Awesome Motive’s Not So Awesome Five for the Future Sponsorship of Plugin Security Reviewer for WordPress
The website of the WordPress focused company Awesome Motive paints them in an incredibly positive light. For example, one of their five core values is “We Do The Right Thing every time.”, which they explain this way:
When it’s right for the people, the company, and you’re proud of the decision, then it’s the right thing. Sometimes doing the right thing is hard, but doing it over is harder. This is why we must always do the right thing, every time.
And they claim that companies should be a force for good:
We Believe Companies Should Be Forces for Good
Looking elsewhere, you get a very different story. For example, if you look at the comments on stories at the WP Tavern about their acquiring plugins, you will find things like this:
Another product lost to a company that really is a parasite on the WordPress community. How sad.
And this:
Judging by the track record of this company, I would start looking for a new plugin…
Or take this example of their deceptive marketing from earlier this year:
In the article linked in the above tweet, you’ll see a plugin called Smash Balloon (owned by Awesome Motive) publishing an article on the “Best Smash Balloon Alternatives”.
And guess what?
4 out of the 6 recommended alternatives are Smash Balloon itself. That’s like saying that the best alternatives to Facebook are Facebook Groups and Facebook Marketplace.
The final two alternatives? SeedProd, a landing page builder also owned by the same parent company, and a Shared Counts plugin developed by two people who are also associated with that company.
None of these are actual alternatives.
Or this tweet thread about fake countdown timers and other issues with the company.
Five for the Future
We have noticed another problem with Awesome Motive, which gets to a larger problem in the WordPress space: companies sponsoring people in WordPress roles where those people are causing problems. The head of WordPress has been a promoter of sponsored involvement, which has been branded as Five for the Future. This approach has its detractors.
When it comes to the team of four running the WordPress Plugin Directory, they are all sponsored like this, though they have strangely claimed to be volunteers. One problem with having these people sponsored is that it creates an accountability issue. If you are spending your own time on something and producing bad results, it is reasonable to think that you would stop, but if you are being paid to hold the position and failing at it, you don’t have that same incentive. Presumably your employer would care about that, but as we found with Awesome Motive, that isn’t always the case.
Awesome Motive’s Chris Christoff
The “Security Reviewer” for the team running the Plugin Directory is Chris Christoff, who is sponsored in that role by Awesome Motive. His WordPress bio indicates he has a security role with them, as among other titles, he is their chief security officer (CSO):
CIO and CSO of AwesomeMotive. Also Partner responsible for Analytics (MonsterInsights, ExactMetrics, etc)
He also claims to be a member of the “WordPress Core Security team”.
Failed Security Reviews
The Plugin Directory has had repeated failures in their reviewing of the security of WordPress plugins.
In the last three weeks, the monitoring we do of changes made to WordPress plugins for serious vulnerabilities has led to us finding serious vulnerabilities in brand new WordPress plugins five times (one, two, three, four, five). Those plugins are supposed to be going through a manual review, which includes a security review, before they are allowed into the Plugin Directory. That isn’t a new issue; it has been going on for four and a half years. We have offered for years to provide access to a tool that would allow the team to check plugins for the same issues flagged by that monitoring, or to help them build their own tool. They have never taken us up on that. Nor have they taken other steps to catch these issues during the review. That seems like something that Awesome Motive’s employee would have a role in.
Another area where that team continues to fail over and over is that they are allowing plugins that had been pulled from the Plugin Directory for security issues back in without those issues being resolved. We noted an instance of that last week. Another plugin, a brand new plugin that we noticed contained a serious vulnerability in January, was reopened recently with the security vulnerability possibly still in it. We don’t know for sure, because the plugin breaks the website when it is activated, which makes it hard to believe this was properly checked before being allowed back in the directory. Surely, a security reviewer should have noticed that. In yet another instance, a new plugin was reopened, after it had been closed because we had noticed it contained a serious vulnerability, while the handling of changes to its settings was still incredibly easy to spot as being insecure.
It’s hard to look at those results and think that Awesome Motive is doing the right thing by sponsoring this person in a role they seem incapable of handling. Yet they are.
We contacted Awesome Motive about this to better understand what can be done about this type of situation. We asked them for any information they could provide on their vetting for sponsorships and if they have a mechanism for reporting problems with sponsored employees:
Does Awesome Motive vet that sponsorships are beneficial to WordPress? Do you have a method for someone to report to you if a sponsored employee is engaged in behavior that isn’t beneficial to WordPress? Any other information on your process you could provide would be helpful.
While they clearly read our message, as there was a flurry of visits to posts on our website that we linked to in our message shortly after we submitted it, we never got any response.