30 Sep 2024

Matt Mullenweg Can Hold WordPress Plugin Developers Hostage Too

As part of Matt Mullenweg’s extortion campaign against WP Engine, he blocked WP Engine’s customers from receiving software updates from wordpress.org. In an interview he did over the weekend, he wanted to highlight another aspect of this campaign. He had blocked WP Engine from providing updates in the WordPress Plugin Directory to their free plugin Advanced Custom Fields (ACF), which has 2+ million installs. That also applied to their other plugins. His comments were, like everything else from him, highly problematic.

He said that “They need to figure out how to get all those people using their own update servers.” Technically, it is actually easy to provide updates for plugins outside of the Plugin Directory. You only need a little bit of code in the plugin and hosting for a file that lists information on the latest version of the plugin, along with the .zip file of the plugin. WP Engine is a major web host, so they could handle serving up the .zip files. Presumably, Matt Mullenweg should be aware of that, as his competing company is in the hosting business as well. The problem is that the WordPress Plugin Directory doesn’t allow you to add the code needed to do that to the plugin. That is spelled out in guideline 8 of the Detailed Plugin Guidelines:

8. Plugins may not send executable code via third-party systems.

Externally loading code from documented services is permitted, however all communication must be made as securely as possible. Executing outside code within a plugin when not acting as a service is not allowed, for example:

  • Serving updates or otherwise installing plugins, themes, or add-ons from servers other than WordPress.org’s

So WP Engine would need to get people to replace the copy of their plugin with one that has the update code.
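The “little bit of code” referred to above, as an added example that is not code from this post or from WP Engine’s plugins: a filter on WordPress’s `pre_set_site_transient_update_plugins` transient that fetches a small JSON manifest over HTTPS and, if it advertises a newer version, hands core’s updater the .zip the manifest names. The manifest URL, the plugin URL and the manifest format are assumptions; the response fields (`slug`, `plugin`, `new_version`, `package`) are the ones core’s updater already expects from wordpress.org, and the host check keeps a tampered manifest from pointing the download elsewhere.

```php
<?php
/*
 * Added example: self-hosted plugin updates. The manifest URL below is a
 * placeholder; the manifest is assumed to be a JSON document such as
 *   {"version": "1.2.0", "package": "https://updates.example.com/my-plugin-1.2.0.zip"}
 */
add_filter( 'pre_set_site_transient_update_plugins', 'example_check_for_plugin_update' );
function example_check_for_plugin_update( $transient ) {
    // WordPress calls this before it stores its own update data; if that
    // data is not populated yet, leave it alone.
    if ( empty( $transient->checked ) ) {
        return $transient;
    }
    $plugin_file  = plugin_basename( __FILE__ );                   // e.g. "my-plugin/my-plugin.php"
    $manifest_url = 'https://updates.example.com/my-plugin.json';  // assumed, HTTPS only

    // Fetch the manifest over TLS with certificate verification on, so a
    // network attacker cannot substitute a different version or package URL.
    $response = wp_remote_get( $manifest_url, array( 'timeout' => 10, 'sslverify' => true ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return $transient;
    }

    $manifest = json_decode( wp_remote_retrieve_body( $response ) );
    if ( ! is_object( $manifest ) || empty( $manifest->version ) || empty( $manifest->package ) ) {
        return $transient;
    }

    // Only accept a package from the same HTTPS host as the manifest, so a
    // spoofed or tampered manifest cannot redirect the download elsewhere.
    if ( 'https' !== wp_parse_url( $manifest->package, PHP_URL_SCHEME )
        || wp_parse_url( $manifest->package, PHP_URL_HOST ) !== wp_parse_url( $manifest_url, PHP_URL_HOST ) ) {
        return $transient;
    }

    $installed_version = isset( $transient->checked[ $plugin_file ] ) ? $transient->checked[ $plugin_file ] : '0';
    if ( version_compare( $manifest->version, $installed_version, '>' ) ) {
        // Same structure wordpress.org's API returns, so core's updater shows
        // the update and downloads the package as usual.
        $transient->response[ $plugin_file ] = (object) array(
            'slug'        => dirname( $plugin_file ),
            'plugin'      => $plugin_file,
            'new_version' => $manifest->version,
            'package'     => $manifest->package,
            'url'         => 'https://example.com/my-plugin', // assumed plugin page
        );
    }
    return $transient;
}
```

Because this is exactly the code guideline 8 forbids in Plugin Directory copies, a site would have to be running a copy of the plugin that already contains it before the developer’s server could deliver anything.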

There are two solutions for the problem of plugin developers being held hostage, which Matt Mullenweg’s action has highlighted. Either the Plugin Directory guidelines could be modified to allow providing updates from the developer’s server, which isn’t a good idea, as it would make it easier for a developer with malicious intent to add malicious code to people’s websites. A plugin from the directory using the developer’s own update server to distribute malicious code has happened before (the guideline preceded that happening). Or WordPress could have proper governance, so that Matt Mullenweg and those working for him are not allowed to abuse their access to WordPress resources like this. Employees of his at Audrey Capital and Automattic are involved in the Plugin Directory, with the latter company’s employees not being disclosed in that role.

When the interviewer followed up, mentioning that WP Engine’s customers are being “screwed,” Matt Mullenweg responded “It’s the people who spend half a billion dollars a year with WP Engine.” The reality is that he is blocking people who use these free plugins, but do not use WP Engine for hosting, from getting updates. WP Engine can provide updates to their own customers who use their plugins. Right after he made that comment, he smiled.
