Manipulating Google Lighthouse Results - Scam by Upwork Freelancer

Pagespeed is a major factor when it comes to SEO. We all know that. Google Lighthouse is the magic reference to get it to 100 out of 100. Since it can be a tricky task, there are many specialized freelancers on Upwork who can help improve your pagespeed.

Personally, I know a thing or two about pagespeed optimization, but I have reached a wall. And this wall stays at 80 out of 100 on Google Lighthouse.

In this post I am sharing my personal experience with a freelancer on Upwork who faked our Google Pagespeed results without us noticing it.

We do not know if he does this to all his clients. I only mentioned our findings briefly in some Facebook Groups, and we have received quite a lot of messages asking about details. They have also worked with Antonio and knew it was fake – but they did not find his method.

Therefore, here we are. I hope this post helps you.

How an Upworker faked Google Pagespeed Results

Quick Background Story

In February 2021 I posted a job offer on Upwork. The “Speed Guy”, named Antonio, applied for the job. He promised a perfect score and a complete money-back guarantee if I am not happy. Well, perfect!

Note: I changed the original name of the freelancer. Every customer of his knows his real name.

See below his first message:

—–

My name is ******, perhaps better known as “The Speed Guy.”

I am the only freelancer on Upwork that offers a 95+ PageSpeed Score, a blazing fast website, AND adaptive optimizations guarantee. You can go through all the other proposals to verify.

– Guaranteed Results: 95+ PageSpeed and GTMetrix score and a super-fast website, or I will provide a FULL refund. If you are unhappy for ANY reason, I will issue a FULL refund.
– Adaptive optimizations: This means the optimization will survive all updates and future modifications to the website.
– All website functionality stays the same.
– My website gets 95+ on PageSpeed Insights. Expect the same result for your website.
– Don’t take my word for it. See my profile for client reviews. https://links.****
– Still got questions? Here is my FAQ page: https://****

Would you be able to send me your website address so I can run a quick assessment, outline how I can help you improve the performance, and send you a quote?

Looking forward to working with you.*****

—–

His second message was:

Thanks for getting back to me with your website link. I have analyzed your website thoroughly and made a report.

Performance Report:
Hosting: Host Europe (Heg Mass)
CDN: N/A
Web Server: Apache
TTFB: 1.6 seconds
Fully Loaded Time: 7 seconds

I know it can get confusing, so I promise to use as little jargon as I can:

1. Initial Response Time (Jargon: TTFB): Whenever someone visits your website, under the hood, your browser talks to the site and says “Hello”. If the site replies after 3 seconds, that is called a TTFB of 3 seconds.

2. Image Optimization (Jargon: Serving images in next-gen WebP formats, deferring off-screen images): On average, images take up around 70% of a website’s total size. We need to compress all existing images to have the best file size possible, serve a modern image format called “WebP” to the supported web browsers, all while maintaining image quality. We also need to load images as they become visible by user scrolling to them rather than just loading everything at once, which is called deferring off-screen images. And also, we need to set up a system to automatically do these for all future images that you may add.

3. Slowdown by scripts (Jargon: Render-blocking CSS and JavaScript, Minify CSS/JavaScript): In a nutshell, render-blocking scripts are scripts that prevent or block the page from starting rendering. I see a lot of render-blocking scripts on the site that are slowing down the render start time for viewport HTML. These scripts need proper optimization and reprioritization.

4. Bloated scripts (Jargon: Unused CSS and JavaScript): The website is using only a small portion of the script files that are loaded. A large chunk of code from these scripts remains unused, and that is impacting the website performance. If we get rid of these unused scripts, the website will load much faster.

5. Compression (Jargon: deflate, gzip, and brotli compression): Compression is pretty much what it sounds like. Compressing a file makes it smaller. A large percentage of the files on the website are served without any compression technique. Ideally, the files need to be served with gzip, deflate, or brotli compression. Brotli is the most reliable but needs server-level support.

6. Caching (Jargon: Full Page, Browser, Object, and Database caching): You will notice that a lot of pages on your website serve the same content to all visitors. Despite this, WordPress generally discards any similarity and regenerates the same thing from scratch for each new visitor.
Proper caching implementation is crucial for the good performance of any WordPress website. Currently, I see although there are some traces of caching on some of the files on your site, there is no effective caching system in place.

7. CDN (Content Delivery Network): Your website does not seem to be using a Content Delivery Network (CDN). A free CDN like Cloudflare can drastically improve your website’s user experience and performance. A CDN works by offloading the static files on your site (e.g. images, JavaScript/CSS files) to a globally distributed network of servers. It provides tremendous performance benefits to end-users because now the network packet travel path is much shorter since the static files load from the nearest CDN server.

8. HTTP/2: Most files on your website still use the aging HTTP/1.1 protocol to transfer requests. HTTP/2 is the latest version of the web protocol and allows many improvements, including parallel requests, prioritization, pipelining, etc.

Current Performance Test:
PageSpeed Insights:
Mobile: 15
Desktop: 50

Guaranteed results:
– Load time under 2.5 seconds
– 95+ PageSpeed Insights score on both Mobile and Desktop.
– Blazing fast website. Unhappy for any reason? Get a full refund.

Quote:
Complete WordPress-side optimization: $300
Delivery time: 72 hours or less.

My optimization will survive all updates and will last a very long time. You can see my FAQs page for more clarification: https://******

Access needed:
To get started with this project, I will need the following access:

1. WordPress administrator access.
2. Hosting account access (cPanel/Plesk/SSH, or whatever you have. Or at least FTP).
3. Cloudflare access. (More below on how to initially setup a free Cloudflare account)

If you need my email: mail@***.**

Cloudflare setup:
Here are the instructions for creating a Cloudflare account and changing the website’s nameservers to complete the initial setup:

1. Create a Cloudflare account here: https://dash.cloudflare…….
2. When you are signed up, add your website there.
3. Choose the free plan.
4. You need to change your nameservers from your domain control panel.
5. Make sure the Cloudflare account email is verified.

When you are done, just send me the logins or grant me access to your Cloudflare account (mail@***.**)

If you are unsure about any step, please let me know. We can screen-share, or I can change the nameservers for you if you provide me access to your domain control panel.

Please, let me know if I can help you with any more information.

Looking forward to working with you on this project.

Best,

Long story short, I hired him. We worked together on the pagespeed, I assisted with the typical access and logins, Cloudflare setup and such.

After one week he did not get the results and our pagespeed was fluctuating between 60 and 99 – all the time. I was not satisfied with his work and he got upset. However, he promised to fix it – since he had to honor his guarantee. After 2 more weeks, he was able to fix it and sent me the following message:

Good morning.

Finally, I have been able to make the server-side cache completely disabled over-the-fly using Cloudflare Workers. And this is done without NO effect on the website’s performance. 😀

I had to consult with **** engineers from my former workplace (******) to diagnose why the host was not respecting the no-cache headers set by Cloudflare Workers. Together we analyzed the .htaccess file generated by the server and also the Error files.

Turns out, this is a rather simple thing. The hosting is configured to use NGINX proxy-pass variable, while 99.99% servers use NGINX fastcgi-pass variable for static caching. I completely overlooked that possibility. I just had to change one line of code, and it all worked!!

I am feeling very good now because this is finally resolved for good. We were nearly opening a dispute and I had been very rude to you as well. I was just burned out from all the trying. Please accept my sincere apologies for all my behavior. The thing is, I had never faced such an issue before where the host does not want to disable cache even for certain cookies. I had been working on this solution for many nights, I don’t even know how many, lol. I have learned a lot from this project and this will definitely help me in the long-term should I face any such issue.

For all your trouble, I would like to provide you 6 months of FREE follow-up optimization should the PageSpeed of the site drop for any reason. PageSpeed Insights is due to go through an update in August, if that slows down or website, I will do a follow-up optimization free of charge. I would be very grateful if you accept my token of appreciation. 🙂

I have been constantly testing the site for the last 12 hours, and this seems 100% stable now.

Please, feel free to take your time and review this.

This is where the story should end, but well….

Our Google Pagespeed was consistently at 99/ 100 – for both mobile and desktop. Wonderful, perfect!

I always had a feeling that something was not working well, but since we discussed so much, and we had the paid Cloudflare service and pretty much any caching in the world, I forgot about it and moved on. Basically, I ignored my bad feeling – which was not a good idea.

6 Months later, we needed to optimize another website

6 months after the optimization with Antonio, I once again needed to optimize a website. The site was slow, it was frustrating. I reached out to Antonio with no luck.

Only because he did not respond, my CTO and I looked into the settings and code from Antonio. Our goal was actually to understand what he did, so we could redo it on our other sites. We noticed that the results from GTMetrix were different from Google Lighthouse.

We began to consider that Antonio was faking these results. With this more open mind, we began going deeper.

Our Research Process

We were going to remove his outer layer of optimization to reach the core – peeling like an onion.

First, we paused Cloudflare to see the result. It did not slow down the site! Meaning, Cloudflare did not have an impact on our Pagespeed – according to Google Speed testing.

In one of the reports he sent to us, he said he is using the plugin “W3 Total Cache”. It is a famous caching plugin. Therefore, the next step was to disable it and check the result. Verdict: It did not slow down; surprisingly.

Then we took a look at our .htaccess file. As you can see, Antonio mentioned chrome-lighthouse|dareboost|pingdom. This is already a red flag.

Our next steps were disabling the following WordPress plugins:

  • a3 Lazy Load
  • EWWW Image Optimizer
  • Plugin Organizer
  • Plugin Organizer CriticalCSS Helper

That worked!! Our page slowed down from 90 to only 25.

Now we had to see which plugins of the 4 had the impact. The following two did not play any role in his faking scores:

  • a3 Lazy Load
  • EWWW Image Optimizer

But, this one had:

  • Without “Plugin Organizer CriticalCSS Helper”, the result was 75 / 97
  • With “Plugin Organizer CriticalCSS Helper” the result had an impressive 97/ 100

Oddly enough, the Plugin Organizer settings page does not exist on our backend. When you install a plugin, there should be a settings page like the one in the screenshot below.

This plugin helps to disable plugins on certain pages. That is usually all it does. It seems he removed the page, so no one can access the plugin from the backend.

This add-on is actually not related to “Plugin Organizer” at all. He created a plugin with the name “Plugin Organizer CriticalCSS Helper”. Research on Google showed that this plugin does not exist. We couldn’t find any trace of it. It also doesn’t have an update button. The version is 12.8.9. It is impossible that a plugin in version 12 does not exist on the whole internet.

Within this plugin, he added critical CSS code.

But he didn’t do it right (and didn’t intend to do it right at all). His intention was to put a layer on the page while Google analyzes it, to fix all CSS warnings on Google.

As you can see, Google is not seeing the site correctly. See the screenshot below. It clearly shows a page without any CSS. When I asked Antonio about this, he said this was normal. Once again, I ignored my own experience and bad feeling.

Not a normal Preview by Google Lighthouse – No CSS? A red flag

Back to the .htaccess file: It is interesting to notice that once we deactivated the “W3 Total Cache” plugin, the code within .htaccess was removed.

That means the code in the .htaccess is being added by W3 Total Cache.

We installed W3 Total Cache on another site, but that piece of script didn’t appear. Then we noticed the version of the installed plugin is different. The W3 Total Cache on WordPress is 2.1.6, whilst the one Antonio installed is 7.1.0.

We assume he downloaded W3 Total Cache and modified it so he could inject his code into .htaccess, and then added another plugin under the name of Plugin Organizer CSS helper to fool Google in the CSS sections.

In conclusion, Antonio modified two plugins:

  1. Plugin Organizer CriticalCSS Helper
  2. W3 Total Cache

There are two more things we found out:

1 – In the file below, he commented out line #67, so the settings page of this plugin was not visible and could not be accessed, as mentioned before:

/wp-content/plugins/plugin-organizer/lib/PluginOrganizer.class.php

After removing his comment markers, the settings page is visible and accessible here:

https://*******.com/wp-admin/admin.php?page=Plugin_Organizer

2 – He manually set the versions in the plugin files to big numbers, so the plugins don’t ask for updates.

This explains why his W3 Cache version was so “advanced” at 7.1.0.
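An inventory check that would have flagged both modified plugins, written here as an added example that is not code from the original post. The version numbers are the ones quoted above; the helper plugin's slug, the `example-plugin` entry, the header layout and the `published` mapping (slug to latest version in the WordPress.org plugin directory, assumed to be collected separately) are assumptions.

```python
import re

def header_field(php_source, field):
    """Read one field (e.g. 'Version') from a WordPress plugin header comment."""
    m = re.search(rf"^[ \t/*#]*{re.escape(field)}:[ \t]*(\S.*?)[ \t]*$",
                  php_source, re.M | re.I)
    return m.group(1) if m else None

def version_key(version):
    """'7.1.0' -> (7, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version or ""))

def audit_plugin(slug, php_source, published):
    """Classify one installed plugin against `published` (slug -> latest version)."""
    installed = version_key(header_field(php_source, "Version"))
    if slug not in published:
        return "unknown-plugin"    # no upstream copy to compare with: read the code
    latest = version_key(published[slug])
    if installed > latest:
        return "version-ahead"     # newer than any release: header likely edited
    return "update-available" if installed < latest else "ok"

def audit_all(installed, published):
    return {slug: audit_plugin(slug, src, published)
            for slug, src in installed.items()}

# Constructed inputs: main-file headers as they might appear on disk.
PUBLISHED = {"w3-total-cache": "2.1.6", "example-plugin": "1.4.0"}
INSTALLED = {
    "w3-total-cache":
        "<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: 7.1.0\n */\n",
    "plugin-organizer-criticalcss-helper":
        "<?php\n/*\nPlugin Name: Plugin Organizer CriticalCSS Helper\n"
        "Version: 12.8.9\n*/\n",
    "example-plugin":
        "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.4.0\n*/\n",
}

if __name__ == "__main__":
    for slug, status in audit_all(INSTALLED, PUBLISHED).items():
        print(f"{slug}: {status}")
```

A version header only shows that something is off; to find edited files, compare them with the published release, for example with WP-CLI's `wp plugin verify-checksums --all`.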

Moving on, he changed the default list of mobile agents in plugin organizer and added a few of his own, including Chrome-Lighthouse and Chrome/86.04240.193, lighth and even pingdom.

How to manipulate Google Lighthouse?

The main code for fooling Google is in .htaccess, while the created plugin only serves to fool the preview and the CSS error messages on Google Pagespeed.

Default list of mobile agents in plugin organizer:

He changed the list to:
(These are the user agents of different speed analyzers)

He used Plugin Organizer to detect user agents and direct them to the CSS in the critical CSS add-on, which he made himself.

He created the criticalcss plugin and put the very simple HTML version of the site in this folder.

When Lighthouse analyzes the site, it gets that broken version of the site without any CSS. This way, he could get the perfect 100 score for mobile and desktop.

What google sees:

Because even if you disable w3 total cache, there isn’t any major impact on lighthouse scores.
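A way to check a site for the user-agent switching described above, as an added example that is not part of the original post: it compares what a browser receives with what an audit tool receives, and lists `.htaccess` lines that branch on an audit tool's user agent. The user-agent strings, the sample HTML, the sample rule and the 0.5 threshold are constructed assumptions; only the tokens come from the post.

```python
import urllib.request
from html.parser import HTMLParser

# Tokens the post found in the .htaccess rule and the edited mobile-agent list.
AUDIT_TOKENS = ("chrome-lighthouse", "lighth", "dareboost", "pingdom")
# Constructed user-agent strings (assumptions, not values from the post).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36"
AUDIT_UA = BROWSER_UA + " Chrome-Lighthouse"

class _Counter(HTMLParser):
    """Counts the resources that make a page expensive to render."""
    def __init__(self):
        super().__init__()
        self.counts = {"stylesheet": 0, "script": 0, "img": 0}
    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" in rel:
            self.counts["stylesheet"] += 1
        elif tag in ("script", "img"):
            self.counts[tag] += 1

def fingerprint(html):
    parser = _Counter()
    parser.feed(html)
    return dict(parser.counts, bytes=len(html.encode()))

def cloaking_signals(browser_html, audit_html, min_ratio=0.5):
    """Reasons the audit-tool response is much lighter than the browser one."""
    b, a = fingerprint(browser_html), fingerprint(audit_html)
    return [f"{k}: browser={b[k]} audit={a[k]}"
            for k in ("stylesheet", "script", "img", "bytes")
            if b[k] and a[k] < b[k] * min_ratio]

def htaccess_ua_rules(text):
    """.htaccess lines that branch on an audit tool's user agent."""
    return [ln.strip() for ln in text.splitlines()
            if "user_agent" in ln.lower().replace("-", "_")
            and any(t in ln.lower() for t in AUDIT_TOKENS)]

def fetch(url, user_agent):
    """Live use: fetch once with BROWSER_UA and once with AUDIT_UA."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed samples: browser response, audit-tool response, one .htaccess rule.
BROWSER_HTML = ('<head><link rel="stylesheet" href="a.css"><link rel="stylesheet" '
                'href="b.css"><script src="app.js"></script></head>'
                '<body><img src="hero.jpg"><img src="p.jpg"><p>Shop</p></body>')
AUDIT_HTML = "<body><p>Shop</p></body>"
HTACCESS = ("RewriteEngine On\n"
            "RewriteCond %{HTTP_USER_AGENT} (chrome-lighthouse|dareboost|pingdom) [NC]\n")

if __name__ == "__main__":
    print(cloaking_signals(BROWSER_HTML, AUDIT_HTML), htaccess_ua_rules(HTACCESS))
```

A difference between the two responses is a signal to investigate, not proof; open both versions side by side before drawing a conclusion.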

The Cherry on the Cake: He tried to install his Ads on our website

Toward the end of our work, I received an email from Google Search Console about new ads on our website. Well, say what? I had to confirm this new email address associated with the ads.

It was not mine, nor that of my partners or CTO.

I immediately checked the code. Antonio was the only one having access besides us. I contacted Antonio right after. Once again, he said he was testing something with the ads and speed. This was a massive red flag, but since I have good training in it, I ignored it once again. I removed the code and that was it.

Have a look at the screenshot below:

Ad Scam

One more cherry on the same cake

After I contacted Antonio and confronted him, he obviously denied everything. I insisted on a refund, and although he denied it, he agreed to the refund. I did not hear anything back after that.

1 day later, my servers received heavy DDoS attacks for 48 hours.

Now, I cannot say it was Antonio doing the DDoS attack, but knowing his work, I know he has these skills, no doubt about it. It could be a coincidence, right?

Well, we managed the DDoS attack and recovered. No lasting harm was done.

2 days later, the infamous Antonio got kicked out of Upwork.

Conclusion for me: Trust your Gut and Act Faster

In hindsight, I should have followed my gut and demanded an explanation of the tech behind these 99 out of 100 Google Page speed results. I did not. I was blinded by that golden number, maybe even impressed. Maybe some part of me did not even want to know the actual code behind it?

It was a mistake not to question it. The final scam of trying to add advertising to our website should have been the last red flag. I did not do anything, except warn him. In hindsight, I should have stopped the collaboration immediately, reported him to Upwork and moved on with a better freelancer.

To those saying “when you pay peanuts, you get monkeys“, well, in this case I could have hired someone much cheaper.

Avoid the freelancers that guarantee you a +95 score in the Lighthouse test. They use the “Fake Lighthouse Scores” method. This does not work – I heard this several times, and in this case it is certainly true.

Obviously, this does not mean it is impossible.

My takeaway is, I have to check this type of work myself – it really helps to understand the technical part behind it. But, as you can see, it is not a guarantee.

Matt
I enjoy Coffee, SEO and building things from scratch. I run several online sites, experienced in ad optimization and affiliate marketing.