@adrienne
Last active December 3, 2024 02:52
The Mullenweg/WPE Thing

Note

Hi, everyone. I've been putting in a lot of work on this over the last few weeks and i'm currently underemployed! If you'd like to hire me to do CMS-based work (i focus on Craft and ExpressionEngine but i do some WordPress work as well), please reach out! Alternatively, if you'd like to chip in toward bills & groceries, that's a big help right now!

Updates (Most Recent First)

The Players

  • The WordPress Foundation is the nonprofit which manages the WordPress code and ecosystem. Until this blowup started, it was widely believed to maintain the wordpress.org website (the domain, however, is owned by Matt Mullenweg rather than by the Foundation), which acts as the central repository for all updates, themes, and plugins, as well as managing the WordPress documentation and maintaining a large discussion forum for WordPress devs and users. The Foundation is administered by a board of three people, one of whom is Matt Mullenweg.
  • WordPress.org is the above-mentioned plugin/theme/update repository, which turns out to be owned by Mullenweg directly rather than by the Foundation, and he is in full control of it. Until all of this started, most people in the WordPress community (including longtime developers and agency partners) were under the mistaken impression that the .org site was administered by the Foundation.
  • Automattic is the for-profit arm of WordPress, which maintains the wordpress.com web host as well as offering a number of other free and paid addons to WordPress. Matt Mullenweg is the CEO and a member of the Board of Directors, and controls a majority of voting shares in the organization.
  • WP Engine is a company which offers managed hosting for WordPress sites. They are a major player in the WP hosting space. It is important to note that the phrase "managed hosting" specifically implies a high level of control by the hosting company over the software and infrastructure; managed hosting services are geared toward less-technical clients and clients who want to offload server administration stuff. People who are purchasing managed hosting, as opposed to unmanaged hosting, are specifically buying the higher level of control by the hosting provider, because it means fewer hassles for them.

Resources

The Original Story (up to and including 26 September)

  • TechCrunch has solid reporting on the initial events: Mullenweg's initial blog post, his WordCamp keynote, his second blog post, and WP Engine's C&D letter. The blog posts are posted to the wordpress.org blog, not to Automattic's blog.
  • WP Engine's letter alleges, among other things, that Mullenweg demanded money from WP Engine ostensibly as a licensing fee for the WordPress trademark, but in actuality to refrain from disparaging and defaming them on stage and in blog posts.
  • Not alleged in the letter, but reported by attendees to WordCamp, is that Mullenweg engaged in a verbal altercation with WP Engine employees working the WP Engine booth at the show, which included Mullenweg threatening to physically dismantle their booth in the middle of the show. (I can't find my link to this right now, i'll look for it later.)
  • Automattic sends a C&D letter of its own to WP Engine, demanding that they stop misusing the WordPress trademark. (Note that the WordPress Foundation is the trademark owner, and Automattic is the sole commercial licensee.) The exhibits are a separate document here.
  • Prompted by Mullenweg's multiple blog posts, which get automatically propagated to every WordPress user with the "News Feed" widget on their admin dashboard (which is most WordPress users, as very few actually modify their dashboard), WP Engine disables the "News Feed" dashboard widget for all its customers. (Note that just as with disabling revisions, this is a simple config change, supported by WordPress; it does not involve modifying any code or otherwise "chopping up" WordPress installs.)
  • A day after Automattic sends the C&D, the wordpress.org domain (again, maintained by the WordPress Foundation) blocks WP Engine (and thence all of their customers) from accessing the plugin/theme/update repository. This means that none of WP Engine's customers can automatically install plugins or themes, update plugins or themes, or update WordPress itself, including vital security patches. Additionally, all WP Engine user accounts are reportedly banned from the wordpress.org site, meaning they cannot post to the forum or update the plugins which they maintain as an organization. (Need to find the link on this one too.)
  • Mullenweg posts about this decision, again to the wordpress.org blog, and includes the following statement: "What I will tell you is that, pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org’s resources."
  • Note, here, that WP Engine's C&D was sent to Automattic, which runs wordpress.com, and at no point has WP Engine made any legal claims whatsoever against wordpress.org or the WordPress Foundation.
  • Meanwhile, Pressable (another web hosting company also wholly owned by Automattic) posts a special offer for WP Engine users, offering to buy out their contracts and migrate them for free. (The above is an archival link; at the time of writing, the offer is live and linked here.)
  • Mullenweg has also spent the last several days Posting Through It on Reddit (link goes to his user page, which should make all comments visible). (Note that many of these comments were posted significantly after his receipt of the C&D letter from WP Engine.)
  • Mullenweg is reportedly also privately exhorting Automattic employees to make supportive posts on their own blogs and social media. There may or may not be an implication that they will be retaliated against if they choose not to do so; reports vary.

Updates

27 September 2024

28 September 2024

30 September 2024

  • WP Engine updates several of their pages to modify their use of 'WordPress' and 'WooCommerce'. The changes are in most cases fairly minor and clearly intended to reinforce their claim that their use is nominative and fair. ( before | after )
  • Mullenweg confirms on Twitter that he, not the WordPress Foundation, is the sole owner of the wordpress.org domain and in sole control of all of the repositories and critical infrastructure which rely on it.
  • LWN has another nice recap

1 October 2024

2 October 2024

3 October 2024

4 October 2024

5 October 2024

  • Automattic's Twitter account discloses that there is an unpatched vulnerability (link is to an archived version) in the version of ACF on the wordpress.org repository (which, again, WP Engine staff cannot currently update because Mullenweg has unilaterally blocked WP Engine staff from accessing .org). Automattic asserts that they have informed WP Engine about the issue.
    Note: This sort of announcement is not standard practice in infosec; there is no reason for this class of disclosure ("there is an issue but we are not saying what it is") except to create a climate of uncertainty about safety.
  • The story hits the mainstream press as CNBC publishes an article about it. The article is pretty lopsided towards Mullenweg's perspective (one of their primary sources has undisclosed connections to Mullenweg's businesses), but contains a decent overview of events so far.
  • Mullenweg reportedly joins a Slack for ex-Automattic employees and immediately attempts to assert control in the guise of "helping".

7 October 2024

9 October 2024

  • A checkbox has been added to the wordpress.org login screen requiring users to affirm that they are "not affiliated with WP Engine in any way, financially or otherwise". 404 Media and WP Tavern have details.

11 October 2024

12 October 2024

13 October 2024

14 October 2024

15 October 2024

16 October 2024

17 October 2024

18 October 2024

19 October 2024

  • Very late last night, WP Engine filed an administrative motion seeking to shorten the timeline for emergency relief, citing the "capricious and unhinged actions of Defendants" as necessitating a seriously expedited timeline.
  • Very Good Plugins posts that Automattic responded to their C&D from 12 October. They took down the plugin from wordpress.com, but they expressly state in their reply that this was a courtesy, and that "Automattic disagrees with your assertions that it has infringed the intellectual property rights of Very Good Plugins, LLC. The listing uses the WPFUSION trademark solely and only to the extent necessary to identify the genuine WPFUSION plugin, which constitutes nominative fair use under applicable law." (Alert readers may note the irony here.)
  • The precise date is unknown, but sometime in the last two weeks the WordPress official development/community Slack was upgraded from Pro to Business+, as spotted by Kellie Peterson. This is notable for a few reasons:
    • It represents a significant price increase (which is, per the WordPress.org blog, being completely donated by Salesforce)
    • Unlike the Pro plan, the Business+ plan allows administrators to export private messages as well as public messages
    • The Business+ plan allows the use of SSO
  • Lawyer Richard Best argues on his blog that the infamous checkbox may violate the GDPR

20 October 2024

21 October 2024

  • The parties to the lawsuit stipulate jointly that the court should allow the defendants (Automattic & Mullenweg) until 30 October to file their opposition to the motion for preliminary injunction.

22 October 2024

  • WordPress' lawyers filed their opposition to the administrative motion. Notably, their opposition asserts quite firmly that .org is Mullenweg's personal website and that he has incurred no obligations to allow anyone to do anything with it whatsoever.
    "WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility."
  • The official WordPress Twitter account takes some late-night digs at WP Engine; it seems likely that Mullenweg himself is the one using the account.

23 October 2024

  • The Court grants WPE's administrative motion and orders the following:
    • Defendants have until Wednesday, 30 October to file their response/opposition
    • Plaintiff has until Monday, 4 November to file their reply
    • The hearing on the motion for preliminary injunction is set for Tuesday, 26 November

24 October 2024

25 October 2024

26 October 2024

27 October 2024

28 October 2024

29 October 2024

30 October 2024

31 October 2024

1 November 2024

2 November 2024

4 November 2024

5 November 2024

6 November 2024

7 November 2024

8 November 2024

9 November 2024

11 November 2024

12 November 2024

14 November 2024

  • WPE has filed their Amended Complaint. There are 9 new claims for a total of 20, including 3 Sherman Act claims, two Lanham Act claims, and a second CFAA claim. The document runs to 144 pages.
  • An anonymous person has released the kindness.is website, showcasing "examples of Mr. Mullenweg’s actions and interactions so that people can look at them and form their own opinion". (Their Further Reading page also includes a link to this document and kind words about yr humble chronicler).

15 November 2024

18 November 2024

19 November 2024

21 November 2024

22 November 2024

23 November 2024

25 November 2024

26 November 2024

27 November 2024

29 November 2024

  • WPE and Automattic/Mullenweg agree to an amended briefing schedule for the Motion to Dismiss and Motion to Strike, and file a Joint Stipulation & Proposed Order. Michael Maddigan also files a Declaration in Support.
    Note: This does not affect the Preliminary Injunction proceedings; a Proposed Order (or possibly dueling Proposed Orders) and a ruling by the judge are expected much sooner on that.

1 December 2024

  • Mathieu Viet, lead developer of BuddyPress, announces that he quietly stepped away from WordPress development after Mullenweg's initial attacks against WPE, but that the takeover of ACF Pro has convinced him to openly condemn Mullenweg and WordPress.

    While Mr. Mullenweg's first attacks made me quit this community and stop contributing to WordPress® open source projects (including BuddyPress®), the latest one (making the premium code of a plugin marketed by the attacked competitor available for free) convinced me that disapproving and condemning them as a former contributor was not enough. Indeed, I have also decided to stop using WordPress® to power this website.

2 December 2024

adrienne commented Nov 8, 2024

Thank you for putting this post together!

Thank you for the kind words!

DanielRuf commented Nov 24, 2024

It seems Automattic now has a new SCF plugin page:

https://wordpress.org/plugins/advanced-custom-fields/

https://wordpress.org/plugins/secure-custom-fields/

The development log of the second link starts with "Adding Secure Custom Fields (Remix) by wordpressdotorg." Also I remember that there was a redirect, which seems to be removed now.
