This one has taken a while to iron out. I wanted the third post in the series to focus more on the WordPress community and how it has been made to depend on Matt’s leadership at Automattic’s infrastructure.
And how that is a very bad thing.
This post is best read while listening to Know Your Enemy by Rage Against the Machine. (There’s a jazzy cover if you are so inclined.)
This post will include vague references to events and facts but as this is an opinion piece and not an academic paper, I am not here to use a search engine or find things on the Internet Archive for you.
As the community side of things has been shaken with quite serious and course-changing events since I started writing this series of posts, with things dating even further back — most of which would not have happened if it wasn’t for Matt’s lack of leadership — and his main goals being about sinking his claws into the ins-and-outs of the economy around what has become the default general-purpose CMS of the web and his name being plastered around as much as possible.
The most recent move is the current attempt at forcing a large hosting company in the WordPress space to pay Automattic a large sum of money for using the WordPress logo and wordmark despite them being owned by the WordPress Foundation.
Here are some bullet points of a fraction of what I have picked up on in the past year or so:
- Matt seems to treat what happens on WordPress.org to be within his personal domain, while those who contribute generally assume that their contributions are within the WordPress Foundation’s scope
- Speaking of domains, Matt owns the related domain names personally, despite the logo and wordmark along with some other intellectual property supposedly being the property of the Foundation
- Rules are established for working groups within the WordPress Project, but generally do not apply to Matt and that seems to include harassment towards volunteers
- The plugin review process has been in a state of disarray for a while.
- The marketing team ended up being dissolved because Matt didn’t want to take responsibilities for his actions
- Women seem to be disproportionally exposed to harassment within the scope of their volunteering for the WordPress project
The internals of the WordPress project are not designed for anything but Matt’s and Automattic’s needs and requirements. Anything else is deprioritised.
Volunteering within the project has in large parts shifted over to Automattic staff and contractors working for Audrey Capital (Matt’s own investment company), with the Block Editor and FSE project being run as if it was an internal project within the company in addition to working groups such as Marketing being largely replaced with a different group of Automattic employees for not pleasing Matt’s whims.
In essence, those who do not work for or please Matt Mullenweg have been actively pushed out, while there’s multiple businesses and individuals working on and contributing to the project, let alone those who depend on it in general.
This means that it makes little sense to contribute to WordPress by committing code or participating on other aspects at this point in time.
What Just Happened Last Week?
Matt Mullenweg closed the WordCamp US conference last Sunday by attacking a large competitor in the WordPress space for supposedly not pulling their weight within the open source WordPress project in terms of time or money spent.
There was also a lot of nonsensical rambling about his mother being confused, that hosting company not actually providing WordPress hosting because of a minor modification, false prophets and so on during that speech and the related blog post on his site, which had more religious undertones than the speech made by the late leader of Hezbollah the same week.
Also that WP Engine was not actually providing WordPress because they were limiting a single resource-heavy feature. As if WordPress.com hasn’t been going even further in providing a limited WordPress experience since the beginning.
In short, Matt demanded that WP Engine paid money to Automattic, for using the WordPress logo and wordmark, which is actually owned by the WordPress Foundation.
I guess there are more people than Matt’s mother that are confused right now.
WP Engine, the hosting company he attempted to steamroll over has been known to support the WordPress community in ways other than poking around in things that are under Matt’s control and stepping on his toes. They were in fact one of the largest sponsors of that conference and maintain some important plugins for WordPress such as Advanced Custom Fields among other things.
Matt offered to refund WP Engine their sponsorship money. He has done similar things before, assuming that he can pay himself out of trouble like that — in addition to other WordCamp sponsors angering him over clever advertising in the past.
According to an exchange of cease and desist letters that happened shortly after, Matt seemed to have gone as far as threatening them, using text messages up until his closing speech.
Anyone who has done any leadership work in volunteering spaces can tell you that you don’t use threats or throw tantrums to get things done within volunteering projects or you’ll end up being ousted or with key people walking out.
This seems to be how Matt has gone about things in the past handful of years or even longer, and that is threatening the very existence of the wider WordPress project and the actual community involved.
Setting the Record Straight
Why Not a Fork?
Some — including Matt himself, despite in his arrogant tone — have suggested forking the WordPress project and ClassicPress has existed for a while, despite having to re-fork the WordPress codebase recently as they were slightly behind on merging code from upstream.
On the other hand, previous attempts to fork WordPress have not gone well (and Matt knows that) as the maintenance of a hard WordPress fork would require much more work than most people would assume, lest we forget that the monolithic codebase reflects the organisational structure and hierarchies behind it.
There is much more behind the WordPress project than its core codebase and it would be a difficult undertaking to replicate that as well, so a small group of volunteers will never be able to cover everything that needs to be done.
I believe that those of us who want to distance themselves the politics of WordPress while also wanting some change may not want to do the same mistake twice or be left with too much to chew on.
What could be done here is a project aimed at transforming the codebase into more manageable packages and initiating groups responsible for the maintenance of each. I think the only way to do this while bypassing the current hierarchy is to initiate a consortium with an open membership and a strict, open governance structure that does not stand and fall with a single person or company insisting on being Player 1 all the time.
On the other hand, perhaps we just need to start from scratch or move towards something else.
Can’t Matt Simply do What He Wants with His Software and His Businesses?
Some assume that Matt owns WordPress or that he is the sole owner of Automattic, which he is isn’t.
Here’s the thing — as Matt is not the Founder of WordPres, but one of the co-founders of the project, lest we forget the hundreds or thousands of people who have contributed to the project for the past 2 decades — The WordPress source code, its documentation and other associated work is as a whole not the private property or within the personal domain of Matt Mullenweg according to the software license the WordPress project has used from the beginning, let alone a general understanding of intellectual property law.
I can’t see how Matt’s recent ideas on the rights to use the WordPress logo, the name or the wordmark requiring companies that he doesn’t like to pay up are in compliance with the GPL license.
This makes me wonder if this has to do with WP Engine not being a large Jetpack reseller like many large hosts in the WordPress space — as WP Engine has listed Jetpack on its list of banned plugins as being allowed but not particularly recommended.
Jetpack is one of Automattic’s most important products and the revenue associated to it is astronomical, so a large actor in the space ignoring Automattic’s products altogether may have pushed Matt’s buttons here.
The non-profit WordPress Foundation and Automattic inc. are not within his personal domain either and there are very strict rules in place about how any relationship between the two is allowed in addition to how non-profit foundations are to be operated in general — and from the surface it seems like those rules are not being followed.
The WordPress Foundation in particular is not very open about its operations and as someone who spent many years in NGO and party politics, I find it unusual not to be able to see its bylaws, a profile on each board member and at least a summary of its and general and board meetings on its website.
How is This Different from Linus Torvalds Throwing Tantrums at NVidia?
The key difference is that the likes of Linus Torvalds are smart enough to scope the work that they do so that their project doesn’t depend on them alone or business entities and non-profits that they are in control of.
The Linux Foundation, IBM or Canonical will not face serious business consequences for Linus’ tantrums as he is not the leader or general manager of either. He’s just the guy who accepts pull requests for the Linux Kernel, even if he is a figurehead of sorts.
In addition, Matt’s ludicrous demands towards WP Engine are about money being provided to a for-profit enterprise for using trademarks owned by a non-profit entity, so this is now way beyond the usual “techbro throws tantrums and causes drama” things we’ve seen in the past.
Just like the Linux kernel is not a product of IBM, WordPress itself is not a product of Automattic or the creation of a single alleged wunderkind.
One of the things that makers of free software like Linux distros and the Kernel itself do is offering updates and downloads from mirrored package repositories hosted by 3rd parties like 3rd party CDNs, universities and ISPs. This prevents large vendors or individuals from going rouge and blocking someone from running security updates.
WordPress on the other hand, has always depended on infrastructure provided by Automattic.
Contributing Code to the WordPress Core is a Chore Better Lived Without
If you are extremely curious, you can probably dig in to the WordPress.org revision management system and find where I made my first contribution way back. The feeling of gratification and pride I got as a young up-and-coming developer and designer (after someone else took it on to write tests for it and it got implemented in the WordPress core) made it so worth the time it took.
On the other hand, at this point in time, things have become unrewarding. Besides the bikeshedding involved (which is normal in a large and important project like this but could be managed better), tickets and patches can take years to get through the discussion and decision process if they aren’t kicked off the table for any reason such as not aligning with Automattic’s (or Matt’s own) plans for that quarter.
Let alone that the tools and methodologies used for the work are considered a burden in this day and age. I don’t think I could convince my own team members to start using Subversion to contribute to a codebase that seems to disregard the underlying PHP programming language and its recommendations as it has developed since 2008.
Not to mention the politics involved.
I would go as far as saying that the myth about open source contributions simply being the same as working for free for someone else’s company is true in this case.
I don’t think it’s sensible for the companies that depend on WordPress to volunteer their own or their employees’ hours on dealing with the overhead involved here given the choice, let alone to consider it something extracurricular or for the greater good.
As for myself, I have bypassed some of the shortcomings of WordPress by writing bespoke plugins when I could have sent in a patch for the WordPress core because the latter simply feels useless. (Did you know that WordPress breaks when your host doesn’t offer a PHP mail()
function?)
In that context, it should be a no-brainer for a company such as WP Engine to contribute to the economy and community around WordPress in other, more effective ways than providing patches to the WordPress Core, in addition to the imaginary measurement contest Matt seems to have set up in the name of his ideologically loaded Five for the Future scheme.
Matt’s arguments about WP Engine preventing their employees from contributing to the core and his supposed offer to help out are also extremely hypocritical to me, as during my time with Automattic, I was told that fixing a two-line bug in the WordPress Core instead of working around it was considered not to be a good use of my time.
WordPress and Automattic as Subject to EU Legislation
For the past two decades, Automattic has shielded itself behind being a medium sized, privately owned US based corporate entity and has it as a general policy not to act on any foreign legal action — only court orders from the US legal system are adhered to, in particular when it comes to copyright, privacy and expression.
This is despite the company having had worldwide operations and EU based holdings and wholly-owned subsidiaries within the EU for years.
It seems like the company has simply flown under the radar all this time. Most people who use WordPress and even Automattic’s commercial products on a daily basis don’t know the true scope of the company’s operations or who Matt Mullenweg is, so I can only imagine how things are among those outside the community or are not in on the newest Silicon Valley gossip.
Now the CMS that runs the majority of the World Wide Web, which is in turn dependent on a social media company that retains pictures of dead children, rolled backs its specific ban on deadnaming trans people and forced millions of users into sharing their data with OpenAI needs to come under public scrutiny at some point.
Jetpack is one of Automattic’s most important products. It enables self-hosted WordPress sites to use services that are facilitated from WordPress.com. What not everyone knows is that those sites are mirrored over to the WordPress.com infrastructure, including WooCommerce customer data and purchase histories — and that infrastructure is as far as I understand the GDPR — not compatible with European privacy regulations.
Automattic even kept citing the US/EU Privacy Shield for a while as the basis of its compliance, despite an ECJ judgement invalidating that framework, proving that they either have no idea about how these things work or that there is something else going on internally.
In addition, Automattic does not follow European copyright law either, as a year ago I requested the takedown of my own intellectual property from their services (my own picture that I took of myself) that was being maliciously hosted on their CDN, and was met with the Napster defence and a statement that only US law applies to their operations. (Other platforms removed the image within a short time period and one even banned a user for repeat violations.)
Furthermore, acquiring Tumblr, which is orders of magnitude larger than WordPress.com in terms of its active user base, traffic and content generation did nothing to make Automattic a smaller target to European regulators.
Heather Burns, who formerly led regulatory compliance work within the WordPress project (namely the GDPR and Cookie Compliance feature) until Matt mocked her on stage at WordCamp had this to say around the time Matt harassed and published private details on an Irish trans woman earlier this year:
For the record, I’ve had a printout of this Twitter post glued to my screen at the office for a while now, as I know Matt has access to much more than random data from Tumblr. Meanwhile, the market share of WordPress seems to have crossed the 60% mark.
Matt behaves like a teenage mid-2000’s forum admin when it comes to his responsibilities.
Last week, after having conflated the non-profit WordPress Foundation and his for-profit Automattic inc, indicating that what happens on WordPress.org is within his personal domain (in both senses of the word), Matt Mullenweg has called a legal and regulatory airstrike on himself, which may expose more underlying and prevalent issues than the current exchange of letters between Automattic and WP Engine.
In addition to this, the company conducts false self employment contracts within the EU/EEA, despite owning and operating EU based subsidiaries for asset holding and payroll purposes. This means that many of the people who work for Automattic are technically external contractors despite acting on behalf of the company, holding business cards with the company logo or conducting WordCamp talks on behalf of the company. (Which rendered legal action about what I endured as good as impossible, as I did not have any rights as an actual employee and my contract was with Automattic in California, under US law.)
To summarise things from the perspective of someone who lives and works in the EU/EEA:
- Automattic inc owns and operates web hosting infrastructure and edge nodes within the EU/EEA and around the European continent
- Automattic inc. owns and operates wholly-owned subsidiaries within the EU/EEA and the UK (Ireland, Spain, the UK and probably others) which are used for asset holding and payroll
- It is a fact Automattic inc. has generally ignored comments and concerns about compliance with EU privacy and copyright legislation, namely the GDPR, and did not acknowledge the basis of its assumed compliance being invalidated by the European Court of Justice
- Data hosted on self-hosted WordPress sites that use Jetpack is copied over to the WordPress.com infrastructure, which probably has never been GDPR compliant as I understand it
- Automattic does not adhere to European copyright legislation, claiming that only US law applies to their operations, in contrast to other social media companies that comply within the EU legal framework
- Matt did harass a Tumblr user earlier this year, chasing her across platforms, using her private information against her
- Automattic inc. may be actively miscategorising its EU workers; as they need to reside within the same country as one of the EU subsidiaries in order not to be classified as full-time contractors without the rights and protection of actual employees (this is called false self employment and is not very orthodox on the legal side of things)
- By abusing the non-profit WordPress Foundation for selectively cutting competitors from access to the WordPress Plugin Directory and other important update and security services, Matt Mullenweg is illustrating the importance of the EU Digital Markets Act, potentially making his enterprise a subject to being classified as a Designated Gatekeeper by the EU Commission
I am not a lawyer myself and I would like to believe that Automattic’s legal department is acting in good faith and is simply unaware of there being a world outside of the United States and the State of California in particular. On the other hand I would like to think that my ex coworkers (and in particular my Secret Santa from 2018) are some of the smartest and most talented people in the business. (But we can only have one without the other, so which is it?)
In any case, I would be happy to hop on the next train to Brussels to discuss what is happening within the WordPress community to regulators and the same goes with any lawmakers and regulators within individual EU and EEA countries.
What Now?
Matt Mullenweg’s unquestioned access to infrastructure and resources across the WordPress project, the WordPress Foundation and Automattic inc, which owns and operates the infrastructure the project depends on — in addition to the actions he has taken in the past week and earlier this year — is something that I would consider to be a grave security concern and the largest existential threat to the WordPress project itself.
The current situation does not warrant everyone jumping in and immediately making the switch to something else. Good support contracts and removal of any dependence on Automattic’s products and services should be the first order.
Ideologically speaking, this may be be hard to consider, especially for those who came across WordPress early on as they were attracted by the open source spirit of the project.
If WordPress is to stay the default choice for new website projects, then Matt Mullenweg and his cronies need to be removed from any sort of leadership role.
A couple of years ago, I could have imagined Matt acting as a figurehead or influencer. We are well past that point however.
What I find more realistic, is the other large players in the industry initiating and supporting a hard fork, with a solid and open governance structure and a roadmap towards modularity and actual openness.
In addition, Matt may take it upon himself to replace the GPL license the WordPress project has used from the beginning. This may range from the Mozilla Public License that the Gutenberg project is already licensed under to pulling the rug entirely from the community by doing something similar to HashiCorp, which moved its licence over to the Business Source License, causing the likes of Vagrant to be published as “source available” products, fully controlled by a single vendor.
Similar things are already being done with the trademark policy. (As enforceable as it may be.)
Things will not go well if this persists and I think Matt’s aggressive statements and behaviour have already pushed what we know as WordPress today beyond its tipping point.
My advice to anyone depending on WordPress related work as their main source of income or their livelihood is to diversify and update their skills. This especially applies to those who believe that WordPress came as a godsend to their lives at some point as we are now beyond Peak WordPress.
The same goes to those running hosting companies.
Diversify away from WordPress.