I can no longer trust WordPress

WordPress's latest move of hijacking the ACF plugin firmly solidified that it can't be trusted, regardless of the reasoning behind it.

Two bison headbutting in a fight.
Photo by Richard Lee on Unsplash

About 6 years ago I stopped doing any work with WordPress. Previously I had a plugin that I sold, I had freelance clients, and I worked for agencies that created solutions for rather large clients based on WordPress. I knew it inside and out. The reason I preface the blog post with the above is so you know I’m not an armchair commentator who has no idea what WordPress is and just jumps on the bandwagon because of all the ✨ DRAMA ✨ happening right now.

I also thought a lot about whether I even should write this post. Whether I care enough about this, given I’m no longer working with WordPress. Ultimately I decided yeah, I should, because the point I’m making here is applicable to any software ecosystem.

Recap

Matt Mullenweg decided that WPEngine’s amount of contribution to the core codebase is not enough, and that the best way to get them to contribute more is not to ask them nicely but to tell them that if they don’t, he’s going to sue them for trademark infringement unless they pay 8% of their revenue.

Matt decided to use his keynote at one of the WordCamps to deliver this news, then WPEngine sued, then he countersued WPEngine. I do not remember which came first. A bunch of additional articles for you to read are below.

Here’s the first public article about the brewing storm.

WP Engine is not WordPress
It has to be said and repeated: WP Engine is not WordPress. My own mother was confused and thought WP Engine was an official thing. Their branding, marketing, advertising, and entire promise to cus…

WPEngine sued, so as a consequence of their actions, Matt decided to ban WPEngine from accessing WordPress.org services:

WP Engine is banned from WordPress.org
Pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org’s resources.

This meant no customer on WPEngine could update or install themes, plugins, or even WordPress core. Due to reasons, this was softened:

WP Engine Reprieve
I’ve heard from WP Engine customers that they are frustrated that WP Engine hasn’t been able to make updates, plugin directory, theme directory, and Openverse work on their sites. It sa…

Plus WordPress (Matt) decided to publish the term sheet for WPEngine.

Automattic—WP Engine Term Sheet
One of the many lies in Silver Lake and WP Engine’s C&D was their claim that Automattic demanded money from them moments before our CEO Matt Mullenweg gave his keynote at WordCamp US. Tha…

WPEngine’s complaint about Matt’s conduct is reachable via their tweet here: https://x.com/wpengine/status/1841643374090031461, but also hotlinked for your convenience: https://wpengine.com/wp-content/uploads/2024/10/Complaint-WP-Engine-v-Automattic-et-al.pdf. An important detail, this complaint was submitted IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA (sic!). A court. Of a government. Moving on.

There are a bunch more video recaps from different folks. I watched Theo’s videos about this: https://www.youtube.com/watch?v=edCrrWj6WK4 and https://www.youtube.com/watch?v=XoTToRfM3iA, but I haven’t watched the long form interviews both he and ThePrimeagen did with Matt. Nor do I particularly want to, because they’re long, and others have recapped those as well.

If you want to have a single source of what Matt is doing, there’s now a website: https://mullenweg.wtf/.

Losing trust

The straw that broke the camel’s back for me came with the news that WordPress decided to hijack the Advanced Custom Fields plugin. They forked the plugin code, renamed it, removed ACF’s use of the plugin slug, and added theirs. To the customers, the same plugin they have installed, which gets updated because the slug matches, is now suddenly controlled by a different entity.

It doesn’t matter whether ACF is a good plugin or not; I’ve seen the hijacking being dismissed because ACF is bad and can produce a diamond dependency problem. ACF could be any other plugin that’s working as intended and is in active development. Hijacking it is just not an okay move to do.

It doesn’t matter who is actually right or correct in this battle, whether WPEngine was really at fault, or Matt is having a meltdown – the behaviour exhibited by WordPress is just not excusable.

At any one point when someone works on a client site as a freelancer or agency, there are at least five groups that always interact:

  1. the freelancer / agency
  2. customer, whose site we’re building
  3. hosting company, whether WPEngine or not
  4. WordPress.org, because that provides the core and plugin upgrades
  5. end users of the site: the customers of my customer. If I’m building a site for a bakery (my customer), then this group would be the people buying bread from them

If I can’t be sure that the parts I have no control over – hosting, and wordpress.org – are going to keep functioning as intended, then I can’t in good conscience ask anyone to trust me to build them anything, because I don’t know whether it’s going to break or not. Regardless of what I’m doing.

If the code getting delivered to the built site by wordpress.org is going to change because someone decided that that’s a perfectly acceptable and reasonable thing to do, then I can’t trust it, as it’s an actual cybersecurity issue. If it’s a rogue employee within whoever controls the content of wordpress.org, then it’s an insider threat; here’s a writeup by CISA (Cybersecurity and Infrastructure Security Agency): https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats. From my point of view, when the code for the plugin changes hands in a way I do not anticipate, it’s a supply chain compromise. Also a CISA page about it: https://www.cisa.gov/news-events/alerts/2021/01/07/supply-chain-compromise.
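The mechanism behind both paragraphs above is that WordPress identifies a plugin by its slug, so an update package is applied as long as the slug matches, whatever the package's provenance. A defensive check a site owner or agency can run before applying an update is to pin the provenance fields from the plugin's header at install time and refuse automatic updates when those fields change. The following is an added example, not code from the post or from WordPress; the plugin names, URLs and header values are constructed, and the header field names (Plugin Name, Plugin URI, Author, Author URI, Version) are the standard WordPress plugin header keys.

```python
import re

# Constructed sample: the header block WordPress reads from a plugin's main PHP
# file, as pinned at install time. All values are hypothetical.
INSTALLED_HEADER = """<?php
/**
 * Plugin Name: Example Fields
 * Plugin URI: https://example.invalid/example-fields
 * Author: Example Plugin Co
 * Author URI: https://example.invalid
 * Version: 6.3.1
 */
"""

# Constructed sample: a candidate update published under the SAME slug but
# carrying a different maintainer and project URL (hypothetical values).
CANDIDATE_UPDATE_HEADER = """<?php
/**
 * Plugin Name: Example Fields (Secure)
 * Plugin URI: https://example.invalid/other-fields
 * Author: Different Maintainer
 * Author URI: https://different.invalid
 * Version: 6.3.2
 */
"""

HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI", "Version")
# Fields that identify who publishes the plugin; a change here means the code
# has changed hands, even though the slug is unchanged.
PROVENANCE_FIELDS = ("Plugin URI", "Author", "Author URI")


def parse_plugin_header(php_source: str) -> dict:
    """Extract 'Field: value' lines from the header comment of a plugin file."""
    header = {}
    for field in HEADER_FIELDS:
        pattern = r"^[ \t]*\*?[ \t]*" + re.escape(field) + r"[ \t]*:[ \t]*(.+?)[ \t]*$"
        match = re.search(pattern, php_source, re.MULTILINE)
        if match:
            header[field] = match.group(1)
    return header


def provenance_changes(pinned: dict, candidate: dict) -> list:
    """List every provenance field whose value differs from the pinned record."""
    findings = []
    for field in PROVENANCE_FIELDS:
        if pinned.get(field) != candidate.get(field):
            findings.append(f"{field}: {pinned.get(field)!r} -> {candidate.get(field)!r}")
    return findings


def should_apply_update(pinned: dict, candidate: dict) -> bool:
    """Allow the update only when provenance is unchanged; version bumps are fine."""
    return not provenance_changes(pinned, candidate)


if __name__ == "__main__":
    pinned = parse_plugin_header(INSTALLED_HEADER)
    candidate = parse_plugin_header(CANDIDATE_UPDATE_HEADER)
    for finding in provenance_changes(pinned, candidate):
        print("provenance changed:", finding)
    print("apply update:", should_apply_update(pinned, candidate))
```

The check is deliberately about who publishes the code rather than what version it is: a routine version bump from the same author passes, while a package that keeps the slug but changes Author or Plugin URI is held back for a human to look at. Pinning a hash of the installed package alongside these fields would make the record stronger, since header text can be copied, but header comparison already catches the case this post describes, where the new maintainer openly renamed the plugin.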

If my participation in the community as a developer is suddenly cut off because I happen to have any sort of ties to a person or company that’s not welcome by the gatekeepers of wordpress.org, such as not ticking a checkbox that says otherwise, or if I’d be kicked off the WordPress slack because I question some of the actions, then my job is not secure. It’s in the hands of someone who doesn’t know I exist, and by the looks of it, is incredibly vindictive.

If the ecosystem’s leader who has zero checks against his actions is the kind of guy that discloses the other company’s executive’s phone number in an interview (see complaint pdf above, page 34, paragraph 89), I do not want to do business with anything he touches. I do not want to have my personal details disclosed in an interview that’s going to be viewed by millions.

I also want to emphasize here that it does not matter whether Matt is right and WPEngine is in the wrong, or whether Matt is wrong, and WPEngine is correct. Matt’s actions are inexcusable in either way.

I am purely going on about observed behaviour: things I have read from the people involved, videos I have seen where Matt said the words. I am not speculating about any of these, these all have happened and you can double check them. That’s why I provided the links. Or use your own sources, but make sure they do link back to primary sources.

I do not trust Matt. I do not trust WordPress. Not that this opinion matters, or I matter in this, but as long as Matt has any semblance of power over WordPress, I will not trust that I can deliver anything of quality to a client based on it.

Past WordPress

This problem is not localised to WordPress itself. Any ecosystem where there’s a central point is prone to similar issues unless sufficient guards are put in place.

I now understand why some companies prefer to go with enterprise solutions: the companies that offer those solutions are big enough that no individual person is going to be able to inflict much harm. They have contracts in place, SLAs, something no one really has when building a site on top of WordPress. There are terms of use, but that’s a one-way binding document: you acknowledge that they have all these powers to host plugin and core updates and make them available to you, and you’re not going to use it for something they don’t want you to use it for (usually illegal activities), but there’s nothing binding them to keep being a good citizen of the ecosystem. It’s just kind of assumed.

I don’t know how to end this. This sucks, and ultimately the people ending up suffering the most are going to be the companies and people whose sites are built on top of WordPress. A lot of them are going to go out of business, a lot of agencies are going to shutter, and a lot of community members are disillusioned and angry.

Way to go!

(this was sarcastic)