Yes, you read that right. Here’s the deal:
- WPTavern interviews a split-testing service
- Split-testing service site gets flagged for malware (terrible timing, I know).
- Why? Because their style.css had a comment referencing another site with an actual malware infection. That’s it. Read more about it in this comment.
If you’re a WordPress consultant, developer, or whatever, and your client comes to you with a “malware” warning problem, you should definitely be aware of this possibility.
The top of a WordPress theme’s style.css file
At the top of every WordPress theme’s style.css file, inside a CSS comment block, a theme describes itself with a set of header fields. Only Theme Name is required; the rest are optional. Here’s an example:
/*
Theme Name: Theme Lab
Theme URI: http://www.themelab.com/
Description: The theme I use for Theme Lab.
Author: Leland Fiegel
Author URI: http://leland.me/
License: Not Applicable License v2.0
License URI: http://example.com/not-for-release-i-dont-need-a-license
*/
WordPress reads this header to display the theme’s name, author and description on the Themes page within your admin (more on this later). The same data is used to generate the theme’s listing on the WordPress.org theme directory, should it be submitted and accepted there.
If whatever URL is listed next to “Theme URI” or “Author URI” is flagged for malware, you could be flagged for malware too, simply for referencing it.
Sponsored Themes and Sketchy Sites
It’s well known that actually linking out to sketchy sites can get you penalized by search engines and potentially flagged for malware. This was a hot topic during the “sponsored themes” era, and again in the discussion of shady theme sites.
Getting flagged for malware for linking out to a malware-infected site is understandable: you’re directly linking to a possibly infected site that your visitors could click through to and get infected themselves.
But getting flagged for malware because of a commented out URL reference in a stylesheet? That’s certainly news to me. How do you protect yourself from that?
Preemptively Removing URL References In Stylesheets
Pretty much all released themes include a link back to WordPress.org and/or the theme developer’s site. Many site owners remove these outgoing links (for “SEO” reasons or whatever).
Not many even think about removing credit info from their stylesheet. The only people who actually check this stuff out are mostly other developers. I know I frequently check WordPress sites’ style.css files to see what theme they’re using, whether it’s pre-made or custom, etc.
Turns out, it’s not just developers who read the commented-out header in your style.css file, but Google’s crawlers as well.
Considering this is something totally out of your control (i.e. the malware status of a third-party site, likely your theme developer’s), it might be worth removing the Author URI and Theme URI from your style.css file. Heck, even the License URI, just to be on the safe side. Leave the Theme Name line alone (and the Template line, if it’s a child theme), since WordPress needs those to recognize the theme at all.
Hopefully curious developers can find out the origins of a theme through Googling the theme author and/or name to find their hopefully-non-malware-infected site.
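Here is a small script that does this check and cleanup for you. It is an added example, not code from this post or from WordPress itself. It mimics the way WordPress reads a theme header (only the first 8 KiB of the file, one case-insensitive regex per field, anything after a closing */ dropped) so the edited file still parses to the same Theme Name and Template; lists which header fields point at which hostnames, so you can run those through whatever URL reputation checker you use; and strips the three URI lines from the header comment only, refusing to write anything if a required field changed. The sample stylesheet embedded in it is constructed from the header shown above, with a made-up child-theme Template line and a body rule added to show that URLs outside the header are left alone.

```python
"""Inspect and strip URL-bearing header fields from a WordPress theme's style.css.

Added example (not the post's or WordPress's own code). Field parsing follows the
shape of WordPress's get_file_data(): first 8 KiB, one regex per field, trailing
'*/' removed, so the cleaned file still parses the same way.
"""
import re
from urllib.parse import urlsplit

# Header fields WordPress recognises in style.css.
THEME_HEADERS = (
    "Theme Name", "Theme URI", "Description", "Author", "Author URI",
    "Version", "Template", "License", "License URI", "Text Domain", "Tags",
)
# Fields that only exist to carry a URL; these are the ones the post suggests dropping.
URI_HEADERS = ("Theme URI", "Author URI", "License URI")
# Fields that must survive: Theme Name or WordPress stops listing the theme,
# Template or a child theme loses its parent.
REQUIRED_HEADERS = ("Theme Name", "Template")
HEADER_BYTES = 8192  # WordPress only inspects the first 8 KiB of the file
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def _field_re(name: str) -> re.Pattern:
    # Optional comment punctuation, then "Field:", then the rest of the line.
    return re.compile(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", re.M | re.I)


def parse_theme_header(css: str) -> dict:
    """Return the header fields WordPress would see for this stylesheet."""
    head = css.encode("utf-8")[:HEADER_BYTES].decode("utf-8", "ignore")
    data = {}
    for name in THEME_HEADERS:
        m = _field_re(name).search(head)
        if m:
            data[name] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return data


def header_hosts(css: str) -> dict:
    """Map each header field that carries a URL to the hostnames it points at."""
    hosts = {}
    for field, value in parse_theme_header(css).items():
        for url in URL_RE.findall(value):
            host = urlsplit(url).hostname
            if host:
                hosts.setdefault(field, []).append(host.lower())
    return hosts


def strip_uri_headers(css: str) -> str:
    """Drop the URI lines from the opening comment block only; the rest is untouched."""
    end = css.find("*/")
    if end == -1:  # no header comment at all, nothing to strip
        return css
    header, rest = css[: end + 2], css[end + 2 :]
    kept = []
    for line in header.splitlines(keepends=True):
        if any(_field_re(name).match(line) for name in URI_HEADERS):
            if "*/" in line:  # keep the comment terminator if it shares the line
                kept.append("*/" + line[line.index("*/") + 2 :])
            continue
        kept.append(line)
    return "".join(kept) + rest


def strip_and_verify(css: str) -> str:
    """Strip the URI fields, then prove the theme still parses the same."""
    before, cleaned = parse_theme_header(css), strip_uri_headers(css)
    after = parse_theme_header(cleaned)
    for name in REQUIRED_HEADERS:
        if before.get(name) != after.get(name):
            raise ValueError(f"{name} changed during cleanup; refusing to continue")
    if header_hosts(cleaned):
        raise ValueError("header still references a URL after cleanup")
    return cleaned


# Constructed sample: the post's header plus a child-theme Template line and a body rule.
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Theme Lab Child
Theme URI: http://www.themelab.com/
Description: Constructed sample header for this example.
Author: Leland Fiegel
Author URI: http://leland.me/
Template: theme-lab
Version: 1.0
License: Not Applicable License v2.0
License URI: http://example.com/not-for-release-i-dont-need-a-license
*/
body { background: url(http://cdn.example.org/bg.png); }
"""

if __name__ == "__main__":
    import sys
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    css = open(paths[0], encoding="utf-8", errors="ignore").read() if paths else SAMPLE_STYLE_CSS
    if "--strip" in sys.argv:
        sys.stdout.write(strip_and_verify(css))  # redirect to a file to keep it
    else:
        for field, hosts in header_hosts(css).items():
            print(f"{field}: {', '.join(hosts)}")
```

Run it with no arguments to see the sample, or point it at a real theme’s style.css (`python3 check_theme_header.py wp-content/themes/yourtheme/style.css`) to list the hostnames the header references; add `--strip` to get the cleaned stylesheet on standard output. The cleanup deliberately stops at the first `*/`, so a URL in a later `background: url(...)` rule, which actually loads a remote resource, is never touched by accident.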
Is Merely Referencing A Commented Out URL In CSS… Malware?
Possibly the most concerning part of this news is that even if I referenced the most spammy, malware-ridden site in a CSS comment, how is that any sort of danger to my visitors?
It’s not like I’m loading an external resource from an infected site. It’s just a comment. In CSS. Totally harmless, right?
Like I mentioned above, most people who typically check stylesheet code are other developers. Even if they copy and paste the URL into their browser and get infected with imaginary malware, I feel Google’s policy is overreaching at best (assuming this actually is a policy, not a bug within their malware checking mechanisms).
It’s also worth considering that the Theme URI and Author URI are displayed as actual clickable links within the WordPress admin. It may be Google’s odd way of protecting WordPress users, not necessarily people creeping through your style.css file.
We all know Google and other major search engines will scan your CSS to check for boneheaded “black hat” text hiding techniques (negative text indents, display: none, visibility: hidden, matching background and foreground colors), among other things.
You can certainly get penalized and banned for doing something stupid like that; that’s well known. Getting a malware warning for commented-out code in CSS? Not so well known.
Getting flagged for malware in Google is pretty much SEO suicide. I’ve thankfully never had to deal with one before, although it’s safe to assume my search engine traffic would take a nosedive if I ever did get one.
I would also feel really bad considering that any site that uses a Theme Lab theme could also potentially be flagged for malware as well, just for simply referencing Theme Lab’s URL in the theme stylesheet.
You don’t want to share the blame with another site’s malware status if you don’t have to, even if that original site’s malware status was made by mistake.
So yeah, consider removing the Author URI and Theme URI from your style.css. No matter how good a reputation the author or theme has, anybody can get hacked, and it may save you a headache down the road for something that’s no fault of your own.