Website Security – Are Free WordPress Themes Safe?


You found a great WordPress theme, and it’s free! Hey, ‘free is for me’, right? Well, before you make the leap and install that theme, beware of the potential security risks. One of the most requested services I get from new clients is helping them with a hacked website, which quite often was the result of using a free theme for their WordPress site.

This is probably the biggest and most common website security breach of all time. It also happens to be the easiest website security mistake to make. There are tons of free themes out there you can download and install for your website. Most if not all of them come bundled with scripts and functions already written and set up. They’re advertised as ‘plug and play’. All you have to do is upload and you have an instant website (soooo not true, as I explain in the article, “plug-and-play nightmare of ready-made ‘theme templates’”).

Free WordPress themes are often built by novice theme developers who are still learning. Their intentions may be pure, but poor coding practices in building a theme can leave your website vulnerable to security holes. Free WordPress themes are not usually kept current, either, so many begin to break down over time because of incompatibility with newer WordPress and plugin versions. Even free themes created by the most well-intentioned developer can pose problems with compatibility and security.

The authors of free themes are likely going to want you to keep a link to their website at the bottom of your website. Often this is done with base64-encoded code, which hides the link from anyone reading the theme files. This encoded code ensures that your website will give them a back link to build their own reputation. Unfortunately, links to poorly rated sites, or to websites that have been identified as using black hat SEO strategies, are penalized by search engines. That means that if you use a free theme with a link back to the free theme author’s website (even if you don’t know it because it’s not visible on the screen) your website can be heavily penalized for it. That feels pretty wrong, doesn’t it?

Base64 is also an algorithm that is often used to encode and inject malicious code into a website. While I’m not suggesting that all free themes have code that does sneaky things, I am saying some of them definitely do.

If you’re already running a free theme and want to check for possible exploits in the code, we like to use a plugin called “Exploit Scanner”, written and maintained by Donncha Ó Caoimh, a highly respected WordPress developer. This plugin runs a deep scan of your database and will give you a lot of detail about anything suspicious. It can be overwhelming, and not every warning is an indication that you have malicious code. If you think you may have a problem, we can help.
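To show what the hidden base64 footer link and the “encode and inject” pattern described above actually look like, and what a scanner is searching for, here is an added example (not part of the original article and not the Exploit Scanner plugin). It builds a constructed footer.php sample, finds `base64_decode` calls with literal arguments, decodes them to reveal any hidden `<a href>` link, and flags the `eval(base64_decode(...))` construct.

```python
import base64
import re
from typing import Dict, List

# Constructed sample of an obfuscated free-theme footer (not a real theme):
# the credit link is stored as a base64 string and decoded at runtime, so it
# never appears as plain text in footer.php.
HIDDEN_LINK = base64.b64encode(
    b'<a href="http://theme-author.example/">Theme by Example</a>'
).decode()
SAMPLE_FOOTER_PHP = f"""<?php
// footer.php (constructed sample)
wp_footer();
echo base64_decode('{HIDDEN_LINK}');
eval(base64_decode($obfuscated));
?>"""

# base64_decode('...') or base64_decode("...") with a literal argument
LITERAL_B64 = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# eval(base64_decode(...)) with any argument: the classic injected-code shape
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(")
LINK_TAG = re.compile(r"<a\s[^>]*href=", re.IGNORECASE)


def scan_theme_source(php_source: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious construct in a PHP theme file."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in LITERAL_B64.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = "<not valid base64>"
            # A decoded anchor tag is the hidden back link the article warns about
            kind = "hidden_link" if LINK_TAG.search(decoded) else "encoded_literal"
            findings.append({"line": str(lineno), "kind": kind, "decoded": decoded})
        if EVAL_B64.search(line):
            findings.append({"line": str(lineno), "kind": "eval_base64_decode", "decoded": ""})
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point it at real theme files to audit them
    for f in scan_theme_source(SAMPLE_FOOTER_PHP):
        print(f"line {f['line']}: {f['kind']} {f['decoded']}")
```

Not every `base64_decode` is malicious (some legitimate code uses it), so treat each finding as something to read and explain rather than as proof of compromise.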

I have met so many new clients who came in a panic because of a ‘free’ theme problem they were experiencing.

You’ve heard the old saying, “It’s not just what you say, it’s how you say it.” One could argue that what we do at TrekVisual isn’t unique, but how we do it is. TrekVisual has been creating stable websites using sound practices since 2003. We don’t compromise security for design – or design for security. I think you’ll agree that our websites are also probably a lot prettier than any free theme you’ll find out there. I know that in the end they will cost you much less in time, aggravation and money.
