WordPress 4.0 is out, and since it’s a major upgrade, you’ll need to manage the upgrade yourself. It’s easy (just click a button), but while you’re in there, there’s some house cleaning you probably should do.
WordPress themes and plugins are an awesome part of the WordPress ecosystem. Need a feature that WordPress doesn’t have out of the box? Someone has probably built a plugin. Want to give your site a fresh coat of paint? Go grab a theme.
The problem is, you’re now installing someone else’s potentially bad code into your site.
Not only can your site get hacked, but your site could end up being used to hack or attack others, which could lead to you getting your site shut down. You probably don’t want that.
While you’re in your WordPress admin area, after you’ve clicked the “upgrade to 4.0” button, take a little time to clean up your install.
- Make a backup of your site. (You should always have a backup of your site.)
- Go to the Updates section of the Dashboard and make sure your themes and plugins are up-to-date. 
- Go through your plugins and identify any that you’re not using any more, deactivate them (if active), and delete them. You can always install them again. By deleting old, unused plugins, you’re reducing the surface area that can be used to compromise your site.
- Do the same for your themes. Yeah, we all went through and installed 50 themes one day, thinking how great it would be to switch themes at will. How many did you really use? How many even look good any more? Delete them.
- Now, if you’re using a caching plugin (which you should be to get great performance), clear your cache to ensure that you get any of that potentially bad code off of disk.
Set a reminder in your calendar to do this every couple of months (at a minimum). It’ll only take you a few minutes, and it’ll reduce the likelihood that your site becomes a victim.
- If you’ve got a theme or a plugin that you can’t update because you’ve hacked modifications into it, you should see if you can download the newest version and port your modifications into that version of the code. Yeah, it’s a pain, but less painful than having to go through looking to see how badly compromised it is.
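The same checklist can be run from the command line. This is an added example, not part of the original post: it assumes WP-CLI (`wp`) is installed and that you run it from the WordPress root directory, and `wp_housekeeping` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes WP-CLI ("wp") is installed
# and that this is run from the WordPress root directory.
# wp_housekeeping is a hypothetical helper name chosen for this example.

wp_housekeeping() {
    local mode="${1:-report}" backup_dir="${2:-.}" stamp plugins themes p t
    case "$mode" in
        report|apply) ;;
        *) echo "usage: wp_housekeeping [report|apply] [backup_dir]" >&2; return 2 ;;
    esac

    # Inactive plugins and themes are the removal candidates. The parent of an
    # active child theme has status "parent", so it is never listed here.
    plugins="$(wp plugin list --status=inactive --field=name)" || return 1
    themes="$(wp theme list --status=inactive --field=name)" || return 1

    if [ "$mode" = "report" ]; then
        # Change nothing: show pending updates and what "apply" would delete.
        wp plugin update --all --dry-run
        wp theme update --all --dry-run
        for p in $plugins; do echo "inactive plugin: $p"; done
        for t in $themes; do echo "inactive theme: $t"; done
        return 0
    fi

    # 1. Back up the database and wp-content; stop if either step fails.
    stamp="$(date +%Y%m%d-%H%M%S)"
    wp db export "$backup_dir/db-$stamp.sql" &&
        tar -czf "$backup_dir/wp-content-$stamp.tar.gz" wp-content ||
        { echo "backup failed, nothing was changed" >&2; return 1; }

    # 2. Update plugins and themes.
    wp plugin update --all
    wp theme update --all

    # 3. Delete what is not in use (slugs contain no spaces, so the unquoted
    #    expansion splits them into one argument each).
    if [ -n "$plugins" ]; then wp plugin delete $plugins; fi
    if [ -n "$themes" ]; then wp theme delete $themes; fi

    # 4. Flush the WordPress object cache. A page-caching plugin keeps its own
    #    cache, which has to be cleared from that plugin's settings.
    wp cache flush
}
```

Run `wp_housekeeping report` first and read the list of inactive plugins and themes; `wp_housekeeping apply /path/to/backups` then performs the steps.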