Managing WordPress and More

Managing WP NO. 1 | It's been a while, WP-Optimize, admin-ajax.php, Cloudflare WAF

I'm still alive!

Jordan Trask
Sep 2, 2022
It's been a while. This isn’t easy.

I am sorry that I haven’t been filling your inboxes with excellent WordPress content. But I see you, all 33 of you and hope to keep this up 😊

Now let’s get into it!


📰WordPress News

There’s been a lot going on, but I haven’t been collecting anything to share with you, so there isn’t much here.

🎭WP-Optimize Drama

If you haven’t heard, WP-Optimize pulled in some code from another plugin and, unfortunately, didn’t vet it from the top down. There are lots of people posting about it and giving their take on the whole situation.

Gijo from Flying Press posted something on Twitter about WP-Optimize cheating PageSpeed and other testing tools.

Gijo Varghese @GijoVarghese_
🚨 How "WP Optimize" is cheating PageSpeed and other testing tools 👇 When a site is loaded, the JavaScript files are loaded only when the user-agent/browser is not Lighthouse/GTmetrix/Headless Chrome/Pingdom. No JS = high scores. But for real users, these JS files are loaded!
9:35 AM ∙ Aug 26, 2022

WPTavern then reported on it, and some have taken issue with how quickly they published the article.

  • WP-Optimize Plugin Accused of Cheating PageSpeed and Other Performance Testing Tools - WPTavern

Some people in the community defended WP-Optimize, even putting up a video.

Gijo also posted a video showing that the feature isn’t adequately described and that, if you defer all JavaScript, it’s impossible to turn off the cheating portion.

WP-Optimize responded, and WP Tavern posted another article with quotes from the original developer of the code.

  • WP-Optimize completely rejects false allegations of ‘gaming’ page speed results

  • WP-Optimize Denies Allegations of Cheating Performance Tools

Here’s the quote from FVM3 developer Peixoto:

Fast forward some time, and I realized that some developers were actually using this to cheat on the tests for their clients, so I felt compelled to make the decision on FVM 3 (already late 2020) to remove this feature, which was met by a lot of protests of angry developers when their clients started complaining that their scores went down.

I tried at that time, to explain that having a good score was not the same as having good web vitals metrics, but eventually I gave up on that, as some people cared more about the test results than the actual performance.

After FVM 3 release, I am basically just maintaining it and doing small bug fixes when reported, as I have to focus on other things. I have removed that function and fixed a couple of bugs that were pending on version 3.2.9 and pushed an update, so thank you for referring this to me.

Just here to inform you might post something further.

WordPress Performance Team - Object Cache Improvements

Looks like @tillkruess is cooking up some performance magic 🧙‍♂️


🧻News Headlines

🔗WordPress

  • What’s new in Gutenberg 14.0? (31 August)

  • Performance team meeting summary 30 August 2022

  • Module Proposal: Database Performance Health Checks

  • WooCommerce Blocks 8.4.0 Release Notes

  • My WooCommerce vs. Shopify Speedrun

  • WooCommerce 6.9 Beta 2

    • With the latest version of WooCommerce Blocks, the beta versions of the Cart & Checkout blocks are now available for use within WooCommerce Core.

  • WordPress Community Engagement: The best WordPress accounts to follow on Twitter

  • Plan to update WooCommerce block templates

  • WordPress Leadership has a Public Relations Problem

🔐Security

As always, security affects everyone and everything, including WordPress and the tools we use daily while working with it.

  • LastPass developer systems hacked to steal source code

  • Cloudflare maintenance on Sept 7th!

  • Dashlane Launches Passkey Support!

    • What are Passkeys?

  • Over 1,800 Android and iOS Apps Found Leaking Hard-Coded AWS Credentials

  • Final Thoughts on Ubiquiti - Krebs

  • Experts Find Malicious Cookie Stuffing Chrome Extensions Used by 1.4 Million Users

  • Listen: Patchstack Weekly #38: What is Your Time to Patch?

  • Facebook agrees to settle class action lawsuit related to Cambridge Analytica data breach

  • Twilio Breach Also Compromised Authy Two-Factor Accounts of Some Users

  • Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center

  • Mac users urged to update Zoom, after security patch released for previously-flawed security patch

  • Signal - Encrypted Messaging Service Hack Exposes Phone Numbers

  • PayPal Phishing Scam Uses Invoices Sent Via PayPal

💼Business

Bizness.

  • 7 decisions that improved my freelance business

🔗Misc News

This doesn’t belong here.

  • ARM Architecture Keeps Trending in 2022

  • Cloudflare Support Portal gets an overhaul


✍Content Updates

Live Blog!

I’ve been trying to get more into live blogging the issues and struggles I face daily as I love doing it and feel it provides value to people also dealing with the same issues. Check it out!

WPGuide - Live Blog

How admin-ajax.php sucks!

I wrote a short article on how plugin developers use admin-ajax.php for both front-end and back-end AJAX queries, which can cause performance issues for any site. I started listing plugins currently using this method; PixelYourSite was the first plugin I encountered but not the last.

» WordPress Plugins utilizing admin-ajax.php causing Performance Issues

Removing Litespeed Caching Plugin Warning About Other Plugins

Litespeed made an update that now puts an admin notice up whenever you have a plugin that might conflict with the LSCache plugin installed.

» Removing Litespeed Caching Plugin Warning About Other Plugins

Locking Down your WordPress site with Cloudflare WAF Rules

I wrote an article on how to lock down your WordPress site using Cloudflare. You can do this with the free plan. There is also a Bash script on GitHub that I’ve started working on to help deploy the rules automatically to sites on your Cloudflare account; however, it’s a WIP.

» Locking Down your WordPress site with Cloudflare WAF Rules

Dealing with High CPU Usage on your WordPress Server

The title sells itself. I started a draft on how to deal with high CPU usage on a server with multiple WordPress sites.

» Dealing with High CPU Usage on your WordPress Server


👩‍💻GitHub Repository Updates

managingwp/wordpress-code-snippets

  • Improved ajax-log.php a ton, logging those bad admin-ajax.php calls!

  • Turn your post titles into links with post-title-permalink.php

managingwp/wp-shelltools

  • Was originally gp-tools, but universal support for everything is now the goal, so the repository was renamed to wp-shelltools.

  • Created attackscan.sh, which will scan your OLS and Nginx logs for top requests and for common WordPress resource attacks.

managingwp/cloudflare-wordpress-rules

  • Created a shell script to automate creating firewall rules within Cloudflare.

jordantrizz/zshbop

  • This newsletter forced me to release v2.4.0 of my ZSH shell script.

  • Lots of awesome changes!


📁Featured Projects

Snicco

Calvin, who is a regular in the GridPane Self-Managed WordPress Facebook group, has a monorepo with a ton of great projects to improve WordPress for developers.

Snicco on GitHub

Submit a Project!

If you know of a project around managing WordPress, let us know!


💸LTDs (Affiliate Links)

Some are Plus-exclusive deals; Plus is a yearly subscription on AppSumo.

  • Lots of stuff leaving AppSumo (Affiliate Links)

  • WordPress Specific

    • SliceWP

    • WP 301 Redirects

    • EWWW Image Optimizer

    • Just Review

    • Bit Integrations

    • WP Reset Team Plan

    • WP Maintenance

    • Kali Forms

  • DinoRank

  • Screpy

  • Blurweb.app

  • BackupSheep

👊Feedback/Suggestions

I want to hear from you! I’m always looking to improve this newsletter! Let me know your thoughts!

Submit Feedback
