Setting up a demo for your WordPress themes is a common task, probably the most important task, if you have a premium WordPress themes business. There are several technical things you have to take care of, such as setting up the content, configuring theme options and uploading images. But that’s not all. This post will show you 3 problems that most theme authors forget and, of course, how to solve them.

1. Do not let Google index your demo sites

This is the biggest problem that you should fix immediately. But why do you need to tell Google to not index your demo sites? Well, there are several major issues such as:

  • You will be hit by massive numbers of bots crawling your websites. Instead of reserving your server / hosting resources for real users, you’re wasting them on bots that have no intention of purchasing your themes.
  • You will receive massive attacks from hackers. When Google indexes your site, it becomes visible to hackers. Then you will receive some crappy pings and trackbacks, and probably something worse, like brute-force attacks or XML-RPC attacks. Again, you’re wasting your server resources for nothing. And worse than that, you might be hacked!
  • You will receive harmful backlinks. As the demo sites have no valuable content, links from those sites (to your business site) are crappy. They will harm you in terms of SEO. If someday you wonder why traffic to your business site is decreasing, this is one answer.

So, it’s better to not index your websites, isn’t it? How to do that?

There are many ways to do that. Here are 3 ways:

1.1. Disable Search Engine Visibility Option

Go to Settings → Reading and tick the checkbox “Search Engine Visibility”:

Disable search engine visibility

As described clearly, this option discourages search engines from indexing your site.

1.2. Using robots.txt File

A robots.txt file is a file at the root of your site that indicates those parts of your site you don’t want accessed by search engine crawlers. Using robots.txt, you can tell the bots not to access some parts of your site, or the whole of it.

To block the whole site, create a robots.txt file at the root of your website and put the following content in it:

User-agent: *
Disallow: /

1.3. Using Robots Meta Tags

Another way to tell robots to stay away from your website is to use meta tags. All we need to do is put the following code in the <head> section of your site:

<meta name="robots" content="noindex, nofollow">

But doing that manually is a bad idea. As you’re setting up demo sites for WordPress themes, you can hook into wp_head to output it.

The best way to hook into wp_head is to create a Must-Use Plugin. Basically, a must-use plugin is a PHP file put in the wp-content/mu-plugins folder that is always loaded when WordPress runs. So, in this situation, just create a file named demos.php in that folder and put the following code in it:

<?php
// Print the robots meta tag inside <head> on every front-end page.
add_action( 'wp_head', function() {
    echo '<meta name="robots" content="noindex,nofollow">' . "\n";
} );

2. Disable Comment Posting But Still Show Comment Form

Comments are a very popular way to attack a website. Bots using automation tools can leave you with hundreds to thousands of spam comments per day. Stopping comments saves you a lot of database space and the CPU time spent handling them.

You can easily disable comments in Settings → Discussion. However, this method has a problem: the comment form doesn’t show at all. That might be bad for your demo sites, because you need to show how your themes work with comments.

So, in this situation, we can use a hook to stop comments from being processed. That means the comment form is still displayed on your pages, but whenever someone submits a comment, WordPress immediately stops processing it. No data is inserted in the database.

We’ll continue using the must-use plugin method above, because we need some code. Just open the file demos.php again and add the following code:

// Abort a submitted comment before WordPress processes or stores it.
add_action( 'pre_comment_on_post', function() {
    wp_die( 'Sorry, this demo is used only for presentation purpose. We do not allow comments here.' );
} );

The hook pre_comment_on_post is documented here (although not much info, actually). It fires before a comment is processed. We use wp_die to stop immediately, because we don’t want any comments, either from users or bots. Normal users will see the message and understand why we do that.
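
The hook above covers the comment form handler (wp-comments-post.php). The pings and trackbacks mentioned in section 1, and comments created through the REST API, take other code paths, so a demo can close those too. This is an added example, not code from the original post; it is written as its own file in wp-content/mu-plugins/, and the error code demo_comments_closed and the message text are made up for illustration.

```php
<?php
// Added example (not from the original post): close the comment write paths
// that pre_comment_on_post does not see. Save as a separate file in
// wp-content/mu-plugins/ so it is always loaded.

// Trackbacks (wp-trackback.php) and XML-RPC pingbacks both call pings_open()
// before storing anything, so answering "closed" for every post rejects them.
add_filter( 'pings_open', '__return_false', 20 );

// Comments created through the REST API (POST to /wp/v2/comments) never pass
// through wp-comments-post.php. Returning a WP_Error from this filter makes
// the comments controller stop before anything is inserted.
add_filter( 'rest_pre_insert_comment', function ( $prepared_comment, $request ) {
    return new WP_Error(
        'demo_comments_closed', // hypothetical error code chosen for this example
        'This demo is for presentation only. Comments are not stored.',
        array( 'status' => 403 )
    );
}, 10, 2 );
```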

3. Disable Emails

A contact page seems to be a very common page that must be set up in almost all demos. A contact page has a contact form, and where there is a form, there is a way to attack. Automated bots will keep submitting the contact form with crappy content: suggestions for buying viagra, SEO link building, re-designing your website (thanks, I’m selling WordPress themes!). Sometimes real users submit pre-sale questions, but not too many. So it’s a good idea to stop contact forms from sending emails.

There are several ways to disable emails in WordPress. You can hook into PHPMailer and make it die. But I found the easiest way (and probably the fastest way) is overriding the wp_mail function. wp_mail is a pluggable function, which means it’s replaceable: pluggable functions let you override certain core functions via plugins. WordPress loads the built-in versions only if they are still undefined after all plugins have been loaded.

So, to do that, simply register a wp_mail function in our must-use plugin demos.php file by putting the following code:

// Replace the pluggable wp_mail(): send nothing, but report success to the caller.
function wp_mail( $to, $subject, $message, $headers = '', $attachments = [] ) {
    return true;
}

Here we return true to tell WordPress the emails were sent successfully (they were not, actually), so WordPress can continue its work, such as displaying a success message to users. That might make real users think the contact form is working well.
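
A variant of the override above, as an added example rather than the post's own code: it is wrapped in function_exists() so it does not redeclare wp_mail if something loaded earlier has already defined it, and it writes one metadata line per dropped message so you can see how much mail the demo is swallowing. Use it instead of the version above, not alongside it; the [demo-mail] log prefix and the 80-character subject cap are choices made for this example.

```php
<?php
// Added example (not from the original post). Lives in wp-content/mu-plugins/
// and replaces the shorter wp_mail() override; do not define both.
if ( ! function_exists( 'wp_mail' ) ) {
    /**
     * Drop every outgoing e-mail, but record that it happened.
     * The signature mirrors the override shown in the post.
     */
    function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
        // $to may be an array or a comma-separated string.
        $recipients = is_array( $to ) ? $to : explode( ',', (string) $to );

        // The subject comes from an untrusted form: replace control characters
        // (CR/LF included) and double quotes, and cap the length, so a
        // submission cannot forge or flood log lines.
        $safe_subject = substr(
            preg_replace( '/[\x00-\x1F\x7F"]+/', ' ', (string) $subject ),
            0,
            80
        );

        // Log metadata only; addresses and the message body are not written out.
        error_log( sprintf(
            '[demo-mail] dropped: recipients=%d subject="%s" body_bytes=%d',
            count( $recipients ),
            $safe_subject,
            strlen( (string) $message )
        ) );

        return true; // same result the post's version reports to the caller
    }
}
```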

I’ve been using these small tips for a while and they work well. No more high CPU load. No more spam emails. Everything is better than it was. If you run a premium WordPress themes business and have good tips on setting up demo sites, please share them in the comments.
