Gijo Varghese, a developer who calls himself a “web performance enthusiast,” shocked WordPress users around the world over the weekend when he tweeted a screenshot of how WP-Optimize is allegedly preventing select JavaScript files from loading when users test their sites through popular performance testing tools.
“When a site is loaded, the JavaScript files are loaded only when the user-agent/browser is not Lighthouse/GTmetrix/Headless Chrome/Pingdom,” Varghese said. “No JS = high scores. But for real users, these JS files are loaded!”
Varghese confirmed that he was testing the free version of WP-Optimize, which is used on more than a million WordPress sites. UpdraftPlus acquired WP-Optimize in 2016 and claims that the tool “has everything you need to keep your website fast and thoroughly optimized.” A commercial version is also promoted through the free plugin that is hosted on WordPress.org.
“Tell me, UpdraftPlus, how I’m supposed to continue trusting your company with my clients’ backups when you use these deceptive and fraudulent practices?” one customer, Adam Lowe, said in response to Varghese’s discovery of the plugin not loading JS for performance tools.
“Wow, all I can say is what an utter disappointment,” WordPress agency owner and developer Brian Jackson said.
This type of alleged deception is eerily similar to a scam reported by someone who contracted a performance freelancer on Upwork who artificially manipulated Google PageSpeed results. Others participating in the discussion on Twitter compared it to the Volkswagen emissions scandal, in which the carmaker was found to activate its emissions controls only during laboratory testing in order to meet the EPA’s requirements after a violation. The vehicles on the road emitted up to 40 times more nitrogen oxides while driving than they did in the rigged laboratory tests.
Varghese and several other participants in the conversation concluded that this is why site owners should focus on what real world users are experiencing, instead of performance tool test scores.
Even when focusing on real user experiences, site owners often rely on the tests to diagnose issues and see how a site’s performance can be improved. They don’t expect that a plugin will be hiding JS files from performance tools. Tricking the tests has eroded WP-Optimize’s credibility.
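The practical check a site owner can run is the one Varghese effectively did: request the same page once with a normal browser User-Agent and once with a tester's User-Agent, then diff the `<script src>` tags. The script below is an added example and is not code from WP-Optimize, Fast Velocity Minify, or the article; the User-Agent substrings (`Chrome-Lighthouse`, `GTmetrix`, `HeadlessChrome`, `Pingdom`) and the gated mock page are my own assumptions so that it runs offline, not the plugin's actual list.

```python
"""
Detect a page that serves different <script> tags to performance-testing
tools than to real browsers.

Added example, not the plugin's or the article's code. The UA marker
substrings and the mock page are assumptions constructed for an offline run.
"""
import urllib.request
from html.parser import HTMLParser

# Assumed substrings identifying the tools named in the article.
# A real browser UA contains none of them.
TESTER_UA_MARKERS = ("Chrome-Lighthouse", "GTmetrix", "HeadlessChrome", "Pingdom")

REAL_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36")
# Lighthouse appends its own marker to an otherwise ordinary Chrome UA.
LIGHTHOUSE_UA = REAL_UA + " Chrome-Lighthouse"


def is_tester(user_agent: str) -> bool:
    """True when the UA looks like one of the testing tools (assumed markers)."""
    return any(marker in user_agent for marker in TESTER_UA_MARKERS)


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_srcs(html: str) -> set:
    parser = ScriptSrcParser()
    parser.feed(html)
    return set(parser.srcs)


def mock_gated_page(user_agent: str) -> str:
    """Constructed stand-in for a site whose optimizer drops JS for testers.

    This reproduces the behaviour the article describes; it is not the
    plugin's code.
    """
    head = '<html><head><link rel="stylesheet" href="/style.css">'
    scripts = ""
    if not is_tester(user_agent):
        scripts = ('<script src="/wp-includes/js/jquery.js"></script>'
                   '<script src="/wp-content/plugins/slider/slider.js"></script>')
    return head + scripts + "</head><body><p>hello</p></body></html>"


def fetch(url: str, user_agent: str) -> str:
    """Fetch a live page with a chosen User-Agent (not used in the offline run)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def hidden_scripts(get_page, real_ua=REAL_UA, tester_ua=LIGHTHOUSE_UA) -> set:
    """Script URLs served to a real browser but withheld from the tester UA.

    get_page is any callable user_agent -> html, so the same comparison
    runs against the mock or against fetch() for a real site.
    """
    return script_srcs(get_page(real_ua)) - script_srcs(get_page(tester_ua))


if __name__ == "__main__":
    # Offline run against the mock. For a live site use:
    #   hidden_scripts(lambda ua: fetch("https://example.com/", ua))
    missing = hidden_scripts(mock_gated_page)
    print("scripts hidden from the Lighthouse UA:", sorted(missing))
```

Two caveats when running this against a real site: bypass any page cache (a cached copy generated for one UA will be served to both and mask the difference), and remember that this only compares server-rendered HTML, so JavaScript that is injected client-side after checking `navigator.userAgent` will not show up and needs a headless-browser comparison instead.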
“Wow. If true, this is as short sighted as it is inexcusable,” UpdraftPlus customer Johnathon William said. “And it makes me wonder if I can trust their other product, UpdraftPlus, which I use to backup several client sites.”
I contacted UpdraftPlus and lead developer David Anderson said the company was not aware of the issue with the code but related some of the backstory. UpdraftPlus was briefly in talks with the author of the Fast Velocity Minify plugin about the possibility of combining forces, in which he would maintain the minification module within WP-Optimize and gain more users. Ultimately they could not come to an agreement, but during that time WP-Optimize’s developers forked and adapted Fast Velocity Minify under the GPL. The developers who worked on that adaptation are no longer with the company.
“In the commit to our own source repository, 2.5 years ago (Jan 2020), the commit was labelled ‘Resolve “Add CSS and JS Minification GPL code from ‘Fast Velocity Minify’ – Part 6”,’” Anderson said. “Part of a series of initial merges of code that was re-factored to be cleaner and use our coding style preferences (but not change any functionality). So the apparent intention of the merge of those lines was to bring over refactored code without at that stage making any changes.
“According to the commit history (i.e. the ‘git blame’ function) no changes have been made to that code since, i.e. it is as-imported. (The history for WP Optimize is public in WordPress SVN too).”
After a cursory examination of the code, Anderson concluded that his team may need to reexamine it, as they were not aware of what was added two years ago.
“As I try to trace that function through the code within the plugins, the intention on the face of it appears to be that if the website visitor is a ‘bot,’ then code that is pointless for bots won’t be carried out,” he said.
“However having said that, 1) the bot names look to be heavily obfuscated/redacted, which is strange (why?), and 2) there are plenty of more obvious bots that aren’t listed there, such as the Googlebot itself. If that function was being put before me for review today, I’d certainly question why that is so. I can’t mind-read myself back 32 months ago, but, I remember it as being a long series of large patches, so it wasn’t being closely analysed on a line-by-line basis. We knew that we had identified FVM as a good plugin and our main focus was on adapting it to our structure and style, and those were the things I personally was looking at as the final reviewer.”
In summary, UpdraftPlus’ development team was not aware of this code until the Twitter thread was published over the weekend.
“I’m certainly glad to have it brought to our intention,” Anderson said. “The associated code comment on a related fragment in its original source [says] that it’s intended to prevent unnecessary requests for bots, but on a closer examination than that line got at the time, that’s something we’ll want to look at, as it does look questionable/strange, and we’ll be doing that by assigning it to a team member who’s our expert in JavaScript optimizations.”
Anderson also said that if the JavaScript optimization experts cannot find any legitimate purpose for the code, “it will certainly be removed,” with a clear and unambiguous disclosure of the reasoning behind it.
In the meantime, UpdraftPlus has published a notice in the plugin’s support forum to inform users that the code is currently under investigation.
“To be clear and set users’ minds at rest: the code in question is not dangerous, a virus, an infection, useful to hackers, or anything of that kind,” Anderson said. “The allegation is that its only purpose in existing is effectively to cheat on speed tests. Such code, if so, does not belong in WP Optimize and we will remove it with a new release. Our products’ integrity, and our customers’ trust, are essential for us (and deliberately putting things in open source code that compromises that is, frankly, a stupid thing to do).”