Automattic Deleted Blog Post Praising WP Engine, Where WP Engine’s VP of Security Admitted to Not Doing Basic Due Diligence
One question that has come up a lot recently, given the situation between Matt Mullenweg and WP Engine, is who is the bad guy? Considering that Matt Mullenweg is engaged in a now very public extortion campaign against WP Engine, they are clearly a victim. But that doesn’t mean they are good guys. Sometimes they are the bad guys alongside Matt Mullenweg’s company Automattic.
In July of last year, we covered a situation where WP Engine was falsely claiming that a popular WordPress plugin contained a vulnerability. (Because everything is related, the developer of that plugin has become another victim of the current mess.) The cause of the false claim was that WP Engine didn’t actually vet vulnerability claims. Instead, they relied on a source well known to be unreliable, WPScan. WPScan is owned by Automattic.
While looking for something to link to in that post to confirm that WPScan was the source of WP Engine’s data, since they didn’t disclose the source (or, more importantly, disclose its unreliability), we ran across a post on WPScan’s blog about their partnership. That post was originally published in April of last year. It was recently deleted from the blog, likely as part of a larger effort to hide Automattic’s connections to WP Engine and its use of the WordPress trademark in connection with them.
From an archived copy of the page from September 18, you can see that they referred to WP Engine as a “WordPress hosting platform”:
WP Engine is a leading WordPress hosting platform, empowering thousands to create and share their unique digital stories with the world.
The post unintentionally paints WP Engine in a rather poor light. It quotes Brent Stackhouse, WP Engine’s VP of Security, admitting to not having done basic due diligence:
We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else.
That seems like something that should have led to his firing, not just for admitting to not having done basic vetting, but because WPScan has long been known to be an unreliable source.
Another quote from him is also quite bad:
Our customers love it. It really helps them stay out of a bad security state. And we couldn’t do it without WPScan.
Their customers likely have no idea that the information they are being provided is wrong. That includes earlier this year, when WPScan and WP Engine falsely claimed that an unfixed vulnerability in one of WP Engine’s plugins had been fixed.
He hasn’t been fired. Our own very short recent interaction with that guy suggests he still really doesn’t care about handling security properly at WP Engine.
There was more praise of WP Engine in the post, including calling them a “hero” and writing this:
The results have been overwhelmingly positive, solidifying WP Engine’s position as a true security partner for their customers and helping them build a customer base that is more loyal than ever before.