60 Comments

  1. Jim Walker

    Was a completely tragic episode IMHO.
    Like a bunch of guys got together late night around beers and remakes of “The Walking Dead” and said “hey, wouldn’t it be a cool idea if we just installed and activated stuff in our client’s WordPress dashboard without telling them…”

    And they next day they woke up from their hangovers and found out “one of the guys” actually did it…

    Report

    • Jeff Chandler

      You’ve got some crazy analogies, but they work. Yeah, just an unfortunate combination of circumstances. Easily preventable? Sure. But I hope other product companies and webhosts read what happened and realize it’s definitely not the way to introduce customers to a new product, especially for existing sites.

      Report

    • stratocentric

      If you think that is bad, wait until you wake up and realize wordpress is all part of google now.

      Report

  2. Ryan Hellyer

    They should install a “Godaddy plugin” in each new install. Then if they want to provide new features across their network, they can just stick it all in there rather than having to install new plugins.

    Report

  3. Keith Davis

    Hi Jeff
    “saw a bright orange button with the text Help Me”
    That would have frightened me to death, even on managed hosting.

    Won’t happen again I’m guessing.

    Report

  4. Ben Fox

    Ryan, that’s not a bad suggestion and almost all managed hosts do install a default set of MU plugins. Some are wrapped in one convenient plugin. Others are separate.

    Thanks for the suggestion.

    Report

    • Jeff Chandler

      Hah, was just thinking, what if hosts create a MU plugin but go the Jetpack route where new features or services are like modules inside the plugin? Maybe that’s one way to go?

      Report

      • Ipstenu (Mika Epstein)

        Don’t mind me, I’m just taking notes.

        My (personal) issue with an MU plugin comes from having moved people from WP Engine to anyone else, and the WP Engine mu plugin remains in the mu-plugin folder. There’s no obvious way to uninstall it.

        I know how to, of course, but for many people on managed hosting, the idea of FTPing in and deleting a file/folder is insane. And that’s fair. We all bill managed WP hosting as “You don’t need to know how to server.”

        So in my thoughts, any MU plugin should come with a notice “This was installed by your webhost (name). Don’t need it? Click here to delete!”

        Also being ‘approved in the WP repo’ doesn’t mean your code isn’t garbage or bloatware ;) Not that Sidekick is, but they shouldn’t use that as a marker for awesomeness. I hear there’s a RickRoll plugin in the repo.

        Report

      • Jeff Chandler

        With regular plugins, you can delete the files from the plugin management page, can you not also do that with MU plugins?

        Report

      • Ipstenu (Mika Epstein)

        Nope. It’s FTP/SSH or nothing.

        Report

      • Nick Adams

        Jeff, it might help to clarify that MU stands for “Must Use” and are plugins in a special directory that’s not there by default. It allows you to put a plugin on a site that can’t be disabled or removed without server access. It is often confused with WPMU, referring to Multisite plugins. Unrelated, but similar acronyms.

        Report

      • mikeschinkel

        @Nick Adams “Must Use” is a backronym. The /mu-pIugins/ directory originally were plugins for WPMU but in the WP3.0 merge of functionality they retconned the name to mean “Must Use Plugins.” FWIW.

        Report

      • Brin Wilson

        I suspect it’s not only some plugins that won’t be automatically deleted should one move away from a managed hosting — it may also be all the other ‘extra’ bits and bobs (like additional ‘config’ files) they sometimes put in various folders (like the site’s root folder) without mentioning mention. Sadly…

        Report

      • mikeschinkel

        @Mika – In case some people read your comments and get the takeaway that “MU Plugins = Always Bad” I want to mention that for sites that literally depend on the plugin to operate correctly then MU Plugins are the best solution and should not have a “delete me” option.

        Of course the use-case for mu-plugins I mention would never(?) occur in an auto-install for a hosting environment but instead when an agency builds a custom website and custom MU-plugin for a client. But I feel compelled to mention it here because of the surprising percent of cargo cultists in the world, e.g. people who will read about an issue that applies to an implied context and then believe it applies in all contexts *and* assert that same in comments, in forums and at WordCamps, whenever they get the chance. :)

        Report

      • Ipstenu (Mika Epstein)

        Oh gosh! I hope people know I love MU Plugins and I use them regularly to code things in a site that I don’t want the site Admins deleting.

        But that doesn’t make me ignorant of their issues, which primarily are users have NO idea how to turn them off (or remove them), and they DO NOT get auto-update alerts like normal plugins.

        They’re great. MU Plugins rock. Just … like Multisite, use them when you KNOW what you’re getting into, eh?

        Report

      • mikeschinkel

        @Mika – Of course, there are definitely concerns around MU-plugins for non-technical users who do not have a support team. But in the right context, you are right; they rock!

        Report

  5. EtherealMind

    This is why you should never do business with godaddy or media temple. My personal experience with both companies is simply tragic and awful.

    Migrate immediately.

    Report

  6. ifyouwillit

    Jeff, good recap of the situation. What a learning experience this has been. The great part about being a part of the WordPress community is that there’s never a lack of feedback, and for that, our development teams, communications teams, and everyone else at GoDaddy are thankful.

    While we were attempting to provide an additional value by including Sidekick, we made a mistake, shouldn’t have installed and activated the plugin on existing sites, communicated poorly, and caused some panic and distrust.

    We’ve taken every bit of info from the AWP thread back to the Managed WordPress team, and they’re making changes to our procedures to keep this from happening in the future. If you have more feedback, please inundate my inbox with your opinions, comments, and concerns (mendel@godaddy.com).

    We’ve done a ton this year to contribute to and serve the WordPress community, and I’m sure we’ll all learn new lessons about ourselves, our businesses, and our customers in 2015. While mistakes like these are never easy, I’m happy to be a part of a company that serves such an awesome community.

    Report

    • mhannigan

      You obviously haven’t been there for long. Godaddy is ruthless. Individual customers are absolutely meaningless to them. The only thing they are “sorry” about is that they got caught. The underestimate the community. Don’t worry, though. I’m sure anyone that noticed will get something from Godaddy threatening to take down their site for some reason or another… too much bandwidth… to much space… too many files in a directory… too many visitors… the wrong types of files… files named something they don’t like. They are the most intrusive and disrespectful company (besides Microsoft) that I’ve ever worked with. Slimy? That doesn’t even begin to describe Godaddy business practices.

      Report

      • ifyouwillit

        Hey Michael, thanks for your feedback. I understand your frustration because I used to develop sites professionally before I began working at GoDaddy. The customer service used to mis-match my expectations as a web professional, and it doesn’t sound like GoDaddy’s helpfulness in the past met your expectations either.

        In the 5+ years I’ve been working at GoDaddy, we’ve seen a bunch of positive changes, most markedly during the past few years. Intrusive up-sells and emails have decreased, we’ve stopped using offensive advertising (see what we’re doing this year http://www.adweek.com/news/technology/godaddy-cmo-says-super-bowl-spot-puts-new-twist-puppy-advertising-161852), and have been working to create more transparency in and improve the features of our hosting products (https://www.godaddy.com/pro).

        I’m assuming from your post that you don’t do business with us anymore, however if there’s a current issue I can help with, send me an email: mendel@godaddy.com. We’re not interested in repeating mistakes of the past. If we were, we’d probably be looking more at and responding to the response rate of the Sidekick change, instead of the community reaction. Community focus = progress.

        Report

      • Toby Cryns

        @ifyouwillit Wait. Are you saying godaddy isn’t up selling during the domain registration process anymore? That is the main reason I do not recommend them.

        Report

      • ifyouwillit

        Currently (I just went through the path) we’re suggesting three things when checking out with a domain (privacy, hosting, email). Those are services that we believe most people creating a website for the first time need (or might want) to be successful. In-fact, you’d be surprised how many people think a domain name can have a website without hosting.

        By default (again, going through the process myself just now), all those options are turned off. We used to up-sell like crazy, but I think you’ll find our new checkout process is much cleaner, and increasingly customized to the type of customer you are. That said, I’d love your specific feedback related to your past experiences (mendel@godaddy.com).

        If you find yourself asking clients to purchase domain names for you to then work on, you might want to take a quick look at the new GoDaddy Pro program (http://godaddy.com/pro). It’s free, in beta, and allows for a shared shopping and delegation experience that’s super slick for both you and your client.

        We’re doing some pretty exciting things these days, and fixing all sorts of past issues. :)

        Report

  7. Mark Cockfield

    The entire WordPress ecosystem needs a serious study of ITSM and specifically Change Management.

    Report

  8. Gaurav Tiwari

    Is it just for new users or everyone? Because I don’t see any such plugin here on my GoDaddy hosted WordPress.

    Report

  9. Brin Wilson

    “…at least one customer thought it was a hack”. I think a more accurate account would be that said customer Lol, “thought it COULD be a hack”. ;) But I guess that’s just splitting hairs since, in all honesty, I actually did pretty much poop my pants thinking chances are I’d been hacked! I really had no idea what was going on (or how or why) to begin with! Lol ;)

    Report

  10. ARM

    I would have freaked out if something like that happened to me!

    Report

  11. Ren

    I think referring to Media Temple as a managed host is giving them too much credit and incorrect. I used them for about three months and they were never any help regarding WordPress-specific issues. I asked them why they even called themselves a WordPress “managed host” and two separate techs asked what I meant by that.

    Anyway, I recall having to do quite a bit of cleanup when I moved away from them (MU plugins, database options, etc.) so this really doesn’t surprise me.

    Report

  12. mikeschinkel
    • Ryan Hellyer

      That sucks for the plugin developer. It’s not their fault that Godaddy decided to do that.

      Report

      • Ryan Hellyer

        Actually, from reading the comments it appears that they were in cahoots with the hosting companies anyway, so they’re getting the reviews it deserves.

        Report

      • garthmortensen

        The thing I have against people leaving these reviews is that plugin reviews are meant to be about the plugin itself. Not the developers or partners of the plugin. Additionally, most of those reviews seem to be left by people that don’t understand the situation. One of them was speculating that another plugin they trusted was the cause. If everyone here had sat down and went through the plugin before this happened, I’m pretty everyone would say the plugin was awesome! But due to some oversights, it’s suddenly a bad plugin.

        (btw, I have yet to hear someone report that it actually broke or otherwise did any real harm to their site. I’m also not arguing that auto-installation/activation is appropriate, I just think everyone is freaking out a little too much.)

        Report

      • Ryan Hellyer

        IMO, the reviews are about the plugin and the eco-system around it. Lots of people down rate plugins for lack of support for example.

        Report

      • Ben Fox

        Thanks Garth for the kind words and understanding.

        Ryan, you also make a fair point and we’re taking our lumps as deserved.

        It’s the unhelpful reviews that we’re seeing that I never agree with. For example “SIDEKICK deleted 8 hours of my work!” but when I asked what happened or how that happened, I was met with silence. That sort of thing leads me to believe that a person was just angry and is trying to hurt us. That’s unhelpful to the community and unfair to us as the plugin developer.

        That said, when you’re part of the WP eco-system, you accept certain things like the people have the power to control your fate in a way and you’d better act right. Hence Mendel (from Go Daddy) and I being very attentive here and elsewhere.

        Report

      • Ryan Hellyer

        They’re probably not bothering to answer because the answer is obvious. They spent eight hours trying to figure out why the hell some plugin ended up on their site.

        Report

      • mikeschinkel

        When you are part of the WP eco-system, you accept certain things like the people have the power to control your fate in a way and you’d better act right.

        Truer words have not been written.

        Report

  13. Jeffrey

    “tested and retested”? How did they do that on the existing sites?

    Report

    • Ben Fox

      You’re right, we can’t test every environment or existing site. Here’s what we do.

      I won’t speak for Go Daddy and Media Temple but our testing includes installing the top 20 WordPress plugins onto our QA environments to ensure compatibility off the bat.

      We employ one person whose sole job it is to perform random testing and address compatibility issues. We also have over 1,000 members of our beta testing program sharing data from their sites including automatically reporting errors and lists of their installed plugins & themes.

      99.5% of all errors we receive are due to a Walkthrough compatibility issue (for example, a Walkthrough won’t run or breaks at a certain point) and we have the ability to fix that without pushing a plugin update. A Walkthrough error does not affect site function because it simply stops the Walkthrough from running.

      The other 0.05% of all errors are addressed quickly through plugin updates. You’ll notice we push quite often (which is a whole other debate).

      I’ll also mention that SIDEKICK is only compatible with the current version of WordPress plus one major release previous (currently 4.1 and 4.0). If you are running anything older, SIDEKICK simply doesn’t appear on your Dashboard, even when enabled.

      We are an open book when it comes to this stuff and we’re always learning so if you have any further questions about our process, please ask here or email me directly at ben@sidekick.pro.

      Report

  14. Patricia

    So that’s what that was all about! I thought it was WP that added that confusing plugin. I’m doing everything I can to secure my site, so I’m also antsy about the possibility of being hacked. They should have given their clients a heads up.

    Report

    • ifyouwillit

      Sorry for the scare Patricia. Communication is key, and we definitely missed the mark. You can believe we’re reviewing and adjusting to avoid the situation in the future.

      Report

    • Hannah

      Right?!! I have security plugins installed on pretty much every site I work on that automatically disable any plugin that is updated by remote (such as with the WPRemote WP management plugin). That includes the security plugins themselves, so while I love the added security and the convenience of monitoring all my sites at once for updates from one hub, I’ve also learned that I can’t just update things through the WPRemote control panel, but must do update from WP admin in each site. Having something installed by remote into any of my clients’ sites? I have no idea what could happen, but the possibilities make me tired just thinking of all the time it could take to activate everything that could get turned off…it takes 2 hours just to updated and create backups for all my sites as it is!

      Report

  15. sublithium

    I’m ok with them doing so if it is something like this where it was just a “help” or tutorial. BUT to be sure I would appreciate the heads up. I use GoDaddy and I never had this come onto my dashboard. The problem I have here is if this just popped up on my dashboard my first response would likely not be GoDaddy, but likely wordpress and that makes finding the culprit a very unpleasant process that leads to hard feelings and frustration on behalf of more than 1 or 2 parties..

    I would say that this is nothing new and if you follow what the wordpress generation of users tend to believe in politically, it’s kind of hypocritical to complain a whole lot. I mean GoDaddy or any other host deciding what is best for your server needs, isn’t much different than, say, the government telling you what insurance plans are best for you, or EPA regulations, etc, etc, are best for you and the rest of the world because they think you are to stupid to make any choices on your own.

    I am not a fan of implementing this stuff without telling people. Why not just ask people to be part of a test group, may be give them a special discount coupon (especially when GoDaddy specifically, has pulled a lot of coupons for renewals), or only put it on new installations. On the part of hosts that did this I will say something in their defense. A lot of people putting together sites are not people that have 2-4 years of college/technical school experience in web design (especially us older folks). What a lot of younger people today consider easy and straight forward with wordpress, may not be the case for the rest of us, and to some may be down right perplexing. So when the digitally challenged run into issues it is often hard to find answers because a lot of tutorials etc have steps that experienced users consider common knowledge so they omit them. When that happens a lot of people end up contacting not only wordpress forums but also hosting companies. So if they installed a “walk through/tutorial,” It is likely they are just trying to free up customer service inquiry wait periods by eliminating some questions that should be directed at other 3rd parties. In this case it was a mistake and likely did just the opposite. Hopefully lesson learned.

    Report

  16. Matt

    I don’t like approach of the Sidekick tutorials in general, but it is worth noting that this was a mistake of noble ambition: GD wanted to help more people be able to publish with WordPress, which is very near and dear to our core mission to democratize publishing. It’s a big, tough problem and anyone trying to tackle it is going to make mistakes along the way, I know I certainly have! I’m sure this has been a learning experience, and overall I’m looking forward to see what strides GD will be able to make in 2015.

    Report

    • mhannigan

      Total BS. Secretly installing a plugin on existing sites would, in no way, increase the adoption of WordPress by end users. Sidekick was barely known before this. Certainly not well enough to have any impact whatsoever on WordPress installs.

      Report

  17. JJ

    OK.. Hang on sec. I would totally agree that the installation of a plugin on a client’s site (without permission) is out of bounds. But I gotta ask… how is it OK to update WP itself in much the same way?

    Report

  18. mhannigan

    With an install base of what appears to be a handful of users, having almost NO users until August 28, 2014, when the number of daily downloads mysteriously shot up to 10x what they were. Only 12 reviews out of 80k downloads? There’s a whole lot more to this story than GoDaddy has admitted. Why this plugin, which is obviously neither widely tested nor wanted? The download counts are clearly artificially inflated. They were up to something… there’s some deal that was made… I’d love to know what the ultimate goal was. It wasn’t the installation of a “help” plugin. Definitely something else.

    Report

    • Ryan Hellyer

      “Never attribute to malice that which can be attributed to stupidity”

      Report

    • Ben Fox

      Interesting theory but ‘m not even sure how you would “Game” the plugin repo numbers.

      The current downloads number is representative of our total installs from the repo plus updates (the repo counts updates as downloads). The numbers are actually more than double what you see if you include our active installs that were not done through the repo. So as far as testing goes, the plugin has been through the ringer and back.

      *Side note: Matt mentioned during the State of the Word ’14 that more detailed stats were coming soon. Until we see these more detailed stats, we consider them more vanity metrics and we don’t really concern ourselves with them.*

      How did we get so many installs so quickly?

      We were very lucky to have the opportunity to have SIDEKICK pre-installed with some very large hosting providers off the bat and now Go Daddy. Some of these providers pull the plugin directly from the repo at install so our stats shot up quite fast.

      As far as a deal that was made; you’re right, there was. The deal was and is that all Go Daddy and Media Temple customers would receive a free SIDEKICK Premium subscription for as long as they host with GD or MT. That’s it.

      Ultimate goal = Adding additional value and helping users get things done faster and easier.

      I empathize with how it might be easier and more interesting to believe there’s more to the story but that’s it.

      Happy New Year

      Report

  19. Christopher Carfi

    Hi @mhannigan- (Disclosure: I work at GoDaddy.) Per Ben Fox’s message over on the Sidekick blog, yes, there is an agreement in place between GD and Sidekick. No backroom conspiracy, simply a business agreement to make Sidekick available free of charge to customers who are working with us. As Ma.tt notes above, we are committed to supporting the community and investing significantly in the WordPress ecosystem in 2015. Oftentimes this means partnering with other organizations as we get away from the old “not-invented-here” mentality. As has been stated upthread, we learned a lot from this incident and we will approach these kinds of rollouts more thoughtfully going forward.

    Report

  20. starlo24

    Sidekick is actually a nice feature, it means I don’t have to listen to myself talk so much when we teach clients how to use their new site. That being said, they absolutely do not need to be automatically installing non-critical plugins without notifying the customer. I remain happy with Media Temple however, they have been the best WP hosting for us as a small creative agency both in cost and performance.

    Report

Comments are closed.

%d bloggers like this: