5 September 2022

WP Optimize plugin accused of scamming PageSpeed and other performance testing tools

A developer accused WP-Optimize of disabling JavaScript files while being tested by benchmarking tools.

WP-Optimize, one of the most popular performance enhancement plugins for WordPress websites, was accused of cheating on benchmarks. Gijo Varghese, a performance enthusiast developer, found some evidence showing that WP-Optimize disables JavaScript when tested with benchmarking tools.

Gijo Varghese, a developer who describes himself as a "web performance enthusiast", the probable inventor of the Delay JS technique and developer of the FlyingPress optimization plugin (which we talked about in our post on JS Delay), shocked WordPress users worldwide over the weekend when he tweeted a screenshot of how WP-Optimize allegedly prevents selected JavaScript files from loading when users test their sites through popular performance testing tools.

"When a site is loaded, the JavaScript files are loaded only when the user agent / browser is not Lighthouse / GTmetrix / Headless Chrome / Pingdom," stated Varghese. "No JS = high scores. But for real users, these JS files are loaded!"

Varghese confirmed that he was testing the free version of WP-Optimize, which is used on over a million WordPress sites. UpdraftPlus acquired WP-Optimize in 2016 and states that the tool "has everything you need to keep your website fast and fully optimized". A commercial version is also promoted via the free plugin hosted on WordPress.org.

"Tell me, UpdraftPlus, how should I continue to trust your business with my customer backups when you use these deceptive and fraudulent practices?" said customer Adam Lowe in response to Varghese's discovery of the plug-in not loading JS for performance tools.

"Wow, all I can say is total disappointment," said WordPress agency owner and developer Brian Jackson.

This kind of alleged deception is eerily similar to a scam reported by someone who hired a performance freelancer on Upwork who artificially manipulated Google PageSpeed results. Other participants in the discussion on Twitter likened it to Volkswagen's emissions scandal, in which the automaker was found activating its emissions controls only during laboratory tests to meet EPA requirements after a breach. Vehicles on the road emitted up to 40 times more nitrogen oxides while driving, compared to how they performed in rigged lab tests.

WP-Optimize does not reflect the actual user experience

Varghese and several other participants in the conversation concluded that this is why site owners should focus on what real-world users are experiencing, rather than performance tool test scores.
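The behaviour Varghese describes (scripts withheld when the user agent is Lighthouse, GTmetrix, Headless Chrome or Pingdom) can be checked from the outside by comparing what the same page serves to different user agents. The following is an added example, not code from the original article or from WP-Optimize; the user-agent strings, file paths and HTML are constructed sample data.

```python
from html.parser import HTMLParser

# Tool names from the report above, lower-cased with spaces removed
# ("Headless Chrome" appears in user agents as "HeadlessChrome").
TEST_TOOL_MARKERS = ("lighthouse", "gtmetrix", "headlesschrome", "pingdom")


class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.add(src.split("?")[0])  # drop cache-busting query


def script_sources(html):
    collector = ScriptCollector()
    collector.feed(html)
    return collector.sources


def is_test_tool(user_agent):
    ua = user_agent.lower().replace(" ", "")
    return any(marker in ua for marker in TEST_TOOL_MARKERS)


def hidden_from_tools(responses):
    """responses maps user agent -> HTML served to it. Returns, per test-tool
    user agent, the scripts every ordinary browser got but the tool did not."""
    browsers = [script_sources(h) for ua, h in responses.items() if not is_test_tool(ua)]
    tools = {ua: script_sources(h) for ua, h in responses.items() if is_test_tool(ua)}
    if not browsers or not tools:
        raise ValueError("need at least one browser and one test-tool response")
    baseline = set.intersection(*browsers)
    return {ua: sorted(baseline - got) for ua, got in tools.items() if baseline - got}


# Constructed sample: abbreviated user agents and the HTML each one was served.
JQUERY = '<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>'
APP = '<script src="/wp-content/themes/example/app.js"></script>'
SAMPLE = {
    "Mozilla/5.0 (Windows NT 10.0) Chrome/104.0.0.0 Safari/537.36": JQUERY + APP,
    "Mozilla/5.0 (X11; Linux) HeadlessChrome/104.0.0.0 Safari/537.36": JQUERY + APP,
    "Mozilla/5.0 (Linux; Android 11) Chrome/104.0.0.0 Chrome-Lighthouse": JQUERY,
}
```

In practice the HTML would come from requesting the same URL once per User-Agent header; scripts that client-side code injects later are outside what this static comparison sees.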

Even when focusing on real user experiences, site owners often rely on tests to diagnose problems and see how they can improve a site's performance. They don't expect a plug-in to hide JS files from performance tools. Cheating on testing has eroded WP-Optimize's credibility.

"Oh. If true, this is as shortsighted as it is unforgivable," said Johnathon William, an UpdraftPlus client. "And I wonder if I can trust their other product, UpdraftPlus, which I use to back up several customer sites."

I contacted UpdraftPlus, and lead developer David Anderson said the company was unaware of the problem with the code, but provided some of the background. UpdraftPlus was briefly in talks with the author of the Fast Velocity Minify plugin about joining forces, in which it would keep the minification module within WP-Optimize and gain more users. They ultimately failed to reach an agreement, but during that time the developers of WP-Optimize forked and adapted Fast Velocity Minify under the GPL. The developers who worked on that adaptation are no longer with the company.

"In the commit in our source repository, 2.5 years ago (January 2020), the commit was labeled 'Resolve "Add CSS and JS Minification GPL code from 'Fast Velocity Minify' - Part 6"'," Anderson said. "Part of a series of initial code merges that have been refactored to be cleaner and use our coding style preferences (but not change any functionality). So the apparent intention of merging those lines was to bring the refactored code back without making any changes at that stage.

"According to the commit history (i.e. the 'git blame' function) there have been no changes to that code since then, i.e. it is as imported. (WP Optimize history is also public in WordPress SVN)."

After a cursory review of the code, Anderson concluded that his team may need to review it, as they were unaware of what was added two years ago.

"As I try to trace that function through the code within the plugins, the intention at first sight appears to be that if the website visitor is a 'bot', code that is useless to bots will not be executed," he said.

"However, with that said, 1) the bot names seem to be heavily obfuscated/redacted, which is weird (why?) and 2) there are a lot of more obvious bots that aren't listed there, like the Googlebot itself. If that feature had been submitted to me for review today, I would definitely wonder why this is the case. I don't mind rereading 32 months ago, but I remember it was a long series of great patches, so it wasn't going through closely line by line. We knew we had identified FVM as a good plug-in and our main goal was to adapt it to our structure and style, and these were the things I was personally looking at as a final reviewer."

In summary, UpdraftPlus's development team was unaware of this code until the Twitter thread was posted over the weekend.

"I am certainly happy to have it brought to our attention," Anderson said. "The associated code comments on a related snippet in its original source that is meant to prevent unnecessary bot requests, but upon closer inspection of what that line got at the time, it's something we'd like to look into, as it looks questionable/weird, and we'll do that by assigning it to a team member who is our JavaScript optimizations expert."

Anderson also said that if JavaScript optimization experts fail to find a legitimate purpose for the code, it "will definitely be removed," with a clear and unambiguous disclosure for the reasoning behind it.

Meanwhile, UpdraftPlus has posted a notice in the plugin's support forum to inform users that the code is currently under investigation.

"To be clear and to reassure users: the code in question is not dangerous, a virus, an infection, useful for hackers or something like that," Anderson said. "The charge is that its only purpose in existence is actually to cheat the speed tests. That code, in this case, does not belong to WP Optimize and we will remove it with a new version. The integrity of our products and the trust of our customers are essential to us (and deliberately putting things in compromising open source code which is, frankly, a stupid thing to do)."

"The code in question is not ours" is WP-Optimize's answer

WP-Optimize lead developer David Anderson gave WPTavern an interesting explanation. According to Anderson, the code that disables JS files when it detects the benchmarking tools dates back 2.5 years, to when the company was considering joining forces with the Fast Velocity Minify plugin.

During the decision period, the developers of WP-Optimize forked and adapted Fast Velocity Minify. In the end, the two sides couldn't agree. Anderson thinks this is when the code got mixed into the WP-Optimize codebase. That code hasn't been touched for 2.5 years, and the developers weren't aware of those lines.

David Anderson added that if the JavaScript optimization expert can't find a purpose for the code, they will definitely remove it. David Anderson, developer of WP-Optimize, said:

"The code in question is not dangerous, a virus, an infection, useful for hackers, or something like that. The charge is that its only purpose in existence is to actually cheat the speed tests. That code, in this case, does not belong to WP Optimize and we will remove it with a new version. The integrity of our products and the trust of our customers are essential to us (and deliberately coding things open source which compromises which is, frankly, a stupid thing to do)."

Our advice on optimizing the Core Web Vitals

For our part, we set aside this interesting but sterile conversation and the issues raised, and remind our readers that lab data indicates but does not prove. What matters is the real user experience data (CRUX data) and the related Core Web Vitals scores, which will determine rewards or penalties by Google.

Field data is determined by monitoring all users who visit a page and measuring a certain set of performance metrics for each of those users' individual experiences. Since the field data is based on visits from real users, it reflects the actual devices, network conditions, and geographic locations of your users.

We therefore refer you to this reading, Core Web Vitals and CRUX data, to understand why cheating and deceiving speed and performance tests such as Google PageSpeed Insights is of no use in real life, and that you can pass the Core Web Vitals requirements even with a score in the orange area and not necessarily in the green area (above 90). You can see this, for example, in the following image from one of our customers who, with a score of 78, still passes Google's Core Web Vitals assessment.

[Image: PageSpeed Insights CRUX Core Web Vitals]

If you have a website built on a popular CMS such as WordPress and you are evaluating a performance optimization service that can bring real added value and a real improvement in your site's speed and Core Web Vitals values, feel free to contact us.
