WordPress.org's latest move involves taking control of a WP Engine plugin

252 points | posted 12 hours ago
by lsaferite

185 Comments

pluc

8 hours ago

Got a call today from a client I hadn't heard from in 5 years. They use ACF, they use another plugin that WPEngine acquired to move their uploaded files to S3. They're freaking out at all this and worried about how the next thing might impact their business... so they want off WordPress.

Thanks for the work, Matt!

RobotToaster

11 hours ago

Wordpress banned forks from the plugin directory a while ago, so they're doing what they ban everyone else from doing. https://make.wordpress.org/plugins/2021/02/16/reminder-forke...

asddubs

10 hours ago

That post seems to be about forking open source plugins which cost money. From what I can tell they did fork this plugin but are not offering its premium features for free.

Just to preempt people arguing with me, please note that this comment isn't meant to be an ethical defense of them one way or the other, but just a factual correction.

luckylion

5 hours ago

It's a freemium plugin though, the advertisements for the pro-version and the update-funnel are how you pay for it.

If WP had only fixed the error but not removed all of those things and hadn't claimed authorship themselves ("By Wordpress.org", and putting themselves at the top of the contributors while they're certainly the one with the fewest contributions), that argument would be different, I believe.

Would wordpress.org allow WooCommerce to be forked, uploaded with no modifications beyond all references to WooCommerce being changed to YouCommerce and all mentions of Automattic being wiped? I don't see that being allowed.

vintagedave

12 hours ago

> It’s not clear what security problem Mullenweg is referring to in the post.

Where is the CVE? What risk is there continuing to use the original plugin? No details at all. This results in fear: we don't know if the original is safe to use.

> Going forward, Secure Custom Fields is now a non-commercial plugin

Does this imply that Wordpress is potentially going after a revenue stream from WPEngine?

If the plugin had Pro options* then are those closed source and so not available to Wordpress in their fork of the codebase? It's not clear.

* https://www.advancedcustomfields.com/pro/

maxloh

11 hours ago

> Where is the CVE? What risk is there continuing to use the original plugin?

Here’s the diff showing what has changed: https://plugins.trac.wordpress.org/changeset?new=3167679%40a...

jeroenhd

11 hours ago

I do see various security fixes in that patch, but most of the changes are removing references and code for a "pro" version of the plugin.

I'm guessing the WP security team has been pentesting any WPEngine code they could get their hands on to find an excuse to make all of these changes. The security issues do look bad (once again proving that WordPress' worst vulnerabilities come from the plugins they install) but I think the branding removal is pretty wild.

A quick skim through the plugin development guidelines does seem to indicate that trialware isn't allowed, and the plugin seems to be doing all kinds of other stuff that isn't really permitted by the guidelines. I don't know if WordPress is as strict in enforcing those as they are with this plugin, but the changes do seem to be based on them.

With WPEngine recommending people to install their (vulnerable) version, I once again feel like there's no right side in this conflict. What a mess.

Svip

11 hours ago

     -        public $version = '6.3.6';
     +        public $version = '6.3.6.2';

Why would you break the version standard? Maybe there are scripts expecting a specific format or some such. Also, given the majority of this change, I think 6.4.0 or even 7.0.0 is more in order, but at least 6.3.7.

Edit: To make matters worse, elsewhere in the code, it's referenced as 6.3.8. Very confusing.

Genbox

11 hours ago

For those reviewing the changeset: There are two places where they read a value directly from $_POST into an $args array. There is no validation applied, which means an attacker can inject whatever value they wish.

talkin

9 hours ago

And 2 problems in the fix:

- It’s a specific symptom fix: The same problem could occur with $_COOKIE or $_REQUEST always being available

- The cleanup is not done in a finally{}, so random missing vars when an exception occurs.

Exec summary: Horrible code as always in WP.
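As an added illustration (not code from the changeset or from any commenter, and with invented function names), a hypothetical PHP sketch of the two patterns raised in the comments above: copying request input into an $args array unvalidated versus allow-listing it, and withholding $_POST from a callback with the restore placed in finally{} so that an exception cannot leave the superglobal emptied for the rest of the request.

```php
<?php
// Added example: a hypothetical sketch of the two patterns discussed in the comments.
// It is not code from the ACF/SCF changeset; all function names are invented.

// Pattern 1: request input copied straight into an $args array.
// Whatever the client sent, of whatever type, becomes a query argument.
function build_args_unvalidated(array $input): array
{
    return [
        'orderby'        => $input['orderby'] ?? 'date',
        'posts_per_page' => $input['per_page'] ?? 10,
    ];
}

// Hardened form: allow-list the string and range-check the integer before either
// reaches $args. Unknown or out-of-range values fall back to safe defaults.
function build_args_validated(array $input): array
{
    $allowed_orderby = ['date', 'title', 'name', 'modified'];
    $orderby = $input['orderby'] ?? 'date';
    if (!is_string($orderby) || !in_array($orderby, $allowed_orderby, true)) {
        $orderby = 'date';
    }

    $per_page = filter_var(
        $input['per_page'] ?? 10,
        FILTER_VALIDATE_INT,
        ['options' => ['default' => 10, 'min_range' => 1, 'max_range' => 100]]
    );

    return ['orderby' => $orderby, 'posts_per_page' => $per_page];
}

// Pattern 2: withholding $_POST from a callback. The restore sits in finally{} so
// an exception thrown by the callback cannot leave $_POST emptied afterwards.
// $_REQUEST is a separate array populated from $_GET, $_POST and $_COOKIE when the
// request starts, so clearing $_POST alone does not hide the same values from code
// that reads $_REQUEST or $_COOKIE; that is the "symptom fix" point made above.
function run_without_post_data(callable $callback)
{
    $saved_post = $_POST;
    $_POST = [];
    try {
        return $callback();
    } finally {
        $_POST = $saved_post;
    }
}

// Constructed demo input standing in for a hostile form submission.
$hostile = ['orderby' => 'meta_value; DROP', 'per_page' => '-999999'];

// The unvalidated builder hands the hostile string straight through;
// the validated builder falls back to 'date' and 10.
var_dump(build_args_unvalidated($hostile));
var_dump(build_args_validated($hostile));

// The callback throws; $_POST is nevertheless restored by the finally block.
$_POST = $hostile;
try {
    run_without_post_data(function () {
        if (!empty($_POST)) {
            throw new RuntimeException('callback saw $_POST');
        }
        throw new RuntimeException('simulated failure inside callback');
    });
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump($_POST === $hostile);
```

Run with `php example.php`. The allow-list approach is preferable to blocklisting because the set of acceptable `orderby` values is small and known, while the set of hostile inputs is not.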

sschueller

11 hours ago

In 2024, wtf. How can anyone especially on software with this kind of reach still do such absolute amateur things?

echoangle

10 hours ago

I can't speak for WP Engine devs specifically but for Wordpress customization developers, the ones I've worked with were just absolute amateurs. The people doing this are mostly untrained people hacking together stuff layer upon layer until it kind of worked. Don't even ask about using version control. I don't want to say this applies to every Webdev but it attracts a group of people that aren't too much into IT but want to quickly learn programming to have a job.

criley2

8 hours ago

> want free software to run website

> want free plugins to add functionality to site

> absolutely will not hire developers or pay for software or plugins

> how dare the free plugin for my free software not be coded to the highest standards

luckylion

5 hours ago

That code is identical to the commercial version ACF Pro which currently costs $49/yr for a single website.

grayhatter

11 hours ago

wow, they deleted 300 lines, many giving credit to others, just to replace it with

> Security - ACF defined Post Type and Taxonomy metabox callbacks no longer have access to $_POST data. (Thanks to the Automattic Security Team for the disclosure)

If I was on that security team, I would be livid they used my team's name on this behavior.

If this was done by that security team, their ethics are disgusting, and likely non-salvageable...

Still looking for the security exploit worthy of a plugin takeover though.

Edit: best I can figure tonight is it's some concern over CSRF, but they don't even sanitize $_GET nor $_SESSION, only _POST and _REQUEST... so either it's more complicated than it looks on the surface, or this "fix" is partial at best, and wasn't written by someone from security. (It's also possible or likely that I'm missing some context, it's been a long time since I've had to work on php)

luckylion

11 hours ago

It's extra funny when you consider all the recent acts where some plugin developer sells his plugin to some shady company, they go and add "functionality" to it that fundamentally changes the plugin, adds forced widgets to users' websites to promote their services etc, and the WP security team is like "they're allowed to do that, that's perfectly fine".

I don't know how much overlap there is between the Automattic and WP security teams but I assume there's some like with most things in WP.

rmbyrro

11 hours ago

> This results in fear: we don't know if the original is safe to use.

The exact result intended by Matt, I presume. He wants to scare WPEngine's customers away from their services.

At this point, this looks more like a war between personalities.

closewith

10 hours ago

> At this point, this looks more like a war between personalities.

There only seems to be one personality at play to me.

skywhopper

8 hours ago

Who’s the other “personality”?

aeurielesn

12 hours ago

My understanding is ACF injected notices for their personal legal gains on everyone's dashboards. I wouldn't be surprised if such thing is a breach.

ImPostingOnHN

6 hours ago

My understanding is that it was actually matt who did that, and he did it so he could denounce WPEngine to their customers, due to his personal vendetta against WPEngine, because WPEngine refused his shakedown attempt for money.

This is cited in WPEngine's lawsuit. Like you said, I wouldn't be surprised if this behavior of matt's was a breach.

maxloh

11 hours ago

> If the plugin had Pro options* then are those closed source and so not available to Wordpress in their fork of the codebase? It's not clear.

Because WordPress is licensed under the GPL, all plugins must be licensed under GPL-compatible licenses. This applies to ACF Pro as well.

mimsee

11 hours ago

As far as I've understood, the copyleftness of Wordpress's GPL tainting themes and plugins is or at least has been controversial (I'm not in the WP community, but have read stuff regarding this drama). Wordpress itself uses React and other non-GPL licensed software in the core that yes, may be GPL-compatible but doesn't enforce everything to be GPL'd. When it comes to themes and plugins, I'd consider that userspace, akin to how installing Spotify on Ubuntu doesn't make Spotify suddenly GPL'd.

ThatPlayer

10 hours ago

In Linux, not even in user space: ZFS is developed as a kernel module rather than in the mainline Linux kernel because of its GPL-incompatible license. Or Nvidia's Linux drivers aren't even open sourced. Well, AMD has proprietary Linux drivers too, but they have an open sourced one also.

no92

10 hours ago

Not detracting from the point you're making, but the kernel side for Nvidia drivers for Linux is published on GitHub, by Nvidia. The userspace side is still delivered as pre-compiled binaries, though.

ThatPlayer

9 hours ago

You're right. But that's a somewhat recent (2 years) release and not compatible with as many GPUs as their closed-source kernel-side drivers, which are still on version parity.

My 1080Ti isn't compatible with those drivers, so I do forget about the open sourced ones.

luckylion

11 hours ago

Fundamentally yes, though it hasn't really been tested in court and I'm not sure that plugins really are obviously derivative works - you can create a plugin that doesn't depend on WP but can be used with WP, but I'm not a lawyer.

Matt and WP's position however includes that this applies to the PHP code but not to accompanying assets like images, CSS, JS (because those can obviously be used without WP). Those only need to be GPL if you want to host it on wordpress.org which the commercial versions of those freemium-plugins are not.

thih9

11 hours ago

The appropriate twist here would be to have WPEngine find a trusted third party (one or more), start a foundation together and successfully fork wordpress.

lordofgibbons

11 hours ago

Didn't this whole thing start because Automattic was complaining that WPEngine wasn't contributing much to the Wordpress development but competing with them for free?

mrweasel

9 hours ago

That was my impression too, but now we learn that they have made plugins available, so they are contributing to the Wordpress community, but they're doing it wrong?

I feel like Wordpress is going down the same path as Elastic and other companies have done, make something, open source it and then make a fuss when other companies "misuse" their code? If you want that tight control over how others use your code, then maybe consider not picking an open source license?

slyall

10 hours ago

That's one of Matt's claims. Personally I suspect the actual trigger was WPE removing Automattic's affiliate key from WooCommerce and costing them $m/y of revenue.

ThatPlayer

10 hours ago

That's also one of Matt's claims. According to WPE's court filings, they claim it was an alternate/fork of WooCommerce's Stripe integration they provided with additional features, and makes them less than ~2000$/mo.

If that claim is false, that's perjury.

batuhanicoz

10 hours ago

Our attempts at resolving trademark issues with WPE predate our discovery of the attribution removal.

closewith

9 hours ago

Who is our in this context?

If you are a party to this dispute, why on Earth would you comment publicly?

Kye

7 hours ago

It really is strange Automattic's lawyers haven't clamped down on any public comment. Have any of WP Engine's people been as free with commentary as Automattic employees have been?

If I were an employee at a company being sued I wouldn't say anything related to it even without an order from legal because I wouldn't want to have to risk answering for it in the trial. Why dangle yourself out there as a target for the opposition's lawyers?

thih9

10 hours ago

What do you mean by “trademark issues”? Is this about the WP in the WPEngine’s name? If yes, what about other companies in a similar position?

kgeist

9 hours ago

The abbreviation "WP" was initially permitted for use before they retroactively changed it a few days ago. Saying "We host WordPress" on WPEngine's site constitutes as much trademark violation as a random shoe shop listing Nike shoes in their catalog. It seems this is more about attempting to undermine a competitor, with trademark issues serving merely as an excuse.

Kye

7 hours ago

The claim is they spent over a year trying to convince WP Engine to pay up. But based on what I've seen, it was probably increasingly pouty complaints and demands leading up to the threat to go nuclear at WCUS 2024.

I wouldn't take how this played out as evidence that WP Engine was opposed to making more significant contributions like sponsoring a real, independent foundation or even putting a significant portion of its revenue toward the project.

bravetraveler

11 hours ago

If not for Microsoft I'd suggest calling it "Word", no need for the Press.

nopakos

11 hours ago

What about "Press"?

bravetraveler

10 hours ago

I like it, a lot of room to play with things like 'imPress'

slyall

10 hours ago

Considering this dispute already involves trademark confusion allegations I'd avoid the words "word", "press", "WP", "auto" and "matic" completely.

thih9

6 hours ago

How about ProseWeb? Moving from WP to PW seems particularly petty; perhaps fitting in a dispute like this.

mrweasel

9 hours ago

Just call it TextPress.

teruakohatu

11 hours ago

I think Matt would be quite happy with that. His issue is WP Engine not contributing to WordPress. If they decide to maintain a fork and infrastructure, they won't be freeloading anymore.

Edit: That attracted a lot of downvotes. I was giving my opinion in response to the parent comment. In my opinion Automattic would be happy if they forked it.

closewith

10 hours ago

On one hand, the claim is that WP Engine contributes nothing to the WordPress ecosystem. On the other hand, the necessity for Automattic to fork a plugin developed by WPE suggests that WPE has been contributing something significant—so significant that its continuation is essential for the community.

thih9

11 hours ago

If the new project offers a more stable platform, one that cannot be controlled by a single person, the community might like that more and might move; then there will be little left to freeload.

Is that an option btw? I.e. is it possible to offer hosting with seamless migration from wordpress.org?

serial_dev

11 hours ago

Where is it in the license that you need to contribute to the project if you make big bucks? We have open source licenses for a reason, contributing back is never a requirement. If you believe that is his issue, I have a bridge to sell you.

saaaaaam

10 hours ago

Mullenweg literally said that this was his issue. That’s what kicked off the whole debacle.

serial_dev

10 hours ago

Bill Clinton said he didn’t have relations with that woman.

At some point in life, people usually stop believing everything that others “literally said”.

saaaaaam

7 hours ago

Right, sorry, I see what you mean. You mean “if you believe that the issue is truly as he describes it publicly and not in fact something else” rather than the literal interpretation of “if you believe that this is his issue”.

My answer was based on the fact that I’ve seen several people who are unaware of what Mullenweg’s said that precipitated the row.

ImPostingOnHN

6 hours ago

matt's actions which precipitated the row were to demand that WPEngine pay 8% of their revenue to Automattic, a private-equity-associated, for-profit corporation matt runs.

Money, more and more money for matt, seems to be matt's driving motivation here. He seems to be projecting his own greed onto others.

teruakohatu

10 hours ago

> Where is it in the license that you need to contribute to the project if you make big bucks? We have open source licenses for a reason, contributing back is never a requirement. If you believe that is his issue, I have a bridge to sell you.

I never said that the license forced them to contribute.

immibis

11 hours ago

WPE contributes to WordPress; Matt is just full of shit on this. It's an excuse, not a reason.

ryukoposting

11 hours ago

What does WPE contribute? I ask from a place of curiosity. Code, money?

saaaaaam

10 hours ago

Beyond code and money, both of which I believe they contribute - though apparently not enough to satisfy Matt Mullenweg - you could argue that they offer a very straightforward distribution/adoption channel in terms of straightforward infrastructure.

I hate WP Engine - having had first hand dealings with them after they acquired a company I’d spent tens of thousands of dollars with - but nonetheless I feel like there’s probably a pretty strong argument that simple straightforward Wordpress hosting means more people use Wordpress which strengthens the overall ecosystem.

When I first started using Wordpress there was a steep learning curve to get it configured correctly on hosting where stuff wouldn’t break.

I used to pay someone to do that for me, and when they gave up doing that I moved to Flywheel (which was later acquired by WP Engine) and suddenly all of my previous problems with Wordpress from a hosting perspective vanished.

It just worked and the Flywheel support team was amazing and would even unofficially support the wider implementation of Wordpress (“I changed this and now that thing has broken… I know it’s not your fault but any suggestions?” “Hey, here’s the problem, plus we have fixed it for you!”)

That made me stick with Wordpress for years and build out more sites in Wordpress and recommend it to friends and clients.

Most small businesses (which represents the majority of Wordpress users) don’t want to have to think about hosting: in the same way they expect their mobile phone service to just work, and email to just work, they need Wordpress to just work.

Whatever issues I have with WP Engine they offer a very straightforward “forget about it” service for running Wordpress which ultimately means more people are likely to use it.

mst

10 hours ago

On code contributions, I believe the accusation was that the amount of developer time they fund is tiny relative to the size of the company.

I've not seen numbers comparing other significant WP users to them, though, only comparing them to Automattic itself, which seems a bit apples to aardvarks to me.

underdown

10 hours ago

At a minimum a plugin that Wordpress was forced to “fork”.

odo1242

4 hours ago

They have an equivalent of 1-2 full time people working on it, they sponsor the WordPress conference, and they make a couple really important plugins almost everyone uses

jeltz

11 hours ago

Both. Matt just does not think they contribute enough. Either that or he is angry that they are more successful than his own company.

stefanos82

11 hours ago

Even if they find a middle ground to this mess that Matt has created, I very much fear that the damage to the community is done and it's only a matter of time before the popularity of the once famous platform that almost everyone uses in one way or another collapses.

Etheryte

11 hours ago

For better or worse, I would optimistically say that that might be a good thing. WordPress has given a lot to the internet over the years, but a very large portion of its giving has been pwned sites and security issues. If this leads to either the birth or popularization of a tool that's modern and secure, that would be a net win for everyone involved.

seydor

9 hours ago

I can only imagine how much worse it will be if wordpress is hastily replaced with some javascript contraption

arend321

10 hours ago

It sounds a bit similar to when Drupal faded to obscurity during the Larry Garfield saga. Of course there is a long run up that finally explodes with a high profile issue, but the writing could be on the wall for WordPress.

switch007

10 hours ago

Depends how good their PR is. By all accounts, their current PR is not very good

saaaaaam

10 hours ago

I think their current PR seems to be Matt Mullenweg himself.

And the more I hear him speak - having never really concerned myself with anything he said - the more loopy and disconnected from reality he seems. Post-economic!

Sometimes it’s great to have a slightly crazy visionary with utopian ideals who is prepared to say whatever they think will effect change. But also: Elon.

gjvc

10 hours ago

Good. WordPress is merely the tallest dwarf.

withinboredom

12 hours ago

They either have some of the best or worst legal counsel; or they just ignore the legal counsel.

threeseed

12 hours ago

They also have the worst social media team I have ever seen:

https://x.com/WordPress/status/1845121130207535524

docdeek

11 hours ago

This is wild. Surely Matt isn't tweeting from the official account - marketing would not allow that, right?

Hamuko

11 hours ago

You mean his subordinate after he gave six months worth of pay for everyone not on his side to leave the company?

pluc

8 hours ago

"You don't agree with what I'm about to post? Here's a severance check."

miragecraft

11 hours ago

I thought I was reading a tweet from Wendy’s.

pwdisswordfishz

11 hours ago

Who is she, though?

InsideOutSanta

11 hours ago

1. It doesn't matter.

2. It takes one click to find out that she's the "founder of http://Client-Portal.io, a WP plugin for freelancers to use with their clients to keep track of all the deliverables in a centralized portal"

ablation

11 hours ago

Mullenweg taking a leaf out of the Musk PR playbook, clearly.

sureIy

12 hours ago

Some people just think they're above the law. This Matt guy has gone mental.

withinboredom

12 hours ago

Yeah, but pretty sure some of the employees/volunteers are in on it or "just following orders."

speedgoose

11 hours ago

Yes, no one stopped the co-founder and it's unlikely he did the fork and the change of ownership only by himself. Other people at Automattic are responsible too.

InsideOutSanta

11 hours ago

All the sane people left when Matt offered them $30,000 or six months of salary to quit.

sureIy

11 hours ago

Considering how many people stayed, it's clear that they've been brainwashed to think what he's doing is ok.

slyall

10 hours ago

Or they didn't feel confident about quickly getting a new job in this market. Especially since Automattic is mostly/entirely WFH.

It's pretty unlikely the company will go completely broke any time soon so their jobs are probably fairly safe.

labster

11 hours ago

One of Automattic’s statements was issued by Neal Katyal, who was Acting Solicitor General of the United States. I would tend towards thinking the client himself may be the problem.

raverbashing

11 hours ago

While the situation is much less problematic, I think WordPress management could listen to their lawyers more

sccxy

12 hours ago

Mullenweg is hijacking existing users with supply chain attack.

shprd

11 hours ago

> supply chain attack.

Where's the "attack" part? I thought that was a crucial part in the definition

crote

11 hours ago

The author of a library has lost all control over the codebase, and a third party is now making changes to it. That's pretty much the textbook definition of stage one of a supply chain attack.

Considering what Matt has already done, it wouldn't even remotely come as a surprise if a future ACF update would, say, brick all WP installations using ACF on a WP Engine host.

mimsee

11 hours ago

> brick all WP installations using ACF on a WP Engine host

That tactic would work, if WP Engine had access to the update server hosted at wordpress.org.

shprd

11 hours ago

It's like claiming going to the bank is stage one in a robbery. So if you go to the bank you're a thief.

WordPress have the rights, just like the responsibility and possible liability of everything distributed on their platform.

chucky123

11 hours ago

It's more like gaining backdoor access to the bank's server.

At this stage no attack has happened (but can happen)

shprd

11 hours ago

They didn't gain access anywhere, it's their platform.

immibis

11 hours ago

If the bank starts fiddling with the numbers in your account: "I'm not being attacked, it's their database"

shprd

10 hours ago

> bank starts fiddling with the numbers in your account

If a bank messes with your money, you ask for your money when that happens. Not defame the bank because they updated their database, business as usual, but you liked the old one.

How exactly did they mess with your stuff? Where's the attack you're speaking about? Where's the physical harm?

immibis

4 hours ago

The database says you have zero money, in fact you are not even a customer and never were, good day sir.

shprd

4 hours ago

The paid version of ACF is not affected, so I'm not sure what you are talking about?

What money? who did you pay? for what?

rbanffy

11 hours ago

Injecting code that creates misleading or malicious dashboard warnings is a supply chain attack, even if it’s the intent of the supplier and not a malicious third party interfering with the supply chain.

shprd

11 hours ago

> misleading or malicious dashboard warnings

Who did that? WP Engine was the one making these before the change

msephton

10 hours ago

Wow, the WordPress name is being ploughed into the ground with this sort of behaviour.

josephg

10 hours ago

Well, they banned Wpengine from updating their package in the repository. Then the package maintainers found security problems - which they can’t fix with an update because they’re locked out.

It makes a weird sort of sense. Ie, wp.org backed themselves into a corner where they needed to close the security hole. And to do that, they needed to patch it themselves, which in turn requires them taking over the package.

It’s shocking, yeah. But it would probably be worse if they just left the (known, publicised) security vulnerabilities in.

srmarm

9 hours ago

They could have backed down and allowed WPEngine to publish an update or even published it on their behalf. Instead they've doubled down and taken this ridiculous action that undermines the whole wp/plugin ecosystem.

None of this is necessary.

Havoc

11 hours ago

This is starting to be just vanilla sad.

Pity that there isn’t a comparable ecosystem that is less…mercurial

itfossil

8 hours ago

What the hell is Mullenweg smoking? Seriously. This dude has completely lost what little was left of his mind.

recursivegirth

6 hours ago

Just finished submitting our company's RFP to 4 vendors for our 2025 website redesign. We are moving from WP to a React enterprise CMS. Thanks for the job security Matt :).

spiderfarmer

11 hours ago

I just cancelled my ACF subscription as it's up for renewal in 30 days. I'll wait and see how the dust settles.

labster

11 hours ago

My advice would be to make plans to move away from WordPress entirely. While I think that the “supply chain attack” is hyperbolic, if technically true, it’s indicative of an organization that cares about winning more than ensuring any form of stability whatsoever to their users and clients. Beware.

DoubleGlazing

9 hours ago

I agree, If I were an IT manager this sort of stuff would make me start looking at alternatives.

If an app/plugin/package is maintained and published by X, I want to make sure no one else can interfere with it - even if they have good intentions.

What Automattic should have done is removed the plugin from distribution and told WP Engine to fix the problem. By doing what they did they have breached the trust of their users.

gtvwill

9 hours ago

This is gonna be a hard move for some of the IT companies I've seen who have based their entire business around WordPress websites. They literally don't have the skill to use anything else as WP is all they know. Rip.

spiderfarmer

11 hours ago

Good advice, but it's a subscription I'm paying on behalf of a customer for a website I made 5 years ago. It's one of the few Wordpress websites I made as I hate the development process and the bloat of it all.

tiffanyh

8 hours ago

Didn’t WPE change ACF to pull updates from WPE (on Oct 2nd), essentially at Matt’s request … because one of Matt’s issues with WPE is that they were putting undue infrastructure load/cost on Wordpress.org

And then days after WPE makes this update, Matt then hijacks their plugin.

Am I understanding this correctly?

https://www.advancedcustomfields.com/changelog/

shdon

12 hours ago

Mullenweg calls it a fork. I could see that being somewhat okay if it's indeed for security fixes, but removing the upsells is petty at the very least. But a fork doesn't take control of the original, so I wonder what they did there? Perhaps a redirect from the ACF entry to SCF?

To be honest, none of this makes WordPress look good... It just seems like a douche move.

k1kingy

9 hours ago

It can hardly be called a fork when you wipe every mention of the original dev team in the codebase, and start a fresh changelog with 'Patched security fixes' whilst thanking his team. It's an absolute takeover not a fork.

mananaysiempre

9 hours ago

The thanks come from the upstream release notes for 6.3.8, FWIW.

justinclift

10 hours ago

Well, I hope he's going to pay people to maintain that plugin now.

Because the original author (or team?) is probably motivated to move on to other endeavours instead.

dustingetz

9 hours ago

can someone please explain the feud for those of us who are out of the loop?

sccxy

9 hours ago

Matt Mullenweg - owner of wordpress.org (open-source project) and wordpress.com (paid WordPress hosting provider)

He is angry that WPEngine makes money with Wordpress hosting. He thinks wordpress.com should be the only paid WordPress hosting provider.

He demanded 8% of revenue of WP Engine or he would embark on a “scorched earth nuclear approach” to WP Engine.

https://bullenweg.com

chii

8 hours ago

wordpress itself is GPL, so anyone, not just WPEngine, should be allowed to freely provide hosting.

This is exactly what Elasticsearch faced, which necessitated their changing of their license, and subsequently caused AWS to fork Elasticsearch.

Elasticsearch cannot, and does not, have the right to demand payment from AWS.

2-3-7-43-1807

11 hours ago

Now who's the heel and who the face?

chrishare

10 hours ago

Not a WordPress client but seems like this Matt dude has go-away heat

nurettin

12 hours ago

You make an opensource project, provide hosting services, then others take your project, modify it for their needs, cut into your hosting market share and then you try to get rid of them.

...What was the end game plan?

mirzap

10 hours ago

Automattic was an early investor in WPE in 2011, but then they made a mistake and sold their shares.

In addition, the GPL allows you to do what you mentioned. You can take any GPL-licensed code and use it for commercial purposes without having to contribute back. The license is designed to protect you in this way, and it aligns with the spirit of GPL. Expecting something in return for open-sourcing code is not in line with the spirit of GPL and open-source software. If you're not comfortable with other people making money from your code, it's best not to open-source it.

gorbachev

11 hours ago

At this point I wouldn't be surprised if he had secured funding for a new CMS platform startup and is secretly working on it. He seems absolutely hellbent on assuring nobody should use Wordpress.

mimsee

11 hours ago

After this, who would trust his second try?

gorbachev

11 hours ago

I certainly wouldn't, true.

maccard

10 hours ago

I don’t think this is a reasonable argument. The landscape when Wordpress was released was wildly, wildly different to how it is today, and we shouldn’t begrudge someone for not foreseeing how this would unfold from the landscape in the mid-2000s.

We should judge for how it’s being handled now.

weird-eye-issue

9 hours ago

What a terrible take

WordPress.com is only successful in the first place because WordPress was open source and had so many hosting options

Also what do you mean it was modified? WPE didn't fork or modify WordPress any more than other hosts

RobotToaster

10 hours ago

He didn't make shit, wordpress is a fork of b2/cafelog.

bagels

10 hours ago

To me, WordPress used to be the thing you used if you wanted a website that was easy to put together but was full of third party php spaghetti code and security holes.

Now, it's completely radioactive.

everforward

9 hours ago

I wouldn't even really call it that. I only think Wordpress is easier if one of two things is true:

1. You are actually building a dynamic site; eg WooCommerce is much easier than building your own storefront.

2. Your users refuse to use Markdown, and are paying you enough to double the overhead and put it all on you.

It gives me a good chuckle when I see posts on here like "We use Wordpress and then scrape the static assets and serve it as a static site from S3". I won't denigrate those people; I'm sure there are good contextual reasons to do that. I just think it's a pretty damning indictment for it to be downgraded from "the software that runs the website" to "a web-hosted WYSIWYG editor for people who can't/won't do Markdown".

cj

9 hours ago

In my experience, Markdown isn't the barrier. It's the:

- Plugin ecosystem. Marketing people want to use specific plugins for SEO, automatic internal linking, etc. Those plugins only work with WordPress.

- Marketing people want to deploy to production. They hate waiting for dev to do anything (which brings us back to the importance of the plugin ecosystem, to add functionality without developers).

- It's a familiar system that doesn't need to be "learned" by end users (the same way VS Code, VIM, or whatever is your preferred code editor)

If it weren't for the first 2 barriers, I think the 3rd (learning markdown) is the easiest to overcome. Especially with side-by-side realtime markdown rendering, which itself is a form of WYSIWYG.

Edit: FWIW, we moved to Webflow at my company, used to be on Wordpress, and before that used to have a Markdown-compiled site, help docs, and blog. Markdown-compiled was my favorite as a developer (and also the most performant), but it was everyone else's least favorite because it required me to deploy and make code changes, and they weren't patient enough to put a ticket in for every change request. They also understandably didn't want to log in to GitHub to make updates to markdown files.

theyknowitsxmas

2 hours ago

Not really. Weird syntax is intimidating, GitHub for CMS is intimidating, people want nice goowies.

cj

2 hours ago

Asking your dev team to prioritize deploying updates to your markdown site is also intimidating. In most companies, everyone outside of engineering has a view of engineering that “Developers hate to be interrupted and need everything scheduled in a sprint 2 weeks in advance” - when marketing teams decide between Wordpress and a markdown system managed by the dev team, the choice is obvious (avoid anything that requires dev getting involved)

Easy GUI for writing and publishing to production, with no-code installable plugins that extend functionality, is exactly what Wordpress offers that markdown does not.

Webflow has a very similar value prop.

saaaaaam

10 hours ago

Absolutely. I moved a big revenue generating content site away from Wordpress about 18 months ago. With this absurd debacle going on, I’m so glad I made that decision.

fHr

9 hours ago

Wordpress made me quit web development and my job at one point, custom plugins in php 5 running on wordpress I think version 4 were a nightmare to maintain.

mikl

9 hours ago

1. Release your code as open source.

2. Make a fortune.

3. Complain that people are freeloading.

4. Abuse your power as project founder to punish them, torching the community trust you’ve built up over decades.

5. Profit?

Whatever Mullenweg hoped to gain by undermining WPEngine can’t possibly be worth the damage he’s done to WP and his own company.

huskyr

9 hours ago

I think the only reasonable course of action for Automattic would be for Mullenweg to step down and for them to make a mea culpa, but I doubt that will happen. Given that half of the web runs on WordPress, I wonder how many people will actually move away from WP as a CMS. Maybe if there is a successful community fork.

bdcravens

8 hours ago

They could also buy WP Engine. Or vice versa.

I doubt it will result in a mass migration. Many wouldn't move to a fork. We are very engaged in this kind of news, but the kinds of users who use WordPress often aren't. Our small company actually uses WP Engine, and I asked our owner (who also handles content, marketing, etc, and who I report to) if he had heard of what was going on, and he hadn't.

that_guy_iain

8 hours ago

They actually sold their stake in WP Engine... Maybe they realised that was a bad move.

karel-3d

9 hours ago

If I understand it correctly, the core of the dispute is trademark and that WPEngine somehow implies WordPress affiliation.

I can see both sides of the story here, but the scorched earth strategy doesn't seem to be very effective for building trust

prox

8 hours ago

The wording you use “effective for building trust” is a misnomer. As someone who uses ACF, I am suddenly an outcast in the world of Matt/Wordpress.org? And people who I know make money from plugins, are they next in line for the hostile takeover treatment?

This IS a violent breach of consumer/user trust. Whatever you thought before of this takeover/stealing, this is what trust gone looks like.

that_guy_iain

8 hours ago

>If I understand it correctly, the core of the dispute is trademark and that WPEngine somehow implies WordPress affiliation.

No, the core of the dispute is Matt wants either money from WP Engine or for them to contribute to WordPress. He's using the trademark as leverage. However, their usage of WordPress does not imply affiliation, instead saying stuff like "We bring WordPress to the masses".

The use of WP in their name was them actually following WordPress' trademark policy where they asked people not to use WordPress in their names but WP.

skywhopper

9 hours ago

I think the trademark issue is weak in this case anyway. WP Engine has been around for 14 years with that name, and has been part of the Wordpress community.

But absolutely nothing about a trademark dispute excuses the lies, unethical behavior, and just downright personal animus Mullenweg is pouring into this takedown.

lexicality

9 hours ago

He has certainly gained a lot of personal attention. Maybe he was feeling lonely?

dangsux

11 hours ago

This seems blown out of proportion. Do you think Mrs Bakewell and her cooking blog set up by her 14yo son are gonna care about this drama?

No. Neither are the larger companies using it for microsites.

mananaysiempre

8 hours ago

Both Mrs Bakewell’s fourteen-year-old son and the couple of guys setting up the large company’s microsite are downstream of what’s "in" among the larger web dev community, they’re just lagging behind it by several years (possibly; I wouldn’t be so sure about the fourteen-year-old).

There are of course platforms (it’s always platforms) that have survived losing their in-ness and are still in widespread use (even PHP, arguably), but those are generally described as proven, reliable, stable, well-supported, and so on. I’m not convinced that at this point Wordpress still has that road open to it, instead of only the usual slow decay of widely-deployed software, but either way I don’t think that a transition to a legacy status is a nonevent. It just takes some time to show up in the deployment statistics.

rafaelmn

10 hours ago

Honestly I don't get the backlash Mullenweg is getting - a corp is trying to freeload on the OSS community, GPL lets them have the code - but I'm all in favor of kicking them off of everything else.

maccard

10 hours ago

It’s a bit two-faced. He’s clearly abusing his position, and every time this topic comes up (see elasticsearch, terraform, redis from recent memory) HN has clearly been on the side of the open source license.

But, that’s not why he’s getting backlash. He’s getting backlash because he does what the “other side” did in all of these scenarios - invent reasons that are unrelated to the license dispute to cause the split. In this case, delisting their plugins from the central marketplace and implying trademark violations - while claiming that the problem is that they don’t contribute back to the ecosystem.

The real problem is that automattic want wpengine to “contribute their share” - by development or rev share, and they’re using dirty tricks and smear tactics to do so.

josephg

10 hours ago

Yep. And they’ve gone 0-to-100 within days.

I think he has a fair point - I’d be totally comfortable with a standing expectation in a community like Wordpress for companies to pay their way (or be looked down on & excluded from taking part in community events).

But the expectations have to be fair & transparent, and ideally communicated from the start, so people and companies can make informed choices about how they want to be involved. Not suddenly enforced with no lead time, with demands of money amounts seemingly made up on the spot, and “scorched earth” tactics when the demands aren’t met.

As a rule of thumb, bikes can start and stop fast. Cars should be more predictable on the roads. And trucks should accelerate and turn more slowly still.

If you’re big and powerful (government, standards body, maintainer of a huge opensource project, etc) you need to telegraph your moves and act slowly and predictably so other people can react to you. This is not how you do that.

maccard

7 hours ago

> I think he has a fair point - I’d be totally comfortable with a standing expectation in a community like Wordpress for companies to pay their way (or be looked down on & excluded from taking part in community events).

I agree with you, but this is a well trodden topic in the development community, particularly on HN - see Terraform for example [0]. One of the problems is that the world WP came to exist in and came to dominate the web in doesn't exist in the same form. There's been a few attempts at this and they've caused large fractures - nobody has really got it right yet.

On one hand you have a very vocal, and powerful group of people who believe that the freedom of the software is far more important than anything else, and those groups are often backed by large organisations that have the people-power to continue that effort (see: TF -> OpenTofu with Spacelift and co, Redis -> Valkey backed by AWS, and the OG split with Elastic). On the other hand you have a less vocal group who are more concerned with the functionality of the software rather than the original agreement that was signed (fair warning I fall in this category - I'm trying to remain Swiss in this comment), and accept that the terms of the deal have changed in that being Jeff'ed. (My reading of) The value of OSS in this group is the ability for the community to improve things, and to not end up locked into a problem that you have no solution to. The advantage here is that this group can just hitch their wagon to whichever solution appears to win out.

I don't see an easy path out of this that satisfies both camps, unfortunately.

[0] https://news.ycombinator.com/item?id=37081306

chii

7 hours ago

> ideally communicated from the start

if only a minority could grow big and sufficiently high revenue generating to be capable of paying anything, then having this concept of "paying back" from the start would've been a chilling effect on the adoption in the first place.

wordpress ecosystem is big, but it is the network effect, rather than the software itself. This network effect requires lots of individual participants to kick start it at the beginning. Those participants will benefit from the software being free.

If it was known at the start, that if you grew to a certain size, you'd have to start paying a royalty of some sort (which is the "community expectation of pay or contribution"), then you may not even start using the software in the first place - or at least, consider alternatives. This makes the ecosystem small.

They don't call it bait and switch for nothing. The expectation of contribution will never be transparent from the beginning.

rafaelmn

5 hours ago

> The real problem is that automattic want wpengine to “contribute their share” - by development or rev share, and they’re using dirty tricks and smear tactics to do so.

Again I don't see what's wrong with this? Clearly they have no recourse through GPL but they have trademarks and infrastructure. I don't see anything unreasonable about his behavior.

kmlx

10 hours ago

> a corp is trying to freeload on OSS community

automattic is worth a few billion. what are you talking about?

rafaelmn

5 hours ago

They are the single largest contributor to the project?

ThatPlayer

10 hours ago

Because I disagree with this definition of freeloading. They've offered a free, open source, very popular plugin for Wordpress, according to WordPress.org's plugin page, with 2+ million installs.

Wordpress forking and taking over the plugin seems like they've accepted the code/contribution.

rafaelmn

5 hours ago

Not contributing back to the project you're basing your business on (eg. the smallest example being infrastructure they are cut off from).

Honestly zero sympathy for WP engine, and I don't really see a better way to force them to pay.

Crazyontap

11 hours ago

So, ACF injected notices into everyone's dashboards to push their own legal agenda. It’s a move that reeks of self-interest more than community benefit.

While everyone’s ready to grab their pitchforks at Matt, this actually sounds somewhat reasonable. Still, given its impact, this could easily be seen as a breach of trust. Definitely a move that's going to stir the pot.

DonnieBurger

8 hours ago

I believe you may have the story confused. Please correct me if otherwise.

WordPress was the one who injected notices into everyone's dashboard. This started because the WP dashboard shows the blogs from wordpress.org, and then they published this post: https://wordpress.org/news/2024/09/wp-engine/

The result was WP Engine removing the widget that shows wordpress.org blogs on their installs.

aimazon

11 hours ago

Where does this claim come from? The article doesn't include it. Matt hasn't made this claim either.

kioleanu

11 hours ago

They should do that for all plugins that do it then, if it’s reasonable, right? Which is a lot of plugins.

PS: isn’t WooCommerce doing the exact same?

echoangle

9 hours ago

Assuming the notices are real and a problem, Automattic should cite that instead of making it about security issues. As it stands, that's just a claim.

beezlewax

11 hours ago

What notices were these?

that_guy_iain

8 hours ago

Just like WordPress does, right?

I assume you work for automattic, right? I've noticed when it comes to comments like this, normally they're made by automattic employees.

RobotToaster

10 hours ago

Honestly, everyone involved in this situation seems terrible.

With my own experience of the WP "community", that isn't a surprise.

danielovichdk

11 hours ago

I like this whole so-called debate because it mostly shows that if 40% of Websites can be run on top of WP then there is clear telling that we either haven't gone very far as an industry or that people that make websites couldn't give less fucks about who owns what plugin and what the fuck else people are yapping about.

Hats off to Matt for at least showing some personality and showing a bit of faith.

Now, go build another CMS. Use Rust or Go perhaps and make sure it can scale wildly

2024user

8 hours ago

The whole thing is confusing. It turns out WP Engine is not part of WordPress (despite the name) and has never contributed to WordPress. WordPress are trying to take more control of their name/trademark.

chii

8 hours ago

There's more to the story, as recounted in other threads here.

It isn't as one sided as you would imply.