Matt Mullenweg’s WP Tavern Didn’t Allow Question on Significant State of the Word Related Security Issue
Heads of tech companies controlling the online conversation have been a big issue recently, following Elon Musk’s takeover of Twitter and his subsequent actions. WordPress has a similar issue that doesn’t get much attention, probably explained, in part, by the more systematic nature of the control. The head of WordPress, Matt Mullenweg, is the person who controls which news outlets are shown in the WordPress dashboard. He also has at least some level of control over several of those outlets, including direct ownership of what is probably the largest WordPress news outlet, the WP Tavern.
The ownership of the WP Tavern is barely disclosed. For example, a recent story about a State of the Word speech given by Matt Mullenweg makes no mention of it, despite him being central to the story. The only place it appears to be disclosed is on the About page, which is linked from the footer of the website, and even that mentions that his ownership was hidden for two years:
On June 8, 2011 Jeff Chandler announced that a new owner had purchased the site. One of the stipulations after the purchase was to remove all forms of advertising.
It wasn’t until May 20th, 2013 when everyone was informed as to who the new owner was. It was none other than Matt Mullenweg. It’s important to note that Jeff Chandler was hired as an employee for Audrey.co, Matt Mullenweg’s personal research and investment company with the primary duty of creating and managing content on WPTavern.
Despite the lack of basic disclosure in relevant stories, Google includes the outlet in Google News with no warning about the lack of disclosure.
In that aforementioned WP Tavern story, there was mention of Matt Mullenweg saying that an unspecified security team would be involved with canonical WordPress plugins:
Some of these plugins will be canonical plugins, those that are officially supported by core developers and receive attention from the security team. Gutenberg and the importer plugins are a few examples.
The speech itself didn’t clarify which team would be involved with that. But for both of the teams that seem relevant, giving them that role would be problematic, considering they are not handling their existing duties all that well, leading to unnecessary security issues for WordPress websites. We left a comment on the post asking about that, which also noted those teams’ connection with Matt Mullenweg. It was not approved for display, which is unfortunate, since the security situation with WordPress could easily be improved.
Here is the comment we submitted (we have added links with more information on things mentioned in it):
With one plugin that already appears to be a canonical plugin, as the developer is listed as WordPress.org, Create Block Theme, security hasn’t been handled well. Two months ago, a very serious vulnerability was introduced into it, caused by multiple basic security failures. The developers of that plugin work for Automattic, meaning they work for Matt Mullenweg. So more focus on security for canonical plugins would be a good idea, but what security team is going to be involved with canonical plugins?
The core WordPress security team currently seems too understaffed to address publicly known security issues with the core WordPress software, or at least they haven’t addressed several of them for quite some time. So it seems they shouldn’t be taking on more work, unless the team is expanded. Apparently about half of that team works for Automattic as well.
The plugin review team doesn’t seem up to the task either. For example, they keep failing to catch serious vulnerabilities during the manual security reviews they claim to be doing of new plugins, and they have refused help to better address that. They are also rather understaffed, with only 4 members, but are refusing to allow others to join. Half the team works directly for Matt Mullenweg.
It would be great if Matt Mullenweg were willing to work with the WordPress security community to address the shortcomings of WordPress’s current security processes, which are closely connected with him but are not delivering great results.