Without Notifying Customers, GoDaddy and MediaTemple Auto Activate SIDEKICK


Those who use a Managed WordPress hosting plan from either GoDaddy or MediaTemple might have noticed a new addition to the WordPress Dashboard. If you saw a bright orange button with the text Help Me, it wasn’t a hack; it is part of the SIDEKICK plugin. However, at least one customer thought it was a hack and published a concerning post in the Advanced WordPress Facebook group.

I’ve just logged into WordPress and I see a bright orange “HELP ME” icon with a strange face icon next to it in the bottom left of my dashboard – and a message saying “Need help with WordPress? Click HELP ME…” at the top of the screen! What is that?! Have I just been hacked? There’s no way I’m clicking on that without checking what it is!?!

The orange icon the customer noticed belongs to the SIDEKICK plugin. Clicking the button gives customers an opportunity to watch WordPress training videos from within the dashboard.

The post generated a healthy discussion, with several people weighing in, including representatives from GoDaddy, MediaTemple, and SIDEKICK. The project manager in charge of the blunder also participated in the discussion and promptly apologized for his actions.

GoDaddy Evangelist, Mendel Kurland, responded to the Facebook post explaining what happened from GoDaddy’s perspective.

Hey everyone, I’m currently in the middle of sending rabid pythons to the Project Manager for GoDaddy Managed WordPress (and we’re chatting with our brothers and sisters at MediaTemple too). On a managed platform, we take care of updates, but until now haven’t really installed a plugin to all existing sites en masse. Fact is, we were excited to get the plugin out there to help people (and tested and re-tested), but should have been more thoughtful, and consulted you all when it came to installing to existing sites.

SIDEKICK Co-Founder, Ben Fox, explains in an official blog post that the premium SIDEKICK license was being auto-installed without letting users know.

If you were surprised or at all concerned about the appearance of SIDEKICK on your Dashboard, I apologize. The bright orange Help Me button isn’t a promotion or spam. It’s not malicious and it’s not bloatware, although I can empathize that its sudden appearance can cause one to jump to one or all of those conclusions. It’s an approved repository plugin meant to provide exactly what the button indicates, help (and learning, training, onboarding) with WordPress.

Needless to say, auto installs of SIDEKICK are suspended for the time being until the team comes up with a better strategy.

Valuable Lessons Learned

As the number of products in the WordPress ecosystem increases, it’s becoming more difficult to differentiate from the competition. Establishing relationships with webhosting companies that host millions of sites is a great way to get a product in front of a lot of people. However, there are risks involved, and a partnership that is not executed properly can seriously damage a company’s reputation.

There are a few lessons to take away from this story.

  1. Communication is critical.
  2. If you have a product and establish a relationship with a webhosting company to push it to their customers, make sure everyone is on the same page.
  3. Let customers decide if they want what’s being pushed to them.

What Does it Mean to be Managed?

I’m not a fan of webhosts taking it upon themselves to automatically install and activate plugins on existing customer sites. However, I’m fine with bundling plugins for fresh installs of WordPress. With that said, if you’re using a managed host, should actions like these be expected if they’re done in the act of managing an account? Isn’t that what you’re paying for, to be managed?

Based on the circumstances, it might make sense for a host to do one thing or another to manage the account. But installing and activating a plugin on a customer’s site without their consent is on my list of things a webhost shouldn’t do.

This leads to the question, should managed WordPress hosts offer various levels of account management? If so, what would you like to see offered in each tier of service?

If you’re a MediaTemple or GoDaddy customer and are concerned, you can contact ben@sidekick.pro or mendel@godaddy.com.

60 Comments


  1. Was a completely tragic episode IMHO.
    Like a bunch of guys got together late night around beers and remakes of “The Walking Dead” and said “hey, wouldn’t it be a cool idea if we just installed and activated stuff in our client’s WordPress dashboard without telling them…”

    And the next day they woke up from their hangovers and found out “one of the guys” actually did it…


    1. You’ve got some crazy analogies, but they work. Yeah, just an unfortunate combination of circumstances. Easily preventable? Sure. But I hope other product companies and webhosts read what happened and realize it’s definitely not the way to introduce customers to a new product, especially for existing sites.


    2. If you think that is bad, wait until you wake up and realize wordpress is all part of google now.


  2. They should install a “Godaddy plugin” in each new install. Then if they want to provide new features across their network, they can just stick it all in there rather than having to install new plugins.


  3. Hi Jeff
    “saw a bright orange button with the text Help Me”
    That would have frightened me to death, even on managed hosting.

    Won’t happen again I’m guessing.


    1. Won’t happen again, that’s for sure and yes, your description is pretty much what the customer experienced and is what prompted the discussion on Facebook.


  4. Ryan, that’s not a bad suggestion and almost all managed hosts do install a default set of MU plugins. Some are wrapped in one convenient plugin. Others are separate.

    Thanks for the suggestion.


    1. Hah, was just thinking, what if hosts create a MU plugin but go the Jetpack route where new features or services are like modules inside the plugin? Maybe that’s one way to go?


      1. Don’t mind me, I’m just taking notes.

        My (personal) issue with an MU plugin comes from having moved people from WP Engine to anyone else, and the WP Engine mu plugin remains in the mu-plugin folder. There’s no obvious way to uninstall it.

        I know how to, of course, but for many people on managed hosting, the idea of FTPing in and deleting a file/folder is insane. And that’s fair. We all bill managed WP hosting as “You don’t need to know how to server.”

        So in my thoughts, any MU plugin should come with a notice “This was installed by your webhost (name). Don’t need it? Click here to delete!”

        Also being ‘approved in the WP repo’ doesn’t mean your code isn’t garbage or bloatware ;) Not that Sidekick is, but they shouldn’t use that as a marker for awesomeness. I hear there’s a RickRoll plugin in the repo.


      2. With regular plugins, you can delete the files from the plugin management page, can you not also do that with MU plugins?


      3. Jeff, it might help to clarify that MU stands for “Must Use” and are plugins in a special directory that’s not there by default. It allows you to put a plugin on a site that can’t be disabled or removed without server access. It is often confused with WPMU, referring to Multisite plugins. Unrelated, but similar acronyms.


      4. @Nick Adams “Must Use” is a backronym. The /mu-plugins/ directory originally were plugins for WPMU but in the WP3.0 merge of functionality they retconned the name to mean “Must Use Plugins.” FWIW.


      5. I suspect it’s not only some plugins that won’t be automatically deleted should one move away from a managed hosting — it may also be all the other ‘extra’ bits and bobs (like additional ‘config’ files) they sometimes put in various folders (like the site’s root folder) without mentioning them. Sadly…


      6. @Mika – In case some people read your comments and get the takeaway that “MU Plugins = Always Bad” I want to mention that for sites that literally depend on the plugin to operate correctly then MU Plugins are the best solution and should not have a “delete me” option.

        Of course the use-case for mu-plugins I mention would never(?) occur in an auto-install for a hosting environment but instead when an agency builds a custom website and custom MU-plugin for a client. But I feel compelled to mention it here because of the surprising percent of cargo cultists in the world, e.g. people who will read about an issue that applies to an implied context and then believe it applies in all contexts *and* assert that same in comments, in forums and at WordCamps, whenever they get the chance. :)


      7. Oh gosh! I hope people know I love MU Plugins and I use them regularly to code things in a site that I don’t want the site Admins deleting.

        But that doesn’t make me ignorant of their issues, which primarily are users have NO idea how to turn them off (or remove them), and they DO NOT get auto-update alerts like normal plugins.

        They’re great. MU Plugins rock. Just … like Multisite, use them when you KNOW what you’re getting into, eh?


      8. @Mika – Of course, there are definitely concerns around MU-plugins for non-technical users who do not have a support team. But in the right context, you are right; they rock!

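The thread above notes that must-use plugins cannot be turned off from the dashboard and raise no update notices, so an unexpected one is easy to miss. The shell script below is an added example, not code from the article, GoDaddy, MediaTemple or SIDEKICK: it records which plugins are installed and reports anything that appears later. It assumes the standard wp-content/plugins and wp-content/mu-plugins layout; the function names and the baseline file are hypothetical.

```shell
#!/bin/sh
# Added example: baseline and audit of WordPress plugin directories.
# Assumption: standard layout <wp-content>/plugins and <wp-content>/mu-plugins.

# Print one line per installed item as "<kind>/<name>", sorted.
plugin_inventory() {
    wp_content=$1
    for kind in plugins mu-plugins; do
        dir="$wp_content/$kind"
        [ -d "$dir" ] || continue          # mu-plugins is absent by default
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue    # empty directory: glob matched nothing
            name=$(basename "$entry")
            # Skip only the stock placeholder in plugins/; a PHP file placed
            # directly in mu-plugins/ is loaded by WordPress, so keep those.
            [ "$kind/$name" = "plugins/index.php" ] && continue
            printf '%s/%s\n' "$kind" "$name"
        done
    done | LC_ALL=C sort
}

# Print inventory lines present now but absent from the baseline file.
new_entries() {
    baseline=$1
    wp_content=$2
    if [ ! -r "$baseline" ]; then
        echo "baseline not readable: $baseline" >&2
        return 2
    fi
    plugin_inventory "$wp_content" | while IFS= read -r line; do
        grep -Fxq -- "$line" "$baseline" || printf '%s\n' "$line"
    done
}

# Report additions. Status 0: nothing new, 1: additions found, 2: no baseline.
audit() {
    added=$(new_entries "$1" "$2") || return 2
    [ -z "$added" ] && return 0
    printf '%s\n' "$added" | while IFS= read -r line; do
        case $line in
            mu-plugins/*)
                printf 'NEW %s (must-use: no dashboard deactivate, no update notices)\n' "$line" ;;
            *)
                printf 'NEW %s\n' "$line" ;;
        esac
    done
    return 1
}

# Usage (paths are placeholders):
#   sh plugin-audit.sh snapshot /path/to/wp-content > baseline.txt
#   sh plugin-audit.sh audit baseline.txt /path/to/wp-content
case ${1:-} in
    snapshot) plugin_inventory "$2" ;;
    audit)    audit "$2" "$3" ;;
esac
```

Run the snapshot once on a known-good site and the audit from cron; a non-zero exit status means something was added since the baseline, whether by a host, an administrator or an intruder.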


  5. This is why you should never do business with godaddy or media temple. My personal experience with both companies is simply tragic and awful.

    Migrate immediately.


  6. Jeff, good recap of the situation. What a learning experience this has been. The great part about being a part of the WordPress community is that there’s never a lack of feedback, and for that, our development teams, communications teams, and everyone else at GoDaddy are thankful.

    While we were attempting to provide an additional value by including Sidekick, we made a mistake, shouldn’t have installed and activated the plugin on existing sites, communicated poorly, and caused some panic and distrust.

    We’ve taken every bit of info from the AWP thread back to the Managed WordPress team, and they’re making changes to our procedures to keep this from happening in the future. If you have more feedback, please inundate my inbox with your opinions, comments, and concerns (mendel@godaddy.com).

    We’ve done a ton this year to contribute to and serve the WordPress community, and I’m sure we’ll all learn new lessons about ourselves, our businesses, and our customers in 2015. While mistakes like these are never easy, I’m happy to be a part of a company that serves such an awesome community.


    1. You obviously haven’t been there for long. Godaddy is ruthless. Individual customers are absolutely meaningless to them. The only thing they are “sorry” about is that they got caught. They underestimate the community. Don’t worry, though. I’m sure anyone that noticed will get something from Godaddy threatening to take down their site for some reason or another… too much bandwidth… too much space… too many files in a directory… too many visitors… the wrong types of files… files named something they don’t like. They are the most intrusive and disrespectful company (besides Microsoft) that I’ve ever worked with. Slimy? That doesn’t even begin to describe Godaddy business practices.


      1. Hey Michael, thanks for your feedback. I understand your frustration because I used to develop sites professionally before I began working at GoDaddy. The customer service used to mis-match my expectations as a web professional, and it doesn’t sound like GoDaddy’s helpfulness in the past met your expectations either.

        In the 5+ years I’ve been working at GoDaddy, we’ve seen a bunch of positive changes, most markedly during the past few years. Intrusive up-sells and emails have decreased, we’ve stopped using offensive advertising (see what we’re doing this year http://www.adweek.com/news/technology/godaddy-cmo-says-super-bowl-spot-puts-new-twist-puppy-advertising-161852), and have been working to create more transparency in and improve the features of our hosting products (https://www.godaddy.com/pro).

        I’m assuming from your post that you don’t do business with us anymore, however if there’s a current issue I can help with, send me an email: mendel@godaddy.com. We’re not interested in repeating mistakes of the past. If we were, we’d probably be looking more at and responding to the response rate of the Sidekick change, instead of the community reaction. Community focus = progress.


      2. @ifyouwillit Wait. Are you saying godaddy isn’t up selling during the domain registration process anymore? That is the main reason I do not recommend them.


      3. Currently (I just went through the path) we’re suggesting three things when checking out with a domain (privacy, hosting, email). Those are services that we believe most people creating a website for the first time need (or might want) to be successful. In-fact, you’d be surprised how many people think a domain name can have a website without hosting.

        By default (again, going through the process myself just now), all those options are turned off. We used to up-sell like crazy, but I think you’ll find our new checkout process is much cleaner, and increasingly customized to the type of customer you are. That said, I’d love your specific feedback related to your past experiences (mendel@godaddy.com).

        If you find yourself asking clients to purchase domain names for you to then work on, you might want to take a quick look at the new GoDaddy Pro program (http://godaddy.com/pro). It’s free, in beta, and allows for a shared shopping and delegation experience that’s super slick for both you and your client.

        We’re doing some pretty exciting things these days, and fixing all sorts of past issues. :)


  7. The entire WordPress ecosystem needs a serious study of ITSM and specifically Change Management.


  8. Is it just for new users or everyone? Because I don’t see any such plugin here on my GoDaddy hosted WordPress.


    1. This was just for Managed WordPress hosting customers and the installs have stopped for the time being.


  9. “…at least one customer thought it was a hack”. I think a more accurate account would be that said customer Lol, “thought it COULD be a hack”. ;) But I guess that’s just splitting hairs since, in all honesty, I actually did pretty much poop my pants thinking chances are I’d been hacked! I really had no idea what was going on (or how or why) to begin with! Lol ;)


  10. I would have freaked out if something like that happened to me!


  11. I think referring to Media Temple as a managed host is giving them too much credit and incorrect. I used them for about three months and they were never any help regarding WordPress-specific issues. I asked them why they even called themselves a WordPress “managed host” and two separate techs asked what I meant by that.

    Anyway, I recall having to do quite a bit of cleanup when I moved away from them (MU plugins, database options, etc.) so this really doesn’t surprise me.


    1. That sucks for the plugin developer. It’s not their fault that Godaddy decided to do that.


      1. Actually, from reading the comments it appears that they were in cahoots with the hosting companies anyway, so they’re getting the reviews it deserves.


      2. The thing I have against people leaving these reviews is that plugin reviews are meant to be about the plugin itself. Not the developers or partners of the plugin. Additionally, most of those reviews seem to be left by people that don’t understand the situation. One of them was speculating that another plugin they trusted was the cause. If everyone here had sat down and went through the plugin before this happened, I’m pretty sure everyone would say the plugin was awesome! But due to some oversights, it’s suddenly a bad plugin.

        (btw, I have yet to hear someone report that it actually broke or otherwise did any real harm to their site. I’m also not arguing that auto-installation/activation is appropriate, I just think everyone is freaking out a little too much.)


      3. IMO, the reviews are about the plugin and the eco-system around it. Lots of people down rate plugins for lack of support for example.


      4. Thanks Garth for the kind words and understanding.

        Ryan, you also make a fair point and we’re taking our lumps as deserved.

        It’s the unhelpful reviews that we’re seeing that I never agree with. For example “SIDEKICK deleted 8 hours of my work!” but when I asked what happened or how that happened, I was met with silence. That sort of thing leads me to believe that a person was just angry and is trying to hurt us. That’s unhelpful to the community and unfair to us as the plugin developer.

        That said, when you’re part of the WP eco-system, you accept certain things like the people have the power to control your fate in a way and you’d better act right. Hence Mendel (from Go Daddy) and I being very attentive here and elsewhere.


      5. They’re probably not bothering to answer because the answer is obvious. They spent eight hours trying to figure out why the hell some plugin ended up on their site.


      6. When you are part of the WP eco-system, you accept certain things like the people have the power to control your fate in a way and you’d better act right.

        Truer words have not been written.


  12. “tested and retested”? How did they do that on the existing sites?


    1. You’re right, we can’t test every environment or existing site. Here’s what we do.

      I won’t speak for Go Daddy and Media Temple but our testing includes installing the top 20 WordPress plugins onto our QA environments to ensure compatibility off the bat.

      We employ one person whose sole job it is to perform random testing and address compatibility issues. We also have over 1,000 members of our beta testing program sharing data from their sites including automatically reporting errors and lists of their installed plugins & themes.

      99.5% of all errors we receive are due to a Walkthrough compatibility issue (for example, a Walkthrough won’t run or breaks at a certain point) and we have the ability to fix that without pushing a plugin update. A Walkthrough error does not affect site function because it simply stops the Walkthrough from running.

      The other 0.05% of all errors are addressed quickly through plugin updates. You’ll notice we push quite often (which is a whole other debate).

      I’ll also mention that SIDEKICK is only compatible with the current version of WordPress plus one major release previous (currently 4.1 and 4.0). If you are running anything older, SIDEKICK simply doesn’t appear on your Dashboard, even when enabled.

      We are an open book when it comes to this stuff and we’re always learning so if you have any further questions about our process, please ask here or email me directly at ben@sidekick.pro.


      1. So your thorough testing methodology includes a selected 20 WordPress plugins out of the 35,201 currently available? I have more than 20 plugins on one site.


  13. So that’s what that was all about! I thought it was WP that added that confusing plugin. I’m doing everything I can to secure my site, so I’m also antsy about the possibility of being hacked. They should have given their clients a heads up.


    1. Sorry for the scare Patricia. Communication is key, and we definitely missed the mark. You can believe we’re reviewing and adjusting to avoid the situation in the future.


    2. Right?!! I have security plugins installed on pretty much every site I work on that automatically disable any plugin that is updated by remote (such as with the WPRemote WP management plugin). That includes the security plugins themselves, so while I love the added security and the convenience of monitoring all my sites at once for updates from one hub, I’ve also learned that I can’t just update things through the WPRemote control panel, but must do the update from WP admin in each site. Having something installed by remote into any of my clients’ sites? I have no idea what could happen, but the possibilities make me tired just thinking of all the time it could take to activate everything that could get turned off…it takes 2 hours just to update and create backups for all my sites as it is!


  14. I’m ok with them doing so if it is something like this where it was just a “help” or tutorial. BUT to be sure I would appreciate the heads up. I use GoDaddy and I never had this come onto my dashboard. The problem I have here is if this just popped up on my dashboard my first response would likely not be GoDaddy, but likely wordpress and that makes finding the culprit a very unpleasant process that leads to hard feelings and frustration on behalf of more than 1 or 2 parties..

    I would say that this is nothing new and if you follow what the wordpress generation of users tend to believe in politically, it’s kind of hypocritical to complain a whole lot. I mean GoDaddy or any other host deciding what is best for your server needs, isn’t much different than, say, the government telling you what insurance plans are best for you, or EPA regulations, etc, etc, are best for you and the rest of the world because they think you are too stupid to make any choices on your own.

    I am not a fan of implementing this stuff without telling people. Why not just ask people to be part of a test group, maybe give them a special discount coupon (especially when GoDaddy specifically, has pulled a lot of coupons for renewals), or only put it on new installations. On the part of hosts that did this I will say something in their defense. A lot of people putting together sites are not people that have 2-4 years of college/technical school experience in web design (especially us older folks). What a lot of younger people today consider easy and straight forward with wordpress, may not be the case for the rest of us, and to some may be down right perplexing. So when the digitally challenged run into issues it is often hard to find answers because a lot of tutorials etc have steps that experienced users consider common knowledge so they omit them. When that happens a lot of people end up contacting not only wordpress forums but also hosting companies. So if they installed a “walk through/tutorial,” It is likely they are just trying to free up customer service inquiry wait periods by eliminating some questions that should be directed at other 3rd parties. In this case it was a mistake and likely did just the opposite. Hopefully lesson learned.


  15. I don’t like the approach of the Sidekick tutorials in general, but it is worth noting that this was a mistake of noble ambition: GD wanted to help more people be able to publish with WordPress, which is very near and dear to our core mission to democratize publishing. It’s a big, tough problem and anyone trying to tackle it is going to make mistakes along the way, I know I certainly have! I’m sure this has been a learning experience, and overall I’m looking forward to see what strides GD will be able to make in 2015.


    1. Total BS. Secretly installing a plugin on existing sites would, in no way, increase the adoption of WordPress by end users. Sidekick was barely known before this. Certainly not well enough to have any impact whatsoever on WordPress installs.


  16. OK.. Hang on sec. I would totally agree that the installation of a plugin on a client’s site (without permission) is out of bounds. But I gotta ask… how is it OK to update WP itself in much the same way?


    1. Because you agreed to that. These users didn’t agree to install a random plugin.


      1. So by updating WordPress I agreed to automatic updates that could be done when I am not near my laptop to fix things if that screws my site up?

        It is completely unethical for anyone to add a plugin, theme, spammy link or even core updates without asking the owner of the site. I don’t remember EVER being asked if I wanted automatic updates.

        I added a plugin to ALL my sites (and clients sites) that disables the automatic updates. What if a conflict happened and I am not there? I manually update EVERYTHING on my sites (and clients sites).


      2. You were aware that the core updates were coming and given ways to disable it. By choosing not to disable it, you implicitly gave permission to WordPress to update your site. The Godaddy customers who had this plugin installed on their site had no way of knowing this was going to occur.

        Even WordPress users who missed all of the notices about it (which you weren’t one of) would still have been given a notice on upgrading letting them know that their site would be auto-upgrading from then on. FWIW, I personally think that notice should have been more prominent, and with a small link to ways to disable it.

        Any ways, my point here is that you are comparing things which are not equivalent IMO.


      3. @Ryan,

        Let’s be honest here, the majority of WordPress users don’t pay enough attention to know that WordPress core was going to start doing auto-updates. Sure, they get away with it because they are core but the argument that everyone implicitly opted-in doesn’t hold any water. Just sayin…


      4. Ok, but I was reading his comments as applicable to everyone, guess that’s where we read it differently.


      5. I’m not actually disagreeing with there being issues in the way auto-updates were handled in core, but I just don’t think it’s a valid comparison here that’s all.


  17. With an install base of what appears to be a handful of users, having almost NO users until August 28, 2014, when the number of daily downloads mysteriously shot up to 10x what they were. Only 12 reviews out of 80k downloads? There’s a whole lot more to this story than GoDaddy has admitted. Why this plugin, which is obviously neither widely tested nor wanted? The download counts are clearly artificially inflated. They were up to something… there’s some deal that was made… I’d love to know what the ultimate goal was. It wasn’t the installation of a “help” plugin. Definitely something else.


    1. Interesting theory but I’m not even sure how you would “Game” the plugin repo numbers.

      The current downloads number is representative of our total installs from the repo plus updates (the repo counts updates as downloads). The numbers are actually more than double what you see if you include our active installs that were not done through the repo. So as far as testing goes, the plugin has been through the wringer and back.

      *Side note: Matt mentioned during the State of the Word ’14 that more detailed stats were coming soon. Until we see these more detailed stats, we consider them more vanity metrics and we don’t really concern ourselves with them.*

      How did we get so many installs so quickly?

      We were very lucky to have the opportunity to have SIDEKICK pre-installed with some very large hosting providers off the bat and now Go Daddy. Some of these providers pull the plugin directly from the repo at install so our stats shot up quite fast.

      As far as a deal that was made; you’re right, there was. The deal was and is that all Go Daddy and Media Temple customers would receive a free SIDEKICK Premium subscription for as long as they host with GD or MT. That’s it.

      Ultimate goal = Adding additional value and helping users get things done faster and easier.

      I empathize with how it might be easier and more interesting to believe there’s more to the story but that’s it.

      Happy New Year


  18. Hi @mhannigan- (Disclosure: I work at GoDaddy.) Per Ben Fox’s message over on the Sidekick blog, yes, there is an agreement in place between GD and Sidekick. No backroom conspiracy, simply a business agreement to make Sidekick available free of charge to customers who are working with us. As Ma.tt notes above, we are committed to supporting the community and investing significantly in the WordPress ecosystem in 2015. Oftentimes this means partnering with other organizations as we get away from the old “not-invented-here” mentality. As has been stated upthread, we learned a lot from this incident and we will approach these kinds of rollouts more thoughtfully going forward.


  19. Sidekick is actually a nice feature, it means I don’t have to listen to myself talk so much when we teach clients how to use their new site. That being said, they absolutely do not need to be automatically installing non-critical plugins without notifying the customer. I remain happy with Media Temple however, they have been the best WP hosting for us as a small creative agency both in cost and performance.
