Are you thinking about using WordPress to build your website, but aren’t sure about its security? If you’ve ever heard horror stories about hacked, malware-infected WordPress sites, you may have found yourself wondering: is WordPress secure?

WordPress is generally secure, so long as you follow certain best practices like installing regular updates and exercising caution when using third-party themes and plugins.

WordPress now powers over 40 percent of the web. While this is impressive, it also makes the Content Management System (CMS) a popular target for hackers.

Fortunately, you don’t have to migrate to a new platform. By taking some simple precautions, you can continue to use one of the world’s most popular systems while also protecting your site against cyberattacks. 

In this article, we’ll look at why themes and plugins may be the biggest threat facing your WordPress website. Then we’ll share five simple ways to boost your security, and ensure that you’re using these themes and WordPress plugins safely. Let’s get started!

An Introduction to WordPress Security (And Why It’s Important)

With WordPress powering over 28 million websites, it’s become a popular target for hackers. If a malicious third party manages to break into one WordPress site, they could potentially use the same attack against millions of subsequent websites. 

While no software is perfect, the WordPress team has a solid track record of identifying and addressing vulnerabilities in the platform. However, many website owners choose to extend WordPress’ core with themes and plugins.

While third-party software is excellent for creating unique and feature-rich sites, it can also make your site more vulnerable to attack. In its 2021 report, WP White Security discovered almost 4,000 known WordPress plugin vulnerabilities and 443 known theme vulnerabilities. Hackers have a habit of actively targeting these weak spots.

In fact, Wordfence recorded 4.3 billion attempts to exploit vulnerabilities in a single year. If you’re using any third-party themes or plugins, it’s important to harden your site against these intrusions.

How to Safely Use WordPress Themes and Plugins (5 Tips)

You don’t have to limit yourself to the designs and features in WordPress core. Although they come with some risks, there are ways to extend the CMS’ functionality and features without compromising your site. Below are five methods for using themes and WordPress plugins safely.

1. Use Reputable, Well-Researched Sources

Some malicious third parties embed malware and other digital threats inside themes and plugins. To help protect your website, therefore, it’s important to only install software from reputable sources.

If you’re looking for free themes and plugins, the official WordPress Plugin Directory is a quality resource due to its strict security policies:

The WordPress Plugin Directory.

There is also a wide range of reputable third-party marketplaces specializing in premium themes and plugins, such as CodeCanyon. Even if you’re downloading your software from a reliable source, it’s smart to check the reviews, particularly the newest ones:

The ratings section of a WordPress plugin.

A plugin might have a positive overall rating, but a recent spate of poor reviews may indicate a security issue with the latest release. In addition, the theme or plugin listing may not be the only place where people are discussing this information.

In fact, it’s worth running the software’s name through your favorite search engine as well. This extra step only takes a few seconds, and may reveal miscellaneous locations, such as forums, where people talk about the software. If there is a serious issue with a tool, the search may even return news stories or blog posts detailing the problem.

2. Install the Latest WordPress Security Updates

It’s not uncommon for the community to discover security vulnerabilities, even in established themes and plugins. However, a reputable developer will work hard to release an update that addresses these issues. To ensure that you’re using themes and WordPress plugins safely, it’s important to install updates as soon as they’re available.

You can check for new versions by selecting Updates from WordPress’ side menu. Then, if there are upgrades available, you can install them directly from this screen:

WordPress's update screen.

However, it’s often better to enable auto-updates so that you receive the latest fixes without having to check the WordPress dashboard manually. To auto-update your plugins, navigate to Plugins > Installed Plugins, and then select the checkbox next to each plugin you want updated automatically.

Next, in the Bulk actions dropdown, click on Enable Auto-Updates > Apply:

Updating WordPress plugins as part of a bulk action.

To streamline updates for your WordPress theme, you can browse to Appearance > Themes. On this screen, hover over your current theme and select Theme Details:

Finally, click on the Enable auto-updates link under the theme name. Your WordPress theme will then update automatically.
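If you manage several sites, or want the update policy in version control instead of in each dashboard, the same settings can be fixed in code. The following is an added example and not part of the article or of WordPress itself: a must-use plugin that uses WordPress’s `auto_update_plugin` and `auto_update_theme` filters. It auto-updates every theme and a chosen list of plugins, and leaves any plugin not on the list with whatever setting was chosen on the Installed Plugins screen. The plugin slugs in the list are placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Files in
 * mu-plugins load on every request and need no activation, so the policy
 * cannot be switched off from the dashboard by mistake.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Loaded directly over HTTP rather than by WordPress: do nothing.
}

/**
 * Plugin directory names (slugs) that may update on their own.
 * These two slugs are placeholders; replace them with your own plugins.
 */
function example_auto_update_allowlist() {
    return array(
        'example-seo-plugin',
        'example-contact-form',
    );
}

/**
 * Decide whether a plugin update is installed automatically.
 *
 * @param bool|null $update WordPress's own decision, based on the per-plugin
 *                          toggle from the Installed Plugins screen.
 * @param object    $item   Update item; $item->slug is the plugin directory name.
 * @return bool|null true for allow-listed plugins, otherwise the unchanged decision.
 */
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, example_auto_update_allowlist(), true ) ) {
        return true;
    }
    return $update; // Not on the list: keep the dashboard setting.
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes: let every installed theme update automatically.
add_filter( 'auto_update_theme', '__return_true' );
```

Automatic updates are applied by WP-Cron, so they only run when the site receives traffic (or when a real cron job calls `wp-cron.php`); it is still worth glancing at the Updates screen now and then to confirm nothing is stuck.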

3. Delete Unused Plugins

Sometimes, you may need to temporarily deactivate a plugin. For example, you might be troubleshooting an error and want to check and see whether a particular plugin is causing the issue. In this scenario, you can deactivate the tool, test your website, and then reactivate the plugin if the problem persists. 

However, if you no longer require a plugin, it’s wise to delete it completely. Even in a deactivated state, a plugin’s PHP files will remain accessible, and may therefore still be exploitable. By removing the plugin, you close this security loophole. 

Before pressing Delete, we recommend testing to see how your site will function without this software. If you haven’t already, deactivate the plugin and verify that your site continues to display and run correctly. Once you’re confident that your site is performing as expected, you can remove the tool entirely.

You can both deactivate and delete plugins on your site by navigating to Plugins > Installed Plugins in your admin dashboard. Once you click on the Deactivate link, there will be the option to delete it.
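On a site with many plugins it is easy to lose track of which ones are merely deactivated. The script below is an added example, not code from the article or from WordPress: run from the WordPress root directory with `php list-inactive-plugins.php`, it loads WordPress and prints every installed plugin that is not active, together with the directory whose files stay reachable under `wp-content/plugins/` until the plugin is deleted. It assumes the PHP command-line interpreter can load `wp-load.php` (same file permissions and database access as the web server). It only lists; deleting is left to you after the test described above.

```php
<?php
/**
 * list-inactive-plugins.php (added example, not from the article)
 *
 * Lists installed-but-inactive plugins so they can be reviewed and deleted.
 * Run from the WordPress root: php list-inactive-plugins.php
 */

if ( PHP_SAPI !== 'cli' ) {
    exit( "Run this from the command line only.\n" );
}

// Bootstrap WordPress, then the admin helpers that define get_plugins().
require __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/plugin.php';

/**
 * Return inactive plugins keyed by plugin file ("<dir>/<main-file>.php").
 */
function example_inactive_plugins(): array {
    $inactive = array();
    foreach ( get_plugins() as $file => $headers ) {
        // is_plugin_active() covers single-site and network (multisite) activation.
        if ( is_plugin_active( $file ) ) {
            continue;
        }
        // Single-file plugins live directly in the plugins directory.
        $dir  = dirname( $file );
        $path = WP_PLUGIN_DIR . '/' . ( $dir === '.' ? $file : $dir );

        $inactive[ $file ] = array(
            'name'    => $headers['Name'],
            'version' => $headers['Version'],
            'path'    => $path,
        );
    }
    return $inactive;
}

$inactive = example_inactive_plugins();
if ( $inactive === array() ) {
    echo "No inactive plugins found.\n";
    exit( 0 );
}

printf( "%d inactive plugin(s); their PHP files remain on disk until deleted:\n", count( $inactive ) );
foreach ( $inactive as $file => $plugin ) {
    printf( "  %-40s %-10s %s\n", $plugin['name'], $plugin['version'], $plugin['path'] );
}
```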

4. Consider Using a Web Application Firewall (WAF)

Ideally, theme and plugin developers will identify any problems with their products and immediately issue the necessary patches. However, this isn’t always possible. 

In the worst-case scenario, a vulnerability may become public knowledge before the developer has a chance to release an update. If you’re running a vulnerable theme or plugin, your site could become a prime target for hackers who are eager to exploit known vulnerabilities.

Fortunately, a Web Application Firewall (WAF) can offer you some protection by filtering out malicious requests before they have a chance to reach your site. There are several WAF plugins available, but Wordfence is a popular option:

The Wordfence WordPress plugin.

After installing and activating Wordfence, it’s a smart idea to place it in “Learning Mode” for at least a week before enabling the firewall. This feature is designed to help you avoid false positives, which occur when the plugin blocks legitimate activities. 

During this mode, it’s important to interact with your site normally. Wordfence can then learn your patterns and behaviors, and understand how to permit normal actions while still protecting your site.

To place the tool into Learning Mode, navigate to Wordfence > Firewall:

A WAF can help you use WordPress plugins safely.

Next, open the Web Application Firewall Status drop-down menu and choose Learning Mode. Wordfence will now begin monitoring your site.

Once you’re confident that Wordfence has experienced all of the actions you typically perform on your site, it’s time to activate your firewall. In the WordPress dashboard, you can browse to Wordfence > Firewall, open the drop-down menu, and then select Enabled and Protecting.

5. Monitor Your WordPress Site for Suspicious Behavior

It’s common for developers to avoid publicly announcing a vulnerability until they’ve issued a patch. However, you don’t necessarily have to wait for an announcement to identify an issue that’s putting your website at risk.

By monitoring your traffic carefully, you can develop a baseline of what’s normal for your particular website. This puts you in a strong position to identify changes that may indicate you’re under attack – even when those signs are extremely subtle. 

Common indicators may include a surge in visitors from unexpected geographical locations, or unusual activity targeting your site’s most vulnerable pages, such as your login page. You can analyze your traffic using a platform such as Google Analytics:

The Google Analytics dashboard.

This tool provides detailed user demographic information, which can be invaluable for identifying whether anything is amiss. You can even display Google Analytics data inside your dashboard by using a plugin such as Google Site Kit:

The Google Site Kit plugin.
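Analytics dashboards show trends, but the raw web-server access log is where a sudden burst of activity against the login page shows up first. The script below is an added example, not code from the article or from any of the tools it mentions: it reads access-log lines in the common combined format, counts POST requests to `wp-login.php` per client address per minute, and reports any address that exceeds a threshold you set from your own baseline. The log lines are constructed sample data using RFC 5737 test addresses; to run it on a real log, replace `SAMPLE_LOG` with the lines of your server’s access log file.

```php
<?php
/**
 * login-bursts.php (added example, not from the article)
 *
 * Flags client addresses that POST to wp-login.php more than a threshold
 * number of times within one minute. Malformed lines are skipped, not fatal.
 */

// More than this many POSTs to wp-login.php from one address in one minute
// is reported. Tune it to your baseline: a real user rarely submits the
// login form more than a few times in a row.
const LOGIN_POSTS_PER_MINUTE = 5;

// Constructed sample data in combined log format (not a real server log).
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/Mar/2024:09:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:09:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:09:01:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3400 "-" "python-requests/2.31"
this line is deliberately malformed and must be ignored
LOG;

/**
 * Parse one combined-format line; return null when it does not match.
 */
function parse_log_line( string $line ): ?array {
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if ( ! preg_match( $pattern, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'minute' => substr( $m[2], 0, 17 ),            // "10/Mar/2024:09:01" (seconds dropped)
        'method' => $m[3],
        'path'   => parse_url( $m[4], PHP_URL_PATH ),   // query string removed
        'status' => (int) $m[5],
        'agent'  => $m[6],
    );
}

/**
 * Count POSTs to /wp-login.php per (address, minute) and return the
 * entries above the threshold, keyed "ip @ minute".
 */
function find_login_bursts( array $lines, int $threshold = LOGIN_POSTS_PER_MINUTE ): array {
    $counts = array();
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( $r === null || $r['method'] !== 'POST' || $r['path'] !== '/wp-login.php' ) {
            continue;
        }
        $key            = $r['ip'] . ' @ ' . $r['minute'];
        $counts[ $key ] = ( $counts[ $key ] ?? 0 ) + 1;
    }
    return array_filter( $counts, fn( $n ) => $n > $threshold );
}

$bursts = find_login_bursts( explode( "\n", SAMPLE_LOG ) );
if ( $bursts === array() ) {
    echo 'No address exceeded ' . LOGIN_POSTS_PER_MINUTE . " login POSTs per minute.\n";
}
foreach ( $bursts as $key => $n ) {
    echo "ALERT: $n POSTs to /wp-login.php from $key\n";
}
```

With the sample data, only `198.51.100.7` is reported (seven POSTs within the 09:01 minute); the legitimate user at `203.0.113.10` logs in once and is not flagged. A useful next step is to compare the flagged addresses against the geographic breakdown in your analytics, which is where the “unexpected locations” signal described above becomes concrete.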

Downtime can be another red flag that your site is under attack. Some infiltrations are even designed specifically to take your site offline, such as Distributed Denial-of-Service (DDoS) attacks. There are plenty of services that can notify you about downtime, including UptimeRobot:

The Uptime Robot monitoring service.

This free service will test your website once every five minutes. However, if you want more frequent checks, paid plans are also available.

While WordPress itself is generally secure, themes and plugins are likely the weak link in your site’s defenses. Fortunately, by following some straightforward safety precautions, you can continue using these key tools without endangering your site.

Let’s recap five ways that you can use themes and WordPress plugins safely:

  1. Do your research and use reputable sources.
  2. Install the latest updates.
  3. Delete unused plugins.
  4. Consider using a WAF, such as the Wordfence plugin.  
  5. Monitor your WordPress site with tools such as Google Analytics and UptimeRobot.

Do you have any questions about how to keep your site secure? Let us know in the comments section below!
