This is malware

  • This plugin is a classical malware:
    1) it acts hidden: it integrates in WordPress core, don’t identificate itself for site owner, don’t allow any management of it’s activity or control for site owner.

    2) It secretly and non-stop (every minute) allocates all server resources displacing all useful processes like processing user’s requests and all others too. It slow down site in times. From my experience “server response time” decreased from 7-8s to 1,2s just as I started to limit this malware, but I still can’t stop or remove it completely (there is no woocommerce on my site, but I believe that it were the result would be more impressive).

    3) It acts as extension to WordPress’s wp_cron service. All that it does can be done under pure wp_cron but not hidden and without slowing down site. So, it’s crear to understand that if some other plugin use Scheduled Actions it does it only to hide something from site owner eyes or/and slow down site (probably to upsale pro version that acts without Scheduled Actions.

    4) There is no way how to completely stop neither uninstall it neither remove it’s actions neither it’s wp_cron task.

    5) It’s impossible just to short circle some functions in it to stop it’s working – it’s code made the way that it break site down if someone try to stop it. I have found the way to limit it’s activity but can’t stop it completely.

    6) All question to developers regarding this behavior return with answer like “it runs as we wish, keep enjoying slow down your site” or buy our other plugins or employ us to find why your site is slow down. Explanations about clear difference with Scheduled Actions working as they with and limited they just ignore.

    I strictly advice plugin developer run a mile of this malware otherwise site owners have to remove already your plugins accusing already you in the fatal slow of their sites and probably with criminal charge (at least in EU).

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Barry

    (@barryhughes-1)

    This plugin is a classical malware.

    Of course, we disagree entirely.

    Action Scheduler is not malware, and our team is not in the business of producing malware. We’re all deeply invested in WordPress, its community and ecosystem—and the idea we would knowingly cause harm is offensive.

    In case it helps others, I’ll also just point out that there is a closely related forum thread over here, in which we’ve already addressed some of the key points raised in the current version of this review. So, rather than go through the individual points you raised here one-by-one, I’ll just make a few observations:

    • Action Scheduler is a library, like many other libraries, that other pieces of software can decide to use if they feel it will help them to achieve their goals.
    • Lots of plugins, including our very own WooCommerce, do just that. With 5+ million active installs to its name, that means Action Scheduler is in use on a lot of websites—and that’s just WooCommerce: many other popular WordPress plugins also include it.
    • Given the above, if it was causing widespread disruption across the WordPress ecosystem, I’d expect there to be many more threads and reviews like this one than actually exist … web hosts in particular would not shy away from letting us know that it’s claiming all their resources. The reality is, it runs well and without issue for the overwhelming majority.
    • Clearly, the fact it is in such widespread use suggests many plugin teams also have faith in it and understand it offers more than WP Cron can provide, else why would they use it? Certainly, they don’t decide to use it on a whim: it’s because it offers them (and therefore their users) an advantage.

    By itself, Action Scheduler doesn’t really do much, and doesn’t sit there consuming all the server’s resources: if nothing is waiting to be processed, it quickly hands back control.

    Action Scheduler simply offers a pipeline for getting work done. It means a plugin author can decide to defer something (sending an email, or updating some stats, or really whatever they want) so that the current request is not unduly slowed down. Of course, generally speaking, the work still needs to happen—and if too much work is deferred, or the size of the workload is excessive, then that can lead to problems.

    However, that’s entirely in the control of plugin authors, and essentially the same thing is true even if Action Scheduler is taken out of the picture (stick around long enough, and you are sure to come across a case where a plugin attempts to handle intensive workloads on every single request).

    All question to developers regarding this behavior return with answer like “it runs as we wish, keep enjoying slow down your site” or buy our other plugins or employ us to find why your site is slow down. Explanations about clear difference with Scheduled Actions working as they with and limited they just ignore.

    I’m not sure where this is coming from or what you are referring to.

    Clearly, you weren’t happy when you last interacted with us, but we also didn’t suggest you go out and buy additional plugins or propose that everything was fine in your case. Perhaps you are at least partly referring to your interactions with other teams besides our own?

    What I will say though is that, on our side, we always want to hear from our users and learn how we can do better. Now, the support forums here on www.remarpro.com are not our preferred channel, but, as you can tell, we do still monitor them and respond.

    If you want to request extra resources or documentation to help you exercise finer control over the way Action Scheduler runs, please feel free to research existing open and closed issues, or raise new ones of your own if needed.

    We should gather all together and ask www.remarpro.com to do change the policy when it comes to this kind of review! No one in a healthy mind would suspect that a team with some history behind, and live products in the repository – being that stupid to smuggle malware in their own plugin!

    I was reading https://actionscheduler.org/ while trying to optimize my DB, when I came across this plugin, and from all the contributions the guys gave – I got stunt the rating of the plugin was so low! It is shameful that one bad rating, based on “I am sure it is a scam because it looks like it” is legit to ruin peoples’ hard work.

    There should be an option to vote against bad (or good) reviews when they are not well-supported by concrete proofs.

    • This reply was modified 8 months, 2 weeks ago by lezgubeaux.
    Thread Starter Alexander Guskov

    (@forcesail)

    I believe that the community will pay attention to the terms and the figures of speech used in the comment and recognize and respond to this hate speech.

    kpdavis

    (@kpdavis)

    I have to say that I agree, this is malware, if not then it is very close.
    I have just been given an invoice generated from the application this generates for my CPU and RAM on the server. I did NOT want this plugin, I do not WANT this plugin and I cannot delete this plugin.

    All 3 tell me this is MALWARE

    Plugin Author Barry

    (@barryhughes-1)

    I have just been given an invoice generated from the application this generates for my CPU and RAM on the server.

    We’re sorry to hear it.

    Though it’s already been covered, I will again note that Action Scheduler exists primarily to function as a library that other plugins can choose to use, if they believe it will be helpful. We don’t force anyone to use it.

    Additionally, by itself, it shouldn’t incur much overhead at all. It is certainly possible for it to be overloaded but, if so, this is very much the sort of thing those plugins need to address. Action Scheduler just helps them to move work out of the critical path and process it later … the scale and nature of that work, however, is not something it controls.

    I did NOT want this plugin, I do not WANT this plugin and I cannot delete this plugin.

    Right, but that is again because it is a library that some of your plugins depend on. Generally, one wouldn’t delete a required library from an application: it would stop it from working. If you have concerns about the way some of your plugins are using Action Scheduler, you need to speak to their teams.

    If you don’t know which plugins are using it, take a look at the Tools ? Scheduled Actions screen and look at the hook names: these often provide a pretty good clue.

    Calling it malware is ridiculous. Malware is created to intentionally run something harmful or is designed to reveal private information. Whether you like the way it operates or not, this is simply another way to schedule automated actions within WordPress.

    Is it better than WP CRON? It is probably a better concept since WP CRON can fail for a number of common reasons, and can overload a rarely-visited site with actions before it displays anything if it does run. Having said that, disabling WP CRON and using a server scheduled CRON is a simpler method of ensuring that automation occurs without overload.

    The downsides to Action Scheduler is that it steadily fills up the database with cancelled, failed and completed entries and there is no simple built-in automated option to flush the scheduler – an additional plugin needs to be installed to handle this. Many of our WP databases are twice as big as they used to be simply due to Action Scheduler. We have additional work added to remove the gigabytes across our many sites that is taken up simply from over-active persistent logging of Action Scheduler.

    Personally I’d rather have the option of choosing CRON or Action Scheduler, than being forced into this method, and on some of our sites we have experienced recurring issues with some plugins having continuing failed scheduled items and have been unable to resolve them – in the end we have simply removed the plugins or moved to an alternative plugin. And at times we’ve had to entirely delete Action Scheduler tables and re-install everything to get things working, taking many hours which we never had to do before.

    I may be wrong, but it does seem to increases the processing footprint on sites.

    I can’t say I’m a fan so far.

    Thread Starter Alexander Guskov

    (@forcesail)

    @gpenglase it’s very pity that you are not reader but writes instead. Were you reader the first you would read all detailed proofs and explanation why Action Scheduler is the clear malware:
    it has ALL properties of malware and all are detailed above.
    Please read before to write.

    According the classification Action Scheduler is a graymalware.
    https://en.wikipedia.org/wiki/Malware

    Other point is that it always good to get know how works what you are writing about. And it’s described above too:
    Action Scheduler is not an alternative for CRON and a parasitic superstructure over CRON, that in contrast with CRON can NOT be stoped, paused and it’s IMPOSIBLE to get rid of it.
    It comes with some plugins. You never install it buy yourself. So you can’t chose.
    Another point is that it’s not a plugin as it is but a malware that comes with a number of plugins. And, ever if you manage to hack it out from one – Action Scheduler malware from another one works for all.

    The only thing that this superstructure over CRON does that CRON doesn’t – leaks the performance?of the site. All other can be developed using just CRON.



Viewing 7 replies - 1 through 7 (of 7 total)
  • You must be logged in to reply to this review.