ThemeLab's Blog


Get The Google Malware Hammer For Commented Out CSS


Yes, you read that right. Here’s the deal:

If you’re a WordPress consultant, developer, or whatever, and your client comes to you with a “malware” warning problem, you should definitely be aware of this possibility.

The top of a WordPress theme’s style.css file

At the top of every WordPress theme’s style.css file, a theme may include the following (optional) info to describe itself. Here’s an example:

/*
Theme Name: Theme Lab
Theme URI: http://www.themelab.com/
Description: The theme I use for Theme Lab.
Author: Leland Fiegel
Author URI: http://leland.me/
Version: 1.0

License: Not Applicable License v2.0
License URI: http://example.com/not-for-release-i-dont-need-a-license
*/

WordPress uses this to display certain information on the themes page within your admin (more on this later). It’s also used to generate a page on the WordPress.org theme directory should it be submitted and accepted there.

If the URL listed next to “Theme URI” or “Author URI” is flagged for malware, you could also be flagged for malware, simply for referencing it.

Sponsored Themes and Sketchy Sites

It’s a well-known fact that actually linking out to sketchy sites can get you penalized and potentially flagged for malware. This was a hot topic during the “sponsored themes” era, as well as in discussions about shady theme sites.

Getting flagged for malware for linking out to a malware-infected site is totally understandable as, well… you’re directly linking to a possibly infected site that your visitors could then click on and get infected too.

But getting flagged for malware because of a commented out URL reference in a stylesheet? That’s certainly news to me. How do you protect yourself from that?

Preemptively Removing URL References In Stylesheets

Pretty much all released themes include a link back to WordPress.org and/or the theme developer’s site. Many remove these outgoing links (for “SEO” reasons or whatever).

Not many even think about removing credit info from their stylesheet. The only people who actually check this stuff out are mostly other developers. I know I frequently check WordPress sites’ style.css files to see what theme they’re using, whether it’s pre-made or custom, etc.

Turns out, it’s not just developers who check out commented-out stuff in your style.css file, but also Google bots.

Considering this is something totally out of your control (i.e. the malware status of a third-party site, likely your theme developer) it might be worth removing the Author URI and Theme URI in your style.css file. Heck, even the License URI just to be on the safe side.

Hopefully curious developers can find out the origins of a theme through Googling the theme author and/or name to find their hopefully-non-malware-infected site.
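The header cleanup suggested above, as an added example (not code from the original post or from WordPress): a Python script that lists the hosts referenced by the Theme URI, Author URI and License URI fields of a style.css header, so they can be reviewed, and returns the stylesheet with those lines removed. The function names and the CSS rule after the sample header are assumptions made for illustration, and it assumes one field per line, as in the header shown earlier.

```python
import re
from urllib.parse import urlparse

# Header fields the post suggests removing (matched case-insensitively).
URI_FIELDS = ("Theme URI", "Author URI", "License URI")
# The theme header is the comment block at the very top of style.css.
HEADER_RE = re.compile(r"\ufeff?\s*/\*.*?\*/", re.DOTALL)
# One "Field: value" line, allowing the usual comment decoration before it.
FIELD_RE = re.compile(
    r"[ \t/*#@]*(" + "|".join(map(re.escape, URI_FIELDS)) + r")[ \t]*:[ \t]*(.*?)\s*$",
    re.IGNORECASE,
)

def header_uris(css):
    """Map each URI field found in the header to (url, hostname)."""
    header = HEADER_RE.match(css)
    found = {}
    for line in (header.group(0).splitlines() if header else []):
        m = FIELD_RE.match(line)
        if m:
            found[m.group(1).lower()] = (m.group(2), urlparse(m.group(2)).hostname)
    return found

def strip_header_uris(css):
    """Drop URI field lines from the header; leave every CSS rule untouched."""
    header = HEADER_RE.match(css)
    if not header:
        return css
    kept = [
        line for line in header.group(0).splitlines(keepends=True)
        # Keep a line that also opens or closes the comment, so the CSS stays valid.
        if not FIELD_RE.match(line) or "/*" in line or "*/" in line
    ]
    return "".join(kept) + css[header.end():]

# Constructed sample: the header from the post plus one ordinary rule.
SAMPLE = """/*
Theme Name: Theme Lab
Theme URI: http://www.themelab.com/
Description: The theme I use for Theme Lab.
Author: Leland Fiegel
Author URI: http://leland.me/
Version: 1.0

License: Not Applicable License v2.0
License URI: http://example.com/not-for-release-i-dont-need-a-license
*/
body { background: url(http://example.com/bg.png); }
"""
```

Only the leading comment block is edited, so `url(...)` references in actual rules are preserved; a theme that loads resources from a third-party host is a separate review item.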

Is Merely Referencing A Commented Out URL In CSS… Malware?

Possibly the most concerning part of this news is that even if I referenced the most spammy, malware-ridden site in my CSS with commented out code, how is that any sort of danger to my visitors?

It’s not like I’m loading an external resource from an infected site. It’s just a comment. In CSS. Totally harmless, right?

Like I mentioned above, most people who typically check stylesheet code are other developers. Even if they copy and paste the URL into their browser and get infected with imaginary malware, I feel Google’s policy is overreaching at best (assuming this actually is a policy, not a bug within their malware checking mechanisms).

It’s also worth considering that these theme and author URIs are displayed as actual links within the WordPress admin. It may be Google’s odd way of protecting WordPress users, not necessarily people creeping through your style.css file.

Conclusion

We all know Google and other major search engines will scan your CSS to check for boneheaded “black hat” text hiding techniques (negative text indents, display: none, visibility: hidden, matching background and foreground colors), among other things.

You can certainly get penalized and banned for doing something stupid like that, that’s a well-known fact. Getting a malware warning for commented out code in CSS? Not so well known.

Getting flagged for malware in Google is pretty much SEO suicide. I’ve thankfully never had to deal with one before, although it’s safe to assume my search engine traffic would take a nosedive if I ever did get one.

I would also feel really bad considering that any site that uses a Theme Lab theme could also potentially be flagged for malware as well, just for simply referencing Theme Lab’s URL in the theme stylesheet.

You don’t want to share the blame for another site’s malware status if you don’t have to, even if that original site’s malware status was assigned by mistake.

So yeah, consider removing the Author URI and Theme URI in your style.css. No matter how good a reputation the author/theme has, anybody can potentially be hacked, and it may save you a headache in the future for something that’s no fault of your own.

  • http://imanto.com/blog Anto

    Yeah man I’ve seen this before and removed my links. Even though it’s giving credit to the theme author. I still leave their name in if I’m using a custom theme that’s been modified or something like that.

    Crazy how bots work tbh, can be a little annoying and people have asked me this before.

    I’m sure this post will help them out in the long shot :)

    • Leland

      Hey Anto, when did you first see something like this? I couldn’t find any other previous reports of it.

  • http://jaypeeonline.net JP

    Thanks for sharing about this Leland! This is the first time for me to hear about this kind of issue.

    WordPress users need to know about this. I’ll feature this on my Weekend Roundup and if I have time, I might post about it too.

    It really is important to choose carefully where you download or purchase WordPress themes from.

    • Leland

      Thanks JP, likewise, I’ve never heard of it before I posted this.

      The scary part is, even a reputable theme company can potentially be infected with malware. They might even be the target of such attacks because they’re so popular.

      It’s not just a warning from using themes from sketchy sites.

  • http://themesquirrel.com Joe

    Great to know, thanks!