Pamela Hazelton

Twitter icon Facebook icon Google Plus icon LinkedIn icon Periscope icon rss icon
You are here: Home / Mistakes That Kill / When You Realize that Plugin You Love is a Lying Cheat

When You Realize that Plugin You Love is a Lying Cheat

by 85 Comments

Note: Updates have been made since this post first launched on 09/24/14. The bottom of this post outlines the changes.

Let’s face it. Plugins make our lives easier. Especially on WordPress. Without them, we’d be left having to learn to code for every desired feature, or we’d have pay big bucks to have it done. So it makes sense that we install plugins to handle just about anything from Analytics to zebra striped backgrounds. When it comes to social sharing, there are scores of WordPress plugins, and at the top of the list for many is Shareaholic. This app does more than just provide sharing tools. It will also display related content, which is a great way to keep visitors within your site. What the powers-that-be behind the tool don’t tell you up front is that affiliate linking for your blog is turned on by default. This feature is, according to Shareaholic, a way for publishers to be compensated for traffic driven to other sites. They do this by “leveraging partnerships with merchants”, which really means Shareaholic has its own “publisher” affiliate accounts with various merchants.

Why is this a bad thing?

Because the plugin actually hijacks links in blog posts. Whenever the plugin recognizes a link to one of the merchants they work with, the link is re-written. But it’s not so evident that it’s happening. Last week I updated various content to educate my readers about Constant Contact. I am a Constant Contact Solution Provider, so some of the links reference my partner ID. The problem? Signups were not going under my account. Instead, they were being passed off via a Commission Junction account. I spent an afternoon working with Constant Contact, techs and tools trying to figure out the problem. Hovering over a link showed the proper URL in the browser bar, and the rewrite to Constant Contact work, just without the branding. I hunted Google for “WordPress plugin writes affiliate link”, but nothing was useful for this particular problem. Then I right-clicked on my link and copied it into NoteTab, and here’s what I got:

Viglink Coded URL
See that reference to viglink? That’s a service that changes existing links to affiliate links. It’s used, legitimately, by many bloggers, on their own accord.

So, I took to the WordPress admin and went through every plugin that may have a reference to any of the strings in the above URL. I found my Shareaholic Site ID was a match!

Shareaholic Site ID
My site ID was included in the URL, which was rewritten from my partner link.

For this reason, any existing or potential clients who signed up for the Constant Contact trial did not fall under my account. That’s a big deal when, as a partner, I offer several additional services (some free) for those who go through my partnership account.

It didn’t stop there

I ran searches for “viglink shareaholic”, and nothing referenced the Shareaholic site. But I did find this post at More from your Blog, which ultimately led me to the plugin creator’s page, “Earn Revenue in Your Sleep with Shareaholic Affiliate Links“. Introduced early this month, plenty of bloggers in-the-know are furious about it. Now, before I reached out to Shareaholic, and before I got downright angry about the entire situation, I took the time to see if I missed something in the installation or configuration of the plugin that referenced their monetization of outbound links. Nope. I didn’t. Take a look at the admin of the plugin:

Shareaholic Admin
While the admin mentions I can ‘unlock’ a monetization feature, it does not disclose that this is turned ON by default. Since I wasn’t interested in monetization, I didn’t click the unlock button.

When I clicked the link for “Understanding the new Shareaholic…” I’m taken to a post from August. I could only assume that was the latest big update, and there is zero mention of Affiliate links. Then I clicked the “Unlock” link – the one that refers to unlocking monetization – and was presented with a “sign up” page: Shareaholic Signup   Without signing up or logging in, I clicked a profile icon, and was presented with a main screen:

Shareaholic Profile Main Page
No mention of monetization or affiliate linking.

Even though I was already on the “Site Tools” section, I clicked the link again, and got this:

Shareaholic Site Tools
Notice the third setting down: Affiliate Links. This is turned ON by default, allowing your outbound links to be rebranded.

But, I found another disturbing issue. Every install of this plugin I’d done for others? I have access to configurations. I could configure features for a total of four different websites, and I never used the “Add Website” function! That means if YOU use Shareaholic, there’s a chance anyone else you’ve installed it for is under your total control.

So far, the only relationship I see between the sites I unnecessarily “manage” with Shareaholic is the email address associated with the WordPress login used for the install of the plugin.

[UPDATE] I must have created an account via the plugin itself at least for one site. But, I swear, I still didn’t click that Unlock button. Though Shareaholic admits that if you’re logged into their website, and you work on someone else’s Shareaholic plugin, that account does get associated with you. Wait, what???

[UPDATE #2] After testing by creating two other accounts, I realize I did not setup a full Shareaholic account. This means my own site, and all the profiles beneath it, were confirmed by one authorization via Twitter.

When you log into a client's Shareaholic plugin on WordPress and then visit Shareaholic.com, it auto-populates the settings to your Shareaholic.com account (if you're logged in as yourself and not your client's account). No worries! There's a solution to fix this.
Posted at WordPress Support for the Shareaholic Plugin

Shareaholic’s Lack of Transparency Puts Users at Risk

I’ve read Shareaholic’s responses to those disturbed over this recent change. Take a look:

We're not trying to be sneaky! It's the opposite: we want to offer a feature that benefits you. The affiliate revenue your links generate is for you :)
Posted in the WordPress Forums at the beginning of September.

Note the line, “The affiliate revenue your links generate is for you :)”. Does this mean Shareaholic is going to pass 100% of the revenue generated by Affiliate Linking to the users? Not at all. In fact, Shareaholic won’t even tell you how it will calculate your earnings, only that “percentages vary depending on costs, content and performance”.

There is no standard revenue share percentage as these percentages vary depending on costs, content and performance. We will continue to ensure publishers get optimal revenue from this opportunity.
From Shareaholic’s FAQ

Seeing as VigLink openly says it keeps 25%, I can only assume bloggers’ cuts will be about 65% or less. By the way, if you don’t have a PayPal account that you can register with Shareaholic, you can’t get paid. There is also the issue of the requirement to disclose affiliate linking to your readers. Shareaholic bounces around on this issue, which raises questions of integrity. From it’s own FAQ, Shareaholic makes it clear that bloggers using Affiliate Linking must disclose this information. Shareaholic Disclosure Requirement - click to read Then, in the comments of the Affiliate Linking update announcement, it says it’s not necessary to disclose this information:

I apologize for the confusion about this! Our understanding is that editorially-motivated links are not advertisements and do not require publishers to include a disclosure on their site, and that the FTC is not targeting endorsers, but rather the advertisers if/when there is a compliance infringement reported. As a result, we believe that the Affiliate Links app doesn’t put publishers into a position where they are in violation.
Posted two days later in a comments section, by the same person!

But let’s look at Shareaholic’s Terms of Service, which, surprisingly, also say disclosure is required:

Shareaholic's TOS
The last update to the TOS was July 2014. The Affiliate Links “disclosure” for publishers is there, but there is no mention of YOU giving Shareaholic permission to write links on your behalf.

Oh, and VigLink also says this disclosure is necessary.

At this point, I’m convinced they’ll say anything.

If I haven’t made myself clear yet, I’m pretty disgusted about Shareaholic’s tactics. Not so much for myself, but for every single blogger who uses this plugin and is potentially (unknowingly) breaking the law, losing their own commissions and losing credibility. Shareaholic makes several claims that are FALSE, including:

It is not creating new links on your site or redirecting your existing links to another site. It simply tracks when you drive sales on participating sites, so you get a reward. So, if decide you want to link to a product on xyz site, and one of your readers clicks on that link and purchases it, you are compensated for the referral you were making already.
It doesn’t ‘simply track’.

The Affiliate Linking feature does not “simply track”. If that were the case, my partner URL would have resulted in created accounts falling under my partner dashboard with Constant Contact. Granted, the users were still sent to the proper website, but all branding was stripped because the “rewrite” of the link gave credit to someone else. It is misleading to say it’s not a “new” link, because that’s exactly what it is. It is swapping out the link you coded with a different one.

And now I'm going to uninstall it because it's unbelievable that I have to manually create 100 accounts and disable a feature which adds links inside a website without asking for permission.
This proves that every user of this plugin, even those who did not create an account, are affected.

On the Shareaholic plugin admin, which is the first page a user lands on after installing the tool, it clearly directs you to sign up for a free account to unlock features, including monetization. How is it that every account is monetized by default, even without account creation? Even Shareaholic does not dispute that the feature was turned on for every WordPress site where the plugin is installed. Oh, there’s also the email I received on September 2nd, when I first installed the plugin on my own site.

 

Analytics, follow buttons and opportunities to earn revenue from your site (just to name a few) are waiting for you when you sign-up for a free Shareaholic account. Click here to sign-up (or login to an existing Shareaholic account) and we'll automatically sync the plugin settings with your account. It's easy and free!
Initial Email from Shareaholic

This is the only email I’ve ever received from Shareaholic.

 

Our goal was to offer a feature that doesn't require a lot of work, but still works for you. We opted for this because we thought it would delight our users :) But we're listening!
They say they’re listening…

As early as day one, Shareaholic has repeatedly assured users that it’s listening. Yet, they haven’t changed the feature to opt-in. Why? My guess is that the vast number of users have no idea they’re making Shareaholic money, and no idea that they’re potentially due money because Shareaholic has done nothing to inform them directly that this feature is active. While Shareaholic says this feature does not rewrite any existing affiliate links, there are hundreds of bloggers who say it has swapped out links, costing them money. What’s worse? It doesn’t recognize “referral” links the same way.

Shareaholic says you can opt to turn off rewriting for specific links by including rel=”nowrite” in the url, but it seems to ignore any other parameters that would also give the indication that the link is already branded. If you use Shareaholic, and the Affiliate Links feature is turned on (and it will be unless you turned it off yourself), you could be losing money. Any affiliate links that wind up being rewritten means the commission goes first to VigLink (who takes a cut), and then to Shareaholic (who takes an undisclosed amount). This will continue to occur with any lead generating links affected, as well as affiliates or partners who may pay you at higher scales for referrals who buy over a lengthy time period.

Ethics Matter…. Goodbye Shareaholic

Could I have just turned off Affiliate Linking and gone on with my day? Sure. I turned it off immediately and all links now function as expected. Then I uninstalled the plugin. The way I see it, if you hijacked content on my website, leaving me vulnerable (and costing me 6 hours of time troubleshooting), you’ve no right to make money off me any other way. That includes monetizing shares on my site by showing advertising to social users.

There’s one other question that remains, and I’m no lawyer. I’ll toss it out there for you to consider: When you sign up as a publisher for VigLink, you agree to its Terms and Conditions. They include that VigLink provides a unique user ID and some JavaScript that is to be installed on the website. It also says the VigLink software may only be used on sites “for which you have the authority to modify”. Then there’s this: “The use of VigLink in conjunction with browser toolbars, proxies or other intermediate software to modify websites or affiliate clicks you do not control is specifically prohibited.” and: “You represent and warrant that you shall comply with all rules, regulations and guidelines, as well as any applicable Merchant terms and conditions and policies, in each case to the extent applicable to your operation of the Website and use of the Service and Software, including, without limitation, those regarding the disclosure of a material relationship inherent in the links on the Website.”

I’d love to see the agreement between VigLink and Shareaholic because, according to this, the latter has told the former it has authority to control our websites. And, if you use (or did use) Shareaholic, I’d love to hear from YOU! Did you experience any of the issues I’ve outlined above?   Thanks to More from Your Blog, who boldly posted about this issue earlier this month. It was their post that got me hunting deep, all the more shocked at what I found.

[UPDATE] While Shareaholic has since made this feature opt-in, it appears all existing sites for which it was originally opt-out are still affected (it does not appear they backrolled that setting).

This issue affects ALL users of Shareaholic, even standalone sites (those not using the WordPress plugin).

Here’s how I tested:

1. I went back into the Shareaholic settings page (at their site, as I’ve deactivated the plugin), and clicked on GET CODE.

I was provided with this:

My code for Shareaholic, which I can install on any site.
This is the script for running Shareaholic on many types of websites, not just WordPress (but it would work there too, without the plugin).

 2. I took the script and plugged it into the head tags of a verified website.

3. I toggled the Affiliate Links on in Shareaholic settings.

VOILA – link rewriting. This means that if you have the above script installed on any of your sites, you could be affected. Shareaholic claims it services more than 340,000 websites – I wonder how many owners of those sites realize this issue?

[NEXT POST] How deep does this go? Here’s how I can hijack my clients’ followers by “intercepting” social sharers and account buttons.

[THIRD POST] A response to Shareaholic’s blog post because they deleted my comment. Read: An Open Letter to Shareaholic.

 

 

UPDATE!!! Shareaholic appears to be making some changes. Today they changed the plugin description to include monetization, and it appears Affiliate Links is now opt-in. I’ll be posting all updates I find in the Open Letter post! Be sure to head over there for the entire process.

UPDATE!!! Shareaholic has posted a blog on a few of the issues outlined in this post. You can read: Clarification about Shareaholic’s Recent Product Release. I did respond to the post, but they disapproved my comment. I’ve posted my comment at Reddit should you want to read it. I also posted an Open Letter.

[UPDATE] How deep does this go? Here’s how I can hijack my clients’ followers by “intercepting” social sharers and account buttons.

[UPDATE] This issue goes beyond WordPress. It affects any website utilizing Shareaholic, even if you aren’t displaying any tools. See the bottom of this post for details.