<div dir="ltr"><div><div>Hi guys,<br><br></div>I just saw this in my inbox and I suppose it's a good reminder why reviewers need to check the URLs that are in the stylesheet and so on.<br><br></div>Daniel<br><div><div><div><br>
<div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Theme Lab</b> <span dir="ltr">&lt;<a href="mailto:leland@themelab.com">leland@themelab.com</a>&gt;</span><br>Date: Fri, Aug 23, 2013 at 10:05 AM<br>
Subject: Theme Lab<br>To: <a href="mailto:danielx386@gmail.com">danielx386@gmail.com</a><br><br><br><u></u>
<div>
<div style="line-height:140%;font-size:13px;font-family:Georgia,Helvetica,Arial,Sans-Serif;margin:0 2em">
<table style="border:0;padding:0;margin:0;width:100%">
<tbody><tr>
<td style="vertical-align:top" width="99%">
<h1 style="margin:0;padding-bottom:6px">
<a style="color:#888;font-size:22px;font-family:Arial,Helvetica,sans-serif;font-weight:normal;text-decoration:none" href="http://www.themelab.com" title="(http://www.themelab.com)" target="_blank">Theme Lab</a>
</h1>
</td>
<td width="1%">
<a href="http://www.themelab.com" target="_blank">
<img src="http://www.themelab.com/themelab-125x125.jpg" alt="Link to Theme Lab" style="padding:0 0 10px 3px;border:0">
</a>
</td>
</tr>
</tbody></table>
<hr style="border:1px solid #ccc;padding:0;margin:0">
<table>
<tbody><tr>
<td style="margin-bottom:0;line-height:1.4em">
<p style="margin:1em 0 3px 0">
<a name="140a87d3292df66d_1" style="font-family:Arial,Helvetica,sans-serif;font-size:18px" href="http://www.themelab.com/2013/08/22/google-malware-css/" target="_blank">Get The Google Malware Hammer For Commented Out CSS</a>
</p>
<p style="font-size:13px;color:#555;margin:9px 0 3px 0;font-family:Georgia,Helvetica,Arial,Sans-Serif;line-height:140%;font-size:13px">
<span>Posted:</span> 22 Aug 2013 05:06 AM PDT</p>
<div style="line-height:140%;font-size:13px;font-family:Georgia,Helvetica,Arial,Sans-Serif;margin:0"><p>Yes, you read that right. Here’s the deal:</p>
<ul>
<li><a href="http://www.wptavern.com/wp-abtesting-split-testing-as-a-service" target="_blank">WPTavern interviews a split-testing service</a></li>
<li><a href="http://wp-abtesting.com/worst-timing-google-flagged-our-site-as-malware-on-our-prelaunch-announcement/" target="_blank">Split-testing service site gets flagged for malware</a> (terrible timing, I know).</li>
<li>Why? <a href="http://poststat.us/flagged-by-google-in-style-css/" target="_blank">Because their style.css</a> had a comment referencing another site with an actual malware infection. That’s it. Read more about it in <a href="http://wp-abtesting.com/worst-timing-google-flagged-our-site-as-malware-on-our-prelaunch-announcement/#comment-23" target="_blank">this comment</a>.</li>
</ul>
<p>If you’re a WordPress consultant, developer, or whatever, and your client comes to you with a “malware” warning problem, <b>you should definitely be aware of this possibility</b>.<span></span></p>
<h3>The top of a WordPress theme’s style.css file</h3>
<p>At the top of every WordPress theme’s style.css file, a theme may include the following (optional) info to describe itself. Here’s an example:</p>
<p><code>/*<br>
Theme Name: Theme Lab<br>
Theme URI: <a href="http://www.themelab.com/" target="_blank">http://www.themelab.com/</a><br>
Description: The theme I use for Theme Lab.<br>
Author: Leland Fiegel<br>
Author URI: <a href="http://leland.me/" target="_blank">http://leland.me/</a><br>
Version: 1.0<br>
License: Not Applicable License v2.0<br>
License URI: <a href="http://example.com/not-for-release-i-dont-need-a-license" target="_blank">http://example.com/not-for-release-i-dont-need-a-license</a><br>
*/</code></p>
<p>WordPress uses this to <b>display certain information on the themes page within your admin</b> (more on this later). It’s also used to generate a page on the WordPress.org theme directory should it be submitted and accepted there.</p>
<p>If whatever URL is listed next to “theme URI” and “author URI” is flagged for malware, <b>you could also be flagged for malware</b>, simply for referencing them.</p>
<h3>Sponsored Themes and Sketchy Sites</h3>
<p>It’s been a well known fact that actually <b>linking out to sketchy sites can potentially get you penalized</b> and potentially flagged for malware. This has been a hot topic during the “sponsored themes” era as well as <a href="http://www.themelab.com/2009/12/08/stop-downloading-wordpress-themes-from-shady-sites/" title="Stop Downloading WordPress Themes from Shady Sites" target="_blank">shady theme site</a> discussion.</p>
<p>Getting flagged for malware for linking out to a malware-infected site is totally understandable as, well… <b>you’re directly linking to a possibly infected site</b> that your visitors could then click on and get infected too.</p>
<p>But getting flagged for malware because of a commented out URL reference in a stylesheet? That’s certainly news to me. How do you protect yourself from that?</p>
<h3>Preemptively Removing URL References In Stylesheets</h3>
<p>Pretty much all released themes include a link back to WordPress.org and/or the theme developer’s site. Many remove these outgoing links (for “SEO” reasons or whatever).</p>
<p>Not many even think about removing credit info from their stylesheet. The only people who actually check this stuff out are mostly other developers. I know I frequently check WordPress sites’ style.css files to see what theme they’re using, whether it’s pre-made or <a href="http://customtheme.com" title="My Custom WordPress theme company!" target="_blank">custom</a>, etc.</p>
<p>Turns out, <b>it’s not just developers</b> who check out commented-out stuff in your style.css file, but also Google bots.</p>
<p>Considering <b>this is something totally out of your control</b> (i.e. the malware status of a third-party site, likely your theme developer) it might be worth removing the Author URI and Theme URI in your style.css file. Heck, even the License URI just to be on the safe side.</p>
<p>Hopefully curious developers can <b>find out the origins of a theme through Googling the theme author</b> and/or name to find their hopefully-non-malware-infected site.</p>
<h3>Is Merely Referencing A Commented Out URL In CSS… Malware?</h3>
<p>Possibly the most concerning part of this news, is that even if I referenced the most spammy, malware-ridden site in my CSS with commented out code, <b>how is that any sort of danger to my visitors?</b></p>
<p>It’s <b>not like I’m loading an external resource from an infected site</b>. It’s just a comment. In CSS. Totally harmless, right?</p>
<p>Like I mentioned above, most people who typically check stylesheet code are other developers. Even if they copy and paste the URL into their browser and get infected with imaginary malware, I feel <b>Google’s policy is overreaching at best</b> (assuming this actually is a policy, not a bug within their malware checking mechanisms).</p>
<p>It’s also worth considering that these theme and author URIs are <b>displayed as actual links within the WordPress admin</b>. It may be Google’s odd way of protecting WordPress users, not necessarily people creeping through your style.css file.</p>
<h3>Conclusion</h3>
<p>We all know Google and other <b>major search engines will scan your CSS</b> to check for boneheaded “black hat” text hiding techniques (negative text indents, display: none, visibility: hidden, matching background and foreground colors), among other things.</p>
<p>You can certainly get penalized and banned for <b>doing something stupid like that</b>, that’s a well-known fact. Getting a malware warning for commented out code in CSS? Not so well known.</p>
<p>Getting flagged for malware in Google is <b>pretty much SEO suicide</b>. I’ve thankfully never had to deal with one before, although it’s safe to assume my search engine traffic would take a nosedive if I ever did get one.</p>
<p><b>I would also feel really bad</b> considering that any site that uses a <a href="http://www.themelab.com/free-wordpress-themes/" target="_blank">Theme Lab theme</a> could also potentially be flagged for malware as well, just for simply referencing Theme Lab’s URL in the theme stylesheet.</p>
<p>You don’t want to share the blame with another site’s malware status if you don’t have to, even if that original site’s malware status was made by mistake.</p>
<p>So yeah, consider removing the Author URI and Theme URI in your style.css. No matter how good a reputation the author/theme has, <b>anybody can potentially be hacked</b>, and it may save you a headache in the future for something that’s no fault of your own.</p>
<p>Related posts:</p><ol><li><a href="http://www.themelab.com/2009/07/02/commercial-wordpress-theme-directory-launches/" rel="bookmark" title="Permanent Link: Commercial WordPress Theme Directory Launches" target="_blank">Commercial WordPress Theme Directory Launches</a></li>
<li><a href="http://www.themelab.com/2011/01/21/theme-devs-random-snippets/" rel="bookmark" title="Permanent Link: Dear Theme Devs, Stop Pasting Random Snippets of Code in functions.php" target="_blank">Dear Theme Devs, Stop Pasting Random Snippets of Code in functions.php</a></li>
<li><a href="http://www.themelab.com/2009/12/08/stop-downloading-wordpress-themes-from-shady-sites/" rel="bookmark" title="Permanent Link: Stop Downloading WordPress Themes from Shady Sites" target="_blank">Stop Downloading WordPress Themes from Shady Sites</a></li>
</ol><p></p><div>
</div></div>
</td>
</tr>
</tbody></table>
</div>
</div>
</div><br></div></div></div></div>
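<p>For the reviewer check mentioned at the top of this thread, the following is an added example (not code from the Theme Lab article or from WordPress) that lists every URL in a style.css and labels it as a URI header field, another commented-out URL, or a resource the browser actually loads, and that applies the article's suggested removal of the URI header lines. The function names <code>audit_stylesheet</code> and <code>strip_uri_headers</code> and the <code>.test</code> hosts in the sample are assumptions made for this example.</p>

```python
import re
from urllib.parse import urlparse

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'()<>*]+", re.IGNORECASE)
# A "Theme URI:", "Author URI:" or "License URI:" header line.
FIELD_RE = re.compile(r"^[ \t*]*(theme|author|license) uri\s*:", re.IGNORECASE)


def audit_stylesheet(css):
    """Return (line, kind, host) for every URL in the stylesheet.

    kind is 'header' for a URI header field inside a comment, 'comment' for
    any other commented URL, and 'loaded' for a URL outside comments
    (url(), @import), which browsers actually fetch.
    """
    spans = [m.span() for m in COMMENT_RE.finditer(css)]
    findings, offset = [], 0
    for lineno, line in enumerate(css.splitlines(keepends=True), start=1):
        for m in URL_RE.finditer(line):
            pos = offset + m.start()
            if not any(start <= pos < end for start, end in spans):
                kind = "loaded"
            elif FIELD_RE.match(line):
                kind = "header"
            else:
                kind = "comment"
            findings.append((lineno, kind, urlparse(m.group(0)).hostname))
        offset += len(line)
    return findings


def strip_uri_headers(css):
    """Drop URI header lines; a line that also closes the comment is kept."""
    lines = css.splitlines(keepends=True)
    return "".join(l for l in lines if "*/" in l or not FIELD_RE.match(l))


# Constructed sample: the article's example header plus two made-up rules.
SAMPLE = """/*
Theme Name: Theme Lab
Theme URI: http://www.themelab.com/
Author: Leland Fiegel
Author URI: http://leland.me/
Version: 1.0
License URI: http://example.com/not-for-release-i-dont-need-a-license
*/
body { background: url(http://cdn.example.test/bg.png); }
/* based on http://upstream.example.test/base.css */
"""
```

<p>The hosts returned by <code>audit_stylesheet(SAMPLE)</code> are what a reviewer would then check by hand or against a reputation service; the example does no network lookups itself.</p>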