Autoptimize ‘suspicious javascript code’ warning

Autoptimize combines the JavaScript that is added by your theme & plugins (and WordPress core) James, so one of those is (or was) adding suspicious code. Try disabling JS aggregation to see if a specific JS-file is identified. You might have to try different pages, as most plugins only add JS on pages where the plugin is active).

hope this clarifies,
frank

Thanks for your reply Frank. I do understand what you’re saying, that it’s not the plugin, one of the aspects it is combining.

I did test the scanner by disabling JS optimising (but maintaining the HTML and CSS) optimisation and that did actually sort the problem, seemingly. Once JS was turned off, it reported no errors. Could it be because when the code itself is combined, it seems suspicious?

Either way, I will follow your advice to try different pages and see what happens.

Thank you again for your help.

Best wishes,

James

Could it be because when the code itself is combined, it seems suspicious?

can’t say with 100% certainty, but I would be surprised if that would be the case, as a lot of sites would get flagged that way?

you can always try the “don’t aggregate but defer” and “defer inline JS” options, which might actually be better from a performance point of view? ??

Yeah, I think you’re right. All the other websites I have built that use your plugin would all have the same issue as well, which they don’t.

It’s also odd that when I removed the combining, the error went, which suggests that the individual js scripts weren’t a problem either. You’d think the problem has to be somewhere.

I’ll try the defer option at some point to see if that helps. The website is lightweight enough that even without deferring the js, the performance penalties aren’t too great, thankfully.

Thanks so much for your input.

so what would be interesting to know; does the problem re-appear when “aggregate JS” is back on and if so can you save the contents of one or more flagged JS-files to a github gist or pastebin paste so I can review the contents?

Apologies for the delayed reply! So I’ve just switched the js optimisation on again and completed the same scan as before. Here’s a link to the three files which are marked as suspicious by the pcrisk.com scan.

https://drive.google.com/drive/folders/1hLK3KjKcrKKKAxzI3im-2aZYNh127GHL?usp=sharing

I’ve had to do them as Google Docs, rather than pastebin or anything like that.

I just thought I’d say that I have switched it off again, since I want to avoid the website being perceived as malicious. Looking forward to your feedback. Thanks!

Based on the contents of the warning in your original post (“Detected encoded JavaScript code commonly used to hide suspicious behaviour”) and the JS source, my money is on the JS which even has the string “suspiciousStrings” in it and which indeed also does encoding. The likely culprit; wp-content/plugins/popup-builder/public/js/PopupBuilder.js, can you try excluding wp-content/plugins/popup-builder/ from JS optimization and test if that makes the warnings go away?

So that has had a positive effect. Thanks so much for the feedback. The new scan shows only one file that is the issue now, rather than three. I’ve added the newest error in a new document to the same Google Drive folder. What do you think this one is?

Thanks so much again for your help!

that’s the same wp-content/plugins/popup-builder/public/js/PopupBuilder.js, which is now excluded but is still minified by AO as the original file is not. untick the “minify excluded js/ css” option (near the bottom of the screen) and that warning should disappear too.

Hi. So I followed your advice and it did result in no suspicious files, which is in itself great. I of course missed the option, with it being at the bottom of the page.

The only issue now (which perhaps might not have much to do with the plugin) is that it is now marked as blacklisted by the pcrisk scanner, where it wasn’t before. I’ll see what I can do about that.

Thanks again for the help.

It would make sense for them to limit the amount of scans for a domain per time unit (24h), so maybe that’s what’s happening.

Also, I see “The scanner crawlers are blocked by the web application firewall on this domain/website. The scan result could be incomplete.” -> did you activate cloudflare bot fighting mode maybe?

You might be right. As it happens, I checked and bot fighting mode is not active. It perhaps is something else. Either way, I hope it will sort itself out, as there just isn’t anything I can see as being wrong.

Thanks so much for your support in understanding why the issues were happening in the first place. I’m happy to mark this as resolved now, since the issues don’t seem to have anything to do with your plugin any more.

you’re welcome, feel free to leave a review of the plugin and support here! ??

Done ??