Obfuscated JavaScript – is it malicious? (Plugin: Rank Math - SEO Plugin for WordPress)

  • All the JavaScript files in assets/admin/js are deliberately obfuscated.

    This means we can’t verify that the code in them is not malicious.

    It also means that as developers we can’t investigate bugs or work on integrations.

    I’ve reported this to the WordPress main plugins email.

  • Plugin Author Rank Math

    (@rankmath)

    Hello Andy

    Please do not accuse us of malicious code when we have everything open-sourced.

    We have linked to all the unminified files from our readme file. Here’s a screenshot:
    https://i.rankmath.com/huOXsN

    Here’s a link for your convenience:
    https://github.com/RankMath/seo-by-rank-math/

    We have reported the review as well. Thank you.

    So:

    1. Why obfuscate at all?

    2. Why not place a link to the GitHub repo in the source code of the plugin (e.g. the readme file)?

    I quote from the guidelines:

    “We require developers to provide public, maintained access to their source code and any build tools in one of the following ways:

    – Include the source code in the deployed plugin
    – A link in the readme to the development location”

    You haven’t done the first, and the second isn’t exactly easy to spot, otherwise I would have spotted it.
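Added example, not part of the thread or of the plugin's code: a small audit that approximates the two routes in the guideline quoted above, listing minified JavaScript shipped without readable source and collecting repository links from `readme.txt`. The long-line threshold, the `.min.js` sibling convention, the function names and the sample plugin tree are all assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

LONG_LINE = 500   # assumed threshold: hand-written JS rarely has lines this long
REPO_LINK = re.compile(r"https?://(?:github\.com|gitlab\.com|bitbucket\.org)/[^\s)\]]+", re.I)


def looks_minified(text):
    """Heuristic only: one very long line marks the file as build output."""
    return any(len(line) >= LONG_LINE for line in text.splitlines())


def readable_sibling(js):
    """For foo.min.js, accept a non-minified foo.js shipped next to it."""
    if not js.name.endswith(".min.js"):
        return False
    src = js.with_name(js.name[:-len(".min.js")] + ".js")
    return src.is_file() and not looks_minified(src.read_text(errors="replace"))


def audit_plugin(plugin_dir):
    """Report minified JS shipped without source, and repo links found in readme.txt."""
    root = Path(plugin_dir)
    readme = root / "readme.txt"
    links = REPO_LINK.findall(readme.read_text(errors="replace")) if readme.is_file() else []
    missing = [
        js.relative_to(root).as_posix()
        for js in sorted(root.rglob("*.js"))
        if looks_minified(js.read_text(errors="replace")) and not readable_sibling(js)
    ]
    # Either route in the quoted guideline makes the source reachable.
    return {"minified_without_source": missing, "readme_links": links,
            "source_reachable": not missing or bool(links)}


def build_sample(root, with_link):
    """Constructed plugin tree: one bare minified file, one .min.js with its source."""
    js_dir = Path(root) / "assets" / "admin" / "js"
    js_dir.mkdir(parents=True)
    blob = "var a=1;" * 100                      # constructed 800-character line
    (js_dir / "common.js").write_text(blob)
    (js_dir / "helper.min.js").write_text(blob)
    (js_dir / "helper.js").write_text("var a = 1;\nconsole.log(a);\n")
    link = "Source: https://github.com/example/example-plugin\n" if with_link else ""
    (Path(root) / "readme.txt").write_text("=== Example Plugin ===\n" + link)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, with_link=False)
        print(audit_plugin(tmp))
```

A link in the readme only shows where the source is published; confirming that the shipped files were built from it still means rebuilding from that source and comparing the output.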

    Plugin Author Rank Math

    (@rankmath)

    Hello Andy,

    The files are minified for faster performance.

    From the guidelines, it says:
    build tools in one of the following ways

    Not both ways. We have done that.

    Sorry to say, but your lack of research and attention does not make the plugin bad or deserving of a 1-star rating, especially when the SEO plugin for ClassicPress is the fork of Rank Math.

    You could have opened a new support topic to ask and we would have been more than happy to assist.

    We can understand that these days are hard for everyone but please don’t make them harder by getting furious over small things that could be handled in a much better way.

    Take care!

    I’m not providing any SEO plugin. I was simply hoping to debug the problem with ACF custom fields not updating the SEO score when loading the page editor.

    Get your facts right.

    Plugin Author Rank Math

    (@rankmath)

    Hello Andy,

    You have been here on WordPress for longer than we have, and you know that to get support, one should open a support topic and not leave a review.

    With that said, we are more than happy to assist with the issue you are facing.

    Please open a new support topic here so we can help you debug the issue together:
    https://wordpress.org/support/plugin/seo-by-rank-math/#new-topic-0

    Looking forward to helping you. Thank you.

    Moderator Marius L. J.

    (@clorith)

    Hiya @zigpress & @rankmath,

    Marius here, one of the moderators here at WordPress.org

    Looks like things are starting to heat up a little here, that’s perfectly natural.

    Firstly, @rankmath, I see you flagged this review to be looked at by a mod (that would be me 🙂 ), and although I understand the frustration, that the user couldn’t find your documentation in the plugin description area is kind of understandable. If I didn’t see your reply stating documentation exists, I would have given up before reaching the very end. This might be a good opportunity to improve on them based on the feedback received though, so I’d call that a win!

    Basically, reviews are user experiences, and if someone tried debugging but gave up before finding your documentation useful, that’s a perfectly valid experience.

    @zigpress I’m removing your last remarks, as hearsay isn’t your own experiences, and as such isn’t relevant to your review.

    I’ve also removed the link and post to a 3rd party forum. What happens on other forums has no relation to reviews here on WordPress.org, and you are of course free to hold a discussion on that platform as well if you wish.

    If you should have any questions or concerns about this, please feel free to reach out to the moderators in the #forums channel on Slack (a Slack account is required)

    Why not simply put the authored JS right next to the minified? (and load as .min.js—maybe even provide a switch in the admin to choose which to load)

    Plugin Author Rank Math

    (@rankmath)

    Hello @born2webdesign

    To keep the plugin file size small.

    One can download and access all the unminified files from the GitHub repo here:
    https://github.com/rankmath

    Hope that helps. Thank you.

    Thanks, but at a first glance, I was only able to find the minified scripts, e.g. https://github.com/rankmath/seo-by-rank-math/blob/master/assets/admin/js/common.js

    Now, your whole plugin weighs in at almost 9 M, 1.5 M of which is JS—if you added ~3-4 M of authored JS (just a generous estimate) for people to look at, do you really think that would be a problem?
    Your call, obviously, but I could see some real benefits for people wanting to look at the code for whatever reason.

    Plugin Author Rank Math

    (@rankmath)

    Hello @born2webdesign

    That is the incorrect folder, following is the correct folder path to look for the unminified files:
    https://github.com/rankmath/seo-by-rank-math/tree/master/assets/admin/src

    Hope that helps. Thank you.

    Ah, thanks—still, I don’t think the original files in the plugin would hurt 😉
    Then, you could also use SCRIPT_DEBUG to determine which version to include on the page …

    Plugin Author Rank Math

    (@rankmath)

    Hello @born2webdesign

    Thank you for your valuable feedback.

    There are existing feature requests, so I’ve added your vote to our internal suggestions lists. If your suggestions are something that we’re able to introduce, I’ll be sure to let you know.

    Have a great weekend!

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    @rankmath @born2webdesign @zigpress

    The review has been made. If you’d like to discuss this as a SUPPORT issue, please open a new support topic at https://wordpress.org/support/plugin/seo-by-rank-math/. Reviews are meant to be a statement of one user’s experience with a plugin, not a discussion/RFE.
