However, it pays to read any one, two, or three-star reviews your theme might have regardless of its overall score, so you can check out if users are dealing with common errors or anything else to scare you away. To get to these reviews, just click on the links next to the ratings:
On the next screen, you’ll find a list of all available reviews for each star rating, and you can click on any of them to read a full version. When it comes to premium repositories, such as ThemeForest, you should also be able to find an average rating and read individual user reviews:
Finally, themes with their own home pages could be trickier due to the developer being able to ‘finesse’ the content towards their own narrative. In our opinion, you’ll either need to carry out some deeper searches (which should bring up some independent reviews), and take all of the other factors into account before making a decision.
You may also find some developers provider deeper insight into their customer base, such as with our own customer spotlights:
These aren’t paid or sponsored, they’re genuinely happy customers who want to help us spread the word about Divi. In short, a trustworthy developer in all other areas with a vested interest in happy customers is likely going to deliver the goods, rather than hoodwink you into opening your wallet.
5. It’s Popular With Plenty of Users
The wisdom of crowds isn’t something you can always rely on. However, users tend to do a great job of making secure and powerful themes popular within the WordPress ecosystem. In most cases, unsafe or mediocre themes never make it too far, whereas great ones spread around fast.
Of course, the size of a theme’s user base is something you should only take into consideration if you’re impressed with the other criteria we’ve mentioned so far. To see how many people are using a specific theme, you can visit its WordPress.org page and look at the Active Installs section under its Download button:
Generally speaking, any theme with over 10,000 simultaneous installations tends to be pretty good. After all, users often don’t stick around for long if a theme doesn’t meet their requirements. Sadly, premium repositories often don’t include information about active installs. Instead, they just show you how many sales a theme has, which doesn’t tell you the full story:
What’s more, less reputable independent developers will forgo information such as how many people use their products. Every Elegant Themes page includes those numbers, so you know you’re in good hands:
Overall, popular themes are that for a good reason. Usually, there are multiple factors, but hard numbers offer a good base from which to research a developer further.
Where to Find Secure WordPress Themes
Generally speaking, the safest place to find new themes is in the WordPress.org repository, due to the theme approval process. However, they don’t include premium options, so chances are you’ll need to look through marketplaces such as ThemeForest. They are the most popular premium theme repository online, and their themes tend to be safe.
Finally, you’ll also find plenty of theme shops that offer only their own products, such as Elegant Themes:
For these, you’ll want to take all of the tips mentioned in this piece and ruthlessly apply them. In our case, we’ve gone through several security audits from Sucuri, and passed with flying colors each time. Good developers will often display their successes proudly, making your choice much easier.
Most WordPress themes with sizable user bases are safe enough. However, if you’re going to pay for a premium option, you should aim for only the best. Our own Divi is a great option for most types of websites, and it’s gone through extensive security audits to ensure it’s safe for you to use.
In any case, here are five ways you can spot a safe WordPress theme quickly:
- It receives constant updates.
- You can get direct support from its developers within a reasonable timeframe.
- Information about who’s working on the theme is freely available and easy to find.
- It has excellent reviews with high average scores.
- It has a sizable install base.
What do you think is the most important criteria when it comes to choosing a safe WordPress theme? Share your thoughts with us in the comments section below!
Article thumbnail image by Anton Chuvstvin / shutterstock.com