I love WordPress themes, really, I do. Even when they were just a couple of color and font changes here and there they already had great potential, allowing people with very little design knowledge to easily brand a website built on WP, which also kept it easy to update.

Themes kept evolving though, and quickly they weren’t just colors and fonts, but also page templates, and even some custom settings that allowed you to modify things such as the header padding, showing/hiding sidebars, etc. You could set up your WordPress, upload some content, activate your theme, click a few checkboxes here and there and… voilà! Wait, not quite convinced by that theme anymore? You simply activated a different one and… voilà again! Life was beautiful.

But people wanted more, it’s in human nature I guess, so what one day was simply amazing the next day just wasn’t enough. People got used to the options themes made available to them and wanted more. Users who didn’t know how to read a <p> tag wanted full control over each and every single pixel of their websites; they got greedy… Lucky for them there were some very talented developers out there ready to accomplish this, and make their sites suck in the process.

This is when plugins came into the game, plugins like Page Builder or Visual Composer which offered a world of possibilities when it came to creating layouts for your pages. You might be thinking I’m against these kinds of plugins, but I’m not; I think they are great tools and their creators deserve all the credit they can get for the amazing plugins they’ve put together. What I am against, though, is theme developers who build themes that rely so heavily on these plugins that they just won’t work without them.

You start browsing through WP themes these days and you see some incredible designs. Really, it’s great that designers have chosen this platform as one of their favorites, because the quality of the design you see is simply astonishing; thousands of dollars spent on a custom designed website wouldn’t guarantee that level of standards. But wait, how do I make my website look like the one in the demo? Well, in most cases… good luck with that!

Theme developers have bound their themes to these plugins and taken them to such an extreme where it will be close to impossible for someone else to replicate what they’ve done on their demo pages. Some of them realize that and provide you with the demo content so that you can import it and replicate exactly what you saw before buying, but then it’s up to you to reverse engineer how that was accomplished in order to introduce your own content. As a result people get frustrated, make poor design decisions (since the theme itself doesn’t make those decisions for them any more) and end up publishing websites that look nothing like what they had in mind and way worse than they would have looked with a more “restrictive” theme. Things only keep getting worse when the site owner tries to update the site after six months: not remembering the little he was able to figure out the first time, he ends up breaking the site even further.

But if you really want to have fun, then you should try to switch to a new theme once you’ve got your site up and running with one of those…

Visual Composer and Co. are, like I said, great plugins, and when someone who has been running a WP site for a while wants to achieve a level of customization that the theme itself doesn’t allow, they are a great tool for achieving that. But they are plugins and NOT themes.

In my opinion there are two rules every theme should follow in order to be considered a good theme:

1. A good theme should not require ANY plugin to be fully functional.

2. A good theme should allow switching to a different theme with minimum migration effort.

Some people might agree, others might not, but since I’m considering starting to build my own themes, and potentially making them available to the public, I’ll keep coming back to make sure any theme I release meets these two simple rules.

A few days ago I woke up and found one of my websites down. Not being very technical I tried everything I knew: does the site respond to ping? Yes. Do other websites on the same server work? No. Reset the server, did it work? No…

So I contacted my hosting company to see if they could help me figure out what was going on, and they sure did: they told me my website was sending around 10K e-mails per hour, which was considered spam (no kidding), and therefore my website had been added to several blacklists that prevented it from loading in most browsers.

Shit! 10K e-mails per hour? What happened here?

So I contacted my tech guy (girl actually) and asked her to take a look at it. She got back to me almost immediately and said our server was indeed sending out tons of e-mail, but it wasn’t our website (weird when you are talking about a dedicated server that is supposed to host only one website); it was a WordPress installation that I had done a couple of weeks earlier as a side project. I told her that and she asked: did you make a secure WordPress installation?

What? I just installed it, isn’t that supposed to be secure? Well, apparently not as much as it should be, since that installation was hacked and was being used to send tons of spam.

So my obvious question once the issue was solved (it took a few weeks to go 100% back to normal) was: next time, how do I set up a secure WordPress installation?

According to my tech team it’s not that hard at all, you just have to follow a few more steps after the installation, some obvious (but worth being reminded of), others not so much. So here is a list of the 5 steps you should follow to set up a secure WordPress installation:

  1. This is obvious, but choose strong passwords and never set up a user called admin, since most robots will try that when trying to hack your site.
  2. Use a random database prefix instead of the standard i39fw1_
  3. Insert this line of code at the end of your wp-config.php file: define('DISALLOW_FILE_EDIT', true);
    This will disable the theme and plugin file editor in your admin panel, which means that even if someone does hack your admin password and gets into your dashboard, they won’t be able to use the editor to insert malicious code into your files.
  4. Install a plugin called Login Lockdown and take a minute to set it up properly. This will detect anyone attempting to log in to your website a suspicious number of times in a relatively short time (what robots usually do to hack your password) and will block them for a certain period of time.
  5. Last but not least, keep your WordPress and plugin versions updated. Even if it’s tempting not to once everything is working, you should always update. I’ll take the risk of contradicting myself though and say you should not update the first day a new WP release comes out; give it a week or two to make sure all the plugins you are using also come out with an update that’s compatible with the new WP version.
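Steps 2 and 3 above can be checked and applied from the server's shell. The following script is an added example written for this post, not code from the post's author or from WordPress itself; it assumes a POSIX sh with awk, grep, tr and /dev/urandom, a 6-character prefix length, and the constructed sample wp-config.php it writes at the end.

```shell
# Added example (not from the original post): audit and harden a wp-config.php
# for steps 2 and 3 (custom table prefix, file editor disabled). Assumes POSIX
# sh with awk, grep, tr and /dev/urandom; the sample config below is constructed.

# Random lowercase prefix such as "k3x9qz_" (6 characters is an assumption).
random_prefix() {
  printf '%s_' "$(tr -dc 'a-z0-9' < /dev/urandom | head -c 6)"
}

# Exit 0 when DISALLOW_FILE_EDIT is already defined as true in the config.
file_edit_disabled() {
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Exit 0 when the table prefix is anything other than the WordPress default wp_.
prefix_is_custom() {
  ! grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1"
}

# Rewrite the config in place: replace a default prefix with a random one and
# insert the define before the "stop editing" marker (or append it), once only.
harden_wp_config() {
  cfg=$1; tmp="$cfg.tmp"
  if file_edit_disabled "$cfg"; then have=1; else have=0; fi
  awk -v p="$(random_prefix)" -v q="'" -v done="$have" '
    ($0 ~ ("^[[:space:]]*\\$table_prefix[[:space:]]*=[[:space:]]*[\"" q "]wp_[\"" q "]")) {
      print "$table_prefix = " q p q ";"; next }
    /stop editing/ && !done { print "define(" q "DISALLOW_FILE_EDIT" q ", true);"; done = 1 }
    { print }
    END { if (!done) print "define(" q "DISALLOW_FILE_EDIT" q ", true);" }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Constructed sample config mirroring the default lines WordPress ships with.
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo run: harden the sample and show the result.
demo=$(mktemp)
write_sample_config "$demo"
harden_wp_config "$demo"
cat "$demo"; rm -f "$demo"
```

Running it twice on the same file leaves a single define and keeps the prefix already chosen, so it is safe to re-run as a check.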

And that’s it! I hope this helps many websites prevent the numerous hacker attacks that happen every day.