7 Oct 2022

Automattic Employees Don’t Appear to Understand What Security Is

The WordPress community is in the midst of a controversy involving a strange, largely unexplained, situation. A chart that used to be shown on the Advanced View page for plugins in the WordPress’ plugin directory was removed. This is an example of that chart:

The chart simply showed the install growth of the plugin.

The chart was removed by someone who works for Audrey Capital, a business entity belonging to the head of WordPress, Matt Mullenweg. The reason given by that individual, Scott “coffee2code” Reilly, for the change was:

Plugin Directory: Remove active install growth chart from advanced view due to insufficient data obfuscation.

A different explanation for the change has been given by at least one employee of another of Matt Mullenweg’s entities, Automattic.

Yet another entity of Matt Mullenweg’s is the WP Tavern, which has twice covered the situation, with the author of the stories, Sarah Gooding, not disclosing that they work for Matt Mullenweg or that he owns the news outlet. In the second story, an Automattic employee was quoted claiming that the chart was removed due to a “security or privacy concern”:

George Stephanis, an Automattic employee who was not involved in the decision, claims that, “This chart was removed due to a Security or Privacy concern,” and speculates that it hasn’t been disclosed yet because it can’t be shared without putting users at risk.

It is odd to state that it was removed due to a security or privacy concern, while not even knowing which of those it is.

We tried to interact with an Automattic employee, who might be the same person quoted there, on Twitter. We first asked them what the possible security or privacy concern was in response to this tweet:

I believe the very first comment on the issue stated that after looking at the code (the non-public code that he has access to) JJJ confirmed it was for security or privacy reasons.

If you’re unwilling to take his word on it, why would any further assurances satisfy you?

The next day we tried again in response to this tweet:

It’s profoundly concerning to me the number of people who can hear “This feature was removed because of security/privacy concerns” and just demand it back, irrespective of who may be harmed.

Like, aren’t you the same mob that rips folks for not prioritizing security and privacy?

In both situations, they had no response.

If there is a security or privacy concern with that chart, it is beyond us. The best we can think of is that it refers to someone gaming the install count system, but that wouldn’t really be a security concern.

The mentality of that second tweet is concerning. Just because someone claims that there is a security issue, it doesn’t mean there is one. Automattic, through its WPScan service, is often an example of that, falsely claiming there are vulnerabilities in ways that don’t make any sense. We noted yet another example of that today, where they claimed a WordPress plugin with 5+ million installs had a vulnerability and that it was fixed, but either there wasn’t really a vulnerability or there still is a vulnerability they are not warning about.

To put it another way, security doesn’t involve trust without verification. When you don’t do verification, it can open up serious vulnerabilities, like the one that another Automattic employee introduced into one of WordPress’ plugins this week by failing to implement basic security checks.

Also, it isn’t a great look to think that people concerned about security and privacy are a “mob”, especially coming from someone who works for a company selling security solutions.
