WP-Optimize Plugin Accused of Cheating PageSpeed and Other Performance Testing Tools
Gijo Varghese, a developer who calls himself a “web performance enthusiast,” shocked WordPress users around the world over the weekend when he tweeted a screenshot of how WP-Optimize is explicitly preventing select JavaScript files from loading when users test their sites through popular performance testing tools.
“When a site is loaded, the JavaScript files are loaded only when the user-agent/browser isn’t Lighthouse/GTmetrix/Headless Chrome/Pingdom,” Varghese said. “No JS = high scores. But for real users, these JS files are loaded!”
Varghese confirmed that he was testing the free version of WP-Optimize, which is used on more than one million WordPress sites. UpdraftPlus acquired WP-Optimize in 2016 and claims that the tool “has everything you need to keep your website fast and thoroughly optimized.” A commercial version is also promoted through the free plugin that’s hosted on WordPress.org.
“Tell me, UpdraftPlus, how I’m supposed to continue trusting your company with my clients’ backups when you use these deceptive and fraudulent practices?” one customer, Adam Lowe, said in response to Varghese’s discovery of the plugin not loading JS for performance tools.
“Wow, all I can say is what an utter disappointment,” WordPress agency owner and developer Brian Jackson said.
This type of deception is eerily similar to a scam reported by someone who contracted a performance freelancer on Upwork who artificially manipulated Google PageSpeed results. Others participating in the discussion on Twitter compared it to the Volkswagen emissions scandal, where the carmaker was found to activate its emissions controls only during laboratory testing in order to meet the EPA’s requirements after a violation. The vehicles on the road emitted up to 40 times more nitrogen oxides while driving, as compared to how they performed in the rigged laboratory tests.
Varghese and several other participants in the conversation concluded that this is why site owners should focus on what real-world users are experiencing, instead of performance tool test scores.
Even when focusing on real user experiences, site owners often rely on the tests to diagnose issues and see how a site’s performance can be improved. They don’t expect that a plugin will be hiding JS files from performance tools. Tricking the tests has eroded WP-Optimize’s credibility.
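A site owner who wants to confirm that their own site serves the same scripts to a testing tool as to a normal browser can fetch the page twice with different User-Agent headers and diff the script sources. This is an added example, not code from the article or from WP-Optimize; the user-agent strings are constructed approximations of a browser and of a Lighthouse-style headless crawler, and the sample HTML responses are constructed stand-ins for the two fetches.

```python
import urllib.request
from html.parser import HTMLParser

# Constructed user-agent strings: a plain browser and one resembling a
# performance testing tool. These are approximations, not the exact headers.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/106.0 Safari/537.36"
TOOL_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/106.0 Safari/537.36 Chrome-Lighthouse"


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return set(parser.srcs)


def cloaked_scripts(browser_html, tool_html):
    """Script URLs delivered to a browser but withheld from the testing tool."""
    return sorted(script_srcs(browser_html) - script_srcs(tool_html))


def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def audit(url):
    """Fetch the page as a browser and as a tool; report scripts only the browser gets."""
    return cloaked_scripts(fetch(url, BROWSER_UA), fetch(url, TOOL_UA))


# Constructed sample responses standing in for the two fetches of one page.
BROWSER_HTML = """<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
<script src="/wp-content/plugins/example-plugin/tracker.js"></script>
</head><body><script src='/wp-content/themes/example/app.js'></script></body></html>"""
TOOL_HTML = """<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in cloaked_scripts(BROWSER_HTML, TOOL_HTML):
        print("withheld from testing tool:", src)
```

Any non-empty result from `audit(url)` on your own site means the script set depends on the User-Agent header and the performance score is not measuring what real visitors receive.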
“Wow. If true, this is as short-sighted as it is inexcusable,” UpdraftPlus customer Johnathon William said. “And it makes me wonder if I can trust their other product, UpdraftPlus, which I use to back up multiple client sites.”
I contacted UpdraftPlus, and lead developer David Anderson said the company was not aware of the issue with the code but related some of the backstory. UpdraftPlus was briefly in talks with the author of the Fast Velocity Minify plugin about the possibility of combining forces, in which he would maintain the minification module within WP-Optimize and gain more users. Ultimately they could not come to an agreement, but during that time WP-Optimize’s developers forked and adapted Fast Velocity Minify under the GPL. The developers who worked on that adaptation are no longer with the company.
“In the commit to our own source repository, 2.5 years ago (Jan 2020), the commit was labelled ‘Resolve ‘Add CSS and JS Minification GPL code from ‘Fast Velocity Minify’ – Part 6′,” Anderson said. “Part of a series of initial merges of code that was re-factored to be cleaner and use our coding style preferences (but not change any functionality). So the apparent intention of the merge of those lines was to bring over refactored code without at that stage making any changes.
“According to the commit history (i.e. the ‘git blame’ function) no changes have been made to that code since, i.e. it’s as-imported. (The history for WP Optimize is public in WordPress SVN too).”
After a cursory examination of the code, Anderson concluded that his team may need to reexamine it, as they weren’t aware of what was added two years ago.
“As I try to trace that function through the code across the plugins, the intention on the face of it appears to be that if the website visitor is a ‘bot,’ then code that’s unnecessary for bots won’t be executed,” he said.
“However, having said that, 1) the bot names look to be heavily obfuscated/redacted, which is strange (why?), and 2) there are plenty of more obvious bots that aren’t listed there, such as the Googlebot itself. If that function was being put before me for review today, I’d certainly question why that is so. I can’t mind-read myself back 32 months ago, but I remember it as being a long series of large patches, so it wasn’t being closely analysed on a line-by-line basis. We knew that we had identified FVM as a good plugin and our main focus was on adapting it to our structure and style, and those were the things I personally was looking at as the final reviewer.”
In summary, UpdraftPlus’ development team was not aware of this code until the Twitter thread was published over the weekend.
“I’m certainly glad to have it brought to our attention,” Anderson said. “The relevant code comment on a related fragment in its original source is that it’s intended to prevent unnecessary requests for bots, but on a closer examination than that line got at the time, that’s something we’ll want to look at, as it does look questionable/strange, and we’ll be doing that by assigning it to a team member who’s our expert in JavaScript optimizations.”
Anderson also said that if the JavaScript optimization specialists can’t find any legitimate purpose for the code, “it will certainly be removed,” with a clear and unambiguous disclosure of the reasoning behind it.
In the meantime, UpdraftPlus has published a notice in the plugin’s support forum to inform users that the code is currently under investigation.
“To be clear and set users’ minds at rest: the code in question isn’t dangerous, a virus, an infection, useful to hackers, or anything of that sort,” Anderson said. “The allegation is that its only purpose in existing is effectively to cheat on speed tests. Such code, if so, doesn’t belong in WP Optimize and we will remove it with a new release. Our products’ integrity, and our customers’ trust, are essential for us (and deliberately putting things in open source code that compromises that is, frankly, a stupid thing to do).”