An inactive theme is just like an inactive plugin: code on the server, reachable from the theme editor, potentially carrying vulnerabilities. The only difference is that themes get less attention, so many of them are older and worse-maintained than the average plugin.
Why this matters
An installed theme exposes its files at /wp-content/themes/THEME-NAME/. Static assets (CSS, JS, images) are reachable directly over HTTP, and PHP files are editable through the theme editor in wp-admin. If a theme has a known flaw - the historical PageLines screenshot.php LFI is the canonical example - a bot can exploit it whether the theme is active or not. Beyond that, an old commercial theme that no longer receives updates (the marketplace closed, the developer moved on) becomes fossilised code that will never get a security patch.
There are practical considerations too: modern themes (Twenty Twenty-Four, Twenty Twenty-Five) weigh megabytes; with five old themes plus the active one, you pay for it in backup size, deploy time and security-scan duration.
How to detect
Go to Appearance > Themes. Anything not marked "Active" is inactive. Via WP-CLI:
wp theme list --status=inactive --format=table
RankPlus compares the active stylesheet (get_stylesheet()) and its template (get_template()) against the installed themes and flags everything else.
How to fix
- Decide what stays:
  - The active theme - mandatory.
  - Its parent, if you are using a child theme - mandatory. Delete it and the child breaks.
  - One fallback core theme (Twenty Twenty-Four) - recommended. If the active theme ever breaks, WordPress falls back to it automatically.
  - Everything else - delete.
- Visit Appearance > Themes, hover the theme, click Theme Details, then Delete in the corner.
  - If a warning appears saying "This theme is the parent of an active theme" - do not delete. That is the parent of the active child.
- WP-CLI alternative: wp theme delete THEME-SLUG.
- Check for orphaned customiser data in wp_options (search by theme slug).
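The keep/delete decision above as a dry-run script. This is an added example, not RankPlus or WP-CLI code. The fallback slug twentytwentyfour and the sample theme slugs are assumptions; with --wp it reads the live site through WP-CLI, otherwise it runs on a constructed list.

```shell
#!/bin/sh
# Added example: dry-run plan for pruning inactive themes.
# Assumption: twentytwentyfour is the fallback core theme you decided to keep.
FALLBACK="${FALLBACK:-twentytwentyfour}"

# themes_to_delete STYLESHEET TEMPLATE FALLBACK
# Reads installed theme slugs on stdin (one per line) and prints every slug
# that is not the active theme, its parent, or the fallback.
themes_to_delete() {
    while IFS= read -r slug; do
        [ -n "$slug" ] || continue
        case "$slug" in
            "$1"|"$2"|"$3") ;;              # mandatory or fallback: keep
            *) printf '%s\n' "$slug" ;;     # everything else: deletion candidate
        esac
    done
}

# fallback_installed FALLBACK: succeeds only if that exact slug is on stdin.
fallback_installed() {
    grep -qxF -- "$1"
}

# plan INSTALLED STYLESHEET TEMPLATE
# Refuses to plan any deletion when the fallback theme is not installed.
plan() {
    if ! printf '%s\n' "$1" | fallback_installed "$FALLBACK"; then
        echo "fallback theme $FALLBACK is not installed; install it first" >&2
        return 1
    fi
    printf '%s\n' "$1" | themes_to_delete "$2" "$3" "$FALLBACK"
}

if [ "${1:-}" = "--wp" ]; then
    # Live site: 'stylesheet' and 'template' are the options that
    # get_stylesheet() and get_template() read.
    plan "$(wp theme list --field=name)" \
         "$(wp option get stylesheet)" "$(wp option get template)"
else
    # Constructed sample: a child theme, its parent, the fallback, two leftovers.
    plan "shop-child
shop-parent
twentytwentyfour
twentyeleven
old-market-theme" shop-child shop-parent
fi
```

The script only prints slugs; review the list, then pass each one to wp theme delete.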
Common mistakes
- Deleting the parent of an active child theme: instantly breaks the site. Confirm parent/child relationships first.
- Removing every Twenty* theme: zero fallback. If the active theme breaks, WordPress cannot fall back to a default theme.
- Keeping "Twenty Eleven" from 2011: a 14-year-old theme with no updates. Replace it with Twenty Twenty-Four.
- Deleting via FTP without flushing: cache plugins may still serve assets from the deleted theme. Flush caches after.
Verifying the fix
Run wp theme list again. There should be roughly 2-3 themes: the active one (and its parent if applicable) plus one fallback. RankPlus turns green. Browse the site - removing inactive themes should produce zero visible change.
wp option delete theme_mods_THEME-SLUG cleans up.
Be especially careful with themes from defunct marketplaces - even if they still work, they will never receive security updates. Either find an actively maintained replacement or fork into a child theme with manual patches.
Schedule a quarterly theme-update review: visit Appearance > Themes and click "Check again" to confirm you are on the latest version. Commercial themes that do not auto-update accumulate risk over time, especially when they bundle older versions of libraries like Slick, Bootstrap or jQuery that may have known CVEs.