Yoast SEO plugin for WordPress injects Black Friday adverts without permission (wordpress.org)
189 points by jonny383 on Dec 2, 2019 | hide | past | favorite | 70 comments

Let's get a few things right since the link is misleading.

- It was an upsell to the Pro version of the free plugin. Not some random ad spam.

- The ad was an admin notice - which appears in WordPress on top of every page in the backend Admin Area, in what's generally the notification area.

- It's free, GPL, and open source - you know, "No Warranties" and all that.

Grayhat, and not something you should ever do. But not as nefarious as everyone is making it sound like.

WP.org is about freedom, so they're unlikely to restrict it either unless malicious: https://github.com/WordPress/wporg-plugin-guidelines/pull/69...

Being very involved in the WordPress industry, what I find funny is the majority of angry reviews masquerading as victims are from entitled pseudo devs who sell WordPress sites to clients and now they were made to look bad because they had automatic updates enabled while charging their customers for a retainer package with "plugin & themes updates".

How about buying the premium version in the first place, just as you charged your client for it.

1. It goes directly against the WordPress Detailed Plugin Guidelines to both upsell, and to hijack the admin dashboard [0].

2. If the ad was an admin notice, it didn't look like one. It's a banner image with an outbound tracking link [1].

[0] https://developer.wordpress.org/plugins/wordpress-org/detail... [1] https://imgur.com/a/oN7ZFRU

Neither could you click the [X], or it was intentionally overlapped for people to misclick. Crooks.

It was hard to click, but I managed to click it, and it worked.

I believe they played with the semantics here to perhaps get a pass on it not counting as an exact violation of wp.org repository guidelines. There's a proposal to have strict policies and disallow any sort of global ads now but it seems dismissed [1].

It was a dismissable admin notice that looked like an ad and wasn't exactly a tracking link (in the wp.org classifications at least), but a generic marketing campaign link [2].

[1] https://github.com/WordPress/wporg-plugin-guidelines/pull/69... [2] https://github.com/Yoast/wordpress-seo/blob/12.6.1/admin/cla...

Dismissable? Didn't the X button lead to a sales page?

Not when I clicked it.

It goes directly against the WordPress Detailed Plugin Guidelines to both upsell, and to hijack the admin dashboard [0].

Wow. When I was playing with WP I saw this a ton. It was so annoying that I would have to make a point of disabling the phone line home.

I used to work in this WP field and I can confirm your story about this industry clients devs. I have one more story:

Back then (maybe still possible now?), if you have a custom plugin named "abc" which is not uploaded to the wp.org repository, I can upload a plugin with the same id "abc" to wp.org, bump the version, and WordPress will suggest updating the plugin. This will replace the real plugin with yours. I voiced the problem to the WP guys but they seemed cool with it.
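The scenario in the comment above is a slug collision: a private plugin installed from outside the repository is still reported to the wp.org update endpoint by its directory/file basename, so a repository plugin with the same basename and a higher version shows up as an "update". A common defensive measure site owners apply is to exclude their private plugins from the update check entirely. The following mu-plugin is an added example written for this thread, not code from WordPress core, Yoast or any commenter; the plugin basename `abc/abc.php` and the constant `PRIVATE_PLUGIN_BASENAMES` are assumptions standing in for whatever private plugins a site actually runs.

```php
<?php
/*
Plugin Name: Pin private plugins (hypothetical mu-plugin)
Description: Keeps privately-installed plugins out of the wp.org update check so a same-slug repository plugin cannot be offered as an update.
*/

// Assumed list of plugins that were installed by hand and must never be updated from wp.org.
// Keys are plugin basenames exactly as WordPress reports them (directory/main-file.php).
const PRIVATE_PLUGIN_BASENAMES = array(
    'abc/abc.php', // constructed example, matching the "abc" plugin in the thread
);

/**
 * Strip private plugins from the payload WordPress sends to api.wordpress.org.
 * Since the 1.1 update-check API the body carries a JSON string under 'plugins'
 * with two keys: 'plugins' (all installed) and 'active'.
 */
add_filter('http_request_args', function ($args, $url) {
    if (false === strpos($url, 'api.wordpress.org/plugins/update-check')) {
        return $args;
    }
    if (empty($args['body']['plugins'])) {
        return $args;
    }
    $payload = json_decode($args['body']['plugins'], true);
    if (!is_array($payload)) {
        return $args; // Unknown format: leave untouched rather than break the check.
    }
    foreach (PRIVATE_PLUGIN_BASENAMES as $basename) {
        unset($payload['plugins'][$basename]);
        if (!empty($payload['active']) && is_array($payload['active'])) {
            $payload['active'] = array_values(array_diff($payload['active'], array($basename)));
        }
    }
    $args['body']['plugins'] = wp_json_encode($payload);
    return $args;
}, 10, 2);

/**
 * Belt and braces: even if a response for a private plugin somehow lands in the
 * cached transient (e.g. it was written before this mu-plugin existed), drop it
 * so the dashboard never offers the update and auto-update never applies it.
 */
add_filter('site_transient_update_plugins', function ($transient) {
    if (!is_object($transient) || empty($transient->response)) {
        return $transient;
    }
    foreach (PRIVATE_PLUGIN_BASENAMES as $basename) {
        unset($transient->response[$basename]);
    }
    return $transient;
});
```

Drop the file into `wp-content/mu-plugins/` so it loads before ordinary plugins and cannot itself be deactivated from the dashboard. Excluding a plugin this way also means you own its patching: a private plugin pinned like this must be reviewed and updated by hand, which is the trade-off for closing the collision.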

As someone who has contracted with a bunch of agencies and contractors for WordPress sites, I have paid for such retainers even though automatic updates are on.

I want automatic updates on; it's better for security.

And I want the folks who built the sites available on short notice, so if automatic updates break something, I can get it fixed quickly without trying to do a contract with some random WP dev on short notice.

Updates are different from upgrades, though. But if you are saying that we should pay for premium (in order to get the updates, which you are saying we should stay on top of), then I get what you're saying.

> It's free, GPL, and open source - you know, "No Warranties" and all that.

Making something available for free doesn’t absolve you from blame when you make stupid decisions. Well, it does legally, but from a social standpoint it’s still not nice.

What makes you think those "entitled pseudo devs" as you call them charged the client for a premium version? You're making an assumption too many.

I'm a big fan of vanilla WordPress, especially the new block editor, but the plugin ecosystem is a total mess. Almost all popular plugins come with a free version that spams you to upgrade to "pro". They add menu items to the admin panel with different colours so you find it harder to ignore them. They add messages to the dashboard. The look and feel of their settings pages don't match WordPress core. And, even if you pay for an upgrade, that usually means removing the plugin provided and automatically updated by WordPress.org and replacing it with a manually uploaded zip. Crazy.

The garbage user experience with most plugins led me to collect together a bunch of ideas from plugins I used and rewrite almost all of them entirely into one spam-free plugin. I did it for my own sanity as a user of my own plugin, but I'd like to see more "old-fashioned" plugins that are providing high quality code for everyone's free benefit.

> I'm a big fan of vanilla WordPress, especially the new block editor, but the plugin ecosystem is a total mess.

Well, the root cause why the plugin ecosystem is a mess is the way plugin management and monetization are implemented in vanilla WP.

As opposed to, e.g., Atlassian Jira plugins, WP doesn't really help plugin developers to seamlessly integrate with the core product.

"seamlessly integrate with the core product."

Plugin devs can generally NOT be trusted with seamlessly integrating their plugins because it usually leads to all kinds of dark patterns and poor UI for WP as a whole. WP.org's strict plugin guidelines are one of the main reasons why plugins behave relatively well considering how huge the WP.org repository is.

Have you released this plugin?

Making a functional plugin for one’s own purposes is one thing, releasing it to the public requires quite a lot more work.

Kind of. It's on GitHub, but not yet in the WordPress plugin archive (I want to test it more with my organisation and some friends first).


The Yoast CEO Marieke van de Rakt responded on Twitter:

> That BlackFridayBanner was not the best idea. We’re truly sorry for the annoyance and difficulties it may have caused. We did not think this through properly. If you want, you can update to a new version of our plugin without that banner. #blackfriday #neveragain #apologies [1]

> I OK'd this. I am the CEO. And I made a big mistake. I am sorry. [2]

[1] https://twitter.com/MariekeRakt/status/1200077958700044290

[2] https://twitter.com/MariekeRakt/status/1200077958700044290

Hardly the first time Yoast have been forced into an embarrassing climb-down.

In the early days of mass WordPress adoption they got a lot of traction by offering a plug-in that made a few basic SEO improvements, and that early success went to their heads. Every iteration since has been a bloated mess of features, most of which are entirely unnecessary.

You know it's a bloated mess when there actually exists another plugin to hide all the bloat that Yoast adds. I kid you not. https://wordpress.org/plugins/so-clean-up-wp-seo/

> "Truly sorry"

I'd prefer it if CEOs would rather say "we got too greedy and clearly the market didn't like it" rather than disingenuous apologies.

I have a lot more respect for a response that contains the words "sorry" and a statement that the entity admits that they made a mistake, vs. the usual corporate statement that contains neither.

The apology is basically the modern version of that corporate statement.

An "I'm sorry" and "it was my call" are much more honest than the usual legal-approved CEO-speak that doesn't admit any fault, or justifies it with an un-provable statement like "many users have asked for this feature"

It is easier to ask for forgiveness than permission. I doubt the company or the CEO actually cares at all.

"There but for the grace of god go I"

In other words, we all make mistakes in our businesses.

Some of them are more obvious to the outside world than others. This one was a pretty serious cock-up.

I admire her for owning it and saying sorry. Plus they fixed it pretty quickly.

For those not deep into the WP community reading this headline: Yoast injected an ad into the WP admin pages (every admin page), not into public WP sites. The headline sounds much worse than it is - this is just an annoyance for editors, not Yoast abusing its reach to target billions of worldwide website readers.

Naturally that doesn't excuse the spam.

When people rip on WordPress development this is the sorta crap they're talking about.

In many ecosystems this would warrant the plugin getting pulled from the ecosystem but WP just lets it fly.

I for one am glad that Wordpress doesn't behave like the App Store, yanking apps willy-nilly with no warning, and little recourse.

Wordpress development is for developers, not consumers. They don't require the same level of hand-holding. When things like this occur, devs can make the choice to remove the plugin on sites they maintain.

For prospective users, every plugin page has a "reviews" section that tells them exactly if the plugin does anything shady. Yoast isn't a monopoly and thanks to how the plugin ecosystem has evolved over time, WP devs usually have a second or third option to go with, should their #1 pick no longer meet their needs.

I think a lot of the rip is from WordPress generally being insecure. You can have it locally and treat it like Jekyll and have your JSON sent to git and published to something like Netlify.

> I think a lot of the rip is from WordPress generally being insecure.

That too - I put adware on my wp-admin pages in the same boat.

I've seen the JSON publishing route and I'm not 100% impressed with how it operates. In most WP situations you want to give people who are non-devs the capability to manage content which local setups like this don't accommodate well.

A lot of people complain about how the Apple App Store removes apps that Apple doesn't like. Or how Firefox no longer allows users to provide add-ons that are not through the Firefox store. That and other walled gardens make the new tech world much less free and much more dependent on tech giants. I personally would prefer WordPress to allow whoever wants to make an app and give the users the responsibility to choose what to add and what not.

I agree and disagree all at the same time ha...

> I personally would prefer WordPress to allow whoever wants to make an app and give the users the responsibility to choose what to add and what not

I'm totally with you but that assumes that WP devs have the responsibility to make responsible decisions. The range of skill for a typical WP dev is outstanding, where on one end you have people who can't write a for loop adopting the "dev" title, and on the other end you have skilled engineers.

I've seen WAY too many people call themselves "devs" when all they do is try to install plugins to piece together a website. In relation to Apple and FF - average users are not savvy at all and have been shielded from the nuts-and-bolts decisions that we make on a daily basis. Trusting them with the responsibility to make good decisions is precarious.

This was the worst spam of all my WordPress experience. A Yoast banner on every admin page - Yoast must have gone crazy. I took screenshots of this shameful moment.

WordPress plugins as well as mobile app stores are reminiscent of the ugly PC shareware and freeware of the past 30 decades.

I don't use wordpress/yoast so am probably wrong. But I don't think splashscreens on shareware is 'ugly', I think it's fair enough. In some instances - such as Sublime Text - I am amazed at how discreet it is.

I suspect Sublime realizes that they have three classes of customers:

1. Companies

2. Private individuals who are happy to pay for software

3. Private individuals who aren't going to pay for software

The discreet notification is enough to get 1+2 to pay. Group 3 isn't going to pay anyways, and making the notification more annoying will just make it more likely that they crack it and never see it again. Most importantly, when people from group 3 start working at a company, they may get the company to buy a license (which is now a subscription, i.e. makes them a lot more money than a personal license).

A more annoying notification would likely win them very little, and lose them a lot (from people who use a different editor instead).

Well, people need to learn not to depend on redundant Wordpress plugins.

The plugin landscape in WordPress is plagued by bugs and ads, some spamming you to update or pay for a premium version. That is not something you would accept from professional CMS solutions.

If you consider yourself knowledgeable in SEO, then learn to walk the talk and stop relying on phony third-party plugins!

SEO is such a small part of owning a website, and ideally, any technical SEO that is needed should be integrated in the core CMS by developers and not fiddled with at random by clueless bloggers or SEO gurus.

Since Wordpress is such "crapware" out-of-the-box, you can easily create a Yoast replacement plugin to handle what is really needed. The rest is just useless bloat and clutter.

I would not touch Yoast in my wildest dream. It is totally redundant for people who can code themselves.

> It is totally redundant for people who can code themselves.

Not really, it saves time. I have my own website and I am a professional developer, but I don't want to spend time learning WordPress programming. The few things I had to code for WP were very off-putting.

'Since Wordpress is such "crapware" out-of-the-box, you can easily create a Yoast replacement plugin ...'

The cynic in me wonders why such basics are not already included by now?

Because of Matt Mullenweg's strange philosophy of keeping only barebones features in "core" Wordpress and having all other functionality be delivered by plugins. This means that even to have a basic site, you just have to install various plugins to deliver key features, which leads to the bloat, instability and security problems that Wordpress is infamous for.

> strange philosophy

He likes to avoid bloat and keep things modular. That's not a 'strange' philosophy.

Modularity isn't free. Wordpress' obsession with it – and bad implementation of it – leads to bizarre, 80000+ recursion level deep callback hells even on simple pages once you have 3-4 plugins running.

> This means that even to have a basic site, you just have to install various plugins to deliver key features,

You can run a perfectly fine blog using core.

It is because a lot of functionality is now bundled as part of the Automattic Jetpack plugin. I guess the plugin is technically open source (due to the GPL), but a lot of functionality depends on Automattic's servers and requires a subscription.

Do you do actual WP development? How many clients do you have? How much Yoast functionality does your plugin cover?

There are certain plugins that deliver so much value that developing and maintaining them yourself is nonsense for most devs out there. Unless your agency manages thousands of plugins and you have some very specific needs, you don't need to re-implement everything from scratch. Even then, it's probably far cheaper and easier to re-use their GPL code as the basis for a less bloated plugin.

That's an incredible number of people they've managed to piss off with that ad! This sounds like a plausible theory:

> Honestly, I wouldn’t be surprised if this was an advertising stunt to create a viral situation for additional exposure.[0]

[0]: https://wordpress.org/support/topic/spammy-black-friday-on-e...

I can't see how Yoast needs any more exposure. They're the equivalent of Coca-Cola in the WordPress world - everyone's heard of them, most use them already.

Seems like a pretty risky move, but the owner has historically been controversial so wouldn't be too surprised.


Actually the comments indicate that the "controversy" seems to be imagined by many people. By the way, I don't know anything about Joost, so he may not be innocent. But the article is an excellent example of an inability to distinguish between consensual but obnoxious stuff and clearly non-consensual behavior.

Also read the comment by Jenny Halasz, it seems very telling: "I had the audacity to start a thread on twitter where I suggested that perhaps we should ask the women involved if they were being harassed before we leveled accusations at the supposed harasser.

For my trouble, I got called a woman hater, an enabler, and plenty of other terrible things (now conveniently deleted by the people who said those awful things: Cohen, Rayner, a handle by the name of callis1987, and Forden)"


>>Did you create this account just to do that?

Yes I did, because I don't have any other account to use on HN. I am not sure what you are implying here.

if only people here held their FANG bosses to the same standard they hold wordpress plugin developers ... there would be less complaining

Perhaps Yoast thought they were clever. I hope someone reads this who works there. Because of "this", and as a precaution against further abuse, one of my agencies removed Yoast SEO from over 2000 WordPress sites last week.

Update: Just found out that the Yoast CEO is a woman and apologized with GIFs on Twitter. Awaiting my ban and #forevershame.

Which SEO plugin did your agency go with?

Glad I'm not the only one who was annoyed by this. It's not a huge deal, but it made me go "WTF?"

I disagree - to me, it _is_ a huge deal. It's an overstep of a boundary that definitely should not have been crossed.

Yoast has always been borderline spammy with their upgrade nags, but at least historically they followed the WordPress guidelines and kept them inside of the Yoast pages. But flat-out injecting ads into every admin page with not much context is a step too far in my opinion.

As far as I'm concerned, Automattic should revoke their wordpress.org plugin hosting until this has been addressed (as this clearly violates their hosting guidelines) and a public apology is issued.

It has been addressed and their CEO offered hundreds of apologies on Twitter. It is definitely not okay and I would still not use them as there are better plugins out there, but they (now) say they made a mistake and owned it.

Which SEO plugins would you recommend?

The SEO framework (slug: autodescription) is great and performs about 30x as good as Yoast SEO in terms of processing time. They’re also pretty strict about sticking to WordPress’ native styles.

> As far as I'm concerned, Automattic should revoke their wordpress.org plugin hosting until this has been addressed

Unfortunately Automattic only contributes to WordPress.org [0]. Automattic actually owns WordPress.com [1] which is a separate-ish entity, and does not have any authority over plugins hosted on WordPress.org.

[0] https://automattic.com/

[1] https://en.support.wordpress.com/com-vs-org/

Article thread is a dupe of: https://news.ycombinator.com/item?id=21661075 (?)

Could / should (?) be merged.

As for all the doom and gloom, I think the main thing that makes this so bad is that the ad was hard to close - the X was not very visible / easy to click, some said clicking it still brought you to the ad site...

To me the bad thing was that the ad was moving / not static. Might be time for a checkbox, 'allow plugins to show discounts / partners / third party ads' - some of them are helpful / wanted.

When a plugin hijacks your next screen, like wp-statistics does after an update sometimes (others too, e.g. all-in-one-seo sometimes) - I hate that even more than what this Yoast ad did.

Did this happen on their GPL version, or their "premium" version, or both?

The premium version is GPL also. This happened in the free version.

I noticed that! Actually pushed me to remove it from my site...

You have become the very thing you swore to destroy.

I haven't used WP in a long time. Does it come with permission settings for plugins now?

The plugin exists to inject SEO-relevant tags into your page, so I don't see how a permission system would help to prevent them from injecting other tags into your page.

And no, there's no real capability system for plugins in WordPress. Plugins can define their own user permissions that hook into WP's system to determine which user can use which feature, but that's entirely opt-in on the plugins' part.
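To make the "opt-in" point in the reply above concrete: WordPress capabilities gate users, not plugins. A plugin chooses whether to register a capability and check it, and nothing forces it to gate an `admin_notices` callback the way it gates a settings page. The block below is an added example written for this thread (not Yoast's code and not from WordPress core); the capability name `manage_example_settings`, the page slug `example-settings` and the function names are hypothetical. The first half shows a plugin that does opt in; the last hook shows what a site owner can do from their side with a mu-plugin, since the plugin author's cooperation cannot be relied on.

```php
<?php
/*
Plugin Name: Example Gated Settings (hypothetical)
Description: Demonstrates a plugin opting in to WordPress's capability system.
*/

// Hypothetical capability; WordPress core defines nothing with this name.
const EXAMPLE_CAP = 'manage_example_settings';

// Grant the capability to administrators on activation and revoke it from every
// role on deactivation, so it does not linger in the database after removal.
register_activation_hook(__FILE__, function () {
    $role = get_role('administrator');
    if ($role) {
        $role->add_cap(EXAMPLE_CAP);
    }
});
register_deactivation_hook(__FILE__, function () {
    foreach (wp_roles()->role_objects as $role) {
        $role->remove_cap(EXAMPLE_CAP);
    }
});

// The settings page is registered with EXAMPLE_CAP as its required capability:
// users without it get no menu entry and a permission error on direct access.
add_action('admin_menu', function () {
    add_options_page(
        'Example Settings',   // page title
        'Example Settings',   // menu title
        EXAMPLE_CAP,          // required capability
        'example-settings',   // hypothetical slug
        'example_render_settings_page'
    );
});

function example_render_settings_page() {
    // Defence in depth: re-check even though add_options_page already gated the menu.
    if (!current_user_can(EXAMPLE_CAP)) {
        wp_die(esc_html__('You do not have permission to view this page.'));
    }
    echo '<div class="wrap"><h1>Example Settings</h1></div>';
}

// A well-behaved plugin gates its notices too. Nothing in core requires this:
// an ungated admin_notices callback is shown to every user who can reach wp-admin.
add_action('admin_notices', function () {
    if (!current_user_can(EXAMPLE_CAP)) {
        return;
    }
    echo '<div class="notice notice-info is-dismissible"><p>Example: settings need review.</p></div>';
});

// Site-owner side (would live in wp-content/mu-plugins/, not in the plugin):
// suppress all plugin-emitted admin notices for users who cannot manage the site.
// Priority 0 runs before ordinary plugin callbacks (default priority 10), and
// remove_all_actions clears the hooks that were registered for this screen.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        remove_all_actions('admin_notices');
    }
}, 0);
```

The last hook is deliberately coarse: it also hides core notices (for example update prompts) from non-administrators, which is usually what an agency wants for editor accounts but should be a conscious choice. It does not stop a plugin from rendering markup outside the `admin_notices` hook, which is exactly why the reply above calls the system opt-in.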

Innocence once lost can never be regained.
