What to do when popular plugins or themes contain malicious URLs.

A couple of weeks ago a popular theme started showing up in Wordfence scans as containing a malicious URL. I received a few questions from our customers about why we’re flagging such a well-known theme as potentially malicious.

Today a popular plugin has been flagged as containing a malicious URL. This happens from time to time, and today I’ve already received a couple of questions about it via email, so I’m going to clarify why this happens and what to do about it.

Google maintains a list of websites that are dangerous because they host malware or engage in malicious activities like phishing. This list is the most reliable and real-time list on the Internet today of bad websites.

Wordfence uses this list to scan your website and let you know if your site has any source code, blog entries, pages, comments, files or other media that contain any URLs that point to these websites.

Why do we do this and why is it so incredibly valuable? Because if you link to a malicious website, your site’s SEO rankings will be hurt. This could take the form of an SEO penalty where your ranking in the search results drops. Or the worst case scenario is that your site is also flagged as malware by Google.

The list that Google maintains of known bad sites is constantly changing. So a website that was good today may be listed as malicious by Google tomorrow. So even if your website doesn’t change, you may see a new alert telling you that you are now linking to a known bad website and you’d better do something about it.

When Wordfence tells you that a post, comment, piece of source code or something else contains a bad URL, you need to get rid of that URL to preserve your search engine ranking.

Today we’re seeing reports that the readme.txt file of a popular plugin contains a URL that is listed on Google’s Safe Browsing list as a known bad site. Because the readme.txt file is publicly accessible, your site is now linking to a known malicious site and you may incur an SEO penalty. You can view the file by visiting:

www.example.com/wp-content/plugins/[plugin-directory]/readme.txt

Replace example.com with your own site’s domain. This link will work unless you have a non-standard site structure.

So what you need to do is go into the readme.txt file in question and delete the URL we’ve told you is bad. Then drop an email to the plugin author and let them know there’s a URL that has been flagged as malicious in their readme.txt. I’ve already contacted the author of this particular plugin.

Who’s to blame? No one. What likely happened here is that someone who contributed to the plugin is mentioned in the readme.txt. Google flagged their website as malicious. Google may have done this because that person’s site was hacked or for some other reason. So the way this should play out is:

  • The person who owns the site will fix whatever problem they have with their site and send a “request for reconsideration” to Google to get their site removed from the Google Safe Browsing list.
  • The plugin author will remove the URL from the readme.txt until the site is cleared by Google.
  • Plugin users (that’s you) will manually remove the URL from the readme.txt file. If they upgrade the plugin they will make sure the URL is still removed until the site is cleared by Google.
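As an added example (not Wordfence code and not part of the original post), this Python script covers the plugin user's side of the steps above: it checks every plugin's readme.txt for a host you have been alerted about and replaces matching URLs in place, so it can be re-run after each plugin upgrade. The host `flagged.example`, the function names and the sample readme are constructed; supply the host named in your own scan result, in lowercase.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# http(s) URLs and bare www. hosts; trailing sentence punctuation is not captured.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')\[\]]*[^\s<>\"')\[\].,;:!?]", re.I)

def is_flagged(url, flagged_hosts):
    """True if the URL's host is a flagged host or a subdomain of one."""
    try:
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    except ValueError:
        return False
    host = host.lower().rstrip(".")
    return any(host == f or host.endswith("." + f) for f in flagged_hosts)

def find_flagged(plugins_dir, flagged_hosts):
    """Return (file, line number, url) for flagged URLs in each plugin's readme.txt."""
    hits = []
    for readme in sorted(Path(plugins_dir).glob("*/readme.txt")):
        text = readme.read_text(encoding="utf-8", errors="replace")
        for n, line in enumerate(text.splitlines(), 1):
            hits += [(readme, n, u) for u in URL_RE.findall(line) if is_flagged(u, flagged_hosts)]
    return hits

def strip_flagged(readme, flagged_hosts):
    """Replace flagged URLs in one readme.txt in place; return how many were replaced."""
    removed = []
    def repl(m):
        if not is_flagged(m.group(0), flagged_hosts):
            return m.group(0)
        removed.append(m.group(0))
        return "[link removed]"
    text = Path(readme).read_text(encoding="utf-8", errors="replace")
    Path(readme).write_text(URL_RE.sub(repl, text), encoding="utf-8")
    return len(removed)

def demo():
    """Run both steps on a constructed plugin tree (sample data, not from the post)."""
    flagged = {"flagged.example"}  # constructed; use the host named in your scan alert
    with tempfile.TemporaryDirectory() as root:
        readme = Path(root, "sample-plugin", "readme.txt")
        readme.parent.mkdir()
        readme.write_text("=== Sample Plugin ===\nDonate link: http://www.flagged.example/donate\n"
                          "Docs: https://ok.example/ and www.cdn.flagged.example.\n", encoding="utf-8")
        before = [(n, u) for _, n, u in find_flagged(root, flagged)]
        return before, strip_flagged(readme, flagged), find_flagged(root, flagged), readme.read_text()
```

On a real site, point `find_flagged` at your `wp-content/plugins` directory and call `strip_flagged` on each file it reports.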

If you don’t like that Wordfence is telling you your site is linking to sites listed as malicious in Google’s Safe Browsing list, simply disable the option in your Wordfence options titled:

“Scan file contents for backdoors, trojans and suspicious code”

Personally I love this feature and we keep it enabled on all production sites run by our parent company (some of which receive 5 million+ uniques monthly). I also keep it enabled on all my personal sites to ensure my ranking in Google stays high.

Regards,

Mark Maunder – Wordfence creator and Feedjit Inc. CEO.

2 Comments
  • Every time I upgrade wordfence on my wp site, I receive a notification from my hosting company, namecheap, that your plugin readme.txt is being quarantined ('[PHP Exploit [P0167]]': /home/xxx/public_html/addonsites/xxx/wp-content/plugins/wordfence/readme.txt)

    Since this article addresses the issue, please update your readme.txt and remove the URLs that are considered malicious. Meanwhile I will let namecheap know that this is a false positive.

    Thanks.

    • Please contact namecheap about this. They appear to be using this product:

      http://configserver.com/cp/cxs.html

      Tell them to fix the false positive.

      Regards,

      Mark.