What’s going on at WordPress?
I'll update this daily with the latest news on the WordPress saga and how it might affect your site.
There’s a lot of falling out going on at the moment with WordPress CMS. More than 478 million websites use WordPress, so any changes will have a huge impact.
WordPress isn’t a single entity as such. It’s a free and open source content management system.
TL;DR
Matt Mullenweg, the founder of WordPress, is unhappy that WP Engine is making so much money on his open-source software.
Matt wants WP Engine to pay his company Automattic 8% of its revenue. He’s making the argument publicly because he has no legal route and wants to pressure WP Engine into doing it.
Because he’s also the founder of WordPress and runs the WordPress Foundation, he’s restricting WP Engine’s access and nobody can stop him. Some of his actions are leading to issues with sites who use any of WP Engine’s products or plugins, which is a lot of sites, who may or may not even realise it.
The fight will end with a court battle, or one side giving in. But it’s opened a can of worms of questions and issues, like how did we get into a position where one man has so much control over 40% of the internet.
Who’s involved?
First of all, let’s clarify the different names and players involved:
WordPress
WordPress, or WordPress.org: the web content management system. It’s free and open source. It was originally released in 2003 by Matt Mullenweg (remember this name) and Mike Little.
WordPress technology is open source and free, and it powers a huge chunk of the internet — around 40% of websites. Websites can host their own WordPress instance or use a solution provider like Automattic or WP Engine for a plug-and-play solution.
WordPress Foundation
The WordPress Foundation is a non-profit organisation that supports and develops the code. The original purpose of the foundation was to ensure free access, in perpetuity, to the software projects they support. The foundation was set up in 2010 by Matt Mullenweg, and he has complete control.
WordPress have a scheme called Five for the Future. It essentially wants companies and individuals who use the core software to dedicate 5% of their resources to WordPress so that it can develop sustainably.
Automattic
Automattic is an organisation that runs several WordPress products for profit. This includes WordPress.com (the commercial hosted version of WordPress), Jetpack, Gravatar and WooCommerce. It was set up by Matt Mullenweg in 2006 and owned the WordPress trademarks until the WordPress Foundation was set up in 2010.
Annual revenue: $750m (estimated)
Valuation: $7.5bn (as of February 2021)
Matt Mullenweg himself has a net worth of $400m.
WP Engine
WP Engine is a WordPress management and hosting service, similar to Automattic. It uses WordPress as a base and has built its product on top of that. It was also set up in 2010 by Jason Cohen, basically as a competitor to Automattic.
It’s owned by an investment firm Silver Lake, which is one of the things Matt Mullenweg has an issue with.
Annual revenue: $400m
Valuation: Over £1bn
It’s important to note that their revenue was $110m in 2020, so they’re doing very well, which is probably why someone wants to stop them.
How it started (publicly): Conference speech
September 20: WordCamp is a conference that focuses on everything WordPress. Their US conference took place in Portland between 17 and 20 September. It’s THE place to be for WordPress geeks.
WordPress founder Matt Mullenweg made an appearance, promising his ‘spiciest WordCamp presentations ever’. And it was.
He claimed that WP Engine is controlled by a private equity firm that “doesn’t give a dang about your open source ideals it just wants return on Capital” (which is every company really).
He criticised the company for not contributing to WordPress’ Five for the Future initiative (which is optional) and announced that WP Engine would not be allowed at future WordCamps.
And then he said that “WP Engine sounds like WordPress, and their colors are even similar to WP’s blue. There’s brand confusion.” We’ll come back to this claim.
Matt mentioned that he had attempted to discuss increasing WP Engine’s contributions to WordPress, but after not getting anywhere, going public was his only choice.
WP Engine quickly posted a reply: https://wpengine.com/blog/highlighting-wordpress-innovation-contribution/
WordPress.org blog post
September 21: Matt publishes a blog post on WordPress.org calling out WP Engine: WP Engine is not WordPress.
Specifically, it claims that WP Engine isn’t WordPress because they’ve altered the code to turn off content revision data, so once you change a page you can’t see what the previous version was. It’s not a feature any of us who use CMSs use a lot, let’s be honest.
The article doesn’t hold back, and calls WP Engine a cancer for this:
What WP Engine gives you is not WordPress, it’s something that they’ve chopped up, hacked, butchered to look like WordPress, but actually they’re giving you a cheap knock-off and charging you more for it.
This is one of the many reasons they are a cancer to WordPress
Remember, this is the CEO of Automattic, WP Engine’s competitor, using his role with the WordPress Foundation to post this, a massive conflict of interest.
Twitter poll
September 21: Matt did an X poll to check ‘community vibes’ if he was right to ban WP Engine from WordCamp. 68% thought he was wrong to ban them, and the community on socials are increasingly against his view.
WP Engine fight back with a cease and desist letter
September 23: WP Engine send Automattic a cease and desist letter demanding a stop and retraction of ‘false, harmful and disparaging statements against WP Engine’.
A cease and desist letter provides notice that legal action may and will be taken if the conduct in question continues.
The letter reveals that Automattic CEO Matt Mullenweg demanded that WP Engine pay Automattic tens of millions of dollars in exchange for his silence. The letter includes texts threatening to run the slides at the 20 September conference unless WP Engine agrees to a payment percentage. WP Engine ignored these texts, and as we know, Matt went on to slam WP Engine in his talk.
An interesting quote:
‘Mr. Mullenweg quietly demanded tens of millions from WP Engine for his for-profit company while publicly claiming to be selflessly safeguarding the interests of the community is shameful.’
Automattic sends a cease and desist letter back to WP Engine
September 23: Automattic claims that since being taken over by private equity firm Silver Lake in 2018, WP Engine has built a half-a-billion a year business by confusing consumers with their commercial use of the WordPress and WooCommerce trademarks.
Basically Automattic are saying that WP Engine shouldn’t use WordPress or WooCommerce in any of their web pages. Weirdly it references the number of hours Automattic spends in contributing to WordPress core, which has nothing to do with anything.
WordPress Foundation changes their Trademark policy
September 24: WordPress Foundation changes their Trademark policy page for the first time in a decade.
Old content: The abbreviation “WP” is not covered by the WordPress trademarks and you are free to use it in any way you see fit.
New content: ‘The abbreviation “WP” is not covered by the WordPress trademarks, but please don’t use it in a way that confuses people. For example, many people think WP Engine is “WordPress Engine” and officially associated with WordPress, which it’s not. They have never once even donated to the WordPress Foundation, despite making billions of revenue on top of WordPress.’
WP Engine removes WordPress news from user dashboards
September 24: On the default install of WordPress, there’s a widget on the dashboard when you login with the latest news from WordPress. Everyone ignores it, but it’s notable that WP Engine removed the widget for their millions of sites after the feed included the ‘WP Engine is not WordPress’ post.
WP Engine is banned from WordPress.org
September 25: WordPress.org publishes a blog post saying ‘pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org’s resources.’
This catches everyone off guard and means WP Engine sites won’t have access to the core themes and plugins anymore. Users with WP Engine sites can’t update themes or plugins to their latest versions. This means that potentially millions of sites have security vulnerabilities.
WP Engine says it’s working on a fix, but the immediate action caught them off guard.
WP Engine’s 185,000 customers are caught in the middle.
WordPress.org lets WP Engine back in for a few days
September 26: After the chaos of the 26th, WordPress.org lets WP Engine use its resources again until 1 October so it has time to make a workaround.
Mullenweg confirms this is a trademark issue
September 26: After a lot of confusion over what this is actually about (getting WP Engine to contribute code, engineers, money to WordPress), Matt Mullenweg publishes a blog post claiming WP Engine is violating WordPress’ trademarks.
But here’s a key paragraph:
This isn’t a money grab: it’s an expectation that any business making hundreds of millions of dollars off of an open source project ought to give back, and if they don’t, then they can’t use its trademarks.
It claims that using open source software should come with strings attached, which is dangerous thinking.
I get the point that a billion dollar company should be giving back to the community it started in, but the whole point of open source is they don’t have to. At what price point should open source not be open source?
WordPress.org also put in a trademark earlier this year for ‘Managed WordPress’ and ‘Hosted WordPress’.
This is an important point for all businesses.
How does this affect businesses and freelancers?
Let’s say the courts decide in WordPress.org and Automattic’s favour that they own all commercial copyright to everything WordPress, it essentially destroys any marketing other businesses use to get customers.
The end of WordPress
We won’t be able to advertise our service as a hosted or managed WordPress service. We’d be restricted in what we could say and use, and if we did use WordPress we’d have to ‘contribute’ 5% of revenue, wiping out profit margin completely. That’s why this could be the end of WordPress, not because it won’t exist, but because Automattic would have a monopoly and it would be ‘open-source’ in name and theory only.
WP Engine clarifies wording on its site
September 30: WP Engine adds some clarification to its website footer, stating it’s not affiliated with WordPress Foundation or WooCommerce. It also removes the word WordPress from its hosting plan names.
WP Engine cut off again
October 1: As promised, WordPress.org cuts off WP Engine servers from being able to access its resources, like plugins and themes. WP Engine has a solution deployed this time.
WP Engine files a lawsuit against Automattic
October 2: After the cease and desist letter led to no changes in Mullenweg or Automattic’s position, WP Engine officially file a lawsuit in the state of California, accusing them of extortion and abuse of power. It’s quite the claim:
‘Matt Mullenweg and Automattic’s self-proclaimed scorched earth campaign against WP Engine has harmed not just our company, but the entire WordPress ecosystem. The symbiotic relationship between WordPress, its community and the businesses that invest millions to support WordPress users, and advance the ecosystem, is based on trust in the promises of openness and freedom. Matt Mullenweg’s conduct over the last ten days has exposed significant conflicts of interests and governance issues that, if left unchecked, threaten to destroy that trust. WP Engine has no choice but to pursue these claims to protect its people, agency partners, customers, and the broader WordPress community. Like so many of you, we love WordPress and are committed to the stability and longevity of the community.’
Read the complaint here: https://wpengine.com/wp-content/uploads/2024/10/Complaint-WP-Engine-v-Automattic-et-al.pdf
Automattic responds saying ‘Their complaint is flawed, start to finish. We vehemently deny WP Engine’s allegations—which are gross mischaracterizations of reality—and reserve all of our rights.’
Automattic employee buy-out
October 3: The fallout has the tech world talking and taking sides. And these discussions leave some staff at Automattic uncomfortable.
Mullenweg offers anyone who resigns by 8pm on 3 October $30k or 6 months salary (whichever is higher) to clear the company of anyone that didn’t fancy the fight with him.
8.4% of staff take the deal and leave Automattic.
No affiliation with WP Engine button on WordPress.org site
October 9: WordPress.org adds a new checkbox to its contributor login page. To contribute to WordPress.org in any way now (which is open source) you have to confirm ‘I am not affiliated with WP Engine in any way, financially or otherwise’. A lot of regular WordPress contributors are banned from the community on Slack for opposing the move.
This means anyone working for or with WP Engine in any way can’t contribute plugins or themes to the .org library, or update ones they’ve already published.
Advanced Custom Fields Plugin drama begins
October 5: Automattic and Matt Mullenweg are upping the ante again and users are caught in the middle again.
Advanced Custom Fields is a very popular WordPress plugin with over 2 million active installations. So 2 million websites have it installed.
It’s run and developed by a company called Delicious Brains. They joined WP Engine in 2022.
Images: https://www.reddit.com/r/Wordpress/comments/1fwviwk/stage_appears_to_be_set_for_the_removal_of_acf/
Matt Mullenweg posts on X asking for the best alternative, at around the same time Automattic announce they’ve found a security flaw in the latest version of Advanced Custom Fields. In my opinion it’s clear they’re going through everything WP Engine touch to find vulnerabilities to get them off.
Because the team behind Advanced Custom Fields are part of WP Engine, they can’t contribute a fix because anyone affiliated with WP Engine is banned from WordPress.org.
Advanced Custom Fields plugin taken over by WordPress.org
October 12: In an extremely rare move, WordPress.org takes over the code for Advanced Custom Fields plugin and renames it Secure Custom Fields.
This is WordPress.org’s only plugin. Their justification is plugin guideline 18: We reserve the right to maintain the Plugin Directory to the best of our ability.
They update the plugin to remove commercial upsells and fix the security problem (even though the 30 days weren’t up).
But it’s the principle that has really hurt developers. This shows that WordPress.org is capable of taking control of any plugin, changing the rules to make their case, for their own benefit.
As you can expect, the Advanced Custom Fields team are pissed:
We have been made aware that the Advanced Custom Fields plugin on the WordPress directory has been taken over by WordPress dot org. A plugin under active development has never been unilaterally and forcibly taken away from its creator without consent in the 21 year history of WordPress.
This essential community promise has been violated, and we ask everyone to consider the ethics of such an action, and the new precedent that has been set.
Will this affect my site?
Regarding the specific Advanced Custom Fields plugin, if you have automatic updates on, it’ll update and be called Secure Custom Fields in your plugin list. It should still work as it did before.
The problem will be with future updates. The benefits of having a commercial organisation run plugins like this is that they’d release a free version and a paid version. They would then have capacity to make sure the free version is up to date, has no security vulnerabilities and works properly with every update of WordPress.
It’s not clear who will be maintaining this plugin from now on. So when there’s a security issue it might take a while to fix, not be fixed at all or even noticed until it’s too late and someone’s hacked your site.
You can still download and use the free version of Advanced Custom Fields from their website directly. It’ll update from there and it’s what I would recommend.
It could make developers wary of recommending WordPress
More broadly, this whole saga has highlighted that yet again in tech, things can all go wrong because one man has too much power and influence.
Developers are becoming cautious about using third-party WordPress-related products, fearing WordPress.org could revoke their access. It’ll also cause companies to be careful around saying they are a WordPress hosting provider.
WordPress powers 43.5% of all websites as their CMS. More competition in this field can only be healthy and this fallout is making people consider other choices.
How have others reacted?
October 13: An influential figure in the open-source community is David Hansson. He created Ruby on Rails in 2004. It’s an open-source web development framework used on over 600,000 sites (including Airbnb, GitHub and Shopify), and millions more historically.
He is the Chair of the Rails Foundation, which commits to keeping it up to date. As opposed to the WordPress Foundation, the Rails Foundation has a Board of Directors and maintains Ruby on Rails with a budget of $525,000.
For context, WordPress is demanding $32m from one organisation.
Anyway, David Hansson wrote a very interesting piece titled open source royalty and mad kings:
Matt, don't turn into a mad king. I hold your work on WordPress and beyond in the highest esteem. And I recognize the temptation of gratitude grievances, arising from beneficiaries getting more from our work than they return in contributions. But that must remain a moral critique, not a commercial crusade. You can't just extract by force that which you believe to be owed beyond the license agreement on a whim.
Why have I decided to single out David Hansson’s blog post though? Well, because of the almost unhinged nature of WordPress’ Matt Mullenweg’s response. It’s since been deleted because of backlash, but he basically blasts David’s work, ‘his toxic personality and inability to scale teams means that although he has invented about half a trillion dollars worth of good ideas, most of the value has been captured by others.’
And that’s what this comes down to. Matt Mullenweg suddenly thinks that as the owner of WordPress he should make the most money from it. But that’s so far from what open-source is meant to be.
And he’s going to take WordPress to breaking point just to prove his point.
Another popular plugin prepares for a hostile takeover
October 14: If you use the NitroPack plugin, you could be at risk of vulnerabilities because of the WordPress / WP Engine fallout. The NitroPack team is part of WP Engine, so they’ve been banned from updating their plugin for WordPress sites.
If you use it, follow these steps to make sure you’re getting the latest updates.