Because of recent actions taken by Matt Mullenweg, the control of WordPress.org has become a big security concern. It continues to be unclear who actually is in control of it. Lawyers representing Matt Mullenweg and Automattic have put forward varying explanations. In a legal filing on October 22, they put forward the view that Matt Mullenweg is personally in control of it:

WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility.

Eight days later, they put forward a more nuanced explanation:

Separate from the WordPress software, from Automattic, and from the Foundation, is a website that Matt supports called WordPress.org (the “Website”). Matt is the owner of the WordPress.org domain name. Matt created the Website to support the WordPress community and software. Over time, the content the Website provides has become more robust. It takes significant resources from Matt and others to maintain the Website. For example, Matt and other employees of Automattic contribute over 3,500 hours weekly to support and maintain the Website, including the core software and other features offered through the Website.

Various things we have run across show that Automattic plays a fairly significant role in running the website. A recent posting on the WordPress.org Status Blog adds to that, but also raises other questions. If you are not familiar with that blog, you are not alone. We were not aware of it until now. On November 13, a post was published explaining recent instability of the website. It started this way:

On Nov 12th 2024 beginning at 21:20 UTC, WordPress.org experienced intermittent elevated latency and increased error rates. These affected both the WordPress.org website and API. This initial incident was quickly resolved by the team, but reoccurred briefly on Nov 13 at 0110 UTC, 0900 UTC, and 1400 UTC. The underlying cause was network saturation of the hosting provider’s network that hosts some of the WordPress.org infrastructure. Although all of the servers and switch interfaces that our team has visibility into were within normal levels of utilization, there were some upstream network bottlenecks that created increased latency and packet loss that affected the WordPress.org environment.

The author is only identified as Barry. Those following the legal back and forth going on might recognize that Barry, as it is Barry Abrahamson. Here is how he described his role at Automattic in legal declaration under penalty of perjury:

I am currently the Chief Systems Wrangler at Automattic, where I am responsible for running the globally distributed infrastructure that powers WordPress.com, Jetpack, WooCommerce, WordPress.com VIP, WP Cloud, and Pressable, among others. I joined Automattic in April 2006 as a consultant and started full-time in May 2007. I have been with the company in a Systems Wrangler role for around seventeen years.

As with other things he neglected to mention in that, he didn’t mention any role managing WordPress.org, only saying this:

As part of my role as Chief Systems Wrangler at Automattic, I regularly work with the WordPress software platform, and am also familiar with the website located at www.WordPress.org (the “Website”). Automattic contributes significant time and resources to the operation of the Website, in excess of 3500 hours weekly.

That wasn’t Barry’s first post on that blog. The first one was in 2017 and he later posted in 2020, 2021, and 2022. He has written the last three posts on the blog.

Curiously, Barry Abrahamson’s WordPress profile makes no mention of Automattic sponsoring him for any time spent on WordPress.

Some of the other posts on that blog were written by current or former employees of Audrey Capital, Matt Mullenweg’s investment vehicle. Posts also come from two other current or former Automattic employees. One of them worked both at Audrey Capital and Automattic. In a post on his own blog last week that former employee of both, Samuel Sidler, made this interesting comment:

When I worked at both Audrey Capital and Automattic, I helped oversee design and development of the WordPress.org website. One of the many pain points at the time was getting support from Automattic’s systems team—led by Abrahamson—which maintained the infrastructure of WordPress.org. Requests were posted to a public make/systems “P2” blog—resolutions were anything but swift.

Among the questions this raises is if the block of WP Engine’s customers’ websites from WordPress.org systems was done by Automattic employees.

There is also the important question of who is paying for the WordPress.org infrastructure. Especially when Matt Mullenweg is making it seem like he might be personally spending millions of dollars a year on it (something his lawyers appear to disagree with).

We have reached out to Samuel Sidler to suggest he provide a follow up with more details on the handling of the infrastructure of WordPress.org.