18 Sep 2024

WordPress Was Going to Have a Conflict of Interest Policy, It Never Was Released

In March 2021, the Executive Director of WordPress announced that she was planning to put forward a Conflict of Interest Policy as part of a larger Contributor Handbook. In April 2022, she announced the release of two sections of the Contributor Handbook and said that in “coming weeks” a Conflict of Interest Policy and other sections would be released. Later that month, she announced another section and again said that in “coming weeks” a Conflict of Interest Policy would be released. In May 2022, she announced another section and again said that in “coming weeks” a Conflict of Interest Policy would be released.

That was the last announcement they made about the Contributor Handbook. The Conflict of Interest Policy and a promised Code of Ethics policy never materialized. We don’t know what happened, but we do know that the Executive Director of WordPress’ own situation seems like a major conflict of interest.

The Executive Director of WordPress sounds like a role that would be paid for by the WordPress Foundation. It also seems like a position that would be approved by the community or a board. It is neither of those things.

Instead, the Executive Director of WordPress is an employee of Automattic, the for-profit company of the head of WordPress, “where she leads the open source division that focuses on all aspects of open source contribution including design, development, volunteer engagement, and the health of the overall WordPress ecosystem.” She was put in that position in 2019 by the head of WordPress, Matt Mullenweg. There was no disclosure that she was employed by him or Automattic. There has been a continued lack of mention of her employment by Automattic, while others are frequently labeled as being sponsored by their employers. That has been especially noticeable at the Matt Mullenweg-owned WP Tavern.

Interestingly, she was announced in that role alongside someone in the role of Marketing & Communications Lead. That other person wasn’t an employee of Automattic. He left the role after less than four months and made this comment about Automattic:

My position is unclear, not just to me, but to many people which makes me uncomfortable. I’ve been asked dozens of times on Twitter, Facebook and at WordCamps why I now work for Automattic, which of course I don’t but that is the perception for a lot of people. On other occasions I seem to be the token non-Automattician, which I’m also uncomfortable with.

How exactly could someone have the role Executive Director of WordPress while being an Automattic employee without there being a conflict of interest? How many decisions could they be making in their Executive Director of WordPress role that wouldn’t impact the interests of Automattic?

As one example where there is a very obvious conflict of interest, WordPress is considering restricting plugins from automatically installing other plugins during setup. That is something that Automattic prominently does. They weighed in with this comment:

That’s where I’ve landed as well. I think for anyone building/managing a complex ecosystem using WordPress, the proposed ways forward could end up increasing user friction which has the potential to lower their success.

I would like to get a sense for the commonalities of this type of business apart from being commercial/community/canonical etc. I believe there is a lot of variety in the scale of support and company size for each of those groups, and I don’t want a rule that helps end users to become too onerous for small companies.

They don’t even disclose a potential conflict of interest there, and they cite small companies, while Automattic and other large companies are well known for doing this.

Their employment situation also seems like an ethical nightmare, which might explain the lack of a code of ethics ever being released.

For years, WordPress has notably not taken rather obvious actions that would improve security. Plenty of that would be positive for the WordPress community, but would not necessarily be a positive for Automattic. For example, last week we noted again that WordPress is not warning about known vulnerable plugins that are closed on the WordPress Plugin Directory while Automattic sells access to inaccurate information about.

We don’t see how having clear rules for handling conflicts of interest could make security worse, and it likely would make it better, as those blocking improvements often have conflicts of interest that others interested in implementing the changes don’t have.
