Google Analytics 5.4 release notes

This release is mostly a security release. After last month’s security update we decided to have Sucuri do another in-depth review of the plugin, we found another issue ourselves that was common in many plugins, and we were informed of another issue by Jouko. For that reason, you should update immediately. The release contains a few more improvements, which I’ll highlight below.

Use the WP Settings API

When we re-built the Google Analytics plugin at the end of last year we left one bit of the old code intact: the way it stored settings. We’ve now fully migrated the plugin to use the WordPress Settings API. This makes sure we won’t suffer security issues in our own code as we’re relying on the core code to handle options saving.

More accessible forms

A pull request by Steve Repsher added for attributes to our labels, making them correspond with their form fields. A good accessibility change for which we’re thankful!

Universal is the default

Now that Google Analytics’ Universal rollout has completed, we’ve made Universal the default for all new installs.

Fixed an annoying bug: scripts everywhere

We also fixed an annoying bug in this release. Our plugin was loading its scripts on every page, instead of on just its own pages. This led to slow loads and annoying interaction problems; those should now all be solved.

This post first appeared as Google Analytics 5.4 release notes on Yoast. Whoopity Doo!

April 21st 2015 Analytics, wordpress

WordPress SEO 2.1: release notes

As we don’t want to drown these release notes in the bigger security news, we’ve made it into a separate post. WordPress SEO 2.1 (both free and premium have the same version number now) contains a series of bugfixes but also some enhancements I’d like to highlight in this post.

These changes come on top of the (arguably bigger) changes I mentioned in my post last Friday, be sure to read that if you haven’t yet.

WordPress 4.2 ready

This release makes sure that WordPress SEO behaves well with WordPress 4.2, of which the release is imminent. Most importantly it makes sure the taxonomy metadata is carried over well.

Twitter cards enabled by default

Recently, Twitter removed the need to validate your site before Twitter cards worked. This made it possible for us to enable Twitter cards by default, which we’ve done in this release. Now, if you’re installing WordPress SEO on a new site, you’ll get Twitter Cards as soon as you’ve activated the plugin.

We’ve also removed the use of the twitter:url meta tag, as Twitter no longer uses it and uses the canonical instead.

Update the Facebook API to its latest version

Changes like these are the kind of under the hood changes that nobody notices but are important nonetheless: Facebook has updated its API to a new version and is deprecating the old one. This leads to us being required to update the code in our plugin. You’ll notice some minor interface changes, but most of the stuff is under the hood.

Plugin conflict notices

Some plugins don’t really work together. For instance, if two plugins add Facebook OpenGraph code to a page, Facebook’s output becomes uncontrollable. For this reason we’re showing conflict notices when you install a plugin that does something our plugin does too. You can ignore them if you want to, but it should help prevent the “huh why isn’t this working” type issues.

Validation messages everywhere!

If you’re using a featured image for your social meta data, and that image is too small to work with Facebook, we’ll now show you an error. Also, if you’re editing title and description templates on the SEO → Titles & Metas page and you use a variable that isn’t available for that template, we’ll give you a helpful warning.


This post first appeared as WordPress SEO 2.1: release notes on Yoast. Whoopity Doo!

April 21st 2015 wordpress

Security updates for our GA and SEO plugins & many others

In this post, we’re announcing a security update to both our SEO plugin and our Google Analytics plugin. Chances are, a few of the other plugins you use are affected too. Read on below if you’re interested in the how and why, but make sure you go into your WordPress admin and update. Don’t just update our plugins, update all of them!!

The backstory

There are several issues fixed in these releases, so we’ve got individual release posts for WP SEO and for our GA plugin. The main issue we’re fixing with this release is the wrong usage of add_query_arg and remove_query_arg we had in both our WordPress SEO plugin and our Google Analytics by Yoast plugin.

This issue was responsibly disclosed to us by Johannes Schmitt of Scrutinizer CI (thank you!!), who found it in our SEO plugin. We discussed it with our partners at Sucuri. At first we thought it wasn’t exploitable; later on we found it allowed for XSS. In our case, you needed to be logged in as an admin to be XSS’ed, but still this was an issue to fix.

I, Joost, created the particular problem myself and was wondering how that had gotten by me, when I figured out that both the Codex and the developer documentation for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away. I spoke to Samuel, mostly known in the WordPress community as Otto42, and he fixed the codex. A day later, the developer docs were amended as well.

We were ready to do a security release last Wednesday. I was hesitant as I was guessing that more people had made the same mistake, because of the documentation. I talked to Dion Hulse, one of the people on the plugins team, and started doing a search, together with the team at Sucuri. We quickly found we were far from the only ones.

A coordinated security release

As we researched, we quickly identified a few dozen affected plugins, lots of them major; the affected plugins include Gravity Forms, Easy Digital Downloads, Jetpack, WP e-Commerce, All In One SEO pack and that’s just some of the big ones. Based on this info Daniel Cid at Sucuri and myself started reaching out to those plugin developers and coordinating a big security update between all of us. WordPress Slack proved to be very helpful for this kind of coordination.

Some of these plugins had XSS issues on the frontend. We did not, so when the core team offered to do an automatic update, we opted out. The last time we did an automatic update (this is an update your WordPress installs automatically without your intervention), our WordPress SEO plugin got disabled on hundreds of sites and we didn’t want that to happen. Choices like these are tough to make: some sites might have a minor security issue now, but for many sites not having our SEO plugin enabled might actually be worse.

I must say I’m quite proud of the community getting together like this and coordinating a release in such a fluent way. There are in total 44 people in the Slack group coordinating this release, and everyone is being very professional in dealing with it. After all, we’re updating dozens of plugins, and most of them had only 3 to 4 days notice, including a weekend. All these WordPress plugin developers working together with the WordPress core security team makes me proud to be a part of this community!

For users: I don’t see the update yet!

If you don’t see the update yet, go to your wp-admin/update-core.php page, under Dashboard → Updates; this will clear the cache for all updates and should then show you the updates for our plugins.

Going to this page will also make sure any automatic updates are done a few seconds later too. Be sure to check your plugins page a minute or so later to see if all the needed plugins are still active.

For developers: how to fix the issue

The short version for developers of how to fix this issue: if you’re using either add_query_arg or remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url and you’re done. Not a hard fix, but it has to be done.

If you think your plugin or theme is vulnerable and want to find out, feel free to reach out to me on WordPress Slack (I’m @joostdevalk there) and I’ll show you how to exploit it. As there are still bound to be vulnerable plugins and themes out there, I’m not going to explain that here.
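One way to audit your own plugin or theme for the pattern described above, as an added example (not Yoast's or WordPress's code): a heuristic scan for add_query_arg / remove_query_arg calls that omit the URL and are not wrapped directly in esc_url. The sample PHP is constructed; the helper names and the choice to also accept esc_url_raw as a wrapper are assumptions of this example.

```python
import re

# Constructed sample PHP, not taken from any real plugin.
SAMPLE = r"""<?php
// settings page links
echo '<a href="' . add_query_arg( 'tab', 'general' ) . '">General</a>';
echo '<a href="' . esc_url( add_query_arg( 'tab', 'general' ) ) . '">General</a>';
$next = remove_query_arg( array( 'updated', 'error' ) );
$back = esc_url( remove_query_arg( 'paged' ) );
$link = add_query_arg( array( 'page' => 'demo' ), admin_url( 'admin.php' ) );
"""

CALL_RE = re.compile(r"\b(add_query_arg|remove_query_arg)\s*\(")
WRAPPER_RE = re.compile(r"(\w+)\s*\(\s*$")
SAFE_WRAPPERS = {"esc_url", "esc_url_raw"}  # assumption: direct wrapping only


def split_args(src, start):
    """Split the call's top-level arguments; start is the index just after '('."""
    args, buf, depth, quote = [], [], 0, None
    i = start
    while i < len(src):
        ch = src[i]
        if quote:                      # inside a PHP string literal
            if ch == "\\" and i + 1 < len(src):
                buf.append(ch)
                i += 1
                ch = src[i]
            elif ch == quote:
                quote = None
            buf.append(ch)
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch in "([{":
            depth += 1
            buf.append(ch)
        elif ch in ")]}":
            if depth == 0:             # closing paren of the call itself
                break
            depth -= 1
            buf.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    return args + [tail] if tail else args


def url_omitted(func, args):
    """True when the call falls back to $_SERVER['REQUEST_URI'] (or may do so)."""
    if func == "remove_query_arg":     # remove_query_arg( $key, $url )
        return len(args) < 2
    if len(args) == 2:                 # ( array, $url ) has a URL, ( $key, $value ) has none
        return not re.match(r"(array\s*\(|\[)", args[0])
    return len(args) < 3               # add_query_arg( $key, $value, $url )


def scan(src):
    """Return (line, function) for each unescaped call that omits the URL."""
    findings = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        args = split_args(src, m.end())
        before = src[max(0, m.start() - 80):m.start()]
        wrapper = WRAPPER_RE.search(before)
        escaped = bool(wrapper) and wrapper.group(1) in SAFE_WRAPPERS
        if url_omitted(func, args) and not escaped:
            findings.append((src.count("\n", 0, m.start()) + 1, func))
    return findings


if __name__ == "__main__":
    for line, func in scan(SAMPLE):
        print(f"line {line}: {func}() without URL, output not wrapped in esc_url")
```

A result assigned to a variable and escaped later is still reported, so treat each finding as a line to review by hand.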

This post first appeared as Security updates for our GA and SEO plugins & many others on Yoast. Whoopity Doo!

April 21st 2015 wordpress

RT @WordCampDenver: Buy your ticket…

RT @WordCampDenver: Buy your ticket now to WordCamp Denver, June 13-14 2015. Only $40 #wordpress #wcdenver15

April 15th 2015 personal, wordpress

WordPress SEO 2.0: focus on what matters

We’re proud to announce the availability of WordPress SEO 2.0. This release adds new features for Google’s Knowledge Graph and improves the design, layout & usability of the WordPress SEO plugin’s admin screens in many ways.

Google Knowledge Graph

Google recently introduced new features for their knowledge graph, allowing you to highlight yourself in the search results as either a company or a person. This includes your or your company’s name and, if your site is for a company, the logo:

[Image: Google Knowledge Graph info]

And it includes your social profiles (this is the list of social networks Google supports in their social markup):

[Image: Social Profiles tab in WordPress SEO 2.0]

If Google has picked this all up and shows a Knowledge Graph block for you or your company (note that we can’t force it to do that), it would look like this:

[Image: Google Knowledge Graph example]

Simplified the admin menus

We’ve decided to move several admin pages under one “Advanced” page, and several tools to a new “Tools” page. This makes our entire admin structure a lot cleaner (note the screenshots are for WordPress SEO premium); compare the old (left) versus the new (right):

[Image: WordPress SEO admin menu changes]

While this might seem mostly a superficial change, it’s very important in how we think you should perceive our plugin. The most important thing you can do in SEO is write good content; the most important section of the plugin is thus the metabox on the edit post / pages. While the features hidden under the Advanced menu are very useful, they’re not going to make your ranking go from poor to awesome. By moving them all to one advanced page, we hope to make that emphasis more obvious.

WordPress SEO Premium changes

Speed improvement

Not a feature, but a very welcome change: we’ve made WordPress SEO Premium much, much faster in this release. You’ll notice this in the admin of your site almost immediately.

Updated videos

Because we’ve changed all the admin screens, all the videos had to be redone, so in WordPress SEO Premium 2.0 you’ll find a completely new set of 13 videos made by Shawn Hesketh of WP101. This is the first of these 13 videos you’ll get with WordPress SEO Premium:

Version number changes

With this release we’ve also made the version number of WordPress SEO and WordPress SEO premium the same. They’re both called 2.0. We will keep them the same throughout future releases, so we only have to communicate one version number.

Go update!

Go update your WordPress SEO and let us know what you think!

This post first appeared as WordPress SEO 2.0: focus on what matters on Yoast. Whoopity Doo!

March 27th 2015 wordpress

GA plugin security update & more

It’s been quite the week here at Yoast. Our release of a security update to WordPress SEO was followed by several other major plugins uncovering similar issues and a renewed interest among security researchers into big WordPress plugins. Turns out we had another issue to patch, so today we released an update to our Google Analytics plugin (both free and premium) too.

How serious are these issues?

One of the things we should have probably communicated better is the severity of the issues at hand. Some of the news outlets made it seem as though someone could walk straight into your site because of these issues, which is not even close to true. Our partners at Sucuri did a post this week on how to understand WordPress plugin vulnerabilities that’s a good read.

If you’ve read that post you’ll learn about the DREAD score; both the WordPress SEO issue and today’s Google Analytics by Yoast issue were assigned a DREAD score of 5. That’s “Low”, but unfortunately, it’s still an issue, so you’re advised to update immediately.

What was the issue in GA by Yoast?

The issue we fixed was another compound issue where an unauthenticated user could change the list of profiles in Google Analytics (he couldn’t change the active UA code, so he couldn’t impact your tracking directly). This list of profiles could be made malicious because Google Analytics allows property names that have JavaScript code in them. At that point an admin visiting the settings page could suffer from a stored XSS attack because we didn’t properly escape the property names on output. This is not something a hacker could easily automate, hence the low DREAD score, but if someone wanted to seriously target your site, he could.

We are thankful to Jouko Pynnönen for responsibly disclosing this issue to us.

Note that the fact that it’s responsibly disclosed to us means that we have not seen this issue being actively used by hackers yet. We’re fixing the hole before anyone is using it. Because we do that publicly, someone might start looking for this issue though, so please, please: update.

Are you done with those security issues yet?

I can thoroughly imagine that you’re done with these security issues. Trust me, so are we. But bugs happen, all we can do is fix them as soon as possible when we figure them out and inform you when they do. We’ve just started another review cycle with our partners at Sucuri, who will once again review all our major plugins for security issues. We work hard to prevent issues like this but sometimes we too make mistakes. For that, we apologize.

For now: update!

If you use the free version of our Google Analytics plugin, update to version 5.3.3. If you use Google Analytics by Yoast Premium, you should update to version 1.2.2; if you don’t know how, read our knowledge base article on updating premium plugins.

This post first appeared as GA plugin security update & more on Yoast. Whoopity Doo!

March 19th 2015 wordpress

WordPress SEO Security release

This morning we released an update to our WordPress SEO plugin (both free and premium) that fixes a security issue. A few more details follow below, but the short version of this post is simple: update. Now. Although you might find your WordPress install has already updated for you.

What did we fix?

We fixed a CSRF issue that allowed blind SQL injection. The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue.

Why didn’t we catch it? Well… Long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect would prevent SQL injection. It does not. You’ll need far stricter sanitization. Not an excuse but it’s a good lesson to learn for other developers.
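Why quote-style escaping is not enough, and what stricter sanitization can look like, as an added example (not Yoast's code). The page does not say where the escaped values ended up; this example assumes an unquoted position (a sort column), uses an in-memory SQLite table with constructed rows, and quote_escape is a stand-in for quote-style escaping, not WordPress's esc_sql. All names are hypothetical.

```python
import sqlite3

# Allowlists: request value -> SQL fragment we wrote ourselves.
ALLOWED_ORDER_BY = {"title": "title", "date": "post_date"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def quote_escape(value):
    """Stand-in for quote-style escaping: only protects data placed inside '...'."""
    return value.replace("'", "''")


def make_db():
    """Constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, post_date TEXT)")
    db.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, "Alpha", "2015-03-01"), (2, "Beta", "2015-03-05"), (3, "Gamma", "2015-03-09")],
    )
    return db


def find_by_title_escaped(db, title):
    # Quoted position: escaping keeps the value inside the string literal.
    sql = "SELECT title FROM posts WHERE title = '" + quote_escape(title) + "'"
    return [row[0] for row in db.execute(sql)]


def list_posts_escaped(db, order_by):
    # Weak: the escaped value lands outside any quotes, so whatever it
    # contains is parsed as SQL. Escaping has nothing to neutralise.
    sql = "SELECT title FROM posts ORDER BY " + quote_escape(order_by)
    return [row[0] for row in db.execute(sql)]


def list_posts_allowlisted(db, order_by, direction="asc"):
    # Strict: the request only selects between fragments defined above.
    column = ALLOWED_ORDER_BY.get(order_by)
    way = ALLOWED_DIRECTION.get(direction.lower())
    if column is None or way is None:
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT title FROM posts ORDER BY {column} {way}"
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(find_by_title_escaped(db, "x' OR '1'='1"))   # stays data: no rows
    print(list_posts_escaped(db, "title"))             # intended use
    print(list_posts_escaped(db, "id DESC LIMIT 1"))   # request rewrote the query
    print(list_posts_allowlisted(db, "date", "desc"))
```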

Responsible disclosure

We were notified of this issue by Ryan Dewhurst of the WPScan team, who waited for us to release an update before publishing his find to the public, for which we thank him! This type of responsible disclosure is what keeps us all safe, but it only does so if you update.

Forced automatic update

Because of the severity of the issue, the team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:

  • running on 1.7 or higher, you’ll have been auto-updated to 1.7.4.
  • running on 1.6.*, you’ll have been updated to 1.6.4.
  • running on 1.5.*, you’ll have been updated to 1.5.7.

If you are on an older version, we can’t auto-update you, but you should really update for tons of reasons. Of course you should really move to 1.7.4 as soon as you can anyway.

Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.

This post first appeared as WordPress SEO Security release on Yoast. Whoopity Doo!

March 12th 2015 wordpress

Public betas for our plugins

Over the last few months we’ve been working hard on improving how we build and test our plugins. We’re writing more and more unit tests and are trying to prevent issues from popping up. There’s one recurring issue though: we can’t test everything. Hosting environments vary so much that we have decided to do more public betas for our plugins. As a direct result of that decision, this post announces two public betas as well as reminds you of our beta mailing list.

For both plugins we’re aiming for a beta period of about a week but if too many bugs come out of a beta we’ll of course postpone release.

WordPress SEO by Yoast 1.8-beta

We’ve refactored large parts of the frontend code of our WordPress SEO plugin and heavily optimized how the plugin loads its modules in both front- and backend. The execution of our plugin’s code on the frontend is now approximately 30 – 40% faster, which of course is awesome. But… This almost has to lead to bugs and while we’ve fixed a fair few and our unit tests all succeed, we’d like you to test.

Most important here is testing whether there are any major differences in meta data between your pages with the current WordPress SEO plugin and this beta. This beta introduces a few new features around Twitter cards (Twitter cards on every page, support for the Twitter Gallery card) but all the other meta data should be the same.

Another thing that should work better in this release is everything to do with characters with accents, umlauts etc in the focus keyword and all the tests around that.

Download WordPress SEO by Yoast 1.8 beta here »

(or check it out from GitHub but in that case make sure to update Git sub-modules too)

Note: this is beta software. Do not use on production environments.

Google Analytics by Yoast 5.3-beta

The release of the dashboards for our Google Analytics plugin has been a bit of a bumpy ride. We’ve made some mistakes and have had to scramble to fix those. Brian Krogsgard actually wrote a nice post over on Post Status about it, if you’re interested in the background. We think this beta release fixes some of the last remaining issues but we’re having a hard time confirming those, so we decided to ask a wider audience to test.

This beta has the option to completely disable the dashboards functionality, should you want to. It should also no longer show any notices about re-authentication or at least show them way less frequently than it did for some people.

Download Google Analytics by Yoast 5.3-beta here » 

(or check it out from GitHub but in that case make sure to update Git sub-modules too)

Note: this is beta software. Do not use on production environments.

How to give feedback

So you want to test and give feedback? Awesome, thank you! We’d prefer your feedback in the form of new issues on GitHub (make sure to mention the beta) or as emails to beta at

The beta mailing list

We have a mailing list for beta testers that we’ll be using more often; you can sign up for that here. We’ll send new versions of the betas out to that mailing list too so make sure to subscribe if you’re testing.

This post first appeared on Yoast. Whoopity Doo!

January 16th 2015 wordpress

Writing a blog: the text objective of your blogpost

I previously wrote posts about the structure and about the style of your post. In this post, we will focus on the purpose of your text. A lot of people forget to properly formulate the purpose of their blog post or article. This is unfortunate, because if you do not properly define the aim of your text, it will be impossible to check whether or not you have succeeded. You do not write just for the sake of writing but because you have an idea of what you want your audience to know or do (or to stop doing).

Three main text objectives

I distinguish three main text objectives. First, your objective could be merely to inform people. A second objective could be to persuade people. You want people to buy your products or to return to your website. The final objective of your text could be entertaining or amusing. You could write a text in order to entertain your audience, for instance by making them laugh or by moving them. These three text objectives are not at all mutually exclusive. A piece could be informative and amusing at the same time!

Long term business aims and text objectives

Apart from the objective of your text, your company or your website will have long term business objectives. You should think about those long term business aims while determining the objectives of the text on your website.

For instance, at, we write blogposts largely to inform people about SEO. So the objective is to inform people. However, we also want people to become return visitors and to gain trust in our brand. Eventually, the long term purpose of our informing blogs is to gain enough trust for people to buy one of our products.

Be aware that if the objective of your post is to generate links from others, you should think about the character of your post as well. If you want your post to attract links from other sites in order to improve your rankings in Google you should focus on writing informative or amusing posts. Persuasive posts, in which the sales arguments are salient, will not receive as many links as purely informative posts will. People are more likely to share an informative or an amusing post than a purely persuasive post, because these posts are more free of ulterior motives.

Tips to use when focussing on one of the three main text objectives

In the following paragraphs we will give some tips you can use when writing either an informative, a persuasive or an amusing post or article.

Informative texts

In an informative text you explain something to your audience. You want them to understand more about a topic or you want them to use your information (put theory to practice). That’s it. You should take some time to clearly formulate the issue you want to address in your post. And an informative text will usually need quite some investigating in order to decide on the exact content of a piece.

The style of an informative text should be clear and professional. You should focus on the message itself. Focussing on content will give your text a professional and reliable character. Your style should not be too amicable. It could even be a bit distant.

The structure of an informative text should be clear. A logical structure could be to address a different topic in each paragraph. In the conclusion you could summarize the information of your entire text.

Persuasive texts

A persuasive text is a text a reader doesn’t necessarily want to read. The purpose of your text is to persuade your audience to do something (such as buying your product) it wasn’t necessarily planning to do. For that very reason, you will understand that writing persuasive texts is very hard.

The style of a persuasive text should be very bold. Your sentences and paragraphs should be short. You can either focus on convincing your audience with emotions or with logic.

If you choose to persuade with emotions, try to use a lot of positive words (like fun, easy, quality). Make your post personal and write from the perspective of the reader. You could for instance address the reader directly using words as ‘you’ and ‘your’. Anecdotes or stories illustrating the awesomeness of your product are very nice to use if you are trying to convince people by using emotions.

If you want to persuade using logic, you should take some time to write down all of your logical arguments. Make sure you deduce your arguments correctly and make use of examples to illustrate your arguments. Focussing on persuasion using logic calls for a relatively distant and formal style. Of course, you can also choose a strategy in which you combine persuading with emotions and logic.

The structure of a persuasive text should reflect your arguments. Make sure to use separate paragraphs for your arguments (regardless whether you have emotional or logical arguments). Use lots of headings and make sure you use the most important arguments in the titles of your headings.

Amusing texts

An amusing text’s main objective is to entertain people. Usually these texts tend to be funny. Amusing texts could also be moving or touching. A column is a very nice example of an amusing text.

Writing solely amusing texts will not be an activity many of you will undertake. Most texts will have both an amusing as well as an informative or a persuasive objective. Blogs on a mom blog often tend to be amusing (at least for women), but usually serve an informative or persuasive objective as well.

Writing in an amusing style is definitely very hard. Some people just have much more talent to be funny, to come up with funny anecdotes or with nice word plays. Perhaps you should not instantly aim for an amusing text, but try to master the informative and persuasive texts first. Using exaggerations and metaphors could be a first attempt to make your text (more) amusing. Amusing texts usually ask for an informal style. These texts are often very personal, containing the words ‘I’ and ‘my’.


Thinking about the objective of your post is something you definitely should take some time for. Take into account the long term aims of your business or your website as well. And make sure the objective of your post and the aims of your business are similar. Finally, use our tips to make sure the style and structure of your post fits your text objective.

This post first appeared on Yoast. Whoopity Doo!

January 7th 2015 wordpress

The 2014 Yoast year in review

In 2014 Yoast once again grew exponentially. I thought it’d be fun to highlight some of the things that happened and show what we’ve been working on that might have been somewhat hidden.

User base

Our WordPress SEO plugin is now used by approximately 4 million users worldwide, with our Google Analytics plugin following with a still respectable 1.25 million users. This means especially our SEO plugin has doubled its usage in a year, something we’re incredibly proud of and thankful for.


In February of this year, we released version 1 of our WordPress SEO Premium plugin, one of our “flagship” products. In the beginning of December, we added a Premium offering to our Google Analytics plugin, offering the tracking of and dashboards for Custom Dimensions and a few other things. Both of these releases have been very successful and received very good feedback.

While we’ve released premium versions of our plugins, our free plugins have been consistently updated and getting new functionality as well. Our Google Analytics plugin got support for Google’s new Universal tracking and a brand new dashboards feature.

Our WordPress SEO plugin has had several major updates, thanks in part to Juliette, who deserves nothing but praise for all the work she put into all of the releases but most noteworthy our 1.5 release, which made the plugin much more stable and 20 – 30% faster. We also added new features like the bulk editor and several social features. We also added a search in site links feature, removed author highlighting when Google stopped doing that and much, much more.

During the year, we on-boarded a complete team of engineers, now headed by Omar, our development manager. Under his lead, we did a lot of work to make our code more future proof and maintainable, using a lot of unit tests, Code Climate, continuous integration tests through Travis etc. We’ve also got a Grunt setup in all our major plugins now that should be easy for many other plugin developers to copy. This trend will certainly continue in the new year.


The growth of our customer and user base also meant we had to handle more questions. To that end we’ve grown our support team to now be 6 people, 2 in our office in Wijchen and 4 around the world (to be precise: Rumejan in the Philippines, Nile and Angelia in the US and Ramon in Spain) so we can offer support in all timezones.


Along with all the changes to code, Taco and myself put a lot of time and effort in getting more and better translations for our plugins. Our translate site is now being used by more and more people and we’re shipping more and more different translations for our plugins, a trend we will definitely want to continue over the next year. So if you’ve got some time during the holidays to translate one of our plugins, do sign up!

Site Reviews

While our plugins are probably the reason most people know us, an ever growing group of customers is using our site review service. This service, in which our team reviews your site and gives you lots of actionable feedback, has seen several overhauls this year, including new names, new offerings and more, leading to our current Silver, Gold, Platinum and Diamond site reviews that make me proud.

My goal has always been to make our knowledge available to as many people as we can. This inevitably leads to problems with scale. Our site reviews make it possible for our customers to get a lot of solid feedback on their site for less than 10% of what the agencies I once worked for myself would charge for similar reports. We’ve done 400+ reviews in 2014 and I expect we’ll do 600+ in 2015. We have an interesting Holiday sale going on with them right now if you want to get your site reviewed early in 2015.


We released our first two eBooks this year, books we honestly hadn’t even planned on at the beginning of the year, to tremendous success. We’ve sold over 6,000 copies now and had some very good feedback. Our next eBook, written by Marieke and myself entirely, focuses entirely on Content SEO. It’s in the final production stages now and will be available for purchase in the first quarter of 2015. If you want to be among the first to hear when it’s released, subscribe to our newsletter!


Outside of the posts I’ve already linked to in the sections above, we’ve had some other posts that received a lot of positive feedback that I’d like to highlight:

The team

Last but not least, our team has grown, a lot. As said we added 4 people in support internationally and we now have 15 people in our office in Wijchen and are currently looking for 3 more, so if you want to start the new year with a new job, live close by and fit the profile, do apply!

Conclusion: 2014 was great!

I can honestly say 2014 exceeded all my expectations. We’re far from done here at Yoast so we’ll be doing lots of cool things in 2015, but first, we’re going to take a short break and relax.

I wish you all very happy holidays and hope to “see” you in 2015!

This post first appeared on Yoast. Whoopity Doo!

December 24th 2014 wordpress