21 Nov 2024

Spokesperson for WordPress.org Claims It is Committed to “Continued” Transparency and Increasing Security Expectations

If you have followed what is going on with WordPress recently, transparency is not a word you would use to describe things. And yet an unnamed “WordPress.org spokesperson,” speaking to an undisclosed employee of the head of WordPress, Matt Mullenweg, claimed that WordPress.org is committed to continued transparency:

WordPress.org is committed to increasing security expectations, adopting secure development practices, continuing to lead the project with transparency, and being a willing and helpful partner regarding any government requirements.

The comment is odd on so many levels. WordPress.org is apparently just Matt Mullenweg. His lawyers specifically said recently that “WordPress.org is not WordPress.” So should the comment be read as saying he is committed to those things, while not being transparent that WordPress.org is actually just him? What else could it mean?

When it comes to WordPress.org, there are lots of things that are not transparent, including how much it costs and whether Matt Mullenweg is making a profit off of it.

The transparency claim also runs up against the reality of WordPress’ security operation. We don’t have even basic information on the security team (or teams) that exist for WordPress. Matt Mullenweg also has been portraying the security team of his company, Automattic, as being the “WordPress security team.” Whatever teams there are, there isn’t transparency about why they are failing to address publicly known security issues.

Assume that increasing security expectations doesn’t just mean increasing expectations, but actually improving security. That is a low bar, as with two known security issues in WordPress, there haven’t been any developments on addressing them since 2017. Those involve the is_admin() and maybe_unserialize() functions.
