For self-hosted situations, installing a theme is step two of a three-step process of swapping out your WordPress theme: 1) download, 2) install, 3) activate. It’s also a step that can get a little tricky for some. In fact, there are probably thousands of requests for help from theme developers because the installation caused a “Theme install failed” message.
For WordPress.com situations, you get to skip this chapter since you cannot install a theme. You must choose from one of the themes in the marketplace found in the Themes screen (Appearance > Themes).
What Does Installing a WordPress Theme Mean?
It simply means that you are uploading the theme files to your server (we will cover a few ways to do this.) It’s also important to note that when you upload a theme, WordPress is going to look for a specific set of files before it will recognize it as a valid theme (a “valid theme” was covered in chapter 2.)
If you have purchased/downloaded a theme from a marketplace or website, you will likely get a .zip file during download. Expand the .zip file to see its contents. The image below shows a typical download (from a major theme marketplace) that contains folders for licensing, Photoshop files (PSD), a read me doc, screenshots, and the theme.
In some cases you will see even more folders and .zip files. In other cases your .zip file may just contain files with .php, .css, and .txt at the end of their names (like what you see on the right in the above image.)
The key takeaway here is that you will need to open/expand the .zip file you downloaded before you upload it to your server to ensure WordPress will accept it. In the case above, the “simplefolio.zip” file (center column) is what you want to upload. Why? WordPress is looking for the files style.css and index.php in order to consider it a theme, and both of these must be at the first level of the theme folder (middle column.)
Ok, so you got it? You are looking for a .zip file that has style.css and index.php inside. Photoshop files and other stuff can remain on your computer.
Where Are WordPress Themes Installed?
All WordPress themes are installed in the “themes” folder inside the “wp-content” folder of the WordPress Core (../wp-content/themes/). The “wp-content/themes” folder is an inherent part of the WordPress Core. Inside this folder are sub-folders, one for each theme installed, and (hopefully) aptly named by the theme developer so you can identify them.
This is the only place WordPress will look to find themes. If you move theme folders out of this folder, they will no longer be visible in the Admin Panel’s Themes screen.
If the theme is active at the time you delete or move the folder, WordPress will deactivate it and then activate the default theme for the version of WordPress you are running. If the default theme is not found in your “themes” folder, you may end up with a blank white website. Default themes were discussed in chapter 1.
What Not to Install
You may find that the .zip file delivered by many theme marketplaces is chock full of secondary files like plugins and documentation, tertiary items like Photoshop files, and even non-related items like hidden system files (Mac’s .DS_Store files) or GitHub files (usually .md and .gitignore files.) Worst-case scenarios are themes with malware, viruses and other harmful crap.
Upload just the theme
Only upload the actual theme files, and none of the other stuff listed above. There is little to no value in storing it on your server, unless storing it locally is not an option. If you do have to store these additional files, create a folder in the root directory of your website and store them there.
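The check described in this section and in “What Does Installing a WordPress Theme Mean?” can be scripted before anything touches the server. This is an added example, not code from the book or from WordPress: the function names, the list of “extras” and the sample package are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

REQUIRED = {"style.css", "index.php"}  # what WordPress looks for, per this chapter
# Extras to keep off the server (assumed, non-exhaustive list).
EXTRA_SUFFIXES = {".psd", ".md"}
EXTRA_NAMES = {".ds_store", ".gitignore"}


def inspect_package(data, label="download.zip", depth=0):
    """Return (themes, extras): where a valid theme sits, and files to leave behind."""
    themes, extras, by_dir = [], [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            where = f"{label} > {path}"
            by_dir.setdefault(str(path.parent), set()).add(path.name.lower())
            if path.suffix.lower() == ".zip" and depth < 2:
                # A nested package (like simplefolio.zip) may be the real theme.
                inner = inspect_package(zf.read(info), where, depth + 1)
                themes, extras = themes + inner[0], extras + inner[1]
            elif path.suffix.lower() in EXTRA_SUFFIXES or path.name.lower() in EXTRA_NAMES:
                extras.append(where)
    # A theme folder holds both required files at its first level.
    themes += [f"{label} > {d}" for d, names in sorted(by_dir.items()) if REQUIRED <= names]
    return themes, extras


def build_sample():
    """Constructed marketplace-style download, built in memory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for name in ("simplefolio/style.css", "simplefolio/index.php",
                     "simplefolio/functions.php", "simplefolio/.DS_Store"):
            zf.writestr(name, "")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        for name in ("Licensing/license.txt", "PSD/home.psd", "readme.md"):
            zf.writestr(name, "")
        zf.writestr("simplefolio.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    themes, extras = inspect_package(build_sample())
    print("Upload:", themes, "\nLeave behind:", extras)
```

An empty “themes” result means the package holds no folder WordPress would accept as a theme. This script only checks structure and does not replace the malware scan described below.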
Scan for malware
While I wish all theme marketplaces were scanning their themes for malware before they allow people to download them, this is simply not the case. In fact, I have yet to see any marketplace overtly state their theme download packages are 100% malware, spyware and junk free.
Never upload a theme that you downloaded from a website until you have had your anti-virus program scan it for malware. You should get in the habit of scanning every file before you upload it to your website.
Once uploaded, you should scan your installed themes using one or both of the following free plugins before you activate them:
- Theme Authenticity Checker (TAC): https://wordpress.org/plugins/tac/ to scan “for malicious or potentially unwanted code.”
- Sucuri Security – SiteCheck Malware Scanner: https://wordpress.org/plugins/sucuri-scanner/ to scan for “various types of malware, SPAM injections, website errors, disabled sites, database connection issues and code anomalies.”
Three Ways to Install a Theme
There are three common ways to get the theme onto your server: WordPress Admin Panel, file transfer protocol (FTP), and using the cPanel on your web host. Which one you use is up to you, though the Admin Panel may be the most common method used. We will briefly cover what each means.
Install WordPress theme via Admin Panel
Your WordPress Admin Panel has the ability to upload theme packages (.zip files), unzip them, and place them in the Themes folder for you. Log in and navigate to Appearance > Themes, then click the “Add new” button at the top of the page, and then the “Upload Theme” button. Click on the “Choose File” button and select your theme’s .zip file from your computer. Click on the “Install Now” button to upload the file.
Depending on the size of the .zip file and how fast your internet connection is, this can take a few seconds to a few minutes or longer. At this point, WordPress is uploading the .zip file, unzipping it and inspecting it for properly formatted style.css and index.php files. Upon successful upload and verification, you should see the following screen:
CAUTION: Please read the next chapter “Activating a theme” before you click on the “Activate” link you see here.
Oh crap: If you see a “Theme install failed” message, please see the “Shooting the Troubles” chapter near the end of this book.
You can also install themes directly from the WordPress Theme Directory by navigating to Appearance > Themes, then look for the “Add new” button at the top of the page, and clicking on the “Search”, “Featured”, “Popular” or “Latest” links. This will allow you to search through the Directory and install a theme directly from there.
Install WordPress theme via FTP
Since there are numerous FTP applications in the world I cannot go over the details for each one. If you are choosing to use FTP to install your theme, I am going to assume you know how to use it.
Installing your theme via FTP is another option. Keep in mind that this is only placing the files on your server in the “themes” folder. You cannot activate a theme by using FTP.
The only real difference with FTP is that you will be unzipping the theme’s .zip file to find the theme folder. It’s the folder with the style.css and index.php files in it that you want to upload to the ../wp-content/themes/ folder. Unlike the steps in the section above, you do not want to upload the .zip file since WordPress will ignore it when looking in the ../wp-content/themes/ folder.
Once the new theme’s folder is uploaded to the themes folder, check the WordPress Themes page in the Admin Panel (Appearance > Themes) to see your new theme listed.
Oh crap: If you fail to see your theme listed in the Themes screen, please see the “Shooting the Troubles” chapter near the end of this book.
Install WordPress theme via cPanel
Many web hosting plans come with some version of cPanel, or at least an admin control panel of some kind. Since there are numerous control panels for all the numerous web hosts in the world I cannot go over the details for each one. If you are choosing to use a control panel to install your theme, I am going to assume you know how to use it.
Similar to FTP above, the main reason you would use a cPanel instead of the supplied uploader in the WordPress Admin Panel is because your theme exceeds WordPress’ max file size limit for uploads.
Once you find the file manager in your web host’s cPanel, you need to locate the theme’s .zip file (the one with the style.css and index.php files in it) and upload it to ../wp-content/themes/. Once the .zip file is in place, you can use the file manager’s “extract” or “unzip” feature to unzip the theme in place. You should now see a folder in ../wp-content/themes/ with the name of your new theme. Check its contents to make sure the theme files are there. Then check the WordPress Themes page in the Admin Panel (Appearance > Themes) to see your new theme listed.
You can, and should, delete the .zip file after you are done extracting it. It is not needed.
Oh crap: If you fail to see your theme listed in the Themes screen, please see the “Shooting the Troubles” chapter near the end of this book.
Look under the hood
After your new theme passes the TAC and Sucuri tests mentioned above, you can then run the Theme-Check plugin to “test your theme for all the latest WordPress standards and practices.”
Below you will see a screen capture of a theme that passed. A scan can present action items that are labeled as “Warning,” “Required,” and “Recommended,” as well as ones that are simply informative, “Info.” A well-built theme will have few or no action items.
Review your scan and make a judgment call on whether you want to proceed using the theme, or contact the developer to see if they are aware of the problems. In some cases, a line item stating the theme is missing support for a ‘custom background’ may not be of any importance to you. Though, a missing navigation menu might be a deal breaker for your needs.
Store the documentation for later
In the section above we learned about all the extra stuff that can come with a theme. I highly recommend you store this somewhere you can access later, like a Dropbox account or on your local drive. You’ll thank me later.
Low-level bot protection
CAUTION: This tip is only for those of you that downloaded your theme from a marketplace and know you will never update the theme (for whatever reason.) Changing the theme name will remove you from being able to receive theme update notifications, if they are available.
There are people that scour WordPress sites’ plugins and themes looking for exploits (like the infamous timthumb.php exploit.) Once an exploitable file is found in a theme (or plugin), hackers deploy bots to make quick work of finding websites using that theme.
How this works is that they already know all themes are stored in the ../wp-content/themes/ folder, so all they have to do is put your domain on the front of ../wp-content/themes/ and the location of the theme’s exploitable file on the end, and they have direct access to it. The bot can do this all day, every day, on virtually every website known to man until it finds a match. Then it executes upon that vulnerability and your website is “hacked.”
Since the bot is looking for a known theme name, you can rename the folder, re-compress the folder into a .zip file, and then upload your theme. So, if your theme’s folder is named “awesome-theme” change it to “awesome-theme-1234” by adding something unique to the end of the name. This way your theme’s folder is still easy to find in file manager/FTP, but also now sports a unique URL. The bot will be looking for example.com/wp-content/themes/awesome-theme/exploitable-file.php and it will get a 404 error (file not found) and move on.
More detailed information on renaming your theme package and theme can be found in Appendix A “FAQs”, section “New Themes: How can I install a theme update as a new, separate theme without overwriting the old theme?”
Caution: Do not rename the folder of an active theme. See next chapter on why this will cause you serious problems.
Stronger bot protection
While the ‘low-level bot protection’ above is easy to do, the following tip is pretty advanced and can cause issues with some plugins you’ll need to be aware of.
You can move the wp-content folder to hide it from bots. Again, the bot will be looking for a known exploit at example.com/wp-content/themes/awesome-theme/exploitable-file.php, but moving the wp-content folder to the example.com/assets/ folder will cause the bot to get a 404 error. Do a web search for “how to move wp-content folder” for plenty of tutorials on this.
Note: Know that moving a theme around and hiding it does NOT take care of the fact that it has an exploit. You still need to update your themes and hound developers to fix these problems.
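The 404s that renamed or moved folders produce are also a useful signal in your access log. The sketch below is an added example, not part of the original chapter: it assumes the Apache/nginx “combined” log format, and the function name, threshold, theme names and log lines are all constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format is assumed; adjust the pattern for your server.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
THEME_RE = re.compile(r"^/wp-content/themes/([^/?]+)/([^?]*)")


def find_theme_probes(lines, installed, min_names=2):
    """Report clients that 404 on several theme folders that are not installed.

    Returns {ip: {"probed": [folder, ...], "served": [url, ...]}}. "served" lists
    theme .php files the same client fetched with a 200, which deserve a look
    because a renamed folder still contains whatever flaw the theme shipped with.
    """
    installed = {name.lower() for name in installed}
    probed, served = defaultdict(set), defaultdict(set)
    for line in lines:
        hit = LINE_RE.match(line)
        theme = THEME_RE.match(hit.group(2)) if hit else None
        if not theme:
            continue
        ip, url, status = hit.groups()
        folder, rest = theme.groups()
        if status == "404" and folder.lower() not in installed:
            probed[ip].add(folder)
        elif status == "200" and rest.lower().endswith(".php"):
            served[ip].add(url)
    # One stray 404 is usually a stale link, so require several distinct folders.
    return {
        ip: {"probed": sorted(names), "served": sorted(served[ip])}
        for ip, names in probed.items() if len(names) >= min_names
    }


# Constructed sample: documentation IP ranges and made-up theme names.
INSTALLED = ["awesome-theme-1234", "twentysixteen"]
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:04:11:02 +0000] "GET /wp-content/themes/awesome-theme/exploitable-file.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [10/Mar/2016:04:11:03 +0000] "GET /wp-content/themes/other-theme/exploitable-file.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [10/Mar/2016:04:11:09 +0000] "GET /wp-content/themes/awesome-theme-1234/exploitable-file.php HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.20 - - [10/Mar/2016:09:30:41 +0000] "GET /wp-content/themes/awesome-theme-1234/style.css HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.20 - - [10/Mar/2016:09:30:42 +0000] "GET /wp-content/themes/old-theme/screenshot.png HTTP/1.1" 404 162 "-" "-"',
]

if __name__ == "__main__":
    print(find_theme_probes(SAMPLE_LOG, INSTALLED))
```

Any entry with a non-empty “served” list is the case the note above warns about: the folder was hidden, but the file inside it still answered.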
Two WordPress themes installed, one activated
I have seen WordPress sites with hundreds of themes installed, and some with five or so installed. Either way, you only need two themes: one that is activated (plus its Parent, if it’s a Child theme) and the latest WordPress default themes (“Twenty Sixteen” or “Twenty Fifteen”) as a backup theme. If there is ever a problem where the current theme has to be disabled, you will want to have a backup theme to keep your site up and running.
The biggest reason you do not want a bunch of deactivated themes in your themes folder is that one or a bunch of them could contain a known exploit. Even if you’ve renamed all those theme folders, why would you want to take the risk for a theme that is not in use? If you must keep them, make a copy of them on your local drive, then delete them from the server.
The other reason to remove extra themes is that your backups will be all that much larger for having to backup all those extra files.
You cannot have two theme folders with the exact same name. Unless you are planning to overwrite an old theme, make sure that any theme you are uploading has a different name than what is already there. Even a “1” at the end of the theme name is enough to be different. Know that, depending on the server, just capitalizing some letters is NOT enough of a difference.
More detailed information on renaming your theme package and theme can be found in Appendix A “FAQs”, section “New Themes: How can I install a theme update as a new, separate theme without overwriting the old theme?” (Until I get that chapter up, you can read my original blog post here.)
If you must hoard themes
If you really, absolutely have to store dozens of your old, unused themes on the server, then use FTP or cPanel file manager to create a new folder in the root directory called “old_themes”, place them in there and tell your backup plugin to ignore this folder. You will have to use FTP or cPanel file manager to access them since WordPress will not find them there. But, seriously, keep them off your server.
Back it up!
I will be repeating this statement throughout this book: you should get in the habit of backing up your entire website—especially the database—before you make major changes, additions, deletions to your website. (See previous chapter “Backing up your entire WordPress website” for details.)