Mullenweg effectively runs both the non-profit organization WordPress.org and is the CEO of Automattic, a for-profit company that sells support for WordPress (and a direct competitor to WPEngine).
A large part of WordPress functionality is kept behind an Automattic plugin that forces any WordPress site using it to collect telemetry/data for Automattic.
The update servers for WordPress plugins are hardcoded to use Automattic’s servers, and this is not configurable or changeable unless you modify the WordPress source code itself.
With Mullenweg’s position over both the non-profit org and Automattic, he has direct control over these choices. If he’s doing this for the sake of open source, why is he gating things that should be core functionality behind a data collection scheme? If there are problems with load on the update servers, why has no effort been made to allow the community to host update servers themselves that check update hashes against Automattic? That would significantly reduce the load on the for-profit resources (that you called APIs). At the very least, the setting needs to be something exposed to the user and configurable without modifying the source code. Otherwise he’s complaining about a problem he has created.
It’s also worth noting that at no point has Mullenweg tried to set up any sort of free vs paid tier of access to his update servers. This is a specifically targeted campaign. He has also not publicly provided evidence of the increased load by WPEngine despite publicly shooting off about a ton of other things that would be best saved for the courtroom.
Mullenweg has also publicly stated some very questionable things about how the resources of the non-profit and his for-profit are intermingled, which may have some legal repercussions. But that’s more of a footnote.
WordPress’s license makes explicit exception to copyright to allow anyone to use “WordPress” or “WP”.
The initial reasoning (and I believe the lawsuit) for Mullenweg’s attempt to claim 8% of all WPEngine profit, is explicitly based on the claim that they are breaching copyright due to their use of “WP”.
So while I agree that lack of upstream contribution and the amount of load on the upgrade servers are important and valid reasons to try and seek some contribution, that is not the angle he took to start this.
At one point during all of this, he switched off the WordPress plugin update servers for all users with no warning.
Now he’s done a direct hostile takeover of his competitor’s plugin. Of the two security issues, WPEngine disclosed both of them themselves and had already fixed one. There was no evidence that they were going to stop and not fix the other, and the issue is of questionable severity. The main change Automattic did to the plugin was to remove the code that checked for an upgraded/upsold license, effectively cracking the plugin to offer paid features for free.
With the long history of WordPress, I find it incredibly hard to believe that there are not a considerable number of other plugins containing upsells, so the implication that those somehow are in violation of terms is weak.
In my opinion, we have someone in the perfect position to make changes to ensure the upgrade server load (the only quantifiable reason for all this mess) never would have been able to be a problem in the first place. He has singled out the largest competitor to his own for-profit company and targeted them specifically instead of announcing blanket changes that would apply to anyone causing their level of load on his systems. He has taken incredibly poorly thought out and reactionary steps intended to spank his competitor that have had far larger negative effects for the rest of his users and customers. He has and continues to make very public statements that any sane lawyer would tell him to keep his fucking mouth shut about. Now he has once again singled out his largest competitor, taken one of their paid products, and modified it to be free rather than creating his own implementation with the problems fixed and no upsells.
Matt Mullenweg has not done anything explicitly evil, wrong, or super obviously illegal. But he’s doing a hell of a lot of very concerning and questionable things when he had every opportunity to prevent any of this from ever being a problem in the first place.
I have no love for WPEngine, but Matt isn’t a saint and is ridiculously mismanaging all of this.
Just want to point out, that apparently WordPress.org is not owned by the foundation but rather Matt himself, which many people are confused about. It should probably not be used as a stand-in way to refer to the foundation.
Matt Mullenweg Apparently Personally Owns the Website
The author of the post quoted in the previous section seems to treat it as a given that Matt Mullenweg owns the WordPress website. The closest we have found to confirmation of that is screenshots apparently from a WordPress Slack where he apparently wrote this:
W.org belongs to me, it’s not part of the foundation or any trust, I run it in an open way that allows lots of folks to participate but they don’t own it.
And this:
I have direct and root access to the account (and everything on w.org) because I started it.
This buries the lede quite a bit.
Just want to point out, that apparently WordPress.org is not owned by the foundation but rather Matt himself, which many people are confused about. It should probably not be used as a stand-in way to refer to the foundation.
https://www.pluginvulnerabilities.com/2024/09/30/who-owns-the-wordpress-website-and-wordpress-org/
That’s a hell of a twist at the end. I would argue he did all of that and may be looking at jail time.