[theme-reviewers] Fwd: Theme Lab

Daniel danielx386 at gmail.com
Fri Aug 23 00:20:09 UTC 2013


Hi guys,

I just saw this in my inbox and I suppose it's a good reminder why reviewers
need to check the URLs that are in the stylesheet and so on.

Daniel

---------- Forwarded message ----------
From: Theme Lab <leland at themelab.com>
Date: Fri, Aug 23, 2013 at 10:05 AM
Subject: Theme Lab
To: danielx386 at gmail.com


Theme Lab <http://www.themelab.com>
------------------------------

Get The Google Malware Hammer For Commented Out CSS
<http://www.themelab.com/2013/08/22/google-malware-css/>

Posted: 22 Aug 2013 05:06 AM PDT

Yes, you read that right. Here’s the deal:

   - WPTavern interviews a split-testing service
     <http://www.wptavern.com/wp-abtesting-split-testing-as-a-service>
   - Split-testing service site gets flagged for malware
     <http://wp-abtesting.com/worst-timing-google-flagged-our-site-as-malware-on-our-prelaunch-announcement/>
     (terrible timing, I know).
   - Why? Because their style.css
     <http://poststat.us/flagged-by-google-in-style-css/> had a comment
     referencing another site with an actual malware infection. That’s it.
     Read more about it in this comment
     <http://wp-abtesting.com/worst-timing-google-flagged-our-site-as-malware-on-our-prelaunch-announcement/#comment-23>.

If you’re a WordPress consultant, developer, or whatever, and your client
comes to you with a “malware” warning problem, *you should definitely be
aware of this possibility*.

The top of a WordPress theme’s style.css file

At the top of every WordPress theme’s style.css file, a theme may include
the following (optional) info to describe itself. Here’s an example:

/*
Theme Name: Theme Lab
Theme URI: http://www.themelab.com/
Description: The theme I use for Theme Lab.
Author: Leland Fiegel
Author URI: http://leland.me/
Version: 1.0

License: Not Applicable License v2.0
License URI: http://example.com/not-for-release-i-dont-need-a-license
*/

WordPress uses this to *display certain information on the themes page
within your admin* (more on this later). It’s also used to generate a page
on the WordPress.org theme directory should it be submitted and accepted
there.

If whatever URL is listed next to “theme URI” and “author URI” is flagged
for malware, *you could also be flagged for malware*, simply for
referencing them.

Sponsored Themes and Sketchy Sites

It’s been a well known fact that actually *linking out to sketchy sites can
potentially get you penalized* and potentially flagged for malware. This
has been a hot topic during the “sponsored themes” era as well as shady
theme site <http://www.themelab.com/2009/12/08/stop-downloading-wordpress-themes-from-shady-sites/> discussion.

Getting flagged for malware for linking out to a malware-infected site is
totally understandable as, well… *you’re directly linking to a possibly
infected site* that your visitors could then click on and get infected too.

But getting flagged for malware because of a commented out URL reference in
a stylesheet? That’s certainly news to me. How do you protect yourself from
that?

Preemptively Removing URL References In Stylesheets

Pretty much all released themes include a link back to WordPress.org and/or
the theme developer’s site. Many remove these outgoing links (for “SEO”
reasons or whatever).

Not many even think about removing credit info from their stylesheet. The
only people who actually check this stuff out are mostly other developers.
I know I frequently check WordPress sites’ style.css files to see what
theme they’re using, whether it’s pre-made or custom <http://customtheme.com>,
etc.

Turns out, *it’s not just developers* who check out commented-out stuff in
your style.css file, but also Google bots.

Considering *this is something totally out of your control* (i.e. the
malware status of a third-party site, likely your theme developer) it might
be worth removing the Author URI and Theme URI in your style.css file.
Heck, even the License URI just to be on the safe side.

Hopefully curious developers can *find out the origins of a theme through
Googling the theme author* and/or name to find their
hopefully-non-malware-infected site.

Is Merely Referencing A Commented Out URL In CSS… Malware?

Possibly the most concerning part of this news, is that even if I
referenced the most spammy, malware-ridden site in my CSS with commented
out code, *how is that any sort of danger to my visitors?*

It’s *not like I’m loading an external resource from an infected site*.
It’s just a comment. In CSS. Totally harmless, right?

Like I mentioned above, most people who typically check stylesheet code are
other developers. Even if they copy and paste the URL into their browser
and get infected with imaginary malware, I feel *Google’s policy is
overreaching at best* (assuming this actually is a policy, not a bug within
their malware checking mechanisms).

It’s also worth considering that these theme and author URIs are *displayed
as actual links within the WordPress admin*. It may be Google’s odd way of
protecting WordPress users, not necessarily people creeping through your
style.css file.

Conclusion

We all know Google and other *major search engines will scan your CSS* to
check for boneheaded “black hat” text hiding techniques (negative text
indents, display: none, visibility: hidden, matching background and
foreground colors), among other things.

You can certainly get penalized and banned for *doing something stupid like
that*, that’s a well-known fact. Getting a malware warning for commented
out code in CSS? Not so well known.

Getting flagged for malware in Google is *pretty much SEO suicide*. I’ve
thankfully never had to deal with one before, although it’s safe to assume
my search engine traffic would take a nosedive if I ever did get one.

*I would also feel really bad* considering that any site that uses a Theme
Lab theme <http://www.themelab.com/free-wordpress-themes/> could also
potentially be flagged for malware as well, just for simply referencing
Theme Lab’s URL in the theme stylesheet.

You don’t want to share the blame with another site’s malware status if you
don’t have to, even if that original site’s malware status was made by
mistake.

So yeah, consider removing the Author URI and Theme URI in your style.css.
No matter how good a reputation the author/theme has, *anybody can
potentially be hacked*, and it may save you a headache in the future for
something that’s no fault of your own.
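
The check described above (reviewing every URL a theme's style.css references, including the commented-out header fields), as an added example that is not part of the original post or of any WordPress tooling. The sample stylesheet, its hostnames and the flagged-host set are constructed; in practice the set would come from whatever reputation lookup the reviewer uses.

```python
import re
from urllib.parse import urlsplit

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
URL_RE = re.compile(r"https?://[^\s'\"<>)*]+", re.IGNORECASE)
# "Theme URI: ..." style header line. The colon must be followed by a space,
# so the "http:" inside a URL is never mistaken for a field name.
FIELD_RE = re.compile(r"^[\s/*]*([A-Za-z][A-Za-z ]*?)\s*:\s")

def _urls(text):
    return [u.rstrip(".,;") for u in URL_RE.findall(text)]

def stylesheet_urls(css):
    """Return (label, url, host) for every URL in the stylesheet.

    label is the header field name when the URL sits on a "Field: value"
    line inside a comment, "comment" for any other commented-out URL, and
    "rule" for URLs that live in actual CSS rules.
    """
    refs = []
    for comment in COMMENT_RE.findall(css):
        for line in comment.splitlines():
            field = FIELD_RE.match(line)
            label = field.group(1) if field else "comment"
            refs += [(label, u) for u in _urls(line)]
    refs += [("rule", u) for u in _urls(COMMENT_RE.sub(" ", css))]
    return [(lbl, u, urlsplit(u).hostname or "") for lbl, u in refs]

def flagged(refs, bad_hosts):
    """Keep references whose host is a flagged host or a subdomain of one."""
    bad = {h.lower() for h in bad_hosts}
    return [r for r in refs
            if any(r[2] == b or r[2].endswith("." + b) for b in bad)]

# Constructed sample: a theme header plus one stray commented-out reference.
SAMPLE_CSS = """/*
Theme Name: Example Theme
Theme URI: http://theme.example/
Author URI: http://author.example/
License URI: http://example.com/license
*/
body { background: url(http://cdn.example.net/bg.png); }
/* grid borrowed from http://old.flagged.example/grid.css. */
"""

if __name__ == "__main__":
    refs = stylesheet_urls(SAMPLE_CSS)
    for label, url, host in refs:
        mark = "FLAGGED" if flagged([(label, url, host)], {"flagged.example"}) else "ok"
        print(f"{mark:8} {label:12} {url}")
```
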
