Comment From WordPress Core Contributor Helps to Explain Why WordPress Has Long Failed to Address Fixable Security Issues
WordPress has long had a reputation for poor security. The reality behind that is that many of the claims about poor security are not true, while real security issues haven’t gotten attention or fixes. A recent story at The Repository about the response of core contributors to Matt Mullenweg’s recent actions helps to explain why things are going wrong. The story anonymously quotes “[v]eteran WordPress core committers and contributors,” painting a rather bad picture of many of those people.
The most striking comment is this:
“I know plenty of people who are working at various companies because of their level of influence in whatever area of WordPress. Absent that influence, their employability could be questionable though,” said one committer.
So you have people with a lot of influence in WordPress who don’t seem to be the best equipped to handle things like security. Instead of being focused on what is best for WordPress, they have been focused on staying in the good graces of Matt Mullenweg and those around him. This has led to them ignoring the problems that others have raised for years. For those familiar with what has been going on with WordPress for years, the idea that WordPress’ lack of governance hadn’t caused problems in the past is hard to fathom. Yet that is what those people are claiming is true:
“Everything in WordPress hummed along mostly fine under this governance model for years, with the occasional, mostly inconsequential tantrum from Matt,” one committer said. “But now, sensibility has been thrown out the window. This governance model is no longer viable for me as a contributor.” Another echoed this sentiment: “Without governance, it’s just Matt’s will. It’s not a community-driven project.”
When it comes to fixing problems with security, if there were proper governance, you could reach out to people with oversight of individuals who were behaving inappropriately. Under the current setup there is no one to go to, and the only chance for change was that those people left, which usually didn’t happen because they were able to profit from remaining in their positions. So you end up with situations where things go very wrong. For example, it isn’t even clear who is in charge of security, so there is no one with whom to raise the fact that many security issues can’t even be reported.
Another troubling comment involved someone admitting to knowing that Matt Mullenweg has been behaving badly, but having kept quiet about it:
One committer described his shock at seeing “private Matt” on the stage at WordCamp US 2024, as opposed to the affable “public Matt” the WordPress community is more familiar with. “For a lot of us who have gotten to know Matt in various capacities over the years, the sentiment itself (WP Engine not contributing enough) was not really news. But private Matt and public Matt are very different personalities, and in some ways it was shocking to see private Matt show his face in public with how he called out WP Engine,” they said.
One has to wonder what else these people know that they are not saying.
Other comments suggest a complete lack of awareness of what has been going on. How is it 2024 and contributors are only now recognizing that they are simply executing Matt Mullenweg’s vision:
Many contributors expressed feeling disenfranchised. “Some of us feel we’re just here to execute [Mullenweg’s] vision, not shape it,” said one committer. “For people who have dedicated years, sometimes decades, to WordPress, that’s hard to accept. We’re invested in this project, but we have no control.”
That was already clear going back to the Gutenberg editor, which was put into WordPress back in 2018.
We would love to wrap this up by pointing out how things could be improved, but the picture painted by those and other quotes in The Repository’s story doesn’t suggest any willingness to change things for the better. Instead, it seems like the people who have been part of the problem are looking to continue on, hoping they don’t lose their influence.