WPHammer
    Theme Management

    WPHammer tracks installed themes alongside plugins as part of the WordPress inventory. Theme data helps you monitor which themes are active across your sites, which have pending updates, and whether any are inactive and potentially unnecessary.

    Theme inventory

    When inventory collection is enabled, WPHammer records each theme on a site with:

    • Name — the display name of the theme
    • Slug — the theme directory name
    • Version — the currently installed version
    • Status — whether the theme is active or inactive
    • Update available — whether a newer version exists

    The WordPress dashboard shows themes aggregated across all sites. You can see which theme versions are deployed where and identify sites running outdated themes.

    Theme actions

    From the site detail page, you can manage themes:

    Update

    Update a theme to the latest version via WP-CLI. Theme updates run as background jobs and are tracked in the site's activity history.

    Activate

    Switch the active theme for a site. Only one theme can be active at a time. Activating a new theme deactivates the current one.

    Delete

    Remove an inactive theme from the site. Active themes cannot be deleted — deactivate first, then delete. WordPress requires at least one default theme to remain installed as a fallback.

    Themes and security

    While themes are less commonly targeted than plugins, they still represent a potential attack surface — especially if they include custom PHP code, are sourced from untrusted repositories, or have not been updated in a long time. Theme files are included in integrity checks during security scans.

    Removing inactive themes is a common recommendation from WordPress Site Health. If a theme is installed but not active and you do not need it as a fallback, removing it reduces the files available to potential attackers.

    Update suppression

    Just like plugins, theme updates can be suppressed with team-level rules if you intentionally run a specific version. Suppression rules match by type, slug, and optionally version.
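
    The triage described under "Themes and security" and "Update suppression", as an added example that is not WPHammer code: it reads the JSON that `wp theme list --format=json` prints and lists themes that need an update and inactive themes that are removal candidates. The rule shape, the `FALLBACK` choice and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample of `wp theme list --format=json` output (not from a real site).
# In WP-CLI the "name" field is the theme slug (directory name).
SAMPLE = """[
  {"name": "acme-child", "status": "active", "update": "none", "version": "1.0.0"},
  {"name": "acme", "status": "parent", "update": "available", "version": "4.6.0"},
  {"name": "twentytwentyfour", "status": "inactive", "update": "none", "version": "1.2"},
  {"name": "legacy-promo", "status": "inactive", "update": "available", "version": "2.0.1"}
]"""
THEMES = json.loads(SAMPLE)

# Hypothetical rule shape (type, slug, optional version); not WPHammer's own format.
RULES = [
    {"type": "theme", "slug": "acme", "version": "4.6.0"},  # pinned on purpose
    {"type": "plugin", "slug": "legacy-promo"},  # plugin rule: must not hit a theme
]
FALLBACK = "twentytwentyfour"  # assumption: the default theme kept as fallback


def is_suppressed(theme, rules):
    """True if a theme rule matches the slug and, when set, the installed version."""
    for rule in rules:
        if rule["type"] != "theme" or rule["slug"] != theme["name"]:
            continue
        if rule.get("version") in (None, theme["version"]):
            return True
    return False


def review(themes, rules, fallback=FALLBACK):
    """Return slugs needing an update and inactive themes that could be removed."""
    updates, removable = [], []
    for theme in themes:
        if theme["update"] == "available" and not is_suppressed(theme, rules):
            updates.append(theme["name"])
        # Status "parent" means the active child theme depends on it: keep it.
        if theme["status"] == "inactive" and theme["name"] != fallback:
            removable.append(theme["name"])
    return {"update": sorted(updates), "remove_candidates": sorted(removable)}


if __name__ == "__main__":
    print(json.dumps(review(THEMES, RULES), indent=2))
```

    A rule that pins a version stops matching once the installed version changes, so the theme shows up for update again.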
