15 Jan 2025

Audrey Capital Employee Samuel “Otto” Woods Closed Discussion About WordPress Not Promoting Automattic’s Jetpack Plugin

Last week Automattic, the company of WordPress head Matt Mullenweg, announced they were going to contribute less to WordPress. In doing that, they complained that “we’ve observed an imbalance in how contributions to WordPress are distributed across the ecosystem, and it’s time to address this.” The credited author of the post is the Executive Director of WordPress.org. What was left unsaid was how Automattic benefits from WordPress over other companies because of its level of control over the project. We just ran into an instance, predating the current situation with WordPress, where an attempt to address that wasn’t allowed.

Last week, we wrote about an Automattic employee who had access to non-public data on the top search terms for the WordPress Plugin Directory and their admission to changing the directory’s search algorithm to promote Automattic’s Jetpack plugin. That isn’t the only way that Jetpack is promoted in the WordPress Plugin Directory. From the admin interface of WordPress, going to the page to add a new plugin brings up a set of Featured plugins:

13 Jan 2025

New Executive Director of WordPress.org Now Credited as Author of Automattic’s Post Announcing Company’s Reduction in WordPress Contributions

Last week, Automattic announced that they would be reducing how many hours they claim to contribute to the WordPress project under the Five for the Future program. (The accuracy of the Five for the Future pledges in general seems highly suspect.) At the time, the post didn’t have an author shown, but ended “– The Automattic Team.” Since then, the design of Automattic’s website has been updated, causing the credited author of the post to be displayed. You can now see it is listed as Mary Hubbard:

10 Jan 2025

The New Executive Director of WordPress.org is Now Claiming to Only Spend 5 Hours a Week on WordPress

When it comes to the security problems with WordPress plugins, as well as many other problems with WordPress, the project’s lack of proper governance is a key problem. In addition to Matt Mullenweg, the only person who appears to have an oversight role for the project has been the Executive Director of WordPress. That hasn’t produced good results.

While not disclosed by Matt Mullenweg when he announced the position, the first holder of the position was the head of the open source division of Automattic, Matt Mullenweg’s company. The obvious conflict of interest might explain why that person never released the conflict of interest policy they promised for over a year. That person held the position from 2019 until September, when Matt Mullenweg offered a buyout to Automattic employees after his extortion campaign against WP Engine went public. They unsurprisingly operated largely in line with what you would expect from someone who is an employee of Automattic and happens to hold that title.

10 Jan 2025

Automattic Employee Changed WordPress Plugin Directory Search Algorithm to Promote Automattic’s Jetpack Plugin

As part of working on our Plugin Security Scorecard last year, we spent a fair amount of time using the search functionality of the WordPress Plugin Directory. Through that, we again and again ran across search results that prominently featured plugins with high install counts that were not relevant to the search, while relevant plugins were sometimes buried later in the results.

One of the examples where you can see that happening is a search for “translation”, which has as its fourth result a 3+ million install backup plugin:

16 Dec 2024

Wordfence and WPScan Falsely Claim Closed WordPress Plugin Contains Serious Vulnerability

We are currently looking into yet another problem with the handling of security by Awesome Motive and the Security Reviewer from the WordPress Plugin Review Team. In doing that, we ran across another example of the incredibly sloppy work done by prominent providers of data on vulnerabilities in WordPress plugins.

In January, the WordPress plugin SimpleMap Store Locator was closed on the WordPress Plugin Directory for an unspecified “security issue.”

13 Dec 2024

WPScan Ignores That Security Issue From Website of Their Boss, Matt Mullenweg, Played Vital Role in WordPress Websites Being Hacked

Two days ago, a news story about WordPress websites being hacked was published titled “Hunk Companion WordPress plugin exploited to install vulnerable plugins.” The last part of that is important, but was largely ignored in the story, with the only mention saying that “While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console.” That plugin was closed on the WordPress Plugin Directory on October 21.

9 Dec 2024

Automattic Isn’t Sponsoring 3,500 Hours a Week to the Maintenance of WordPress.org

While WordPress is an open source project, there is so much that isn’t open and transparent about it. That includes one team that largely operates anonymously, seemingly to avoid people being able to identify individuals taking harmful actions, and it includes a security team (or teams) where even basic details are a mystery. We also still don’t have a clear picture of who is managing and paying for the WordPress website. That is an obvious concern with everything that has been happening recently involving Matt Mullenweg’s campaign against WP Engine. One thing we can say with good certainty is that Automattic isn’t sponsoring its employees to spend 3,500 hours a week maintaining the WordPress website, as some people have been mentioning recently.

The confusion over this seems to be based on a declaration made in the legal case between Automattic/Matt Mullenweg and WP Engine. In the declaration, an Automattic employee stated:

9 Dec 2024

The Executive Director of WordPress.org Works For Automattic, Not WordPress

Back in 2019, Matt Mullenweg announced a new role, the Executive Director of WordPress, without disclosing that the role was being filled by someone working for his for-profit company Automattic. When that person was brought up after that, it was rarely mentioned that they worked for Automattic, despite the obvious conflict of interest inherent in the situation. That conflict of interest might explain why WordPress never got its conflict of interest policy, which that person said was coming.

That lack of disclosure continued when Matt Mullenweg announced that person’s replacement, under the slightly changed title, Executive Director of WordPress.org, in October. Considering how clear it has become recently that Matt Mullenweg has been intentionally obscuring the control of WordPress and the intermixing of different entities, you might reasonably expect that journalists would be careful about accuracy on things like this. That continues to not be the case.

2 Dec 2024

For the Second Time This Year, Automattic’s Top Lawyer Has Left

Last week’s hearing on a preliminary injunction in the legal case between Matt Mullenweg/Automattic and WP Engine featured an Automattic lawyer we hadn’t heard mentioned before. That would be their General Counsel, Jordan Hinkes. That role has been the second-highest legal position at the company. Bloomberg Law reported on Friday that he was newly on the job. His LinkedIn profile shows him having taken the job in October:

2 Dec 2024

Automattic Apparently Manages the WordPress.org Infrastructure

Because of recent actions taken by Matt Mullenweg, the control of WordPress.org has become a big security concern. It continues to be unclear who actually is in control of it. Lawyers representing Matt Mullenweg and Automattic have put forward varying explanations. In a legal filing on October 22, they put forward the view that Matt Mullenweg is personally in control of it:

WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility.