Skip to content

Instantly share code, notes, and snippets.

@adrienne
Last active November 6, 2024 07:14
Show Gist options
  • Save adrienne/aea9dd7ca19c8985157d9c42f7fc225d to your computer and use it in GitHub Desktop.
Save adrienne/aea9dd7ca19c8985157d9c42f7fc225d to your computer and use it in GitHub Desktop.
The Mullenweg/WPE Thing

Note

Hi, everyone. I've been putting in a lot of work on this over the last few weeks and i'm currently underemployed! If you'd like to hire me to do CMS-based work (i focus on Craft and ExpressionEngine but i do some WordPress work as well), please reach out! Alternatively, if you'd like to chip in toward bills & groceries, that's a big help right now!

The Players

  • The WordPress Foundation is the nonprofit which manages the WordPress code and ecosystem. Until this blowup started, it was widely believed to maintain the wordpress.org website (the domain, however, is owned by Matt Mullenweg rather than by the Foundation), which acts as the central repository for all updates, themes, and plugins, as well as managing the WordPress documentation and maintaining a large discussion forum for WordPress devs and users. The Foundation is administered by a board of three people, one of whom is Matt Mullenweg.
  • WordPress.org is the above-mentioned plugin/theme/update repository, which turns out to be owned by Mullenweg directly rather than by the Foundation, and he is in full control of it. Until all of this started, most people in the WordPress community (including longtime developers and agency partners) were under the mistaken impression that the .org site was administered by the Foundation.
  • Automattic is the for-profit arm of WordPress, which maintains the wordpress.com web host as well as offering a number of other free and paid addons to WordPress. Matt Mullenweg is the CEO and a member of the Board of Directors, and controls a majority of voting shares in the organization.
  • WP Engine is a company which offers managed hosting for WordPress sites. They are a major player in the WP hosting space. It is important to note that the phrase "managed hosting" specifically implies a high level of control by the hosting company over the software and infrastructure; managed hosting services are geared toward less-technical clients and clients who want to offload server administration stuff. People who are purchasing managed hosting, as opposed to unmanaged hosting, are specifically buying the higher level of control by the hosting provider, because it means fewer hassles for them.

The Story So Far

  • TechCrunch has solid reporting on the initial events: Mullenweg's initial blog post, his WordCamp keynote, his second blog post, and WP Engine's C&D letter. The blog posts are posted to the wordpress.org blog, not to Automattic's blog.
  • WP Engine's letter alleges, among other things, that Mullenweg demanded money from WP Engine ostensibly as a licensing fee for the WordPress trademark, but in actuality to refrain from disparaging and defaming them on stage and in blog posts.
  • Not alleged in the letter, but reported by attendees to WordCamp, is that Mullenweg engaged in a verbal altercation with WP Engine employees working the WP Engine booth at the show, which included Mullenweg threatening to physically dismantle their booth in the middle of the show. (I can't find my link to this right now, i'll look for it later.)
  • Automattic sends a C&D letter of its own to WP Engine, demanding that they stop misusing the WordPress trademark. (Note that the WordPress Foundation is the trademark owner, and Automattic is the sole commercial licensee.) The exhibits are a separate document here.
  • Prompted by Mullenweg's multiple blog posts, which get automatically propagated to every WordPress user with the "News Feed" widget on their admin dashboard (which is most WordPress users, as very few actually modify their dashboard), WP Engine disables the "News Feed" dashboard widget for all its customers. (Note that just as with disabling revisions, this is a simple config change, supported by WordPress; it does not involve modifying any code or otherwise "chopping up" WordPress installs.)
  • A day after Automattic sends the C&D, the wordpress.org domain (again, maintained by the WordPress Foundation), blocks WP Engine (and thence all of their customers) from accessing the plugin/theme/update repository. This means that none of WP Engine's customers can automatically install plugins or themes, update plugins or themes, or update WordPress itself, including vital security patches. Additionally, all WP Engine user accounts are reportedly banned from the wordpress.org site, meaning they cannot post to the forum or update the plugins which they maintain as an organization. (Need to find the link on this one too.)
  • Mullenweg posts about this decision, again to the wordpress.org blog, and includes the following statement: "What I will tell you is that, pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org’s resources."
  • Note, here, that WP Engine's C&D was sent to Automattic, which runs wordpress.com, and at no point has WP Engine made any legal claims whatsoever against wordpress.org or the WordPress Foundation.
  • Meanwhile, Pressable (another web hosting company also wholly owned by Automattic), posts a special offer for WP Engine users, offering to buy out their contracts and migrate them for free. (The above is an archival link; at the time of writing, the offer is live and linked here.)
  • Mullenweg has also spent the last several days Posting Through It on Reddit (link goes to his user page, which should make all comments visible). (Note that many of these comments were posted significantly after his receipt of the C&D letter from WP Engine.)
  • Mullenweg is reportedly also privately exhorting Automattic employees to make supportive posts on their own blogs and social media. There may or may not be an implication that they will be retaliated against if they choose not to do so; reports vary.

Resources

Updates

27 September 2024

28 September 2024

30 September 2024

  • WP Engine updates several of their pages to modify their use of 'WordPress' and 'WooCommerce'. The changes are in most cases fairly minor and clearly intended to reinforce their claim that their use is nominative and fair. ( before | after )
  • Mullenweg confirms on Twitter that he, not the WordPress Foundation, is the sole owner of the wordpress.org domain and in sole control of all of the repositories and critical infrastructure which rely on it.
  • LWN has another nice recap

1 October 2024

2 October 2024

3 October 2024

4 October 2024

5 October 2024

  • Automattic's Twitter account discloses that there is an unpatched vulnerability (link is to an archived version) in the version of ACF on the wordpress.org repository (which, again, WP Engine staff cannot currently update because Mullenweg has unilaterally blocked WP Engine staff from accessing .org). Automattic asserts that they have informed WP Engine about the issue.
    Note: This sort of announcement is not standard practice in infosec; there is no reason for this class of disclosure ("there is an issue but we are not saying what it is") except to create a climate of uncertainty about safety.
  • The story hits the mainstream press as CNBC publishes an article about it. The article is pretty lopsided towards Mullenweg's perspective (one of their primary sources has undisclosed connections to Mullenweg's businesses), but contains a decent overview of events so far.
  • Mullenweg reportedly joins a Slack for ex-Automattic employees and immediately attempts to assert control in the guise of "helping".

7 October 2024

9 October 2024

  • A checkbox has been added to the wordpress.org login screen requiring users to affirm that they are "not affiliated with WP Engine in any way, financially or otherwise". 404 Media and WP Tavern have details.

11 October 2024

12 October 2024

13 October 2024

14 October 2024

15 October 2024

16 October 2024

17 October 2024

18 October 2024

19 October 2024

  • Very late last night, WP Engine filed an administrative motion seeking to shorten the timeline for emergency relief, citing the "capricious and unhinged actions of Defendants" as necessitating a seriously expedited timeline.
  • Very Good Plugins posts that Automattic responded to their C&D from 12 October. They took down the plugin from wordpress.com, but they expressly state in their reply that this was a courtesy, and that "Automattic disagrees with your assertions that it has infringed the intellectual property rights of Very Good Plugins, LLC. The listing uses the WPFUSION trademark solely and only to the extent necessary to identify the genuine WPFUSION plugin, which constitutes nominative fair use under applicable law." (Alert readers may note the irony here.)
  • The precise date is unknown, but sometime in the last two weeks the WordPress official development/community Slack was upgraded from Pro to Business+, as spotted by Kellie Peterson. This is notable for a few reasons:
    • It represents a significant price increase (which is, per the WordPress.org blog, being completely donated by Salesforce
    • Unlike the Pro plan, the Business+ plan allows administrators to export private messages as well as public messages
    • The Business+ plan allows the use of SSO
  • Lawyer Richard Best argues on his blog that the infamous checkbox may violate the GDPR

20 October 2024

21 October 2024

  • The parties to the lawsuit stipulate jointly that the court should allow the defendants (Automattic & Mullenweg) until 30 October to file their opposition to the motion for preliminary injunction.

22 October 2024

  • Wordpress' lawyers filed their opposition to the administrative motion. Notably, their opposition asserts quite firmly that .org is Mullenweg's personal website and that he has incurred no obligations to allow anyone to do anything with it whatsoever.
    "WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility."
  • The official WordPress Twitter account takes some late-night digs at WP Engine; it seems likely that Mullenweg himself is the one using the account.

23 October 2024

  • The Court grants WPE's administrative motion and orders the following:
    • Defendants have until Wednesday, 30 October to file their response/opposition
    • Plaintiff has until Monday, 4 November to file their reply
    • The hearing on the motion for preliminary injunction is set for Tuesday, 26 November

24 October 2024

25 October 2024

26 October 2024

27 October 2024

28 October 2024

29 October 2024

30 October 2024

31 October 2024

1 November 2024

2 November 2024

4 November 2024

5 November 2024

@toderash
Copy link

Hi, just dropped in to point out the interview you just linked above. It can be tedious to go through, but start around the 15:00 mark where they discuss the term sheet that Automattic sent to WPE - this is important. Item number 4 has is a "prohibition on forking" anything WooCommerce-related. Apparently WPE had changed the affiliate code in the WooCommerce Stripe plugin, so WPE was credited as the affiliate instead of Automattic. I was not aware that WooCommerce got a kickback for every Stripe transaction done this way (must be in the terms somewhere?) but more to the point, I believe that attempting to legally restrict WPE's rights under the GPL here may in fact be a GPL violation -- software distributed to WPE would have more restrictive terms, which the GPL forbids. Would love to hear Mike's take on that one. The redirected revenue and the fact that Matt has been talking about bringing Advanced Custom Fields - which is owned by WPE - into core would seem to muddy the waters surrounding Matt's motivations here.

@adrienne
Copy link
Author

As far as i know, the affiliate link thing has been debunked (WP Engine encourages use of a separate Stripe plugin but does not modify the Stripe plugin which ships with WooCommerce). And also, there's no such thing as GPL code with a "prohibition on forking". If you're prohibited from forking it, it's not GPL!

@toderash
Copy link

toderash commented Oct 1, 2024

Hadn't seen the debunking, though Matt confirms that's why the clause is there. Even if it's not something WPE did, it's not a violation of anything. I did a double-take on the no-forking clause, and played it back again. Yep. Everyone gets GPL'd code except WPE in that scenario, so that's a violation the FSF would take note of.

@adrienne
Copy link
Author

adrienne commented Oct 2, 2024

And an excellent review of the information and links shared in this gist, by a lawyer who is seemingly competent in these topics https://www.twitch.tv/videos/2261286307. Its long, but insightful

Yeah, I sent this to Mike and he covered it on his show! I'm currently encouraging him to pull the VOD and host it somewhere more durable, and will link it here if/when that happens.

@bullenweg
Copy link

we are keeping track of Matt's lies at bullenweg/bullenweg.github.io with some information from before September 27 which you may find helpful context.

@mattrixderailed
Copy link

mattrixderailed commented Oct 13, 2024

There's now also a timeline site at The Mattrix Derailed which also collects responses on X, blogs, and elsewhere to this saga. (The site footer has links to here and to Bullenweg), among others.

@gdude2002
Copy link

Looks like https://bullenweg.com was updated with a copy-paste of the text of some ongoing lawsuit allegedly involving Kathleen Mullenweg? Not sure if it's worth adding to the gist though, unless it's somehow new

@Anti-matt-ic
Copy link

Anti-matt-ic commented Nov 6, 2024

On a tangential note, in 2016 Automattic was part of an amicus brief to the US Court of Appeals in which they argue that - among other things - copyright holders have too much flexibility in filing DMCA requests, resulting in instances of copyright holders abusing threat of litigation and doxxing in order to suppress protected speech and criticism through legal overhead and intimidation. And that the more irrational and uninformed a copyright holder may be, the more leniency the law gave them in filing DMCA requests.

It's all in the context of copyright rather than trademark, and not really newsworthy by any stretch, but I feel there are some parallels with what they/Matt have done presently that are at least mildly entertaining in their hypocrisy. Worth a read, for fellow sleuths.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment