Get Google's Malware Hammer for Commented CSS

Nihan009
Posts: 6
Joined: Sun Dec 22, 2024 3:32 am

Post by Nihan009 »

Last update January 26th, 2024 by Editorial Team
Yes, you read that right. Here's the deal:

WPTavern interviews a split-testing service
A split-testing service's site gets flagged for malware (terrible timing, I know).
Why? Because their style.css had a comment referencing another site with an actual malware infection. And that's it. More information in this comment.
If you are a WordPress consultant, developer, or whatever, and your client comes to you with a “malware” warning issue, you should definitely be aware of this possibility.

The top of a WordPress theme's style.css file
At the top of every WordPress theme's style.css file, a theme can include the following (optional) information to describe itself. Here's an example:

/*
Theme Name: Theme Lab
Theme URI:
Description: The theme I use for Theme Lab.
Author: Leland Fiegel
Author URI:
Version: 1.0

License: Not for Release v2.0
License URI:
*/

WordPress uses this to display certain information on the theme page within your admin (more on this later). It is also used to generate a page in the WordPress.org theme directory should your theme be submitted and accepted there.

If any URLs that appear next to “theme URI” and “author URI” are flagged as malware, you could also be flagged as malware, simply by referencing them.

Sponsored Topics and Suspicious Sites
It is a well-known fact that linking to untrustworthy sites can get you penalized and flagged for malware. This has been a hot topic during the era of “sponsored topics” as well as the discussion about shady thematic sites.

Getting flagged for malware for linking to a malware-infected site is totally understandable since, well… you’re directly linking to a possibly infected site that your visitors could click on and get infected as well.


But getting flagged for malware because of a commented URL reference in a stylesheet? That's news to me. How do you protect yourself from that?

Preemptive removal of URL references in stylesheets
Almost every published theme includes a link to WordPress.org and/or the theme developer’s site. Many remove these outbound links (for “SEO” reasons or whatever).

Many people don't even think about removing credit information from their stylesheets. The only ones who actually check these things are mostly other developers. I know I frequently check the style.css files of WordPress sites to see what theme they're using, if it's pre-made or custom, etc.

It turns out that not only developers check things commented out in your style.css file, but also Google bots.

Considering this is something completely out of your control (i.e. the malware status of a third-party site, likely your theme developer) it might be worth removing the author URI and theme URI from your style.css file. Heck, even the license URI just to be on the safe side.

Hopefully, curious developers can figure out a theme's origins by Googling the author and/or theme name to find their hopefully malware-free website.

Is it simply referencing a commented URL in CSS… Malware?
Possibly the most worrying part of this news is that even if I reference the most spammy, malware-ridden site in my commented CSS, how is that any kind of danger to my visitors?

It's not like I'm loading an external resource from an infected site. It's just a comment. In CSS. Totally harmless, right?

As I mentioned before, most of the people who actually check stylesheet code are other developers. Even if they copy and paste the URL into their browser and get infected with imaginary malware, I think Google's policy is overblown at best (assuming this is actually a policy and not a bug in their malware checking mechanisms).

It's also worth noting that these theme and author URIs are displayed as real links in the WordPress admin. This may be a strange way for Google to protect WordPress users, not necessarily people who sneak into your style.css file.

Conclusion
We all know that Google and other major search engines will scan your CSS for “black hat” text hiding techniques (negative text indents, display: none, visibility: hidden, matching foreground and background colors), among other things.

You can certainly get penalized and banned for doing something stupid like that, that's a well-known fact. Getting a malware warning for commented out CSS code? Not so well-known.

Getting flagged for malware on Google is practically SEO suicide. Thankfully, I’ve never had to deal with one before, though it’s safe to assume my search engine traffic would plummet if I ever received one.

I would also feel pretty bad considering that any site using a Theme Lab theme could also be flagged for malware, simply by referencing the Theme Lab URL in the theme's stylesheet.

One doesn't want to share the blame for another site's malware status if one doesn't have to, even if the original site's malware status was done in error.

So yes, consider removing the author URI and theme URI in your style.css. No matter how good the author/theme's reputation is, anyone can potentially be hacked, and it can save you a headache down the road for something that's not your fault.
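One way to carry out the removal suggested above, as an added example that is not part of the original post: it strips the Theme URI, Author URI and License URI lines from the header comment and, going slightly beyond the header, lists URLs left in any other CSS comment so they can be reviewed. The function names, the sample stylesheet and the example.* hosts are constructed for illustration.

```python
import re

# Header fields the post suggests removing; all three point at third-party sites.
URI_FIELDS = ("Theme URI", "Author URI", "License URI")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
FIELD_RE = re.compile(
    r"^[ \t*]*(" + "|".join(URI_FIELDS) + r")[ \t]*:[ \t]*(\S*)[^\n]*\n?",
    re.IGNORECASE | re.MULTILINE,
)
URL_RE = re.compile(r"https?://[^\s*]+")


def audit_comments(css):
    """Return every URL that appears inside any CSS comment."""
    found = []
    for comment in COMMENT_RE.findall(css):
        found.extend(URL_RE.findall(comment))
    return found


def strip_uri_headers(css):
    """Drop URI header lines from the first comment; return (css, removed)."""
    match = COMMENT_RE.search(css)
    if not match:
        return css, []
    body = match.group(0)[2:-2]  # text between /* and */, so */ is never eaten
    removed = [(m.group(1), m.group(2)) for m in FIELD_RE.finditer(body)]
    cleaned = "/*" + FIELD_RE.sub("", body) + "*/"
    return css[:match.start()] + cleaned + css[match.end():], removed


# Constructed sample stylesheet (not taken from any real theme).
SAMPLE = """/*
Theme Name: Example Theme
Theme URI: https://themes.example.com/example-theme
Author: Example Author
Author URI: https://author.example.net/
Version: 1.0
License URI: https://license.example.org/v2
*/
body { color: #333; } /* palette from https://colors.example.org/p/1 */
"""

if __name__ == "__main__":
    cleaned, removed = strip_uri_headers(SAMPLE)
    print("removed:", removed)
    print("still referenced in comments:", audit_comments(cleaned))
    print(cleaned)
```

The theme name, author and version lines are left in place, so WordPress can still identify the theme after the URI lines are gone.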