The Mullenweg/WPE Thing

mullenweg-wpe.md

The Players

• The WordPress Foundation is the nonprofit which manages the WordPress code and ecosystem. Until this blowup started, it was widely believed to maintain the wordpress.org website (the domain, however, is owned by Matt Mullenweg rather than by the Foundation), which acts as the central repository for all updates, themes, and plugins, as well as managing the WordPress documentation and maintaining a large discussion forum for WordPress devs and users. The Foundation is administered by a board of three people, one of whom is Matt Mullenweg.
• WordPress.org is the above-mentioned plugin/theme/update repository, which turns out to be owned by Mullenweg directly rather than by the Foundation, and he is in full control of it.
• Automattic is the for-profit arm of WordPress, which maintains the wordpress.com web host as well as offering a number of other free and paid addons to WordPress. Matt Mullenweg is the CEO and a member of the Board of Directors, and controls a majority of voting shares in the organization.
• WP Engine is a company which offers managed hosting for WordPress sites. They are a major player in the WP hosting space. It is important to note that the phrase "managed hosting" specifically implies a high level of control by the hosting company over the software and infrastructure; managed hosting services are geared toward less-technical clients and clients who want to offload server administration stuff. People who are purchasing managed hosting, as opposed to unmanaged hosting, are specifically buying the higher level of control by the hosting provider, because it means fewer hassles for them.

The Story So Far

• TechCrunch has solid reporting on the initial events: Mullenweg's initial blog post, his WordCamp keynote, his second blog post, and WP Engine's C&D letter. The blog posts are posted to the wordpress.org blog, not to Automattic's blog.
• WP Engine's letter alleges, among other things, that Mullenweg demanded money from WP Engine ostensibly as a licensing fee for the WordPress trademark, but in actuality to refrain from disparaging and defaming them on stage and in blog posts.
• Not alleged in the letter, but reported by attendees to WordCamp, is that Mullenweg engaged in a verbal altercation with WP Engine employees working the WP Engine booth at the show, which included Mullenweg threatening to physically dismantle their booth in the middle of the show. (I can't find my link to this right now, i'll look for it later.)
• Automattic sends a C&D letter of its own to WP Engine, demanding that they stop misusing the WordPress trademark. (Note that the WordPress Foundation is the trademark owner, and Automattic is the sole commercial licensee.) The exhibits are a separate document here.
• Prompted by Mullenweg's multiple blog posts, which get automatically propagated to every WordPress user with the "News Feed" widget on their admin dashboard (which is most WordPress users, as very few actually modify their dashboard), WP Engine disables the "News Feed" dashboard widget for all its customers. (Note that just as with disabling revisions, this is a simple config change, supported by WordPress; it does not involve modifying any code or otherwise "chopping up" WordPress installs.)
• A day after Automattic sends the C&D, the wordpress.org domain (again, maintained by the WordPress Foundation), blocks WP Engine (and thence all of their customers) from accessing the plugin/theme/update repository. This means that none of WP Engine's customers can automatically install plugins or themes, update plugins or themes, or update WordPress itself, including vital security patches. Additionally, all WP Engine user accounts are reportedly banned from the wordpress.org site, meaning they cannot post to the forum or update the plugins which they maintain as an organization. (Need to find the link on this one too.)
• Mullenweg posts about this decision, again to the wordpress.org blog, and includes the following statement: "What I will tell you is that, pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org’s resources."
• Note, here, that WP Engine's C&D was sent to Automattic, which runs wordpress.com, and at no point has WP Engine made any legal claims whatsoever against wordpress.org or the WordPress Foundation.
• Meanwhile, Pressable (another web hosting company also wholly owned by Automattic), posts a special offer for WP Engine users, offering to buy out their contracts and migrate them for free. (The above is an archival link; at the time of writing, the offer is live and linked here.)
• Mullenweg has also spent the last several days Posting Through It on Reddit (link goes to his user page, which should make all comments visible). (Note that many of these comments were posted significantly after his receipt of the C&D letter from WP Engine.)
• Mullenweg is reportedly also privately exhorting Automattic employees to make supportive posts on their own blogs and social media. There may or may not be an implication that they will be retaliated against if they choose not to do so; reports vary.

Resources

• Link to full docket for anyone who wants to follow developments on the lawsuit
• Michael Tsai is maintaining a roundup that focuses on quotes and reactions from involved players and community members

Updates

27 September 2024

• Mullenweg uses the .org blog to post WP Engine Reprieve, stating that they are re-enabling WP Engine's access to the central repository, but only through 30 September (specifically "until October 1, UTC 00:00"), giving WP Engine all of two and a half business days to spin up working mirrors.
• At least two WordPress Core contributors report that their access to the Make Wordpress team was disabled after they criticized Mullenweg on the team's private Slack
• The Verge posts an explainer article
• Josh Collinsworth posts a call to fire Mullenweg which also contains an excellent and comprehensive roundup of events so far
• On Hacker News, Mullenweg confirms that he plans to continue serving as CEO of Automattic as well as Director of the Foundation and owner/operator of wordpress.org and states that he does not plan to undo the hard-coded dependency on the wordpress.org repositories within the WordPress software

28 September 2024

• Mullenweg gives a live interview
• Mullenweg, on his personal blog, challenges Lee Wittlinger, president of the WP Engine Board of Directors, to a public debate

30 September 2024

• WP Engine updates several of their pages to modify their use of 'WordPress' and 'WooCommerce'. The changes are in most cases fairly minor and clearly intended to reinforce their claim that their use is nominative and fair. ( before | after )
• Mullenweg confirms on Twitter that he, not the WordPress Foundation, is the sole owner of the wordpress.org domain and in sole control of all of the repositories and critical infrastructure which rely on it.
• LWN has another nice recap

1 October 2024

• Mullenweg says in an interview that the 8% deal is "no longer on the table" and threatens a hostile takeover of WP Engine
• The CEO of CloudFlare offers (via Twitter) to donate all resources required to continue hosting the wordpress.org repositories
• Richard Best (who is a lawyer, but not a trademark/IP lawyer) weighs in on some of the legal considerations
• Automattic publishes what they purport to be the term sheet they offered WP Engine on 20 September 2024 for use of the trademarks, alongside a blog post purported to be the timeline of events (Editor's note: I say "purported to be" because at least one of the terms in the term sheet, related to affiliate codes, doesn't seem to be related to anything that actually happened in the real world and was, as far as i can tell, "discovered" by Matt as an issue several days after 20 September)
• On Twitter, Mullenweg is directly asking WP Engine's big clients to switch hosts
• Several people including former Automattic employee Kellie Peterson (note her name, it'll come up again) post on X that Automattic is offering buyout packages to employees who are not "aligned with the CEO's vision" (link is to a Reddit roundup with comments)

2 October 2024

• Kellie Peterson (see above) posts on Medium that Mullenweg has threatened her with legal action for her Twitter posts
• The Executive Director of WordPress, Josepha Haden Chomphosy, has left Automattic. (The Tweet she is quoting has since been deleted and I can't find an archive.)
• WP Engine formally files suit against Automattic, Inc. and Matt Mullenweg
• Mullenweg continues his devotion to Posting Through It on the Hacker News item about the lawsuit, to the point where actual lawyers in the thread are begging him to shut up
• Automattic puts up a blog post about the trademark situation
• The Register has an article about the conflict, in which Bruce Perens (one of the big names in defining Open Source) is quoted

3 October 2024

• Automattic releases a blog post in response to the lawsuit and announces that they have hired famous scumbag Neal Katyal
• Mullenweg confirms, on his own blog, that 159 Automattic employees took his buyout offer

4 October 2024

• In an interview with The Verge, Mullenweg makes clear that he is in control of WordPress, and has no plans for that to change
• Mullenweg comments on Reddit (on a now-deleted post, but the comment is still visible) that he believes WP Engine has hired a "dark PR firm"
• Lawyer Mike Dunford has a weekly Twitch stream called the Litigation Disaster Tour Hour; his last two shows have focused on this conflict. The VODs are now archivally available on YouTube.
• Jeffrey Zeldman, one of the grandfathers of the Web as we know it today, wrote a post about staying at Automattic

5 October 2024

• Automattic's Twitter account discloses that there is an unpatched vulnerability (link is to an archived version) in the version of ACF on the wordpress.org repository (which, again, WP Engine staff cannot currently update because Mullenweg has unilaterally blocked WP Engine staff from accessing .org). Automattic asserts that they have informed WP Engine about the issue.
  Note: This sort of announcement is not standard practice in infosec; there is no reason for this class of disclosure ("there is an issue but we are not saying what it is") except to create a climate of uncertainty about safety.
  • A few hours prior to Automattic's irresponsible disclosure, Mullenweg asked on his personal Twitter, "What are the best alternatives to Advanced Custom Fields…?" He asserted that "millions of sites" will be switching to other options in the coming weeks.
  • PatchStack, a WordPress infosec agency, reports on Twitter that they are aware of the vulnerability and it is low-severity, which fuels further speculation by WordPress community members (on Reddit, Twitter, and probably elsewhere) that it was announced this way merely to harm WP Engine's business.
  • One of Mullenweg's employees states on Reddit that a security patch will be pushed to the .org repository "even if I have to apply the patch myself"; John Blackbourn, a member of the WordPress Core Security Team, also says "I am going to work my damned hardest to ensure that the fix gets shipped to dotorg"
  • A few hours later, Automattic removed their Twitter post
• The story hits the mainstream press as CNBC publishes an article about it. The article is pretty lopsided towards Mullenweg's perspective (one of their primary sources has undisclosed connections to Mullenweg's businesses), but contains a decent overview of events so far.
• Mullenweg reportedly joins a Slack for ex-Automattic employees and immediately attempts to assert control in the guise of "helping".