10 Tips to Keep WordPress Theme and Plugin Code Secure

October 29, 2018


As fascinating as the online world seems, you should not forget how dangerous it can be. Even when everything is working efficiently and smoothly, you may not notice when the tables turn against you.

If you are a WordPress website owner, you know how much effort it takes to keep the site secure from hackers, who continuously try to gain access to websites through brute force attacks, phishing, malware, and other techniques.

Table of Contents

  1. Choose Themes & Plugins Wisely
  2. Validating Entered Data
  3. Regular Updates of Themes & Plugins
  4. Uninstalling Unwanted Themes & Plugins
  5. Disable Theme & Plugin Editor
  6. Use WordPress Firewall
  7. No Access to Plugin Directory
  8. Be Attentive with User Roles
  9. Disable PHP Error Reporting
  10. Get Themes & Plugins from A Reliable Source

Despite regular bug fixes in plugin and theme code, hackers have evolved and found ways to break security measures. It has therefore become important to take matters into your own hands before the situation gets worse.

So, here are some tricks through which you can keep your WordPress theme and plugin code secure.

1. Choose Themes & Plugins Wisely

Just like apps, WordPress themes and plugins are maintained and monitored by different developers. Some developers provide regular updates to their themes and plugins, while others don’t bother with them at all.

You therefore have to be cautious when selecting your themes and plugins. When a developer updates them frequently, it means that he is rigorously searching for bugs and removing them.

This gives your themes and plugins the best protection. Apart from the security aspect, regular updates also bring faster loading and operation, innovative designs, advanced features, and much more.

2. Validating Entered Data

If you have a contact form or any other type of form on your website, the chances of malicious code being injected through a plugin or theme increase considerably. Forms on your website should therefore not accept any sort of input without adequate validation.

Although this feature is already built into WordPress, you may have to customize the code and add your own data validation to get proper results.

You can do so while creating customized input fields. For instance, you can make certain fields in the form required. Then, if the user enters only an email ID without any additional information, the comment will not be accepted.
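The required-field check described above, as an added example that is not code from the original post. It assumes a small custom plugin whose form posts to admin-post.php with action=example_contact and prints a nonce via wp_nonce_field( 'example_contact', 'example_nonce' ); the example_* names, the field names and the 2000-character cap are hypothetical.

```php
<?php
// Plugin Name: Example Contact Form Validation (illustrative, hypothetical names)

// Route POSTs to admin-post.php?action=example_contact for guests and logged-in users.
add_action( 'admin_post_nopriv_example_contact', 'example_handle_contact' );
add_action( 'admin_post_example_contact', 'example_handle_contact' );

/** Sanitize and validate raw form input. Returns array( $clean, $errors ). */
function example_validate_contact( array $raw ) {
	// Treat missing or non-string values (e.g. name[]=x) as empty.
	$get = function ( $key ) use ( $raw ) {
		return ( isset( $raw[ $key ] ) && is_string( $raw[ $key ] ) ) ? $raw[ $key ] : '';
	};
	$clean = array(
		'name'    => sanitize_text_field( $get( 'name' ) ),
		'email'   => sanitize_email( $get( 'email' ) ),
		'message' => sanitize_textarea_field( $get( 'message' ) ),
	);
	$errors = array();
	// Every field is required: an email address on its own is rejected.
	foreach ( $clean as $field => $value ) {
		if ( '' === $value ) {
			$errors[ $field ] = 'required';
		}
	}
	if ( '' !== $get( 'email' ) && ! is_email( $clean['email'] ) ) {
		$errors['email'] = 'invalid';
	}
	if ( mb_strlen( $clean['message'] ) > 2000 ) { // Length cap is an assumed limit.
		$errors['message'] = 'too long';
	}
	return array( $clean, $errors );
}

function example_handle_contact() {
	// Only accept submissions carrying the nonce our form printed with wp_nonce_field().
	$nonce = isset( $_POST['example_nonce'] ) ? sanitize_key( $_POST['example_nonce'] ) : '';
	if ( ! wp_verify_nonce( $nonce, 'example_contact' ) ) {
		wp_die( 'Invalid request.', '', array( 'response' => 400 ) );
	}
	list( $clean, $errors ) = example_validate_contact( wp_unslash( $_POST ) );
	if ( $errors ) {
		wp_die( esc_html( 'Please correct: ' . implode( ', ', array_keys( $errors ) ) ), '', array( 'response' => 400 ) );
	}
	wp_mail( get_option( 'admin_email' ), 'Contact form: ' . $clean['name'], $clean['message'], array( 'Reply-To: ' . $clean['email'] ) );
	wp_safe_redirect( home_url( '/' ) );
	exit;
}
```

Because the name and email values are sanitized before they reach the mail subject and the Reply-To header, line breaks that could inject extra headers are stripped.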

3. Regular Updates of Themes & Plugins

From the moment you set up a WordPress website, its security depends on how you maintain what is on the back end, including plugins, themes, blogs, and more. If you want to keep your entire website unharmed, it is important to keep upgrading it from time to time.

One of the best things about the WordPress platform is that it notifies you whenever an update is required. Furthermore, even if you don’t want to upgrade the entire website, you can update the essential themes and plugins to be on the safe side.

Such updates not only strengthen the security of your website but also fix vulnerabilities and bugs. If you cannot keep an eye on the updates yourself, there are plugins available that can do the job for you.

4. Uninstalling Unwanted Themes & Plugins

There is no denying that the abundance of plugins and themes is very attractive. With so many available, it becomes difficult to pick the most effective ones, especially when you are getting them free of cost.

For a newbie, this dilemma is understandable. However, keeping unnecessary and unwanted themes and plugins on your site can pose a threat to your data. Even if you are not using them and have kept them deactivated, they are not doing you any good.

Therefore, it is better to uninstall these unwanted plugins and themes than to open the door for hackers to ruin your site. On the bright side, you will even get more space to download something more useful.

5. Disable Theme & Plugin Editor

The more convenient features your website has, the greater your responsibility for them. Note, too, that advanced features don’t decrease risks; they increase them. A case in point is the built-in theme editor in your WordPress dashboard.

Although it may seem easier to tweak and edit the code directly from the dashboard whenever required, doing so can also introduce risks and break your website altogether. On top of that, if your admin panel is shared with a couple of other people, you have to be extra attentive.

Therefore, you can disable the function of using the theme and plugin editor altogether. To do this, you would have to write the following code at the end of your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

6. Use WordPress Firewall

Generally, what makes a plugin extremely vulnerable and susceptible to hacker attacks is a zero-day vulnerability. Whether you have only just installed the plugin or have just updated it, neither helps against one.

If a hacker detects such a vulnerability, it won’t take him long to attack your site. To prevent such threats to your site, you can use a WordPress firewall. Acting as a filter, the firewall keeps potential threats at bay.

With WordPress, you can check out different firewalls. Have a look at their features. And then, you can select the one that’d best suit your requirements. But, keep in mind the goal of website security while installing a firewall.

7. No Access to Plugin Directory

One of the best things that you can do to secure your theme and plugin code is to cut off access to the plugin directory. If you have other users as well, keep in mind that you should not be sharing this part with anyone.

If you have kept the plugin directory open, it becomes easier for hackers to access your plugins as well as your themes. To close it off, follow these steps:

  • Create a blank index.html
  • Upload that file to the plugin directory
  • Go to the Root folder
  • Open the .htaccess file
  • Add Options -Indexes at the start

This method will ensure that nobody else is snooping around in the information that you have on your website.

8. Be Attentive with User Roles

If you have different users on your WordPress site, such as author, editor, administrator, contributor, subscriber, etc., then you would have to be careful. First, ensure that the people you are assigning these roles are trustworthy.

Next, you must also track every sort of activity that is taking place on your website whenever these users have logged in. There are certain plugins available that can help you keep a tab on such activities, like User Activity Log, WP Security Audit Log, and more.

These plugins offer several useful features that will help you keep a check on what is happening on your site, including the recent changes that have been made to posts, pages, categories, tags, updates, media, taxonomies, comments, widgets, themes, export, menus, etc.

9. Disable PHP Error Reporting

The next thing that you should disable on your site to keep your theme and plugin code secure is PHP error reporting. Since this feature sends out notifications whenever there is a problem on your platform, it can be a great opportunity for hackers to get in.

PHP error messages come with server path information. So, if troublemakers get hold of an error message, they can use it against your website. Disabling PHP error reporting is not tough, either. Follow these steps to do so:

  • Go to wp-config.php file
  • Copy this to the file-
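One way to do this, as an added example rather than the original post's snippet. It uses WordPress's WP_DEBUG and WP_DEBUG_DISPLAY constants and PHP's own display_errors and log_errors settings; the log path is a placeholder.

```php
<?php
// wp-config.php (excerpt). Place above the line that loads wp-settings.php.
// WP_DEBUG usually already exists in this file: edit that line rather than defining it twice.
define( 'WP_DEBUG', false );          // No debug mode on a live site.
define( 'WP_DEBUG_DISPLAY', false );  // If debugging is switched on later, still keep errors off the page.

// Hide PHP errors from visitors regardless of the server's php.ini default.
@ini_set( 'display_errors', '0' );

// Keep recording errors, in a file outside the web root.
// The path below is a placeholder; use a directory your web server does not serve.
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/path/outside/webroot/php-errors.log' );
```

Errors then stay available to you in the log file while visitors see no file paths or stack details.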


10. Get Themes & Plugins from A Reliable Source

Being new to the realm of WordPress can make it easy to get things wrong. All along the way, you have to be extremely careful when selecting the themes and plugins that you are going to download.

While free themes and plugins may sound like an inexpensive and good alternative to paid options, sometimes they don’t come from a reliable source. Hence, they can be a threat to your site as well.

So, make sure that you choose only a reliable source, such as the WordPress community or a plugin/theme store. It will help you keep your website in good shape.


Plenty of websites get hacked on a daily basis. This calls for a solid WordPress security plan that will keep your website secure. As part of it, you must ensure that your theme and plugin code is safe as well.

So, these were some of the ways through which you can keep the code safe. Try them and prevent hackers from getting inside your website.

Disclaimer: This is a guest post by CyberChimps. The opinions and ideas expressed herein are the author’s own, and in no way reflect Cloudways’ position.

Saud Razzak

Saud is the WordPress Community Manager at Cloudways - A Managed WooCommerce Hosting Platform. Saud is responsible for creating buzz, spreading knowledge, and educating people about WordPress in the Community around the globe. In his free time, he likes to play cricket and learn new things on the Internet. You can email him at