Those who use a Managed WordPress hosting plan from either GoDaddy or MediaTemple might have noticed a new addition to the WordPress Dashboard. If you saw a bright orange button with the text Help Me, it wasn’t a hack; it is part of the SIDEKICK plugin. However, at least one customer thought it was a hack and published a concerning post in the Advanced WordPress Facebook group.
I’ve just logged into WordPress and I see a bright orange “HELP ME” icon with a strange face icon next to it in the bottom left of my dashboard – and a message saying “Need help with WordPress? Click HELP ME…” at the top of the screen! What is that?! Have I just been hacked? There’s no way I’m clicking on that without checking what it is!?!
The orange icon the customer noticed belongs to the SIDEKICK plugin. Clicking the button gives customers an opportunity to watch WordPress training videos from within the dashboard.
The post generated a healthy discussion, with several people weighing in, including representatives from GoDaddy, MediaTemple, and SIDEKICK. The project manager in charge of the blunder also participated in the discussion and promptly apologized for his actions.
GoDaddy Evangelist, Mendel Kurland, responded to the Facebook post explaining what happened from GoDaddy’s perspective.
Hey everyone, I’m currently in the middle of sending rabid pythons to the Project Manager for GoDaddy Managed WordPress (and we’re chatting with our brothers and sisters at MediaTemple too). On a managed platform, we take care of updates, but until now haven’t really installed a plugin to all existing sites en masse. Fact is, we were excited to get the plugin out there to help people (and tested and re-tested), but should have been more thoughtful, and consulted you all when it came to installing to existing sites.
SIDEKICK Co-Founder, Ben Fox, explains in an official blog post that the premium SIDEKICK license was being auto-installed without letting users know.
If you were surprised or at all concerned about the appearance of SIDEKICK on your Dashboard, I apologize. The bright orange Help Me button isn’t a promotion or spam. It’s not malicious and it’s not bloatware, although I can empathize that its sudden appearance can cause one to jump to one or all of those conclusions. It’s an approved repository plugin meant to provide exactly what the button indicates, help (and learning, training, onboarding) with WordPress.
Needless to say, auto installs of SIDEKICK are suspended for the time being until the team comes up with a better strategy.
Valuable Lessons Learned
As the number of products in the WordPress ecosystem increases, it’s becoming more difficult to differentiate from the competition. Establishing relationships with webhosting companies that host millions of sites is a great way to get a product in front of a lot of people. However, there are risks involved, and if not executed properly, such a partnership can seriously damage a company’s reputation.
There are a few lessons to take away from this story.
- Communication is critical.
- If you have a product and establish a relationship with a webhosting company to push it to their customers, make sure everyone is on the same page.
- Let customers decide if they want what’s being pushed to them.
What Does it Mean to be Managed?
I’m not a fan of webhosts taking it upon themselves to automatically install and activate plugins on existing customer sites. However, I’m fine with bundling plugins for fresh installs of WordPress. With that said, if you’re using a managed host, should actions like these be expected if they’re done in the act of managing an account? Isn’t that what you’re paying for, to be managed?
Based on the circumstance, it might make sense for a host to do one thing or another to manage the account. But on my list of things a webhost shouldn’t do is installing and activating a plugin on a customer’s site without their consent.
This leads to the question, should managed WordPress hosts offer various levels of account management? If so, what would you like to see offered in each tier of service?
If you’re a MediaTemple or GoDaddy customer and are concerned, you can contact firstname.lastname@example.org or email@example.com.
Was a completely tragic episode IMHO.
Like a bunch of guys got together late night around beers and remakes of “The Walking Dead” and said “hey, wouldn’t it be a cool idea if we just installed and activated stuff in our client’s WordPress dashboard without telling them…”
And the next day they woke up from their hangovers and found out “one of the guys” actually did it…