Multiple user reports have emerged warning that the latest version of WordPress is triggering trojan alerts. At least one individual reported that a web host locked down a website because of the file. This incident turned into a learning experience for many.
Antivirus Flags Trojan In Official WordPress 6.6.1 Download
The first report surfaced in the official WordPress help forums, where a user claimed that the native antivirus in Windows 11 (Windows Defender) flagged the WordPress zip file they had downloaded, identifying it as a trojan.
This is the text of the original post:
“Windows Defender shows that the latest wordpress-6.6.1zip has Trojan:Win32/Phish!MSR virus when I try downloading from the official wp site.
It shows the same virus notification when updating from within the WordPress dashboard of my site.
Is this a false positive?”
They also posted screenshots of the trojan warning, which listed the status as “Quarantine failed” and indicated that the WordPress zip file of version 6.6.1 “is dangerous and executes commands from an attacker.”
Screenshot Of Windows Defender Warning
Another user confirmed experiencing the same issue, pointing out that a string of code within one of the CSS files (style code that governs the look of a website, including colors) was triggering the warning.
They posted:
“I am experiencing the same issue. It seems to occur with the file \wp-includes\css\dist\block-library\style.min.css. It appears that a specific string in the CSS file is being detected as a Trojan virus. I would like to allow it, but I think I should wait for an official response before doing so. Is there anyone who can provide an official answer?”
Unexpected “Solution”
A false positive is generally a result that tests as positive when it’s not actually positive for what is being tested. WordPress users soon started suspecting that the Windows Defender trojan virus alert was a false positive.
An official WordPress GitHub ticket identified the cause as an insecure URL (http versus https) referenced within the CSS style sheet. A URL is not commonly considered part of a CSS file, which may be why Windows Defender flagged this specific CSS file.
Here’s the part where things went in an unexpected direction. Someone opened another WordPress GitHub ticket to document a proposed fix for the insecure URL. The issue should have ended there but instead uncovered the real problem.
The insecure URL that needed fixing was this one:
http://www.w3.org/2000/svgThe person who opened the ticket updated the file with a version containing a link to the HTTPS version, which should have resolved the issue. However, this URL is not a link to a source of files (and thus not insecure) but rather an identifier that defines the scope of the Scalable Vector Graphics (SVG) language within XML.
The real issue ended up being with Windows Defender, which mistakenly flagged an "XML namespace" as a URL linking to downloadable files.
Takeaway
The false positive trojan file alert by Windows Defender and the ensuing discussion provided a learning moment for many people, myself included, about a relatively obscure bit of coding knowledge regarding the XML namespace for SVG files.
Read the original report:
Virus Issue: wordpress-6.6.1.zip shows a virus from windows defender
Featured Image by Shutterstock/Netpixi
