26 Sep 2024

No Business or Group of Individuals Is Supposed to Benefit From the WordPress Foundation’s Existence

With Matt Mullenweg’s continued expansion of attempted extortion of WP Engine and the security threat posed by that, the WordPress Foundation has come into more focus. Notably, the WordPress Foundation owns the WordPress trademark, but as a letter from Automattic’s lawyers put it, Automattic has “exclusive commercial rights to the world famous WORDPRESS trademark.” Probably connected to what is going on there, in July, the WordPress Foundation filed trademark registrations for MANAGED WORDPRESS and HOSTED WORDPRESS. The foundation doesn’t have any obvious need for those trademarks, since it is not involved in hosting WordPress websites (not WordPress’ own website). The question raised, then, is whether the WordPress Foundation is functionally operating as an arm of Matt Mullenweg, and whether that is legal.

Here is how an Automattic employee, writing in a post on the WordPress website about the foundation, explained how the foundation is supposed to operate: [Read more]

24 Sep 2024

Automattic’s Matt Mullenweg Basically Admitted on Reddit That He Was Trying to Extort WP Engine

After days of WordPress and Automattic head Matt Mullenweg attacking a competitor of Automattic, WP Engine, there was a response from WP Engine as to what was going on here. That came in the form of a cease and desist letter they released yesterday. In that, the legal counsel for WP Engine, Emanuel Quinn, made this stunning set of claims in the second paragraph of their letter:

Stunningly, Automattic’s CEO Matthew Mullenweg threatened that if WP Engine did not agree to pay Automattic – his for-profit entity – a very large sum of money before his September 20th keynote address at the WordCamp US Convention, he was going to embark on a self-described “scorched earth nuclear approach” toward WP Engine within the WordPress community and beyond. When his outrageous financial demands were not met, Mr. Mullenweg carried out his threats by making repeated false claims disparaging WP Engine to its employees, its customers, and the world. Mr. Mullenweg has carried out this wrongful campaign against WP Engine in multiple outlets, including via his keynote address, across several public platforms like X, YouTube, and even on the WordPress.org site, and through the WordPress Admin panel for all WordPress users, including directly targeting WP Engine customers in their own private WordPress instances used to run their online businesses. [Read more]

24 Sep 2024

Who Is on the WordPress Foundation Board?

With the recent drama surrounding Matt Mullenweg’s attempted extortion of WP Engine and the potential legal action resulting from that, the WordPress Foundation has been getting more attention. There is fairly little information on the foundation and a lot of understandable confusion over it. On its homepage there is this explanation for its existence (emphasis in original):

The point of the foundation is to ensure free access, in perpetuity, to the software projects we support. People and businesses may come and go, so it is important to ensure that the source code for these projects will survive beyond the current contributor base, that we may create a stable platform for web publishing for generations to come. [Read more]

27 Sep 2023

Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability

On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ data. An explanation for that hacker targeting could be that WPScan was claiming there is an unfixed SQL injection vulnerability in the plugin.

As of Saturday, the only information WPScan provided was this vague description of the issue: “The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users”. Without more information it would be difficult for anyone else to confirm their claim. They also stated that a proof of concept for the vulnerability would “be displayed on September 26, 2023, to give users the time to update.” Considering they were also claiming that this wasn’t fixed, there wouldn’t be any update to apply. So something seems amiss there. [Read more]

23 Mar 2023

Let’s Learn From WordPress Security Provider Automattic’s Incredibly Insecure Code in WooCommerce Payments

It’s a bad look when a major WordPress security provider is disclosing that one of their own plugins has a serious security issue, which happened six months ago with the developer of iThemes Security. It’s even worse when the code is so insecure, which was also the case with iThemes. Automattic, the company of the head of WordPress Matt Mullenweg, which provides security solutions under brands including WPScan and Jetpack, today fixed a serious vulnerability in one of their plugins. That this happened runs counter to the view we see often that Automattic are security experts, but in line with previous security issues with their software. Unlike the situation with iThemes, though, this isn’t known to be a zero-day (a vulnerability being exploited before the developer knows about it) and doesn’t involve a security failure at such a basic level. It does involve having incredibly insecure code running in a situation that is high risk.

With that said, this situation could be used as impetus to finally move WordPress plugin security to a better place. But first, let’s look at what went wrong here. [Read more]

4 Jan 2023

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that its moderators often get in the way and cause unnecessary problems (as well as engaging in other troubling behavior, including deleting unflattering information about a company they promote). At the same time, they don’t take action when there is something they could help with. That is the case involving the 8,000+ install WordPress plugin Bulk Delete Comments. Two weeks ago, a one-star review was left with a concerning claim:

This plugin might be hacked or it is shady one way or another because it has started to slow down wordpress when including an inclusion of javascript located at: alishahalom.com [Read more]

19 Dec 2022

Matt Mullenweg’s WP Tavern Didn’t Allow Question on Significant State of the Word Related Security Issue

Heads of tech companies controlling the online conversation has been a big issue recently, based on Elon Musk’s takeover of Twitter and his subsequent actions. WordPress has a similar issue that doesn’t get much attention, probably explained, in part, by the more systematic nature of the control. The head of WordPress, Matt Mullenweg, is the person who controls which news outlets are shown in the WordPress dashboard. He also has at least some level of control over several of those, including direct ownership of what is probably the largest WordPress news outlet, the WP Tavern.

The ownership of the WP Tavern is barely disclosed. For example, a recent story about a State of the Word speech given by Matt Mullenweg makes no mention of it, despite him being central to the story. The only place it appears to be disclosed is on the About page, which is linked to from the footer of the website, and even that page mentions that his ownership was hidden away for two years: [Read more]

7 Oct 2022

Automattic Employees Don’t Appear to Understand What Security Is

The WordPress community is in the midst of a controversy involving a strange, largely unexplained situation. A chart that used to be shown on the Advanced View page for plugins in WordPress’ plugin directory was removed. This is an example of that chart:

[Read more]

5 Oct 2022

Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin

As detailed in a more technical post, proactive monitoring we do caught a serious vulnerability, of a type highly likely to be exploited, being introduced into a WordPress plugin this week. By the install count of the plugin, this wouldn’t be all that notable, as the plugin only has 200+ installs. But the plugin, Create Block Theme, comes directly from WordPress:

[Read more]

4 Oct 2022

WordPress is Obfuscating the Connection Between the WordPress Plugin Directory and Automattic

An odd controversy has recently taken up the spotlight in the WordPress plugin developer community: the removal of the Active Install Growth chart from the Advanced View page for plugins in the WordPress Plugin Directory. That chart showed the growth of a plugin’s installs over time. This is what it looked like:

[Read more]