WordPress 6.6.1 Was Flagged For Trojan Malware
Multiple user reports have surfaced warning that the latest version of WordPress is triggering trojan alerts and at least one person reported that a web host locked down a website because of the file. What really happened turned into a learning experience.
The Search Engine Journal is reporting that the first report was filed in the official WordPress.org help forums where a user reported that the native antivirus in Windows 11 (Windows Defender) flagged the WordPress zip file they had downloaded from WordPress contained a trojan.
This is the text of the original post:
Windows Defender shows that the latest wordpress-6.6.1zip has Trojan:Win32/Phish!MSR virus when i try downloading from the official wp site. It shows the same virus notification when updating from within the WordPress dashboard of my site. Is this a false positive?
The insecure URL that needed fixing was this one:
http://www.w3.org/2000/svg
So the person who opened the ticket updated the file with a version that contained a link to the HTTPS version which should have been the end of the story but for a nuance that was overlooked.
The (‘insecure’) URL is not a link to a source of files (and therefore not insecure) but rather an identifier that defines the scope of the Scalable Vector Graphics (SVG) language within XML.
So the problem ultimately ended up not being about something wrong with the code in WordPress 6.6.1 but rather an issue with Windows Defender that failed to properly identify an “XML namespace” instead of mistakenly flagging it as a URL linking to downloadable files.
The false positive trojan file alert by Windows Defender and subsequent discussion was a learning moment for many people (including myself!) about a relatively arcane bit of coding knowledge regarding the XML namespace for SVG files.