Beware what WordPress plugins may hide

While I was doing a Google page speed check to see if I could optimize my site speed, I noticed the below script being called, and I had never seen it before. They say the best things in life are free, but in this case a free cache plugin was actually doing the opposite of what it was meant to do. It was meant to optimize and speed up my site, not install very dense JavaScript tracking and ad code. The sheer density and its cookie usage shocked me.

WordPress plugin malware

I could not believe a WordPress plugin developer would hide a horrible tracking script like this in a plugin that a webmaster would least suspect could cause harm. Of all my plugins there were only 2 that I suspected could be injecting this JS into my site, and I highly doubted it was Async JS and CSS. I have used Async JS and CSS in the past and have never noticed this. It turned out the culprit was WP-HTML-COMPRESSION by Steven Vachon.

After I removed it and did a new PageSpeed test, I noticed the below JS URL wasn't showing up any longer in the PageSpeed results. I hope WordPress bans people that do this kind of thing, because Google uses page speed and other optimization factors, and when people hide JS in plugins that causes sites to load slowly, Google in turn may not rank that site as high as it deserves. When I scanned through the code, I noticed calls to iframes and width=100%, which can only hint that the script can embed anything in my site.
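The before/after check described above (load the page with the plugin active, remove it, load it again) can be scripted so the comparison does not depend on spotting a URL in a speed report. This is an added example, not code from the original post; the hosts `example.org` and `tracker.invalid` and both HTML snapshots are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class EmbedCollector(HTMLParser):
    """Collect (tag, host) for every <script src> and <iframe src>."""

    def __init__(self):
        super().__init__()
        self.embeds = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or empty frame: no remote host to record
        host = urlparse(src.strip()).hostname  # also resolves //host/path
        if host:  # relative URLs have no host and are first-party
            self.embeds.add((tag, host.lower()))


def third_party_embeds(html, site_host):
    """Embeds whose host is neither the site nor one of its subdomains."""
    collector = EmbedCollector()
    collector.feed(html)
    site = site_host.lower()
    return {(tag, host) for tag, host in collector.embeds
            if host != site and not host.endswith("." + site)}


def injected_by_plugin(html_active, html_removed, site_host):
    """Third-party embeds that disappear once the plugin is removed."""
    return (third_party_embeds(html_active, site_host)
            - third_party_embeds(html_removed, site_host))


# Constructed snapshots of the same page, saved before and after removal.
WITH_PLUGIN = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script async src="//tracker.invalid/t.js"></script>
</head><body><iframe src="https://ads.tracker.invalid/f" width="100%"></iframe>
<script src="https://cdn.example.org/lib.js"></script></body></html>"""
WITHOUT_PLUGIN = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<script src="https://cdn.example.org/lib.js"></script></body></html>"""

if __name__ == "__main__":
    for tag, host in sorted(injected_by_plugin(WITH_PLUGIN, WITHOUT_PLUGIN, "example.org")):
        print(f"<{tag}> loaded from {host} only while the plugin is active")
```

It only sees embeds present in the served HTML; tags that a script adds at runtime need a snapshot of the rendered DOM from a browser instead.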


It turns out regular websurfers are complaining about the script on