Warning: Rymera Web Plugins Might Crash Your Website

Update June 19, 2019: Some high traffic sites also reported crashed databases several months ago…

This post is a public warning about plugins released by Rymera Web, an agency from Australia.

Recently we’ve had to blacklist (ban) all Rymera Web plugins from LittleBizzy, and our underlying SlickStack server script due to poor coding that was causing database thrashing.

Specifically, Rymera Web plugins — most if not all of them that we checked — generate WP cron jobs solely for the purpose of asking website owners to review their plugins on WordPress.org. One client of ours in particular had their WooCommerce Wholesale Prices plugin suite installed, and due to conflicts with (we believe) the rather standard Redis object caching, the plugin generated over 44,000+ wwp_cron_request_review cron jobs for this simple (and non critical) task of asking users for reviews.

“You never really learn much from hearing yourself speak.”

― George Clooney

Unfortunately this resulted in the client’s database repeatedly freezing up. Thankfully they were able to manually remove all cron jobs and other cruft from the database, and we then blacklisted all Rymera Web plugins, because they all seem to include this same event generation code, which is rather abusive of WP-Cron.

Normally I wouldn’t “go public” with this type of situation — in some cases, plugin authors have contacted us via the SlickStack Github repo or otherwise to find out how they could improve their plugins, and we’re happy to offer some advice when possible.

Unfortunately in this case, Rymera founder Josh Kohlbach refused to listen to our suggestions and doubled down, telling several of our clients that our servers had caused the database thrashing instead of his code, and telling them to move to a different web host… he also tried to instruct some of our clients how to “hack” our plugin blacklist system to try and re-enable his plugins… yikes! Not very cool, amigo.

Instead of reviewing his code for potential problems, Kohlbach immediately accused us of implementing a non-standard cron schedule that was calling his event thousands of times. Turns out, SlickStack only uses the standard WP-Cron that’s included in WordPress. Even if we did have a custom crontab that called /wp-cron.php several times each day, it still wouldn’t explain why his plugins don’t realize that the cron is already scheduled, and then duplicate it thousands more times into the future.

From the official documentation:

Another important note is that WP-Cron is kind of naive when scheduling tasks. Tasks are driven by the hook provided for the task, however if you call wp_schedule_event() multiple times, even with the same hook name, the event will be scheduled multiple times. If your code adds the task on each page load this could result in the task being scheduled several thousand times. Probably not a great idea. WordPress provides a convenient function called wp_next_scheduled() to check if a particular hook is already scheduled.

Now it’s certainly possible (in a theoretical world) that some type of javascript conflict could exist between Rymera plugins and the MU Plugins that are included as part of SlickStack — and perhaps this could explain why Rymera’s nag notices were reappearing at times, or other UI-related issues like that.

But ultimately if they had followed best practices as published by WordPress.org, or maybe did not abuse WP-Cron in the first place just to nag users for reviews, it wouldn’t be an issue.

Apologies accepted via email, social media, public speeches, and check or money orders ;)