What we already knew about WordPress
But first, Word Play!
My debut crossword in today's Wall Street Journal with Jeff Chen is called Safe Prospects. It's free to play: https://www.wsj.com/articles/safe-prospects-thursday-crossword-november-21-975fdcd9
Also read about puzzling in times of crisis from my crossword construction teacher Natan Last https://www.nytimes.com/2024/11/10/opinion/crosswords-comfort-crisis.html?unlocked_article_code=1.Y04.XmKP.zhjeYR3Zs6fc&smid=url-share
The Best Part of the Newsletter (you, dear reader-writer)
- Read Common Good Cyber's interview with John Todd, Quad9 GM. (I'm on Quad9's advisory council): https://commongoodcyber.org/news/interview-john-todd-quad9/
- US Approves UN Cybercrime Convention That Legitimizes Censorship. https://cepa.org/article/us-approving-un-cybercrime-treaty-would-legitimize-authoritarian-censorship/
- India follows through on threat to hold Meta accountable for WhatsApp privacy policy change that required users to share data, levies $25M fine. https://techcrunch.com/2024/11/18/india-fines-meta-25-4-million-over-whatsapp-privacy-policy/
- Google has to sell Chrome. Great, now do Apple and Safari (webkit)!
- Russia’s internet watchdog blocks thousands of websites that use Cloudflare's privacy service. https://therecord.media/russia-blocks-thousands-of-websites-that-use-cloudflare-service
- GitHub announces Secure Open Source Fund to help secure the open source ecosystem for everyone. https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund
- If you're going to FOSDEM, join the Social Web Devroom. (An activity of my org the Social Web Foundation): https://socialwebfoundation.org/2024/11/01/fosdem-2025-social-web-devroom-call-for-participation/
- My hottest take: Big Tech just won the US election. I think Nathan Schneider agrees with me: https://nathanschneider.info/2024/11/the-marriage-of-platforms-and-politics-is-complete/
- The Internet Archive is a cautionary tale. https://www.philanthropy.com/article/the-internet-archive-is-a-cautionary-tale-for-growing-nonprofits
- New report: From Skin to Screen Bodily Integrity in the Digital Age: https://www.databodyfutures.org/databodyintegrity
- Research on technosolutionism raises three serious concerns: (1) a subversion of democratic decision-making; (2) Big Tech in the sphere of public policy; and (3) the forsaking of carefully constructed problems that technosolutions can’t easily solve. https://link.springer.com/article/10.1007/s13347-024-00807-y
- Research: Direct disclosure has limited impact on AI-generated Child Sexual Abuse Material. https://partnershiponai.org/hai-researchers-framework-case-study/
- A new military-industrial complex: How tech bros are hyping AI’s role in war https://thebulletin.org/2024/10/a-new-military-industrial-complex-how-tech-bros-are-hyping-ais-role-in-war/
- Did you know? The UN has a dedicated Open Source Programme Office situated under the ITU Development sector https://www.itu.int/hub/2024/11/open-source-programme-offices-step-up-digital-transformation/
- Watch Maria Ressa and Meredith Whittaker. Enough said! https://www.rappler.com/moveph/social-good-summit/video-technology-harms-panel-2024
- ICYMI: (2021) This is what happens when ICE asks Google for your user information https://www.latimes.com/business/technology/story/2021-03-24/federal-agencies-subpoena-google-personal-information
The WP Engine Dispute Reveals What We Already Knew about the WordPress Ecosystem
Open source ecosystems are built on collaboration and shared innovation, but these processes can also lead to conflict, security and reliability concerns, and a disregard for the most vulnerable. A recent dispute between WordPress co-founder Matt Mullenweg and WP Engine highlights the frailty of open source projects, which show up early and often for at-risk communities.
WP Engine is a popular managed WordPress hosting service and Mullenweg publicly criticized them for benefiting from WordPress’s open-source foundation without contributing back to the ecosystem. This escalated to a point where Mullenweg banned WP Engine from WordPress.org, effectively cutting off websites built with WP Engine from critical updates, sparking a controversy that left many content creators scrambling for solutions. WP Engine has filed a lawsuit accusing Automattic, Mullenweg’s company, of extortion and abuse of power.
For Mullenweg, this dispute is about licensing and intellectual property and what it means to “contribute” to a shared project. For WP Engine, it’s about reputation and survival in a fiercely competitive market. But for small hosting providers that serve niche communities, the path to contributing back to the WordPress project is unclear. eQualit.ie (EQ), which has been running the open-source eQpress managed hosting platform supporting hundreds of media and human rights organizations, is one such provider and an organization that I have supported as a member of its board for the past 11 years. Additionally, I have been a web developer and systems administrator since the early 2000s and continue to work with a variety of independent providers called the In.fra.red network, many of whom host WP websites. Lastly, it’s pertinent to mention that Automattic is a supporter of the Social Web Foundation, an organization I co-founded this year.
eQualitie builds tools for at-risk organizations, civil society groups, activists, and nonprofits to keep them online and connected in the face of powerful government adversaries. Many rely on WordPress for their digital presence, so the team developed eQpress, a managed WordPress hosting service, as a response to the widespread issues with low-cost hosting options that fail to prioritize security and reliability. eQpress emerged from efforts to provide a more secure, dependable solution for these organizations, ensuring their websites remain resilient against digital threats while still benefiting from the flexibility of open-source software. Another key innovation of the hosting platform itself is that it is architected behind the Deflect caching infrastructure. Deflect.ca protects websites from DDoS attacks, offering an enterprise-level service to nonprofits and at-risk communities the world over, for free. eQpress ensures that Deflect clients also have reliable hosting.
Building, maintaining and growing these services for over a decade informs EQ’s perspective on the broader issues facing the WordPress ecosystem and raises concerns about what it could mean for our community if Mullenweg decides to pass the bat to us next. This case isn’t just a matter of two tech companies butting heads; it has significant implications for the broader open-source community, yes, but it risks sweeping up vulnerable groups, too.
Managed Hosting Solves WP Security and Reliability
One of the key reasons managed WordPress hosting services like WP Engine and eQpress emerged is the gap left by cheap, unmanaged hosting options. While these low-cost providers, such as GoDaddy and Bluehost, offer plans for as little as $5 per month, their focus has been on maximizing profit rather than ensuring the security or reliability of their clients’ websites. As a result, many users found themselves relying on hosts that were under-resourced and prone to vulnerabilities, leading to widespread issues of poorly maintained and insecure WordPress sites.
Before migrating to eQpress, many of our community members were using these cheap hosting services and were dealing with barely functioning websites prone to hacks and failures. While these services were inexpensive, they left organizations with little support or recourse when things went wrong.
This problem wasn’t created by WP Engine or managed hosting providers. It is a byproduct of the open-source nature of WordPress, the accompanying ecosystem of plugins and themes, and the race-to-the-bottom pricing strategies of many hosting companies. Managed hosting services like WP Engine and eQpress saw an opportunity to address these issues by offering more secure, reliable solutions to clients who needed more than just budget hosting. This shift emphasizes that in hosting (as in life?) you often get what you pay for. It’s our value proposition that the additional cost of managed services can bring substantial value in terms of platform stability, security and peace of mind.
The Double-Edged Sword of “Open”
The open nature of WordPress’s plugin and theme marketplaces has fueled a thriving ecosystem that proves the value of free and open-source software. However, this same openness has also created significant challenges. The WordPress ecosystem has become a breeding ground for spam, malware, botnets, and outdated code. Many plugins and themes, left unmaintained for years, sit vulnerable on millions of production websites, posing a significant security risk. On the Deflect network, a substantial percentage of the DDoS attacks that we see against our community are the result of compromised WordPress installations the world over, where outdated or insecure plugins and themes are exploited by bad actors.
In this context, it’s understandable why Mullenweg feels frustrated. While many companies profit off of WordPress’s open-source foundation, few contribute back to the ecosystem to help secure and improve it for everyone. WordPress is in a unique position: it’s not quite like Debian or even the Drupal community, where FOSS principles are more rigorously maintained and community contributions are central to the culture and the codebase. Instead, WordPress exists in a hybrid space—a mix of open-source ideals, commerce, and cybercrime—where millions of clients rely on their websites for business, but often at the cost of a fragmented, sometimes insecure ecosystem.
The challenge lies in balancing the innovation and accessibility that open source fosters with the responsibility to maintain and secure that ecosystem for the millions of users who depend on it. Automattic stands to benefit from the experience of small front-line WP hosting providers, particularly those serving high-risk communities, such as eQualitie's clients, who are largely independent media and human rights organizations in some of the world's most complicated environments. The eQpress platform is also a bellwether for novel malicious activity, including malware and exploits targeting newly discovered WP vulnerabilities. As such, Automattic should not only reach out to such groups but do its utmost to ensure their continued operations and progress.
Cooperation can Redeem WP
While WordPress has achieved massive global success, it has largely failed to engage the diverse communities of human rights defenders, nonprofit organizations, and independent providers around the world who rely on its platform. Despite running millions of WordPress installations, many providers—like Deflect—have not contributed to WordPress core development. The reason? There’s a lack of community and outreach to these providers, and no coherent effort to involve them in shaping the future of WordPress, despite their unique experience and requirements.
At its heart, WordPress operates more like a closed business than an open-source project, despite the open-source nature of its code. Automattic, the company behind WordPress, primarily focuses on its own commercial product offerings, with little effort made to cultivate contributions from the broader ecosystem of providers that also use the core WordPress code. There’s a noticeable absence of outreach programs, developer conferences, or opportunities for these organizations to contribute to core development. There are no financial support or sustainability considerations coming from WordPress or other tech companies. This leaves providers like us on the outside, maintaining and securing our own installations but with no clear way to feed that work back into the larger WordPress ecosystem.
If WordPress truly wants to lead by example, encouraging others to contribute back to its core, it must make efforts to reach out to its partners and peers. By actively engaging with providers who run WordPress for diverse, global communities—especially those in the nonprofit and human rights sectors—WordPress could foster a more inclusive and collaborative ecosystem. Such mutually beneficial cooperation means growing other ecosystems like the social web by extending and implementing ActivityPub. Mutually beneficial cooperation means bringing back WP Engine, too. Mutually beneficial cooperation means meeting the unique security requirements of at-risk organizations like those in the EQ family, raising the bar collectively for all WP sites. These actions require WP to show leadership and demonstrate that everyone involved can be better off by doing better for each other.