Autoptimize & Trojan.Cryxos.2960: false positive

I’ve had a couple of reports of Bitdefender flagging optimized JS as infected by Trojan.Cryxos.2960. I investigated earlier today and this almost certainly is a false positive. If you want you can “solve” this hiccup by excluding wp-includes/js/imagesloaded.min.js from JS optimization.

Async Javascript: urgent update available

There’s an update for Async Javascript that needs your urgent attention. Update asap!

[Update] I was warned by WordFence about a vulnerability in Async JavaScript that was being actively exploited. Based on their input I updated the plugin to fix the bug. WordFence in the meantime published a post about this and other affected plugins and with regard to AsyncJS writes:

Async JavaScript’s settings are modified via calls to wp-admin/admin-ajax.php with the action aj_steps. This AJAX action is registered only for authenticated users, but no capabilities checks are made. Because of this, low-privilege users including Subscribers can modify the plugin’s settings.

Similar to Flexible Checkout Fields above, certain setting values can be injected with a crafted payload to execute malicious JavaScript when a WordPress administrator views certain areas of their dashboard.

Autoptimize 2.7 with Critical CSS integrated, beta out

The title says it all; I just pushed the first beta of Autoptimize 2.7 which has some small fixes/ improvements but which most importantly finally sees the “Autoptimize CriticalCSS.com power-up” fully integrated.

Next to the actual integration and switching to object-oriented for most (but not all) of AOCCSS files, there are some minor functional changes as well, most visible ones being buttons to clear all rules and to clear all jobs from the queue.

I hope to be able to release AO27 officially in April, but for that I need the beta thoroughly tested off course. Most important part to test is the critical CSS logic obviously, so if you have the power-up running, download/ install the beta and simply disable the power-up to have Autoptimize fill that void (if the power-up is active, AO refrains from loading it’s own critical CSS functionality).

Music from Our Tube: King Krule – Alone, Omen 3

Wow …

The ache and thunder in the storms of your mind
Soak it in, for the rain will pass in time
Nothing wrong in sinking low
in the omen of paradise
You’re the ghost they put aside,

But don’t forget you’re not alone
Sometimes you’re stretched

King Krule - Alone, Omen 3
Watch this video on YouTube.

Autoptimize 2.6 released

I just released AO26, which comes with a bunch of new features, improvements and bugfixes.

  • New: Autoptimize can be configured at network level or at individual site-level when on multisite.
  • Extra: new option to specify what resources need to be preloaded.
  • Extra: add display=swap to Autoptimized (CSS-based) Google Fonts.
  • Images: support for lazyloading of background-images when set in the inline style attribute of a div.
  • Images: updated to lazysizes 5.2.
  • CSS/ JS: no longer add type attributes to Autoptimized resources.
  • Improvement: cache clearing now also integrates with Kinsta, WP-Optimize & Nginx helper.
  • Added “Critical CSS” tab to highlight the criticalcss.com integration, which will be fully included in Autoptimize 2.7.
  • Batch of misc. smaller improvements & fixes, more info in the GitHub commit log.

The release has been tested extensively (automated unit testing, manual testing on several of my own sites and testing by users of the beta-version on Github), but as with all software it is very unlikely to be bug-free. Feel free to post any issue with the update here or to create a separate topic in this forum.

Happy holidays to all!
frank