Pagespeed is a major factor when it comes to SEO. We all know that. Google Lighthouse is the magic reference to get it to 100 out of 100. Since it can be a tricky task, there are many specialized freelancers on Upwork who can help improve your pagespeed.
Personally, I know a thing or two about pagespeed optimization, but I have reached a wall. And this wall stays at 80 out of 100 on Google Lighthouse.
In this post I am sharing my personal experience with a freelancer on Upwork who faked our Google Pagespeed results without us noticing it.
We do not know if he does this to all his clients. I only mentioned our findings briefly in some Facebook Groups, and we have received quite a lot of messages asking about details. They have also worked with Antonio and knew it was fake – but they did not find his method.
Therefore, here we are. I hope this post helps you.
How an Upworker faked Google Pagespeed Results
Quick Background Story
In February 2021 I posted a job offer on Upwork. The “Speed Guy”, named Antonio, applied for the job. He promised a perfect score and a complete money-back guarantee if I am not happy. Well, perfect!
Note: I changed the original name of the freelancer. Every customer of his knows his real name.
See below his first message:
—–
My name is ******, perhaps better known as “The Speed Guy.”
I am the only freelancer on Upwork that offers a 95+ PageSpeed Score, a blazing fast website, AND adaptive optimizations guarantee. You can go through all the other proposals to verify.
– Guaranteed Results: 95+ PageSpeed and GTMetrix score and a super-fast website, or I will provide a FULL refund. If you are unhappy for ANY reason, I will issue a FULL refund.
– Adaptive optimizations: This means the optimization will survive all updates and future modifications to the website.
– All website functionality stays the same.
– My website gets 95+ on PageSpeed Insights. Expect the same result for your website.
– Don’t take my word for it. See my profile for client reviews. https://links.****
– Still got questions? Here is my FAQ page: https://****
Would you be able to send me your website address so I can run a quick assessment, outline how I can help you improve the performance, and send you a quote?
Looking forward to working with you.*****
—–
His second message was:
Thanks for getting back to me with your website link. I have analyzed your website thoroughly and made a report.
Performance Report:
Hosting: Host Europe (Heg Mass)
CDN: N/A
Web Server: Apache
TTFB: 1.6 seconds
Fully Loaded Time: 7 seconds
I know it can get confusing, so I promise to use as little jargon as I can:
1. Initial Response Time (Jargon: TTFB): Whenever someone visits your website, under the hood, your browser talks to the site and says “Hello”. If the site replies after 3 seconds, that is called a TTFB of 3 seconds.
2. Image Optimization (Jargon: Serving images in next-gen WebP formats, deferring off-screen images): On average, images take up around 70% of a website’s total size. We need to compress all existing images to have the best file size possible, serve a modern image format called “WebP” to the supported web browsers, all while maintaining image quality. We also need to load images as they become visible by user scrolling to them rather than just loading everything at once, which is called deferring off-screen images. And also, we need to set up a system to automatically do these for all future images that you may add.
3. Slowdown by scripts (Jargon: Render-blocking CSS and JavaScript, Minify CSS/JavaScript): In a nutshell, render-blocking scripts are scripts that prevent or block the page from starting rendering. I see a lot of render-blocking scripts on the site that is slowing down the render start time for viewport HTML. These scripts need proper optimization and reprioritization.
4. Bloated scripts (Jargon: Unused CSS and JavaScript): The website is using only a small portion of the script files that are loaded. A large chunk of code from these scripts remain unused, and that is impacting the website performance. If we get rid of these unused scripts, the website will load much faster.
5. Compression (Jargon: deflate, gzip, and brotli compression): Compression is pretty much what it sounds like. Compressing a file makes it smaller. A large percentage of the files on the website are served without any compression technique. Ideally, the files need to be served with gzip, deflate, or brotli compression. Brotli is the most reliable but needs server-level support.
6. Caching (Jargon: Full Page, Browser, Object, and Database caching): You will notice that a lot of pages on your website serve the same content to all visitors. Despite this, WordPress generally discards any similarity and regenerates the same thing from scratch for each new visitor.
Proper caching implementation is crucial for the good performance of any WordPress website. Currently, I see although there are some traces of caching on some of the files on your site, there is no effective caching system in place.
7. CDN (Content Delivery Network): Your website does not seem to be using a Content Delivery Network (CDN). A free CDN like Cloudflare can drastically improve your website’s user experience and performance. A CDN works by offloading the static files on your site (e.g. images, JavaScript/CSS files) to a globally distributed network of servers. It provides tremendous performance benefits to end-users because now the network packet travel path is much shorter since the static files load from the nearest CDN server.
8. HTTP/2: Most files on your website still use the aging HTTP/1.1 protocol to transfer requests. HTTP/2 is the latest version of the web protocol and allows many improvements, including parallel requests, prioritization, pipelining, etc.
Current Performance Test:
PageSpeed Insights:
Mobile: 15
Desktop: 50
Guaranteed results:
– Load time under 2.5 seconds
– 95+ PageSpeed Insights score on both Mobile and Desktop.
– Blazing fast website. Unhappy for any reason? Get a full refund.
Quote:
Complete WordPress-side optimization: $300
Delivery time: 72 hours or less.
My optimization will survive all updates and will last a very long time. You can see my FAQs page for more clarification: https://******
Access needed:
To get started with this project, I will need the following access:
1. WordPress administrator access.
2. Hosting account access (cPanel/Plesk/SSH, or whatever you have. Or at least FTP).
3. Cloudflare access. (More below on how to initially setup a free Cloudflare account)
If you need my email: mail@***.**
Cloudflare setup:
Here is the instruction for creating a Cloudflare account and changing the website’s nameservers to complete the initial setup:
1. Create a Cloudflare account here: https://dash.cloudflare…….
2. When you are signed up, add your website there.
3. Choose the free plan.
4. You need to change your nameservers from your domain control panel.
5. Make sure the Cloudflare account email is verified.
When you are done, just send me the logins or grant me access to your Cloudflare account (mail@***.**)
If you are unsure about any step, please let me know. We can screen-share, or I can change the nameservers for you if you provide me access to your domain control panel.
Please, let me know if I can help you with any more information.
Looking forward to working with you on this project.
Best,
Long story short, I hired him. We worked together on the pagespeed, I assisted with the typical access and logins, cloudflare setup and such.
After one week he did not get the results and our pagespeed was fluctuating between 60 and 99 – all the time. I was not satisfied with his work and he got upset. However, he promised to fix it – since he had to honor his guarantee. After 2 more weeks, he was able to fix it and sent me the following message:
Good morning.
Finally, I have been able to make the server-side cache completely disabled on the fly using Cloudflare Workers. And this is done with NO effect on the website’s performance. 😀
I had to consult with **** engineers from my former workplace (******) to diagnose why the host was not respecting the no-cache headers set by Cloudflare Workers. Together we analyzed the .htaccess file generated by the server and also the Error files.
Turns out, this is a rather simple thing. The hosting is configured to use NGINX proxy-pass variable, while 99.99% servers use NGINX fastcgi-pass variable for static caching. I completely overlooked that possibility. I just had to change one line of code, and it all worked!!
I am feeling very good now because this is finally resolved for good. We were nearly opening a dispute and I had been very rude to you as well. I was just burned out from all the trying. Please accept my sincere apologies for all my behavior. The thing is, I had never faced such an issue before where the host does not want to disable cache even for certain cookies. I had been working on this solution for many nights, I don’t even know how many, lol. I have learned a lot from this project and this will definitely help me in the long-term should I face any such issue.
For all your trouble, I would like to provide you 6 months of FREE follow-up optimization should the PageSpeed of the site drop for any reason. PageSpeed Insights is due to go through an update in August, if that slows down our website, I will do a follow-up optimization free of charge. I would be very grateful if you accept my token of appreciation. 🙂
I have been constantly testing the site for the last 12 hours, and this seems 100% stable now.
Please, feel free to take your time and review this.
This is where the story should end, but well….
Our Google Pagespeed was consistently at 99/ 100 – for both mobile and desktop. Wonderful, perfect!
I always had a feeling that something was not working well, but since we discussed so much, and we had the paid Cloudflare service and pretty much any caching in the world, I forgot about it and moved on. Basically, I ignored my bad feeling – which was not a good idea.
6 Months later, we needed to optimize another website
6 months after the optimization with Antonio, I once again needed to optimize a website. The site was slow, it was frustrating. I reached out to Antonio with no luck.
Only because he did not respond, my CTO and I looked into the settings and code from Antonio. Our goal was actually to understand what he did, so we could redo it on our other sites. We noticed that the results from GTMetrix were different from Google Lighthouse.
We began to consider that Antonio was faking these results. With this more open mind, we began going deeper.
Our Research Process
We were going to remove his outer layers of optimization to reach the core – peeling it like an onion.
First, we paused cloudflare to see the result. It did not slow down the site! Meaning, Cloudflare did not have an impact on our Pagespeed – according to Google Speed testing.
In one of his reports he sent to us, he said, he is using the plugin “w3 total cache”. It is a famous caching plugin. Therefore, the next step was to disable it and check the result. Verdict: It did not slow down; surprisingly.
Then we took a look at our htaccess file. As you can see, Antonio mentioned chrome-lighthouse|dareboost|pingdom. This is already a red flag.
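A check for this red flag, as an added example that is not part of the original post: it scans an .htaccess file for rewrite conditions on the User-Agent that name speed-testing tools. The sample file, its rewrite target and the token list beyond chrome-lighthouse, dareboost and pingdom are constructed assumptions, since the post's own file is only shown as a screenshot.

```python
import re

# Tokens that identify speed-testing tools rather than real visitors. The first
# three are the ones the post found in its .htaccess; the rest are assumptions.
TEST_TOOL_TOKENS = ("chrome-lighthouse", "dareboost", "pingdom", "gtmetrix", "pagespeed")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed sample, not the file from the post; the target path is hypothetical.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (chrome-lighthouse|dareboost|pingdom) [NC]
RewriteRule ^$ /wp-content/cache/static-home.html [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
"""


def find_ua_cloaking(htaccess_text):
    """Return one finding per User-Agent RewriteCond that names a test tool.

    Each finding holds the line number, the tokens matched, and the target of
    the RewriteRule the condition applies to (the next RewriteRule in the file).
    """
    findings = []
    pending = []  # flagged conditions seen since the last RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inactive
        cond = COND_RE.match(line)
        if cond:
            pattern = cond.group(1).lower()
            hits = [t for t in TEST_TOOL_TOKENS if t in pattern]
            if hits:
                pending.append({"line": lineno, "tokens": hits, "target": None})
            continue
        rule = RULE_RE.match(line)
        if rule:
            for finding in pending:
                finding["target"] = rule.group(2)
            findings.extend(pending)
            pending = []
    findings.extend(pending)  # flagged condition with no rule after it
    return findings


if __name__ == "__main__":
    for f in find_ua_cloaking(SAMPLE_HTACCESS):
        print(f"line {f['line']}: {', '.join(f['tokens'])} -> {f['target']}")
```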
Our next steps were disabling the following WordPress plugins:
- a3 Lazy Load
- EWWW Image Optimizer
- Plugin Organizer
- Plugin Organizer CriticalCSS Helper
That worked!! Our page slowed down from 90 to only 25.
Now we had to see which plugins of the 4 had the impact. The following two did not play any role in his faking scores:
- a3 Lazy Load
- EWWW Image Optimizer
But, this one had:
- Without “Plugin Organizer CriticalCSS Helper”, the result was 75 / 97
- With “Plugin Organizer CriticalCSS Helper” the result had an impressive 97/ 100
Oddly enough, this Plugin organizer settings page does not exist on our backend. When you install a plugin, there should be a settings page like the one in the screenshot below.
This plugin helps to disable plugins on certain pages. That is all it does; usually. It seems he removed the page, so no one can access the plugin from the backend.
This add-on is actually not related to “Plugin Organizer” at all. He created a plugin with the name “Plugin Organizer CriticalCSS Helper”. Research on Google showed that this plugin does not exist. We couldn’t find any trace of it. It also doesn’t have an update button. The version is 12.8.9. It is impossible that a plugin in version 12 does not exist on the whole internet.
Within this plugin, he added critical CSS code.
But he didn’t do it right (and didn’t intend to do it right at all). His intention was to put a layer on the page while Google analyzes it, to fix all CSS warnings on Google.
As you can see, Google is not seeing the site correctly. See the screenshot below. It clearly shows a page without any CSS. When I asked Antonio about this, he said this was normal. Once again, I ignored my own experience and bad feeling.
Back to the .htaccess file: It is interesting to notice that once we deactivated the “w3 total cache” plugin, the code within .htaccess was removed.
That means the code in the .htaccess is being added by w3 total cache.
We installed w3 total cache on another site, but that piece of script didn’t appear. Then we noticed the version of the installed plugin is different. The W3 Total Cache on WordPress is 2.1.6, whilst the one Antonio installed is 7.1.0.
We assume he downloaded w3 total cache and modified it, so he could inject his code into .htaccess, and then added another plugin under the name of Plugin Organizer CriticalCSS Helper to fool Google in the CSS sections.
In conclusion, Antonio modified two plugins:
- Plugin Organizer CriticalCSS Helper
- W3 Total Cache
There are two more things we found out:
1 – In the file below, he commented out line #67, so the settings page of this plugin was not visible and could not be accessed – as mentioned before:
/wp-content/plugins/plugin-organizer/lib/PluginOrganizer.class.php
After removing his comment markers, the settings page is visible and accessible here:
https://*******.com/wp-admin/admin.php?page=Plugin_Organizer
2 – He manually set the versions in the plugin files to big numbers, so the plugins don’t ask for updates.
This explains why his W3 Cache version was so “advanced” at 7.1.0.
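Both findings above leave a trace in the plugin headers, so they can be audited on disk. The following is an added example, not code from the original post: it reads the `Version:` header of each installed plugin and flags plugins that are unknown upstream or claim a version newer than any published release. The helper plugin's slug, the a3 Lazy Load version and the reference table are constructed assumptions; the versions 7.1.0, 12.8.9 and 2.1.6 are the ones the post reports.

```python
import re


def read_plugin_header(php_source):
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin file header."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$",
                      php_source, re.MULTILINE | re.IGNORECASE)
        fields[key] = m.group(1).strip() if m else None
    return fields


def version_tuple(version):
    """'7.1.0' -> (7, 1, 0), so versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_plugins(installed, published):
    """installed: {slug: main plugin file source}; published: {slug: latest version}.

    Returns (slug, installed_version, reason) for every suspicious plugin.
    """
    findings = []
    for slug, source in sorted(installed.items()):
        version = read_plugin_header(source)["Version"]
        if slug not in published:
            findings.append((slug, version, "not in plugin directory"))
        elif version and version_tuple(version) > version_tuple(published[slug]):
            findings.append((slug, version, "newer than any published release"))
    return findings


def _header(name, version):
    # Builds a constructed plugin header for the sample data below.
    return f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n"


# Constructed sample data. In practice the reference versions would come from
# the official plugin directory, checked from a machine you trust.
SAMPLE_INSTALLED = {
    "w3-total-cache": _header("W3 Total Cache", "7.1.0"),
    "plugin-organizer-criticalcss-helper": _header("Plugin Organizer CriticalCSS Helper", "12.8.9"),
    "a3-lazy-load": _header("a3 Lazy Load", "2.4.3"),
}
SAMPLE_PUBLISHED = {"w3-total-cache": "2.1.6", "a3-lazy-load": "2.4.3"}

if __name__ == "__main__":
    for slug, version, reason in audit_plugins(SAMPLE_INSTALLED, SAMPLE_PUBLISHED):
        print(f"{slug} {version}: {reason}")
```

A flagged plugin should be replaced with a fresh copy from the official source rather than edited back, since a raised version number also stops the update notices that would otherwise overwrite the tampered files.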
Moving on, he changed the default list of mobile agents in plugin organizer and added a few of his own, including Chrome-Lighthouse and Chrome/86.04240.193, lighth and even pingdom.
How to manipulate Google Lighthouse?
The main code for fooling Google is in .htaccess, while the plugin he created only serves to fool the preview and the CSS error messages on Google Pagespeed.
Default list of mobile agents in plugin organizer:
He changed the list to:
(These are the user agents of different speed analyzers)
He used Plugin Organizer to detect user agents and direct them to the CSS in the critical CSS add-on, which he made himself.
He created the criticalcss plugin and put the very simple html version of the site in this folder.
When lighthouse analyzes the site, it gets that broken version of the site without any CSS. This way, he could get the perfect 100 score for mobile and desktop.
What google sees:
Because even if you disable w3 total cache, there isn’t any major impact on lighthouse scores.
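The cloaking described in this section can be detected from the outside, without access to the server, by requesting the same URL as a normal browser and as a testing tool and comparing what comes back. This is an added example, not code from the original post; both user-agent strings and both sample pages are constructed, and the 50% threshold is an assumption chosen to tolerate ordinary variation between two fetches.

```python
import re
import urllib.request

# Constructed user agents; the second carries the "Chrome-Lighthouse" token
# the post found in the modified user-agent list.
BROWSER_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
LIGHTHOUSE_UA = BROWSER_UA + " Chrome-Lighthouse"

# Constructed sample responses: what a visitor gets vs. what a test tool gets.
SAMPLE_BROWSER_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/site/style.css">
<link rel="stylesheet" href="/wp-content/plugins/shop/shop.css">
<script src="/wp-includes/js/jquery.js"></script>
<script src="/wp-content/themes/site/app.js"></script>
</head><body><img src="/hero.jpg"><img src="/team.jpg"><p>Welcome to our shop.</p></body></html>"""
SAMPLE_TOOL_HTML = """<html><head><style>body{margin:0}</style></head>
<body><p>Welcome to our shop.</p></body></html>"""


def fetch(url, user_agent, timeout=15):
    """Download a page while presenting the given User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def page_profile(html):
    """Count the resources that make a page heavy for a speed test."""
    return {
        "stylesheets": len(re.findall(r"<link\b[^>]*rel=[\"']?stylesheet", html, re.I)),
        "scripts": len(re.findall(r"<script\b", html, re.I)),
        "images": len(re.findall(r"<img\b", html, re.I)),
        "bytes": len(html.encode("utf-8")),
    }


def compare_profiles(browser_html, tool_html, min_ratio=0.5):
    """Return the reasons the tool's copy looks like a stripped-down page."""
    browser, tool = page_profile(browser_html), page_profile(tool_html)
    reasons = []
    for key, seen in browser.items():
        if seen > 0 and tool[key] < seen * min_ratio:
            reasons.append(f"{key}: browser={seen} tool={tool[key]}")
    return reasons


def check_site(url):
    """Live check: fetch the URL with both user agents and compare."""
    return compare_profiles(fetch(url, BROWSER_UA), fetch(url, LIGHTHOUSE_UA))


if __name__ == "__main__":
    for reason in compare_profiles(SAMPLE_BROWSER_HTML, SAMPLE_TOOL_HTML):
        print("differs ->", reason)
```

An empty result from `check_site` on your own URL does not prove the scores are honest, because a cloaking rule can key on other tokens or on IP ranges; a non-empty result is a strong reason to inspect .htaccess and the plugin files.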
The Cherry on the Cake: He tried to install his Ads on our website
During the end of our work, I received an email by Google Search Console about new ads on our website. Well, say what? I had to confirm this new email address associated with the ads.
It was not mine, not the one from my partners nor CTO.
I immediately checked the code. Antonio was the only one having access besides us. I contacted Antonio right after. Once again, he said he was testing something with the ads and speed. This was a massive red flag, but since I have good training in it, I ignored it once again. I removed the code and that was it.
Have a look at the screenshot below:
One more cherry on the same cake
After I contacted Antonio and confronted him, he obviously denied everything. I insisted on a refund, and although he denied, he agreed to the refund. I did not hear anything back anymore.
1 day later, my servers received heavy DDoS attacks for 48 hours.
Now, I cannot say it was Antonio doing the DDoS attack, but knowing his work, I know he has these skills, no doubt about it. It could be a coincidence, right?
Well, we managed the DDoS attack and recovered. No lasting harm was done.
2 days later, the infamous Antonio got kicked out of Upwork.
Conclusion for me: Trust your Gut and Act Faster
In hindsight, I should have followed my gut and demanded an explanation of the tech behind these 99 out of 100 Google Page speed results. I did not. I was blinded by that golden number, maybe even impressed. Maybe some part of me did not even want to know the actual code behind it?
It was a mistake not questioning it. The final scam of trying to add advertising to our website should have been the last red flag. I did not do anything, except warning him. In hindsight, I should have stopped the collaboration immediately, reported him to Upwork and moved on with a better freelancer.
To those saying “when you pay peanuts, you get monkeys“, well, in this case I could have hired someone much cheaper.
Avoid the freelancers that guarantee you a +95 score in the Lighthouse test. They use the “Fake Lighthouse Scores” method. This does not work – I heard this several times, and in this case it is certainly true.
Obviously, this does not mean it is impossible.
My takeaway is, I have to check this type of work myself – it really helps to understand the technical part behind it. But, as you can see, it is not a guarantee.
Hi there,
I know exactly what you’ve experienced as I had to deal with the exact same person… Upwork sent me a notification 2 weeks ago saying he was banned indefinitely.
My questions are the following:
– what did you do – (how) did you clean his mess?
– and can his cloaking affect our SERPs, or is it just a way to trick Page Speed Insights? I don’t want to risk a Google penalty because of him!
Thanks a lot in advance. And thank you so much for publicly talking about it!
Hi Antoine,
Yes, the guy got banned, fortunately for all of us.
– what did you do – (how) did you clean his mess?
I found another great guy on Upwork I vetted before. He took care of it.
– and can his cloaking affect our SERPs, or is it just a way to trick Page Speed Insights? I don’t want to risk a Google penalty because of him!
There is a debate about it. Some would go that far and say, tricking Google is a good thing and since Google thinks your website is fast, it rewards you. Personally, I do not think it is a good idea to trick Google. It’s always best to think long-term.
For the moment being, I think there is no SERP penalty. But better be safe than sorry, in case you are running a long-term business as well.
Good luck with cleaning up this mess and your speed!
Matt
Hello Matt, thanks A LOT for your reply.
One thing I do not understand: how is Google being tricked doing this? It only tricks test sites like Page Speed Insights but Google relies on real-life data (users’ data) to determine the speed of my site if I’m not mistaken.
I think the only person being tricked here was me as Google does not rely on lab data if I’ve understood correctly.
What do you think of this? Am I wrong?
Is there any chance you could recommend the guy that cleaned the mess? As… I mean, Antonio, had stellar reviews + made quite a bunch of money of Upwork, so there was no way for me to detect the scam. The curse of all non-technical people such as myself, I guess.
I look forward to your reply. Thanks again for the first one.
Hi Antoine,
Google Lighthouse is an official site of Google, so some SEOlers argue that this way you can trick Google. Basically what these “fakers” do is adding the correct agent to the backend. So when Google Lighthouse comes, it shows a different version – instead of the real version.
I am completely with you. In my opinion, Google checks real-life data. In my opinion, you can only fool the person hiring a “speed guy”, but at the end of the day, you won’t have any technical benefits from it or sales, whatsoever. I see no point in faking these stats.
Unfortunately I cannot publicly recommend anyone, sorry about this. Post a job about page speed on Upwork and for sure some great people come along. Ask them if they are familiar with this post of mine – many are – and then they can start cleaning up the mess our friend Antonio left us with.
Do not worry too much about being scammed as a non-tech guy. I am a kind of tech-guy, and he fooled me big time as well. As I wrote, I was most likely blinded by the golden number of 100/100.
Good luck and don’t give up,
Matt
Hey!
Thanks a lot for your reply. Yes, it makes no sense to rely on lab data when you have real-life data. To me PSI is simply given to us to improve our websites according to Google’s standards.
About hiring someone, I found a few people, waiting for answers.
Thanks again, talk soon!
Hey mate,
Idk why people take gsp seriously, even Google PageSpeed Insights doesn’t actually measure speed! It’s also possible to get 100 scores & have an excruciatingly slow website.
Google’s tool only measures a technical checklist of items that loosely correlate to speed. Not only that, but it’s also missing a whole bunch of wins like HTTP, DNS hosting speed, DNS hosting protocol support & the speed of the 301 redirect you are using on your site.
Tricking Google or not: Just check the Chrome UX Report and you know whether you’re having a good speed experience or not:
https://robindirksen.com/tools/chrome-user-experience-report
Alternatively, you can set up a dashboard by yourself using the PSI API.
Cheers, Ruslan!
Enjoyed reading
Best View i have ever seen !