pre-defined theme file exclusions #94

@stklcode

Part of the discussion in WP support forums (again): https://wordpress.org/support/topic/virus-alert-since-1-4-0/#post-13851120

With manual scan restored in 1.4.1 (broken in 1.4.0) and all theme files of the current and parent theme(s) being evaluated, quite a lot of false positives can occur when using themes (or theme builders to be more precise) like Divi.

Especially builders that do act like a parent theme themselves will likely raise warnings, because they do e.g. file handling by design. That is not part of the actual theme processing, but in the end it's PHP files and they are scanned.

Open for discussion:
We might consider adding pre-defined filter patterns to exclude such files for popular themes.

One possibility could be extending theme_scandir_exclusions (since WP 4.7.4) which defaults to

array( 'CVS', 'node_modules', 'vendor', 'bower_components' )

Another possibility is a custom filter hook.

And last but not least we can extend the quite simple RegEx patterns with certain conditions.

Combination with pre-shared checksums (#82) sounds like a reasonable solution, i.e. if official checksums match, the files can be considered unmodified. Won't help in case of Divi for themes that are not listed in the official repo.
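
The checksum idea from the last paragraph, as an added example that is not part of the original issue or the AntiVirus plugin's code: a file is left out of the pattern scan only when its current hash matches a known-good value, so an exclusion cannot hide a modified file. The function name, the manifest format (relative path mapped to a SHA-256 digest) and the sample theme files are constructed for illustration.

```php
<?php
/**
 * Added illustration, not AntiVirus plugin code. The function name and the
 * manifest format (relative path => SHA-256 hex digest) are assumptions.
 *
 * Returns the theme files that still need a pattern scan: a file is skipped
 * only if its current hash equals the known-good hash recorded for that path.
 */
function example_files_needing_scan( string $theme_root, array $files, array $known_good ): array {
	$to_scan = array();
	foreach ( $files as $relative ) {
		$path     = $theme_root . '/' . $relative;
		$expected = $known_good[ $relative ] ?? null;
		$actual   = is_readable( $path ) ? hash_file( 'sha256', $path ) : false;

		// Fail closed: unknown, unreadable or modified files are always scanned.
		if ( null === $expected || false === $actual || ! hash_equals( $expected, $actual ) ) {
			$to_scan[] = $relative;
		}
	}
	return $to_scan;
}

// Constructed sample: a throwaway "theme" with three files.
$root = sys_get_temp_dir() . '/example-theme-' . uniqid();
mkdir( $root . '/builder', 0700, true );
file_put_contents( $root . '/functions.php', "<?php // theme setup\n" );
file_put_contents( $root . '/builder/export.php', "<?php // file handling by design\n" );
file_put_contents( $root . '/builder/import.php', "<?php // file handling by design\n" );

// Manifest recorded while the builder files were in their shipped state.
$manifest = array(
	'builder/export.php' => hash_file( 'sha256', $root . '/builder/export.php' ),
	'builder/import.php' => hash_file( 'sha256', $root . '/builder/import.php' ),
);

// Simulate a later modification of one file that the manifest covers.
file_put_contents( $root . '/builder/import.php', "<?php // altered\n", FILE_APPEND );

$files = array( 'functions.php', 'builder/export.php', 'builder/import.php' );
print_r( example_files_needing_scan( $root, $files, $manifest ) );
```

Unlike a name-based entry in `theme_scandir_exclusions`, which skips every directory or file with that name regardless of content, this check keeps a file in the scan as soon as it differs from the recorded hash or has no recorded hash at all.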
