According to user reports, the All in One SEO plugin for WordPress unilaterally turned on automatic updates. The auto updates coincided with a major upgrade, which in turn caused multiple sites to suffer outages and other unintended behavior.
Automatic Updates Without Consent
Automatic update is a feature that allows plugins to update automatically without any action from the publisher. The common expectation is that this is something a publisher opts into.
Some publishers back up their WordPress installations before updating. That way, if something goes wrong, they can easily roll back to the previous state.
With automatic updates it’s no longer possible to save a backup before the update happens. A bad update can be a major problem, and one that is harder to recover from without a proper backup.
That’s why it was surprising when a member of the Advanced WordPress Facebook group started a discussion about how All in One SEO turned on automatic updates without (according to the user) notification beyond what was in the changelog.
A changelog is a record of the changes in an update.
The original post on the private Facebook group framed the situation as an ethical issue as to whether a plugin publisher has a responsibility to make it expressly known that a change in the automatic update feature is happening.
Many people felt that automatic updates should always be a user’s choice.
Response on Twitter
There was some discussion about All in One SEO automatic updates as well. Several publishers tweeted that the automatic update option should not be turned on as a default.
A publisher expressed their negative feedback on Twitter:
“I do not like to automatically update WordPress plugins, and I especially don’t like plugin software authors to try to force automatic updates on the marketplace. So much so, I will look to replace such software if I can. Please stop.”
He followed up with this tweet:
“Although this message was prompted by the recent All In One SEO default setting of automatic update in the plugin, that is far from the only plugin software doing this. Offer the option, don’t set it as default, and make it plain as day as an option.”
— Wayne Kessler (@KFIweb) December 27, 2020
All in One SEO Publisher Feedback
There were several negative reports about the automatic updates on the WordPress plugin repository support page.
One plugin user called All in One SEO a disaster, writing:
“After nearly 10 years, I have to say goodbye.
This recent series of almost daily updates since version 4 was released really shows that the new owners of AIOSEO have no clue at all about SEO…
…I don’t have the time to invest in being a beta tester for a plugin that has 2 million users but now doesn’t work… because it is so full of bugs.”
There is an entire support thread full of angry publishers who complained that All in One SEO auto-updated despite having set the plugin to not automatically update.
Another irate publisher wrote:
“Multiple sites have updated to 4.0.11 without my permission and while all auto updates are disabled.
Your once reliable plugin has destroyed hundreds of pages of social meta data on multiple sites, broken layout (and this after I fixed the problems and told you last week, I will be disabling all updates).
How dare you update my websites without my permission
For everyone reading this, this plugin has come to the end of its life as we know/knew it.
Migrate everything you have now, while you still can.”
Multiple All in One SEO 4.X Updates
All in One SEO updated from 3.7 to a new 4.X version on November 14, 2020. This was a rocky start because a second update to 4.01 followed on the same day to fix a database issue.
From November 14th through December 2020, the All in One SEO plugin published a total of twelve updates to fix a large number of issues, seemingly dozens of bugs.
To put that into perspective, according to the Yoast SEO plugin changelog, Yoast SEO published only three updates within that same one-month period.
These are bug fixes from just one update:
- Fixed: Bug that prevented editors and authors from editing SEO titles and descriptions
- Fixed: TruSEO support in the classic editor URL not fully working on extra long URLs
- Fixed: Issue where the closing head tag did not always display
- Fixed: Issue on a few remaining sites where the title tag would strip out a $ and any numbers after it
- Fixed: PHP error related to missing array during the migration
- Fixed: Issue where AIOSEO would not remove the trailing /amp from canonical URLs
- Fixed: Issue where notices would appear in the log when trying to access our log file
- Fixed: Conflict with WP Shop plugin
But it’s the update from December 21 that seems to have introduced the unilateral automatic update. That’s the only update listed in the changelog that mentions auto updates, but the entry is somewhat vague.
This is what the changelog says:
“Updated: Default options for auto updates”
Screenshot of All in One SEO Changelog
Should WordPress Plugins Auto Update Without Permission?
Automatic updates can make sense for publishers with sites that aren’t particularly complex. That said, backing up a site is a prudent step to take before updating.
Many people believe that publishers should have the choice to opt in to auto updates.
The publishers of All in One SEO have apologized and stated that they are removing the automatic updates. Should auto updates have been turned on by them to begin with?