WP-Optimize plugin accused of cheating PageSpeed ​​and other performance testing tools – WP Tavern

Meta description

Gijo Varghese, a developer who calls himself “passionate about web performance,” shocked WordPress users around the world over the weekend when he tweeted a screenshot of how WP-Optimize would prevent some JavaScript files when users test their sites through popular performance. testing tools.

“When a site is loaded, JavaScript files are only loaded when the user/browser agent is not Lighthouse/GTmetrix/Headless Chrome/Pingdom,” Varghese said. “No JS = high scores. But for real users, these JS files are loaded!”

Varghese confirmed that he was testing the free version of WP-Optimize, which is used on over a million WordPress sites. UpdraftPlus acquired WP-Optimize in 2016 and claims the tool “has everything you need to keep your website fast and perfectly optimized.” A commercial version is also promoted through the free plugin hosted at WordPress.org.

“Tell me, UpdraftPlus, how am I supposed to continue to trust your company with my customers’ backups when you use these deceptive and fraudulent practices?” an Adam Lowe customer said in response to Varghese finding plugin not loading JS for performance tools.

“Wow, all I can say is what a complete disappointment,” said WordPress agency owner and developer Brian Jackson.

This kind of alleged deception sounds suspiciously like a scam reported by someone who hired a performance freelancer on Upwork who artificially manipulated Google Pagespeed results. Other participants in the Twitter discussion compared it to the Volkswagen emissions scandal where the automaker activated its emissions controls only during lab testing to meet EPA requirements after a breach. Vehicles on the road emitted up to 40 times more nitrogen oxides while driving, compared to their performance in rigged lab tests.

Varghese and several other participants in the conversation concluded that this is why site owners should focus on what real-world users are experiencing, rather than performance tool test results.

Even when focusing on real user experiences, site owners often rely on testing to diagnose problems and see how a site’s performance can be improved. They don’t expect a plugin to hide performance tools JS files. Misleading the tests eroded the credibility of WP-Optimize.

“Wow. If that’s true, that’s as short-sighted as it is inexcusable,” UpdraftPlus customer Johnathon William said. “And I wonder if I can trust their other product, UpdraftPlus, which I use to back up multiple client sites.”

I contacted UpdraftPlus and lead developer David Anderson said the company was unaware of the issue with the code, but provided some backstory. UpdraftPlus was briefly in talks with the author of the Fast Velocity Minify plugin about the possibility of combining forces, in which he would keep the minification module in WP-Optimize and gain more users. In the end, they couldn’t come to an agreement, but meanwhile WP-Optimize developers forked and adapted Fast Velocity Minify under the GPL. The developers who worked on this adaptation are no longer part of the company.

“In our own source repository commit 2.5 years ago (January 2020), the commit was labeled ‘Resolve’ Add CSS and JS Minification GPL code from ‘Fast Velocity Minify’ – Part 6′”, said said Anderson. “Part of a series of initial code merges that have been refactored to be cleaner and use our coding style preferences (but without changing any functionality). The apparent intent of merging these lines was therefore to bring refactored code without making any changes at this stage.

“According to the commit history (i.e. the ‘git blame’ function), no changes have been made to this code since, i.e. it is as imported . (WP Optimize history is also public in WordPress SVN).

After a quick review of the code, Anderson concluded that his team might need to revisit it, as they weren’t aware of what was added two years ago.

“As I try to trace this function through the code in the plugins, the intention all in front seems to be that if the website visitor is a ‘bot’, then code that is unnecessary for bots will not be executed,” he said.

“However, having said that, 1) the names of the bots seem to be heavily obscured/redacted, which is odd (why?), and 2) there are a lot of more obvious bots that aren’t listed here, like the Googlebot itself If this function were to come under my scrutiny today, I would certainly wonder why this is so. I can’t reread 32 months ago, but I remember it as a long series of big fixes so it wasn’t parsed line by line closely We knew we had identified FVM as a good plugin and our main focus was to make it fit our structure and style and those are the things that I was personally watching as a final reviewer.

In summary, the UpdraftPlus dev team was unaware of this code until the Twitter feed went live over the weekend.

“Certainly glad it’s been brought to our attention,” Anderson said. “The associated code comment on a related fragment in its original source that it’s intended to prevent unnecessary bot requests, but on closer examination of this line at the time, it’s something we’ll want review, as it seems questionable/strange, and we will do so by assigning it to a team member who is our JavaScript optimization expert.

Anderson also said that if JavaScript optimization experts find no legitimate purpose for the code, “it will definitely be removed,” with a clear and unambiguous disclosure of the reasoning behind it.

In the meantime, UpdraftPlus has posted a notice in the plugin’s support forum to let users know that the code is currently under review.

“To be clear and reassure users: the code in question is not dangerous, a virus, an infection, useful to hackers, or anything like that,” Anderson said. “The allegation is that its only purpose in existence is effectively to cheat on speed tests. Such code, if it does, does not belong to WP Optimize and we will remove it with a new release. L he integrity of our products and the trust of our customers are essential to us (and deliberately putting things into open source code that compromises this is, frankly, a dumb thing to do).

Comment here