There have been several high profile plugins lately that have been found to be posting spam and deceptive links on user’s blogs lately.

One such is the “Display Widgets” plugin. You can read Wordfence’s detailed breakdown of the spam. It turns out the original developer of the plugin sold it, and the new owner started to place spammy backlinks and other bad code into the plugin. This gave this “developer” access to tens of thousands of blogs and the site owner’s never knew it was happening.

I was checking the WordPress that runs this blog today to see if there were any plugin or system updates for me to do, as is good practice. I noticed one today had an update, a no-follow plugin I’ve been using for a few years. Today, I saw that plugin had an update, and I looked at the changelog to see what was new, which is also a good thing to look at instead of blindly trusting plugins.

I saw this, which set off my Spidey sense.

No offense to this new maintainer person, but seeing a plugin go to a new person, one that has no other active plugins in the WP repository, has no mention of this plugin on his blog, and whose Twitter feed is mostly links to Twitch videos makes me nervous.

Bad Feeling

It’s not clear if this new developer volunteered to take over the plugin, or buy it outright. I suspect a purchase. The previous owner/developer had a cadre of plugins and a blog focused on monetizing content.

Let me be clear. I’m not against anyone making money by selling their theme or plugin. I am also not saying that this new developer/owner of this particular plugin is going to do anything nefarious. It’s worth keeping in mind that this particular tool has over 30,000 active installs.

The reality of the web nowadays is that we need to be nervous about what we allow into our sites. We need to be careful about what we let have access to our data. I believe one of the reasons WordPress gets a bad rap when it comes to security is that the software makes it extremely easy to install themes and plugins from anywhere on the Internet, not just the WordPress repository. Many people don’t know the difference between a compromised theme and a legit one, unfortunately.

I’m going to hold off on updating this. This new version does not add any functionality, it merely reflects the new owner. I’m going to see what things are added or removed in the next version, and move forward from there. Unfortunately, this may be our new reality going forward.

I’ve been watching a lot of videos lately about boats. I don’t own a boat, but I think they’re cool. I’ve been watching videos about the narrowboats that cruise around the canals of England and Wales. I’ve been watching videos about catamarans sailing the oceans. Big boats, small boats, it’s all good. What I’m learning in watching these videos is that sailors often have to prioritize work and tasks to keep the ship sailing towards its destination.

We face similar challenges in our marketing and web offices. We are often understaffed and overrun with projects, some mission critical and some that are not as strategic. Often, leadership at your institution or division will say that we, as web and marketing folks, need to organize, prioritize, and measure the effectiveness of our work so that we can use that data to say no to requests that we typically receive from departments, schools, colleges, and other groups across campus.

TNohere are many KPIs you can use to help prioritize your projects and leverage as your department’s reasoning for saying no. Of course, you need to find the metric that makes the most sense for your institution or group. Maybe you say that your department now has marching orders to focus on projects and work that drives tuition revenue. Maybe you say that your new focus is on undergraduate enrollment. Graduate enrollment. International students. Retention. Capital giving projects. A certain element of the strategic plan. You’re focusing on your President’s passion project. You get the general idea.

All of those things are ways that we can use to tell people no.

There are different ways you can sail the seas of no. You can give a hard no. Maybe you use a “no, but,” where you offer to do the work but give a deadline that’s far off in the future. Perhaps, you ignore the request altogether. Each of these methods is full of peril and rocky shoals.

In my experience, people on campus react one of several ways.

In a perfect world, they’d understand the importance (or not) of their project. They’d appreciate our honesty and straightforwardness and understand why we can’t do a poster for the speaker coming to campus that a handful of people will go to1. Often the one we had one week’s notice of.

More often than not, this would happen.

We would nicely, and politely, say no to a project, via phone or email. We would feel good about our decision and get back to our work. Then, sometimes as soon as ten minutes later, the phone rings and the caller ID shows that a dean or vice president is calling. I know right away what they want.

“What aren’t you doing X project? You’ve always done it. X is important!”

On some occasions, that conversation would happen at a VP to VP level. I don’t know if that’s better or worse.

Sometimes they’d back down, but often, despite our arguments, we’d still do the work. We’d shuffle projects around, work late, or farm something out in order to keep the project moving and get it completed.

I get why the departments push back. No one wants to be told no or made to feel that the work they’re doing isn’t important. They feel they, like marketing, is understaffed and overworked.

Pushback and saying no is a problem that I have yet to solve in my 20 years of working in marketing and web. I’ve been thinking lately about why that is.

Personally,  I don’t like saying no. I like making people happy and I like doing good work for my institution. I want to have good relationships with folks across campus and I want them to like me, too. I admire folks who can stick to their guns and continue to say no.

My question is how do you do it? How do you say no, back it up with data, and get offices across your campus to understand, and ultimately, accept the fact that a marketing or web team can’t take on their project, for whatever reason works for your institution.

Much like I can’t sail a boat, I want to learn how to say no and bring calm seas to my life.

1 – We found that electronic means was a much easier and time-saving method for promoting limited-interest on-campus events. Tools include social, intranet, digital signage, and other campus calendering sites.


Movie subscription service MoviePass has been in the news this week. The service has been around for several years, and this week the company announced they are reducing the price of their subscription service to $9.95 per month.

We can argue all day about how exactly MoviePass is going to make money by selling $10 plans that allow subscribers to see a movie per day in a movie theater. We can debate if the service will scale, how they’ll make money by selling data, and so on. But this isn’t that kind of blog.

Hammer Brother Going after MoviePass' websiteWhat we can dig into is what’s happened to MoviePass’ website this week.

It’s gotten hammered.

It has been several days since the announcement, and the website is still suffering sluggish performance, intermittent outages, and  lots of broken images and icons. Let’s do a quick look at their infrastructure.

Quick fixes

I believe there both large and small things that MoviePass can/should have done to keep the site online and accepting new customers. After all, without customers, they won’t have a service very long.


MoviePass HostingIn looking at their IPs, it looks as if they’re hosted by eNOM. This may not be 100% true, as during a period of downtime earlier this week, it looked like the site might be hosted at Linode. So we’re unsure on this one, but whatever plan it was, it wasn’t enough.

If it were me, I would have a site like this live at a cloud provider like Amazon Web Services or Google, where I would be able to set up a load balanced arrangement and add servers as needed to meet demand, then scale them off when demand dropped. After this initial rush, you may not need 10 web servers, but for now, you probably do.

Content Delivery Network

All the images and the all the javascripts except for one are hosted in an Amazon S3 bucket. That’s very good – a nice way relieve traffic on  your application server. The good news is that s3 traffic is relatively cheap. Again, if it were me, I’d go a step further and serve those assets from Cloudfront, which will distribute them and serve them from the closest data center to the user. S3 will only serve content from the datacenter where the bucket was created. That means users in Seattle will have to pull data from Virginia, for example.

404s and API Errors

There are several 404 errors and some API errors from Google. Those will also slow down the site as the images are asked for, and the API returns errors instead of content. Tweaking those will increase page draw speed and reducing errors is always good.

MoviePass errors

Transactional Email

These 404 errors also carry over to the welcome email you get as a new customer. Yes, I totally signed up. I love movies and figured I’d try it out. These broken images doesn’t make for a very welcoming experience. See:

MoviePass email message

Kudos to MoviePass for using a 3rd party transactional email sending service like SendGrid. I’m a SendGrid customer, and the service is great, but with a bit of setup, you can get rid of the “via” message in the header. Most users probably don’t notice that, but I do and its easy to fix. I’ve written about outsourcing your transactional email before.

I’m excited to try the service out, and I hope MoviePass makes it. Guys, if you need any help with your site, hit me up. I’ll trade you for some free movie passes.