Identified minify code issue in WP-Optimize – in progress

In the last hour, I have been alerted to the presence of some code in WP-Optimize’s “minify” module whose alleged purpose is to “game” speed-measuring tools (e.g. Google PageSpeed).

On the initial investigation of that last hour, we have ascertained that the code in question was innocently adapted from another popular/respected WordPress plugin at the time that we created the “minify” module, in January 2020, under “open source” principles. (WP Optimize itself is open source and all developers are encouraged, as per the purpose of the GPL licence, to freely use and adapt its code and use it in their own creations as they see best). As part of a series of code merges to adapt that plugin’s minify code to WP Optimize styling and conventions, the particular lines that have been identified as questionable did not get specifically noticed as unusual when they were added, and have remained in WP Optimize since that time.

This code is now being carefully examined, and I have agreed in my initial assessment that there are compelling questions about why it exists, and it has definitely suspicious features. Our main JavaScript/optimization developer is not in my time zone, and right now can be presumed to be fast asleep. I have sent him an initial summary of my investigations into the code history and apparent intentions, for his evaluation and conclusions.

If it is concluded that the code has no legitimate purpose (I personally am not a JavaScript optimization expert and have not worked on that area of the code, so want to make sure we have the full picture) then we will certainly remove it and post a clear statement of why we have done so in the plugin release changelog, in accordance with our normal practice of not obfuscating reasons for embarrassing changes in changelogs (e.g. changelog entries for security updates).

To be clear and set users’ minds at rest: the code in question is not dangerous, a virus, an infection, useful to hackers, or anything of that kind. The allegation is that its only purpose in existing is effectively to cheat on speed tests. Such code, if so, does not belong in WP Optimize and we will remove it with a new release. Our products’ integrity, and our customers’ trust, are essential for us (and deliberately putting things in open source code that compromises that is, frankly, a stupid thing to do). Thank you for bearing with us whilst we work this out over, hopefully, the next few days.

Finally: we have contacted the wordpress.org plugins team to keep them informed (and let them know of the other plugin in case they feel that further notifications or investigations on their end are needed).

Thank you,
David