Plugin: WP-Optimize - Cache, Clean, Compress. Topic: Identified minify code issue in WP-Optimize – in progress

  • Plugin Author David Anderson

    (@davidanderson)


    In the last hour, I have been alerted to the presence of some code in WP-Optimize’s “minify” module whose alleged purpose is to “game” speed-measuring tools (e.g. Google PageSpeed).

    On the initial investigation of that last hour, we have ascertained that the code in question was innocently adapted from another popular/respected WordPress plugin at the time that we created the “minify” module, in January 2020, under “open source” principles. (WP Optimize itself is open source and all developers are encouraged, as per the purpose of the GPL licence, to freely use and adapt its code and use it in their own creations as they see best). As part of a series of code merges to adapt that plugin’s minify code to WP Optimize styling and conventions, the particular lines that have been identified as questionable did not get specifically noticed as unusual when they were added, and have remained in WP Optimize since that time.

    This code is now being carefully examined, and I have agreed in my initial assessment that there are compelling questions about why it exists, and it has definitely suspicious features. Our main JavaScript/optimization developer is not in my time zone, and right now can be presumed to be fast asleep. I have sent him an initial summary of my investigations into the code history and apparent intentions, for his evaluation and conclusions.

    If it is concluded that the code has no legitimate purpose (I personally am not a JavaScript optimization expert and have not worked on that area of the code, so want to make sure we have the full picture) then we will certainly remove it and post a clear statement of why we have done so in the plugin release changelog, in accordance with our normal practice of not obfuscating reasons for embarrassing changes in changelogs (e.g. changelog entries for security updates).

    To be clear and set users’ minds at rest: the code in question is not dangerous, a virus, an infection, useful to hackers, or anything of that kind. The allegation is that its only purpose in existing is effectively to cheat on speed tests. Such code, if so, does not belong in WP Optimize and we will remove it with a new release. Our products’ integrity, and our customers’ trust, are essential for us (and deliberately putting things in open source code that compromise that is, frankly, a stupid thing to do). Thank you for bearing with us whilst we work this out over, hopefully, the next few days.

    Finally: we have contacted the wordpress.org plugins team to keep them informed (and let them know of the other plugin in case they feel that further notifications or investigations on their end are needed).

    Thank you,
    David

Viewing 1 replies (of 1 total)
  • Plugin Author David Anderson

    (@davidanderson)

    Now that our main developer is awake (he was in a different timezone) and in his working day, things look quite different. The controversy was entirely mistaken, and we’ve been unreasonably treated by WP Tavern who rushed to print after hours at the end of the day during a UK public holiday before allowing time for a proper investigation, and by the original Tweeter (who is also a direct competitor who used the resulting storm to promote his products).

    Details will be forthcoming when we’ve completed our work on it – thank you for your patience!

    • This reply was modified 3 weeks, 4 days ago by Steven Stern (sterndata). Reason: removed ping to archived message, closed topic as "news"
  • The topic ‘Identified minify code issue in WP-Optimize – in progress’ is closed to new replies.