2 Dec 2024

For the Second Time This Year, Automattic’s Top Lawyer Has Left

Last week’s hearing on a preliminary injunction in the legal case between Matt Mullenweg/Automattic and WP Engine featured an Automattic lawyer we hadn’t heard mentioned before: their General Counsel, Jordan Hinkes. That role has been their second-highest legal position. Bloomberg Law reported on Friday that he was newly on the job. His LinkedIn profile shows him having taken the job in October:


2 Dec 2024

Automattic Apparently Manages the WordPress.org Infrastructure

Because of recent actions taken by Matt Mullenweg, control of WordPress.org has become a big security concern. It continues to be unclear who is actually in control of it. Lawyers representing Matt Mullenweg and Automattic have put forward varying explanations. In a legal filing on October 22, they put forward the view that Matt Mullenweg is personally in control of it:

WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility.

4 Nov 2024

Automattic’s WPScan Is Violating the Rules of the CVE Program With Advanced Custom Fields “Vulnerability”

As if there were not enough issues with what Automattic has done related to WP Engine’s Advanced Custom Fields, they are also violating the rules of the CVE program. As CVE’s website puts it, “The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.” Through their WPScan subsidiary, Automattic is able to issue CVE IDs as a CVE Numbering Authority (CNA). That seems like a bad idea, based on their track record of inaccurate and false claims of vulnerabilities, but CVE has been very clear that they don’t care about the accuracy of their data. The rules of their program do require that issuers publish records within 72 hours once they have disclosed CVE IDs:

4.5.1.3 CNAs SHOULD publish a CVE Record to the CVE List within 24 hours of Publicly Disclosing a CVE ID assigned by the CNA. CNAs MAY publish or update CVE Records as part of the CNA’s processes to manage Vulnerability advisories or other public information that references the CVE ID.

1 Nov 2024

Matt Mullenweg’s Legal Filing Suggests “WordPress security team” That Took Over ACF Is Really the Automattic Security Team

We have been covering a mystery surrounding the takeover of WP Engine’s Advanced Custom Fields (ACF) on the WordPress Plugin Directory: who was behind the takeover. When Matt Mullenweg announced the takeover, he said he was doing so “[o]n behalf of the WordPress security team.” Yet an Automattic employee not involved in any WordPress security team publicly claimed they were aware of this ahead of time. We have also received information suggesting that it was more widely known about in Automattic. Someone saying they were a member of the WordPress Security Team claimed they were not aware of this. What is going on with the security team of WordPress is largely a mystery, with it being unclear if it is named the WordPress Security Team or the WordPress Core Security Team. Or possibly there is more than one team. New legal filings in WP Engine’s case against Automattic and Matt Mullenweg suggest that the takeover wasn’t actually done by a security team in WordPress.

In a filing opposing WP Engine’s motion for a preliminary injunction, the lawyers for Automattic and Matt Mullenweg explain the takeover this way:

30 Oct 2024

A Month On, a Glaring Problem With Five for the Future Pledges Hasn’t Been Addressed

When Matt Mullenweg publicly started going after WP Engine, one issue that got a lot of attention was the disparity between how much employee time his company Automattic was claiming to sponsor for work on WordPress versus how much WP Engine was. The metric being used, Five for the Future, has plenty of issues. One that has been out in the open, which we happened across, is that there are many pledges that couldn’t be real. At the time, Automattic was claiming to currently be providing sponsored time to the Tide team, despite that team having gone inactive in early 2022. They were not alone, as there were 331 current pledges to the team. The story wasn’t all that different with another team, where there were 14 listed members of the team and 338 pledges. There is a form for reporting problems with pledges, though one that doesn’t seem designed for systematic issues, as you are supposed to report the URL of an individual pledge. We filed a report about those issues at the time, so what has happened more than a month on?

After our post about Automattic’s pledges, their Five for the Future page was updated and no longer lists time pledged to the Tide team. That appears to be unrelated, as that change came alongside many Automattic employees leaving the company. There were significant changes to Automattic’s pledging when those people left.

29 Oct 2024

For Some Reason Automattic Emailed WP Engine’s CEO About Security “Vulnerability” in Advanced Custom Fields

As part of the whole situation with Matt Mullenweg and WP Engine, there has been a recurring issue: his odd and sometimes possibly illegal interactions with the CEO of WP Engine, Heather Brunner. There was the incident documented in WP Engine’s lawsuit where he sent her a text offering her a job and threatening to tell the press about claimed interactions they had previously had if she didn’t accept the job. In a follow-up legal filing, there was this odd statement, ‘Recently, Automattic began sending purported security alerts about WPE’s “ACF” plugin to WPE’s CEO, in another act of harassment.’ Why would Automattic send the CEO of a company security alerts? That is not something we have ever heard of happening, and it isn’t something we have ever done in reporting security issues over the years, including to Automattic. In a related declaration from WP Engine’s CEO, she says the same:

One of those attacks occurred on October 4, 2024, when Automattic sent WPE a security alert about ACF, a plugin that WPE develops and contributes for use by the open source community. A true and correct copy of this email is attached as Exhibit H. Both Mr. Mullenweg and myself were cc’d on the email, which is without precedent. As the CEO, I never get copied on such routine security patch emails for minor security issues.

25 Oct 2024

The Executive Director of WordPress.org Is an Employee of Automattic

On Monday, the new Executive Director of WordPress.org started on the job. The position raises serious questions about what is going on with WordPress. The WordPress post by Matt Mullenweg announcing they were going to be taking on the role made it sound like they were going to be employed by WordPress.org:

We’re proud to announce that Mary Hubbard (@4thhubbard) has resigned as the Head of TikTok Americas, Governance and Experience, and will be starting as the next Executive Director of WordPress.org on October 21st!

24 Oct 2024

Matt Mullenweg’s Lawyer Says that WordPress.org Is Not WordPress

We have been following the confusing situation with what WordPress.org is and who owns the website hosted at wordpress.org. That has included Matt Mullenweg disagreeing with Automattic’s lawyers over that, which became a legal “mystery”. One place that you can’t find answers to those questions is the About page on wordpress.org and the rest of the About section of the website. In the text of that page, there are 11 references to WordPress and none to WordPress.org. The title of the page does include WordPress.org. So you would reasonably think that the website of WordPress is wordpress.org. Not so, say the lawyers defending Automattic and Matt Mullenweg in the lawsuit brought against them by WP Engine. Instead, they make this claim in a legal filing submitted yesterday:

WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility.

23 Oct 2024

Matt Mullenweg Is Complaining That WP Engine Hasn’t Donated to the WordPress Foundation, Despite It Having Too Much Money

Trust is a big part of security, and trust is in short supply with the head of WordPress these days. He keeps saying things that are problematic, ranging from outright lies to highly misleading statements. One of his arguments against WP Engine had been problematic before and then got more problematic late last week.

Recently, the Trademark Policy page of the WordPress Foundation was updated to include this message about WP Engine:

22 Oct 2024

Minutes of WordPress Foundation 2024 Meeting Highlight How Intertwined It Is With Automattic

In a cease and desist letter dated September 23, a lawyer from Perkins Coie wrote that they were writing while representing “Automattic Inc. and WooCommerce, Inc.” One section of that letter was titled “Violations of Our WordPress Foundation Trademark Policy” and had this information under the heading:

It is further inappropriate that you violated the terms of your WordCamp US Sponsorship Agreement, which specified clearly that “any use of the WordPress trademarks is subject to the WordPress Trademark Policy listed at http://wordpressfoundation.org/trademark-policy.” You repeatedly and intentionally violated the WordPress Foundation Trademark Policy’s prohibition on the “use [of] the[] [WordPress marks] as part of a product, project, service, domain name, or company name,” as demonstrated in Exhibit B attached hereto.