All in One SEO Plugin Turns on Automatic Updates without Notifying Users, Removes Functionality in Latest Release

Buried in the changelog of a series of minor releases that dropped before the Christmas holiday, All in One SEO plugin users were given the surprise gift of automatic updates. After a seemingly endless run of releases (12 updates during a span of six weeks at the end of 2020), the plugin’s developers decided to change its auto update policy so that it defaults to “on.” The plugin is installed on more than 2 million WordPress sites.

Version 4.0.8, released December 21, 2020, flipped on automatic updates without notifying users of the change. Despite having auto updates turned off for the plugin, many users discovered the change when they were notified by email that their sites had been updated without permission.

Frustrated users took to the plugin’s support forums to report the issue and find out how it was possible.

“Multiple sites have updated to 4.0.11 without my permission and while all auto updates are disabled,” one user said. “I/we do not want to hear that ‘it shouldn’t happen’ and we are looking into.

“Your once reliable plugin has destroyed hundreds of pages of social meta data on multiple sites, broken layout (and this after I fixed the problems and told you last week, I will be disabling all updates).”

Others commented on the issue, citing problems with a previous major release as the source of many bugs that followed.

“The rollout of version 4, and auto-updating without any chance to backup first was a blunder by AIOSEO,” plugin user Derek Haines said. “It has cost me hours, days, and now weeks to fix the problems caused.”

The All in One SEO plugin team apologized for the inconvenience users experienced but said they could not reproduce it on their end. The plugin’s settings page has a toggle for auto updates but it is just a wrapper for WordPress’ auto updater.

“I just wanted to give you an update and let you know that we’ve decided to remove our own auto-update functionality altogether since this issue seems to be happening on a limited amount of websites and we aren’t able to reproduce it on our end,” Arnaud Broes said.

The problem was also discussed in the Advanced WordPress Facebook group.

“All In One SEO Pack apparently turned auto updates on, and in a few cases I found sites where those updates failed,” Eric Karkovack reported. “I had no idea they were turned on and in one case a site was inaccessible.”

Karkovack noted that there was only a small mention in the changelog, despite the plugin liberally using the dashboard notification UI for sales.

William Earnhardt, WordPress core contributor and developer at Bluehost, offered some insight as someone who has worked on core as well as plugins installed on a massive scale.

“In my experience if you are weighing the two options, auto-updates prevent significantly more issues and support requests than they create,” Earnhardt said. “So I’m strongly in the camp of enabling them by default, with a mechanism for preventing or disabling for those who prefer (core makes this possible with filters and now with per-plugin UI).

“I think when making these decisions, we as developers have to consider what is best for the broadest number of users and be realistic about the type of users we have. If a user is already not updating plugins regularly, it is unlikely they are going to have the awareness to flip a toggle to turn auto-updates on. So opt-in makes them mostly useless.”

Earnhardt agreed that notifying users of the change would have been a good idea, but admin notices are already “frequently abused and quite noisy.”

“It would likely be missed if not persistent, but really should only show after the update and then go away,” he said. “Is that enough when combined with a note in the changelog? Probably for most, but I’m sure some would disagree.”

As promised nine days ago, All in One SEO’s developers have now removed the functionality from the plugin in its first update of 2021, version 4.0.12 released today. It is noted in the changelog: “Fixed: Completely remove auto updates wrapper to let WordPress handle updates.”
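
WordPress core exposes the `auto_update_plugin` filter that Earnhardt alludes to, and it runs after the stored per-plugin setting has been read, so a site owner can use it to keep the final say. The must-use plugin below is an added example, not code from this article or from All in One SEO; the plugin basename in it is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Pin plugin auto-updates (added example)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins
 * and cannot be deactivated from the dashboard.
 */

// Hypothetical placeholder basename ("folder/main-file.php").
// Replace with the basenames of the plugins you want to update by hand.
const PINNED_PLUGINS = array(
	'example-seo-plugin/example-seo-plugin.php',
);

/**
 * Refuse automatic updates for pinned plugins, whatever was decided earlier.
 *
 * @param bool|null $update Decision so far (stored setting plus earlier filters).
 * @param object    $item   Update offer; $item->plugin holds the plugin basename.
 * @return bool|null False for pinned plugins, otherwise the decision unchanged.
 */
function pin_plugin_auto_updates( $update, $item ) {
	if ( empty( $item->plugin ) || ! in_array( $item->plugin, PINNED_PLUGINS, true ) ) {
		return $update; // Not pinned: leave the existing decision alone.
	}

	if ( $update ) {
		// The dashboard toggle or another filter had switched this on.
		// Record it so an unexpected change of policy is visible in the logs.
		$version = isset( $item->new_version ) ? $item->new_version : 'unknown';
		error_log(
			sprintf(
				'Blocked automatic update of %s to version %s (plugin is pinned).',
				$item->plugin,
				$version
			)
		);
	}

	return false;
}

// PHP_INT_MAX priority: run after filters registered by the plugins themselves.
add_filter( 'auto_update_plugin', 'pin_plugin_auto_updates', PHP_INT_MAX, 2 );
```

Pinned plugins still show available updates in the dashboard and can be updated manually after a backup; only the unattended update path is blocked.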

16 responses to “All in One SEO Plugin Turns on Automatic Updates without Notifying Users, Removes Functionality in Latest Release”

  1. “I think when making these decisions, we as developers have to consider what is best for the broadest number of users and be realistic about the type of users we have. If a user is already not updating plugins regularly, it is unlikely they are going to have the awareness to flip a toggle to turn auto-updates on. So opt-in makes them mostly useless.”

    It seems that, once again, where automatic updates are involved, developers forget Freedom 0:

    “The freedom to run the program as you wish

    The freedom to run the program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job and purpose, without being required to communicate about it with the developer or any other specific entity. In this freedom, it is the user’s purpose that matters, not the developer’s purpose; you as a user are free to run the program for your purposes, and if you distribute it to someone else, she is then free to run it for her purposes, but you are not entitled to impose your purposes on her.”

  2. I’d also note that, looking at the changelog, this plugin had several updates in a very short period of time. Perhaps more security but also more chances for things to break.

    My hope is that plugin/theme authors really take users into account. Inform them of what’s going on and what’s best practice. Don’t just force these things without communication. It’s almost always going to backfire.

    • Another reason why plugins update often is because both users and plugin search on w.org take into account when was the plugin last updated. It is marketing.

      Developers know it is better to release less updates, less often. We try to ship mature and tested code. This way it is easier to spot problems and we do not constantly spam admin dashboard with updates.

      The thing is, good coding practices are not always good for marketing. I am reasonably sure AIO SEO prefer marketing and sales to stability and reason.

      Come to think of it, I should put on our site that one of the advantages of our SEO plugin is we do spam updates, especially garbage like readme updates.

      • Pierre, I’d never considered that part of it – thanks for sharing!

        Perhaps the answer would be to not provide incentives in the .org repository searches. How that could be accomplished, I’m not sure. Maybe the results are weighted differently.

        There’s probably only so much you can do to discourage the behavior. But ultimately this kind of backlash may be the best way to do it.

    • AIOSEO seems to update weekly. I wonder exactly what they are changing or if they just publish updates so that their plugin appears up to date.

  3. Maaaybe wanna tweak this headline. It sounds like they enabled auto update and then removed useful other features. Which sounds way more nefarious than enabling then disabling auto update. Still wrong, but I was expecting more pitchforks, haha.

  4. For hosts auto updates looks like switch that says “enable to make more money and ruin someone else’s day” and like… but what’s the downside!?

    As a user why should I tolerate my things being broken by someone for the sake of improving nebulous average case out there?

    And that’s already happening, my last WP host’s automated updates system broke updates for me, because my case wasn’t perfectly average.

    Auto updates aren’t about average, they are about the worst thing that they can and will do to someone. In WordPress people are being awful casual about that and hiding behind average isn’t advocating for users’ benefit here.

  5. This seems like very strange functionality to include in a plugin like this. If someone wanted automatic updates to be turned on, then presumably they’d turn them on. There’s no need for their SEO plugin to be handling this sort of thing for them.

  6. WordPress desperately needs:

    1) A common one place where plugins install itself and not bloating the other interfaces. Or have the ability of the users to arrange its place if they want – if they don’t want the plugin to stuff things on the top bar or on the main root menu sidebar, they should be able to move that in a folder where it belongs. I am sorry but this anarchy should stop once and for all.

    2) A system wide notification place for all notifications only there the same way Notification Center works for Mac or whatever it is called for Windows. Even Windows did the right thing.

    I am tired of bloatware, clients refuse to install ANY plugins thanks to this. I know that it is playing good in the basket of Gutenberg [the idea that plugins should not be installed], but in the same way it stiffs the development of plugins.

  7. I was a big proponent of this plugin. But, when I discovered that the plugin was acquired by that guy from Awesome Motive I knew it was time to start looking for another SEO plugin, as he already ruined a pretty popular Google Analytics plugin in the past. My suspicions have been confirmed. The moral of the story is that acquisitions are usually a bad sign for a product because for the new owner the tool is simply a new additional way to make money and expand his portfolio. Now I use The SEO Framework in all the sites I manage.

    • Glad to have you on board. As I mentioned in other comment here, we do not plan to turn automatic updates, especially because we do not even think any plugin should have option to toggle this by itself.

      We also do not “spam updates” just to look busy. Silly.

      Again, thank you for picking us from the bunch!

    • I came here to make a similar comment as @Bastian. I read the post, then remembered that AI1SEO recently was sold but I couldn’t recall by whom. When I looked it up, it all clicked. That guy and his company are some of the biggest abusers of WP dashboard alerts, and frequent “updates” that don’t really add/change anything or that could certainly be combined into a single, less-frequent update. I steer clear of anything from this company.

  8. I have commented this in the past, here and other places…….automatic updates are bad.

    1) You, as the admin of your site, should be there in front of your computer/laptop/etc…and do the updates, to fix things in case the update(s) screw up your site.
    2) If you offer site maintenance for clients and all you do is rely on automatic updates then you are not really maintaining your site.

    Imagine if Amazon were to rely on automatic updates for whatever runs their site and things go down.

    No plugin or theme should ever turn ON automatic updates.

  9. I think this story also needs to look at wider context. WordPress core, for example, pushes automatic updates – and has used this in the past not just to push limited-scope security patches, but whole new features (e.g. the privacy features in 4.9.6 – https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-release/). Some core team members are in favour of promoting automatic updates as much as possible. So whilst I disagree in principle with forcing automatic updates on users, I think it might be a bit harsh of WPTavern to single out one plugin vendor when the same practice is part of every core WP install and more of such things is part of the core roadmap. If there’s an issue here, then it’s not a new initiative from this plugin (which personally I have no relationship to and don’t recall if I’ve ever used).

    • You make good points, David. When I brought up this plugin, I didn’t necessarily intend to single it out as the sole offender. It just happened to be the one that caused me problems personally with a site breaking.

      To me, the broader question is how do we as users want plugin/theme authors to handle automatic updates? Is it acceptable to turn them on without notice? Should WordPress encourage or even allow this practice?

      And honestly I’m fine with WordPress core doing this in most cases. I’d trust them to do no harm – even though there is always a risk.

      With plugins or themes, anyone can push one out and there are varying degrees of quality. So now we are having to trust not just the core team, but other developers as well. I think a line needs to be drawn here between what core and plugins/themes can do.
