Matt Mullenweg’s recent unilateral decision to stop customers of WP Engine from getting updates for the software hosted on wordpress.org has exposed a huge security issue that has long existed with WordPress. That one person has control of WordPress infrastructure. That is something he has presumably intentional hidden away, as we noted in a post about the ownership situation of the WordPress website. That is a significant problem when that person also has a large business that competes with others in the WordPress ecosystem.

It would be deeply irresponsible for others in the community to assume this is a one-off situation looking at the “rational” he provided. He claimed that WP Engine needed a “trademark license,” despite WordPress not offering trademark licenses (an unrelated entity he controls does). He claimed that WP Engines’ “legal claims and litigation against WordPress.org” caused the block, despite a complete lack of those things being true (they had sent a cease and desist letter targeted to unrelated entities he controls). He also claimed that WP Engine had engaged in “attacks on us,” who the us isn’t specified. They had responded through their lawyers to Matt Mullenweg’s attempted extortion against them. Not attack anyone.

As part of Matt Mullenweg’s, surely advised against by his lawyers, attempt to post through his civilly liable, if not criminally, actions, he was responding to questions on the Hacker News. Unsurprisingly, one question asked about WordPress support for using alternative infrastructure:

When do you plan to add support in the admin UI for alternate source urls for plugins and themes, so that others can more effectively mirror your apparently overtaxed infrastructure?

His response says it all about what he is doing:

Why would I build that? The built-in source works great, for tens of millions of servers.