Antivirus Flags Trojan in Official WordPress 6.6.1 Download: What Really Happened?
A recent alert by Windows Defender caused a stir among WordPress users, flagging the latest version, WordPress 6.6.1, as containing a antivirus flags trojan. The situation quickly escalated, leading to websites being locked down and widespread confusion. Here’s a detailed look at what happened and what was learned from the experience.
Initial Reports and Panic
The first report appeared on the official WordPress.org help forums. A user noted that their antivirus software, Windows Defender, flagged the WordPress 6.6.1 zip file as containing the Trojan
/Phish!MSR virus. The same alert appeared when attempting to update from within the WordPress dashboard. This raised immediate concerns about the integrity of the official WordPress download.
Here’s the text from the original post:
“Windows Defender shows that the latest wordpress-6.6.1.zip has Trojan
/Phish!MSR virus when I try downloading from the official WP site. It shows the same virus notification when updating from within the WordPress dashboard of my site. Is this a false positive?”
The user also shared screenshots showing the trojan warning, with the status marked as “Quarantine failed” and the file described as “dangerous and executes commands from an attacker.”
The Investigation
Another user confirmed the issue, pinpointing a specific file:
“I am experiencing the same issue. It seems to occur with the file \wp-includes\css\dist\block-library\style.min.css. It appears that a specific string in the CSS file is being detected as a Trojan virus. I would like to allow it, but I think I should wait for an official response before doing so. Is there anyone who can provide an official answer?”
As more users reported similar problems, it became evident that this was not an isolated incident. The community speculated that the alert might be a false positive, a situation where antivirus software mistakenly identifies a harmless file as malicious.
Official Response and Discovery
The WordPress team responded quickly, filing an official GitHub ticket to investigate the issue. The root cause was identified as an insecure URL (http instead of https) within a CSS file. The URL in question was:
https://core.trac.wordpress.org/ticket/61777
In typical circumstances, URLs within CSS files are not considered security risks. However, Windows Defender flagged this particular URL, mistaking it for a trojan.
The unexpected twist came when it was clarified that the URL was not an external link but an XML namespace identifier used to define the scope of the SVG (Scalable Vector Graphics) language. This nuance was crucial as it meant the URL wasn’t pointing to any downloadable file but was merely a reference within the SVG standard.
Resolution and Learning Points
A fix was proposed to update the URL to its secure counterpart, but it was realized that the URL functioned as an identifier rather than an active link. This revelation highlighted a gap in how antivirus software interprets code, leading to the false positive.
This incident served as a valuable learning experience for developers and users alike:
- Understanding False Positives: It underscored the importance of recognizing and diagnosing false positives in antivirus software.
- Nuances of Coding Standards: It brought attention to the intricacies of coding standards, especially how specific identifiers within files are handled.
- Quick Response and Community Support: The swift action by the WordPress team and the community’s collaboration demonstrated the strength of open-source support systems.
Conclusion
The trojan alert in WordPress 6.6.1 by Windows Defender turned out to be a false positive caused by a misinterpreted XML namespace in a CSS file. The incident not only caused temporary disruption but also provided an educational moment about the complexities of software security and the importance of precise coding practices. Moving forward, both developers and users can take these lessons to enhance their understanding and response to similar issues.
For more updated WP news, check out our page!