3 Jan 2025

Matt Mullenweg’s Lawyers Claim WordPress News Blog Posts “Lack the Characteristics of Typical Fact-Based Documents”

Once you log in to the backend of a WordPress website, one of the things you then see by default is a widget showing the latest WordPress “News.” What you actually get is very different. Late last year, you would have seen a promotion for the WordPress.com service:


30 Oct 2024

WP Tavern’s Latest Author Got the Job in Part by Writing “Ad” Promoting Automattic Powered Hosting From Bluehost

While the timeline of the public part of Matt Mullenweg’s extortion campaign against WP Engine sometimes starts with his talk at WordCamp US on September 20, there were two events that happened before that. On September 17, he published a post on his own website that included criticism of WP Engine. That post was promoted in the admin dashboard of every WordPress website because he decided years ago that the posts on his personal blog should be included in the “news” feed of WordPress. Two days later, another website included in the “news” feed of WordPress ran a post simply repeating much of the information from his post. That post started this way:

WordCamp US 2024 is in full swing, and Matt Mullenweg, co-founder of WordPress, shared his thoughts on a powerful philosophy driving Open Source.

25 Oct 2024

WP Tavern’s Nathan Wrigley Highlights Duo of Companies Handling Security Badly as Example of Providing Better Security Outcomes

A new legal filing from lawyers representing Matt Mullenweg claims that he loves the WordPress community. That is hard to square with so much of what he does. For more than a decade, he has run a WordPress news outlet that fails to follow the basic journalistic standard of disclosing when the news outlet is covering the owner of the news outlet and related parties. That news outlet is the WP Tavern, which is also included in the WordPress news feed that he controls, again without a disclosure of the situation. In addition to the news coverage, the WP Tavern has a podcast done by Nathan Wrigley. He isn’t someone who has shown any concern for the accuracy of what he covers. The latest podcast episode shows that off.

Before we get into the podcast episode, let’s step back in time to April 2022. That month, hackers started targeting a vulnerability in the very popular Elementor plugin. The vulnerability allowed arbitrary code to be run on the website by anyone logged in to WordPress with any user role that had access to the admin area of WordPress. Normally anyone logged in to WordPress has access to the admin area. That vulnerability was caused in part by Elementor failing to implement a very basic security check to make sure only a user with an intended capability could access functionality. Another part of the cause was that Elementor was leaking a security nonce to users that shouldn’t have had access to it.

3 Oct 2024

Untangling Matt Mullenweg’s Confusing Web of Automattic, WordPress, WordPress.org, and the WordPress Foundation

Matt Mullenweg’s extortion campaign against a competitor of his for-profit company has led to more focus on the web of entities Matt Mullenweg has created and a lot of confusion between them. We are going to try to untangle those in this post. There are three or four central ones and two additional ones worth mentioning. If we have missed something (the web is complicated), please leave a comment so that we can update the post.

Automattic

Automattic is Matt Mullenweg’s for-profit company that has various WordPress focused solutions as well as unrelated ones. The WordPress related solutions include Akismet, Gravatar, Jetpack, Pressable, WooCommerce, WordPress.com service, and WP VIP. They also are investors in other companies in the WordPress space.

16 May 2023

Akamai SIG’s Advanced Custom Fields (ACF) Attack Claim Confuses Script Kiddie With Attacker

In the past couple of days there have been scary sounding claims from journalists related to a recently fixed reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced Custom Fields (ACF), which we had detailed on May 4 after a machine learning (AI) based system of ours flagged the fix being made. The journalists claimed that an attacker was trying to exploit this, with headline claims including “Hackers target WordPress plugin flaw after PoC exploit released” from the Bleeping Computer, “Hackers exploit WordPress vulnerability within hours of PoC exploit release” from CSO Online, and “ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement” from the WP Tavern.

Those stories are somewhat inaccurate, as they are citing another company’s disclosure a day after ours as being when the vulnerability was disclosed. But the far larger issue is that it seemed highly unlikely that an attacker was really trying to exploit this. If that were true, it would be rather newsworthy, since we have seen no evidence of any wide scale exploitation of reflected XSS vulnerabilities in WordPress plugins. It turns out the source for those stories, Akamai Security Intelligence Group (SIG), confused a script kiddie with an attacker, leading to those misleading stories.

19 Dec 2022

Matt Mullenweg’s WP Tavern Didn’t Allow Question on Significant State of the Word Related Security Issue

Heads of tech companies controlling the online conversation has been a big issue recently, based on Elon Musk’s takeover of Twitter and subsequent actions. WordPress has a similar issue that doesn’t get much attention, probably explained, in part, by the more systematic control. The head of WordPress, Matt Mullenweg, is the person who controls what news outlets are shown in the WordPress dashboard. He also has at least some level of control over several of those, including direct ownership of what is probably the largest WordPress news outlet, the WP Tavern.

The ownership of the WP Tavern is barely disclosed. For example, a recent story about a State of the Word speech given by Matt Mullenweg makes no mention of that, despite him being central to the story. The only place that appears to be disclosed is on the About page, which is linked to from the footer of the website, and even that mentions that his ownership was hidden away for two years:

29 Nov 2021

WP Tavern’s Justin Tadlock Won’t Address Lack of Due Diligence With False Claims from Patchstack

Earlier this year we ran across claims from the web security company Patchstack that a bug bounty program they were running, which they were misleadingly marketing as a “red team”, was finding an extraordinary number of vulnerabilities in WordPress plugins.

In May, for example, they claimed that there were 292 vulnerabilities found and that one of the submitters found 149 vulnerabilities and another found 101 vulnerabilities. Both the total and individual numbers sounded hard to believe based on our experience, both collecting data on vulnerabilities in WordPress plugins and discovering vulnerabilities.

16 Aug 2021

Why doesn’t WP Tavern want their readers to have accurate information on the state of WordPress security?

One of the biggest impediments to improving the security of WordPress is the sheer amount of misleading and outright false information that exists out there. Take the most popular security specific WordPress plugin, Wordfence Security, which, as we noted on Friday, is promoted by its developer and by others with the unqualified claim that it stops websites from being hacked. Not only could it not provide that level of protection, but testing confirms that it actually fails to provide the kind of protection it should be able to and that other security plugins do provide. If people knew the truth, they could be taking advantage of the additional security that other plugins provide. On the developer’s part, they clearly know what they are saying isn’t true, and that statement isn’t an aberration, as we have repeatedly seen them telling lies that involve overstated claims about the capabilities of their plugin and services.

You would reasonably expect that journalists covering security would be warning the public about a company like that, but what we have found instead is that those journalists often act more as a PR arm of security companies (often dishonest ones) than as journalists. In some cases that is a rather literal situation, as there are multiple security journalism outlets that are publicly acknowledged to be owned by security companies (and another that is no longer acknowledged to be owned by a security company).