Trojan alert detected in WordPress 6.6.1? Understand the case
Posted: Sat Feb 01, 2025 5:17 am
Recently, several users reported a trojan in WordPress 6.6.1, an update to the popular content management system. The threat was detected by Windows Defender.
This incident, which initially caused concern among website administrators, turned out to be an interesting case of a false positive. Let's take a look at what happened, how it was resolved, and what we can learn from it.
The WordPress 6.6.1 Trojan Alert
In a post on the official WordPress.org forum, a user reported that when trying to download the WordPress 6.6.1 zip file, Windows Defender, Windows 11's native antivirus program, identified the file as a trojan.
The alert pointed to “Trojan/Phish!MSR,” indicating that the file was dangerous and could execute commands from an attacker. Other users confirmed the same issue, mentioning that a specific string in a CSS file was triggering the alert.
The problem with the CSS file
Initial investigation indicated that the problem was in a .css file located in the directory \wp-includes\css\dist\block-library\. The CSS code, which is responsible for the appearance of the website, contained a string that Windows Defender mistakenly identified as a trojan. While it is uncommon for viruses to be identified in CSS files, the case did highlight a potential vulnerability.
The resolution of the false positive
Let's now see what was done to solve the case.
Investigation and identification of the cause
The WordPress community quickly began investigating the root cause of the issue. A ticket was opened on the official WordPress GitHub, where it was discovered that the source of the issue was an insecure URL (HTTP instead of HTTPS) within the CSS file.
This URL, however, did not point to a download resource, but rather to an identifier for the XML namespace used by SVG (Scalable Vector Graphics).
The problem was that Windows Defender failed to correctly identify the XML namespace, treating it as a potentially dangerous URL. This misinterpretation by the antivirus resulted in the trojan alert. Therefore, it was a false positive.
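As an added illustration (not code from the original post or from the WordPress project), the following Python triage script shows how an administrator can check which plain-http strings in a CSS file are XML namespace identifiers, which are never fetched, and which are genuine resource references a browser would actually download. The sample CSS is constructed for the example, and the `.invalid` hostname is a placeholder.

```python
import re

# Constructed sample in the style of a block-library stylesheet: an inline SVG
# data URI whose xmlns attribute carries a plain-http namespace identifier,
# plus a real http:// resource reference for contrast (placeholder host).
SAMPLE_CSS = """
.wp-block-example {
  background-image: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>');
}
.legacy-font { src: url(http://fonts.example.invalid/font.woff2); }
"""

# Any plain-http URL, stopping at whitespace, quotes, angle brackets or ')'.
HTTP_URL = re.compile(r'http://[^\s"\'<>)]+')


def classify_http_urls(css: str):
    """Return [(url, kind)] for every plain-http URL found in the CSS text.

    kind is 'xmlns' when the URL is the value of an xmlns attribute (an opaque
    XML namespace identifier compared by string equality, never downloaded),
    'resource' when it is the target of url(...) or @import (something the
    browser would really fetch over the network), and 'other' otherwise.
    """
    findings = []
    for match in HTTP_URL.finditer(css):
        # Look at the few characters immediately before the URL to see what
        # construct it belongs to.
        before = css[max(0, match.start() - 40):match.start()]
        if re.search(r'xmlns(?::\w+)?\s*=\s*["\']$', before):
            kind = "xmlns"
        elif re.search(r'(url\(\s*["\']?|@import\s+["\']?)$', before):
            kind = "resource"
        else:
            kind = "other"
        findings.append((match.group(0), kind))
    return findings


def urls_needing_review(css: str):
    """Only the URLs that are actually fetched deserve a manual check."""
    return [url for url, kind in classify_http_urls(css) if kind != "xmlns"]


if __name__ == "__main__":
    for url, kind in classify_http_urls(SAMPLE_CSS):
        print(f"{kind:8s} {url}")
```

Run against a real `wp-includes/css/dist/block-library/*.css` file by reading it into `classify_http_urls`; an `xmlns` hit alone is the pattern this incident describes, while a `resource` hit is worth verifying.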
Correction and learning
To resolve the issue, the WordPress team updated the URL to use HTTPS, even though the URL is not a file source. This adjustment was more of a preventative measure to prevent antivirus software from incorrectly flagging the CSS file as malicious.
This incident served as a valuable learning experience about the importance of using secure URLs (HTTPS) in all aspects of web development, even in cases that may seem trivial, such as XML namespace references in CSS files.
Lessons learned and preventive measures
Below are the lessons learned from this case and how we can protect ourselves from real threats.