Support » Plugin: Fast Velocity Minify » A word of caution

  • Resolved vwondra

    (@vwondra)


    One of our clients installed this plugin 2 days ago. We spent a good part of yesterday tracking it down. The hosting server was experiencing high resource usage. Late last night we isolated the issue to a lone IP address from Romania hammering one of the websites on that server. In looking at the time logs, this started about the time that Fast Velocity Minify was installed on that site. We have since then blocked that IP and removed the Fast Velocity Minify plugin from that site.

    We suspect that either there was some bad coding in the plugin, or some possible malware hidden in it.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Raul P.

    (@alignak)

    This is not true and I’m 100% sure that any Romanian IP has nothing to do with our plugin. I do not know where you installed the plugin, and the plugin does not collect any information about your site.
    Furthermore, I have no servers or any IP addresses in Eastern Europe.

    a) Plugins on the public repositories are scanned for malware before being published live. There is zero chance of the plugin containing any, unless your site already had some malware somewhere else. I suggest using Wordfence to do a complete scan of your site.

    b) The plugin works without requests to any other server. There is zero information leaving your site through FVM to any server.

    c) FVM needs to download your JS and CSS files in order to merge them. High load can only occur if you have dynamic CSS or JS code, which will then trigger a request on every pageview.

    This is explained in our FAQs:
    https://wordpress.org/plugins/fast-velocity-minify/faq/

    And that’s one of the reasons why we clearly state that the plugin is for developers or advanced users who can configure it properly. If you don’t understand what it does, I suggest trying a simpler plugin or asking for a developer’s help to set up the plugin.

    d) Because FVM will merge your CSS and JS files, sometimes it needs to use WordPress to request files which cannot be opened directly from disk. Please make sure that the IP you blocked is actually not your own server IP (or reverse proxy, or CDN if you use one).

    e) The fact that the high load started at roughly the same time you installed the plugin is irrelevant. If you have access to the logs, you should be able to see exactly which requests are being made, which urls, how many times they are being requested, by whom, and you should be able to trace back the IP to some origin.

    FVM will only make requests to JS or CSS files using your own server IP, and only if it cannot open those files directly on the disk.

    High load is also explained in our FAQs.
    Basically, if you have a CSS or JS file that keeps changing the URL on every pageview, FVM will assume it’s a new file and recreate the cache.

    The method is correct.
    Any different code is different, thus FVM will have to recreate the cache files every time it sees different code.

    That being the case… if there is bad coding, it’s somewhere else on your site.
    Styles or JavaScript code should not be dynamic, as it’s meant to be static.

    You may not notice high load without FVM even with the dynamic CSS/JS code, simply because of the amount of data.
    If you have one line of dynamic code, WordPress only needs to regenerate that one if files are loading separately. But obviously, if you are installing a plugin to merge all files, any small difference is going to trigger the whole cache file to be recreated.

    Finally, even if you have no dynamic css or js code, note that FVM will create a cache file for any new requirements it finds. That could be one file per conditional or even per page.

    The first-hit cache regeneration is expensive (again, it’s explained in our FAQs), so if your server is under-powered and you have a lot of traffic, enabling FVM may cause an initial high load while it generates the cache files for each URL that requires a different set of CSS/JS files.

    If your classes or JS code keep changing names (some plugins wrongly generate inline code that way, such as some modules in WPBakery)… this is even more visible.

    Note that I am not stating that FVM will cause high load.
    I’m only saying that IF you have a lot of different requirements per page, it needs to generate them (once only) for each difference it sees.
    And IF you have dynamic CSS code or dynamic JS file names, that also triggers a new cache generation, because practically it’s brand new code on every pageview (use page caching).

    If you have a well built website, without dynamic classes or js code, or if the request per page hardly change, then FVM will only generate a few cache files and use them for all pages that match that usage (it’s very efficient in that sense).
    It also uses static files, instead of PHP, to serve the generated files, and those files are only created once, not always (unless you have dynamic code, as explained).

    Again, make sure you are an advanced user or a developer before using the plugin, or test it properly on a staging version, before implementing it on a live site.

    Speed optimization is not as easy as installing a plugin.
    You have the tools, but you need to know how to use them.

    There is absolutely zero possibility of any Romanian or any other IP which is not your own server or under your network architecture remotely causing high load related to our plugin.

    If that IP was causing high load, make sure to track down what exactly it was doing and check its user agent (it could be a scraper, bot, etc.).

    Also please make sure you understand what FVM does and how it works, before implying here that we are using some sort of malware to try to hack your server, or that we are in any way affiliated with some other random IP which decided to DoS your site.

    It may have been a coincidence, but regardless, if it’s your client you should make sure of what the reason for that was, rather than just assume that “it must have been that new plugin” (which happens to be open source for anyone to review).

    I also remind you that the plugin is used on over 80,000 sites, mostly managed by programmers and developers. All plugins are reviewed by the WordPress team before publishing as well.

    What you are basically saying… is that your client bought an umbrella, and then because it suddenly started raining, you went and returned the umbrella because it must have been the umbrella’s fault.

    I’m sorry if I sound too critical, but I work very hard on this plugin and I am proud of my work. Therefore, if you have no technical evidence and irrefutable details to sustain your claims that my plugin can be related to your issue, you should not post this kind of topic.

    Thanks again,

    Raul Peixoto
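
Added example (editor's illustration, not part of the thread and not Fast Velocity Minify's code): a small model of the cache behaviour described in points c) and the paragraphs on dynamic CSS/JS above. A merged bundle is identified here by a hash over the ordered list of asset URLs and inline snippets, so a per-request token in one URL, or a generated class name in one inline block, produces a new key (a new cache build) on every pageview, while a static asset list produces one key for all views. The site renderers, the "nonce" parameter and the generated class name are constructed samples, and unstable_assets() is the check a developer would use to find which handle is defeating the cache.

```python
"""Model of merge-and-minify cache keys under static versus dynamic assets.

Added illustration, not FVM's implementation: the key is a hash over the
ordered asset list, so any difference between pageviews means a rebuild.
"""
import hashlib
from typing import Callable, Iterable, List, Set, Tuple

Renderer = Callable[[int], List[str]]  # pageview number -> assets on that page


def bundle_key(assets: Iterable[str]) -> str:
    """Stable short key for an ordered list of CSS/JS URLs and inline code."""
    h = hashlib.sha256()
    for asset in assets:
        h.update(asset.encode("utf-8"))
        h.update(b"\0")  # separator, so ["ab"] and ["a", "b"] do not collide
    return h.hexdigest()[:16]


def simulate_pageviews(render: Renderer, n: int) -> Tuple[int, int]:
    """Return (distinct bundle keys, pageviews); each distinct key is one rebuild."""
    seen: Set[str] = set()
    for view in range(n):
        seen.add(bundle_key(render(view)))
    return len(seen), n


def unstable_assets(render: Renderer, n: int) -> List[int]:
    """Indexes of assets whose value changes between pageviews.

    This is the check to run when the cache keeps regenerating: it points at
    the handle carrying a per-request token or a generated class name.
    """
    baseline = render(0)
    changed: Set[int] = set()
    for view in range(1, n):
        current = render(view)
        for i in range(max(len(baseline), len(current))):
            a = baseline[i] if i < len(baseline) else None
            b = current[i] if i < len(current) else None
            if a != b:
                changed.add(i)
    return sorted(changed)


# Constructed sample: a static theme, identical assets on every pageview.
def static_site(view: int) -> List[str]:
    return [
        "/wp-content/themes/demo/style.css?ver=1.4",
        "/wp-includes/js/jquery/jquery.min.js?ver=3.6.0",
        "body{margin:0}",  # inline CSS, the same on every view
    ]


# Constructed sample: one plugin stylesheet carries a hypothetical per-request
# "nonce" parameter, so its URL differs on every pageview.
def dynamic_url_site(view: int) -> List[str]:
    return [
        "/wp-content/themes/demo/style.css?ver=1.4",
        f"/wp-content/plugins/widget/widget.css?nonce={view:08x}",
        "body{margin:0}",
    ]


# Constructed sample: inline CSS whose class name is generated per render.
def dynamic_inline_site(view: int) -> List[str]:
    return [
        "/wp-content/themes/demo/style.css?ver=1.4",
        f".gen_{view:06d}{{margin-bottom:20px}}",
    ]


if __name__ == "__main__":
    for name, site in [("static", static_site), ("dynamic URL", dynamic_url_site),
                       ("dynamic inline", dynamic_inline_site)]:
        distinct, views = simulate_pageviews(site, 50)
        print(f"{name:15s} {distinct:3d} cache builds over {views} views, "
              f"unstable asset indexes: {unstable_assets(site, 50)}")
```

Run as a script it prints one line per sample site; the static site builds its bundle once, the two dynamic sites rebuild on every one of the 50 views, and unstable_assets() names index 1 in both dynamic cases. Page caching in front of the site hides the cost only because the HTML (and therefore the asset list) is no longer rendered per request.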

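Added example (editor's illustration, not part of the thread and not FVM's code) for the log check suggested in points d) and e) above: parse combined-format access log lines, group requests by client IP, list what each IP requested and with which user agent, and flag addresses that belong to the site's own server, reverse proxy or CDN before blocking anything. The log lines, the IP addresses (documentation ranges), the user agents and the OWN_IPS set are all constructed for the example.

```python
"""Triage of a web-server access log: who is hammering the site, for what, as whom.

Added illustration, not FVM's code. Uses only the standard library.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Apache/nginx "combined" format: ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical addresses of the web server itself and a reverse proxy in front of it.
OWN_IPS: Set[str] = {"198.51.100.7", "198.51.100.20"}

# Constructed sample log (documentation IP ranges, made-up user agents).
LOG_LINES: List[str] = [
    # the site's own server fetching stylesheets it could not open from disk
    '198.51.100.7 - - [10/Oct/2019:13:55:36 +0000] "GET /wp-content/themes/demo/style.css?ver=1.4 HTTP/1.1" 200 8120 "-" "WordPress/5.2.3; https://example.test"',
    '198.51.100.7 - - [10/Oct/2019:13:55:37 +0000] "GET /wp-content/plugins/widget/widget.css?ver=2 HTTP/1.1" 200 2210 "-" "WordPress/5.2.3; https://example.test"',
    # an unrelated client requesting many uncached search URLs at speed
    '203.0.113.55 - - [10/Oct/2019:13:55:38 +0000] "GET /?s=a HTTP/1.1" 200 51234 "-" "python-requests/2.22.0"',
    '203.0.113.55 - - [10/Oct/2019:13:55:38 +0000] "GET /?s=b HTTP/1.1" 200 51290 "-" "python-requests/2.22.0"',
    '203.0.113.55 - - [10/Oct/2019:13:55:39 +0000] "GET /?s=c HTTP/1.1" 200 51301 "-" "python-requests/2.22.0"',
    '203.0.113.55 - - [10/Oct/2019:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.22.0"',
    # an ordinary visitor
    '192.0.2.10 - - [10/Oct/2019:13:55:40 +0000] "GET /about/ HTTP/1.1" 200 20011 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/69.0"',
    'not a log line',  # malformed input must be skipped, not crash the triage
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines: Iterable[str], own_ips: Set[str]) -> Dict[str, dict]:
    """Group requests per client IP: count, paths, user agents, own-infrastructure flag."""
    per_ip: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip.setdefault(rec["ip"], {
            "count": 0, "paths": Counter(), "agents": Counter(),
            "own": rec["ip"] in own_ips,
        })
        entry["count"] += 1
        entry["paths"][rec["path"]] += 1
        entry["agents"][rec["ua"]] += 1
    return per_ip


def top_talkers(per_ip: Dict[str, dict], n: int = 3) -> List[Tuple[str, int]]:
    """Busiest client IPs, most requests first (ties broken by address)."""
    ranked = sorted(per_ip.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(ip, e["count"]) for ip, e in ranked[:n]]


def report(per_ip: Dict[str, dict]) -> str:
    """Human-readable triage: who hit the site, how often, for what, as whom."""
    out = []
    for ip, count in top_talkers(per_ip, n=len(per_ip)):
        e = per_ip[ip]
        tag = "own infrastructure" if e["own"] else "external"
        out.append(f"{ip} ({tag}): {count} requests, {len(e['paths'])} distinct paths")
        for path, c in e["paths"].most_common(3):
            out.append(f"    {c:3d}  {path}")
        for ua, _ in e["agents"].most_common(2):
            out.append(f"    UA  {ua}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarise(LOG_LINES, OWN_IPS)))
```

In the constructed sample the server's own address shows up fetching CSS with a WordPress user agent, which is the self-request pattern point d) warns not to mistake for an attacker, while the external address issues uncached search queries and an XML-RPC POST from a scripted client. On a real host, replace LOG_LINES with the lines read from the access log and OWN_IPS with the server, proxy and CDN addresses, and look at the paths and user agents of the top talker before deciding what it was.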
    Hi Raul,

    I too had a client’s site hacked and traced it to this plugin. I got a notification this morning from Wordfence stating that you patched the issue but I remember this thread from my research.

    I think you may owe @vwondra an apology.

    Plugin Author Raul P.

    (@alignak)

    @marzipandigital It’s incorrect.

    There was neither bad coding nor malware hidden in it.

    In fact, you cannot even publish malware in an open source plugin, as it would be immediately seen by the WordPress team, or by a substantial number of the 80k+ users using it happily.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    In fact, you cannot even publish malware in an open source plugin, as it would be immediately seen by the WordPress team, or by a substantial number of the 80k+ users using it happily.

    That’s not what ‘cannot’ means @alignak — I think you mean to say “you can’t publish without getting caught” which is true. Also you get perma-banned if you do it intentionally, so the risk is not worth the reward.

    EVERYONE has bad code. Somewhere. Don’t be so arrogant as to claim you NEVER have bad code anywhere. That immediately makes anyone experienced with software start to doubt you. This goes to everyone in this conversation.

    Also multiple replies in a row makes you look aggressive. I’d caution against it.

    Now.

    There’s no code in the plugin that appears to cause this. The Wordfence report is unrelated to the hack.

    A very common act of hackers is to use a backdoor in one plugin to edit another. For example, a lot of malicious actors will use a vulnerable plugin to insert malicious code into Hello Dolly. That plugin isn’t vulnerable, but since it’s easy to find, it’s a target.

    Most likely what happened here is the plugin compressed another file that had the suspect code in it. After all, this plugin minifies existing code on your site.

    Plugin Author Raul P.

    (@alignak)

    @ipstenu thank you for your clarification and sorry if I sounded arrogant (that was without intention).

    You are right on what you said and on the rephrasing you did. I meant exactly “you can’t publish without getting caught” when I said we cannot publish malware.

    And I am also aware everyone has bad code sometimes… (that’s not the point).
    What I meant to say is that “the situation here reported” was certainly not caused by any bad code on the plugin (either malware, hack or some random bot IP from Romania hitting the site after installing FVM).

    I am aware that code is never going to be perfect and there are always things to improve, always. Either way, I accept I may have gone too far in my explanation and I could have phrased things better.

    Apologies for using your time on this.

    Thanks

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Reads. Archives many replies and closes this topic.*

    @marzipandigital These forums are not a blog, these are not blog comments. If you need support then start a support topic. If it’s a blog post then it will get removed. That’s not for here though I do know of some good software that you can create your own blog with.

    @alignak I’ve done the same to your replies for the same reasons. I’ve left the one that Ipstenu replied to as it makes sense and well, you were way off in what you wrote.

    I’m closing this topic now. If anyone needs support for this plugin then per the forum guidelines please start your own topic.

    https://wordpress.org/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

    You can do so here.

    https://wordpress.org/support/plugin/fast-velocity-minify/#new-post

  • The topic ‘A word of caution’ is closed to new replies.