My personal blog got hacked last month. Ouch. Visitors who clicked a search result link to my site were getting redirected to some Russian site. Luckily I realized it pretty quickly and fixed it within 24 hours, but the damage had been done – I lost almost a day’s worth of traffic and some new visitors.

I did however, learn an important lesson from the experience – website clutter can get you hacked.

What’s lying in the hidden corners of your website?

After fixing my site I immediately investigated the source of the hack to make sure it doesn’t happen again. I realized that the attack vector was an old inactive theme laying around on my web server.

Yes, not clearing out my old theme files got me hacked. I can just hear my mom’s voice telling me to pick up my room…

This outdated theme was vulnerable to the TimThumb exploit. Although it was inactive, the vulnerable script was still there on my web server. A bot probably just checked whether /wp-content/themes/themename/timthumb.php exists on my server and when it found the script there, it proceeded to exploit my site.

If you have the Thesis or Headway 2.x themes, or older WooThemes you should go into your WordPress dashboard and delete the old versions of those themes from your server immediately. These are a few themes that I’ve used and that I know may trip you up because of how the update mechanisms work.

Note: Headway 3.x does not have this problem any more so you should definitely upgrade if you’re still sticking with version 2.x

Outdated plugins and themes

I’ve stressed the importance of keeping WordPress updated before, but here’s another piece of advice that should be taken to heart: delete your inactive plugins and themes.

We all love installing plugins and themes. Unfortunately we’re not so good at clearing out old plugins and themes. As I learnt the hard way, having inactive themes and plugins just laying around on the server can pose a security risk.

Clear out the clutter. If a theme or plugin is not in use, don’t just leave them laying inactive on your site. Delete them to make sure that they don’t come back to bite you in the ass.

Old backup files

Other pieces of clutter that are potential disasters waiting to happen are backup files left in your root directory. I’ve logged into many web servers and I see stuff like this:

- sitename.com_v1
- wp-admin
- wp-content_old
- wp-content
- ...

Do you see the problem? Outdated files in the the backup folders can contain outdated plugins and themes, and vulnerable files that can be used to exploit your site. If you need to store backup files on your web server, don’t let them clutter up the public_html directory. You should zip up your files and put them above the public_html directory.

Outdated files are dangerous, even if they’re not active

Your website clutter is just waiting to trip you up

WordPress is actually a very secure platform but we constantly overlook “the little stuff” which then compromises our sites. Remember that inactive themes and plugins can contain vulnerable code which can be executed by anyone with a web browser.

If a hacker finds it, you can be sure their next step is to exploit your site. The next thing you know, your site will be redirecting people to phishing sites, spreading malware or worse, be used in phishing scams.

So before that happens, have a quick look around your web server and clear out any clutter that may be waiting to trip you up. If you need help, give us a shout on Twitter by tweeting @clickwp or get in touch via our contact form.

Hassle-free WordPress Security, Updates & Backups

Let ClickWP take care of your website security. We implement measures to keep your site safe, update your plugins and themes regularly, and make daily backups of your site content and files.

Find out more about our WordPress Website Care Plans

About David

David has over 15 years of experience with web geekery and WordPress. That experience spans every­thing from cre­at­ing affordable websites for small businesses, developing custom themes to opti­miz­ing WordPress sites for thou­sands of page views in a day. Say hi to David on Twitter at @blogjunkie.

Reader Interactions


  1. Linden Hills Florist

    Thanks for the tip – I’m pretty sure I’ve got one site with some old themes still sitting inside the server gathering digital dust (and potentially some nasty bugs by the sounds of it).

    • David

      You’re welcome! I’m glad that you got something out of it and I hope it saves you the trouble of getting hacked.

  2. carolm

    Oh no! I had no idea! My unused themes are going to be deleted today. I also didn’t know about checking old backups on the server.

    Thanks for the tips! Many people only think about security after they’ve been hacked – so now I’m hoping I still haven’t missed any gaping security holes on my sites that I haven’t found out about yet.

    • David

      Hi David. Inactive plugins and themes can be updated too. However even up to date plugins can have vulnerabilities – the vector of attack in my case was an up to date theme with such a vulnerability. Therefore it’s best to only install the ones you use. Hope that explains things!