
Dissecting Matt Mullenweg’s comments at WordCamp Europe, part 1

Looking at Mullenweg’s comments about the FAIR project at WordCamp Europe 2025.

This past weekend, I listened with interest to Matt Mullenweg and Mary Hubbard’s “fireside chat”, as I anticipated some discussion about FAIR, the WordPress Foundation, and Five for the Future, all topics I’ve recently covered.

There are a few interesting quotes that I’d like to highlight and comment on. I’m going to split this into a couple of posts, to keep things a bit more targeted. I’ve transcribed the relevant quotes, but feel free to listen to the entirety of Mullenweg and Hubbard’s performance.

Today, I’d like to cover the big one: FAIR.

Mullenweg’s initial comments on FAIR, dissected

I don’t think it’s any surprise that Mullenweg was asked about FAIR. Given the launch the night prior, and given that it challenges the dominance of WordPress.org—which, again, is owned by Mullenweg personally—I had assumed someone would ask a question or two.

I also assumed that Mullenweg wouldn’t yet have well-formed thoughts. It takes time to review new initiatives. While objectives can be clear in initial documentation and materials, how those objectives are implemented is incredibly important to forming an opinion. That said, it’s worth looking at Mullenweg’s initial thoughts, as they will likely inform his long term feelings and actions.

The initial question, via Mary Hubbard

The initial question came via Mary Hubbard, who was filtering community-submitted questions directly to Mullenweg.[1] Hubbard, for her part, had a heads up about FAIR, given she provided a quote to Fast Company. This is key, as it’s very likely that both Hubbard and Mullenweg prepared for this question and were ready to answer it.

Starting about 00:06:45 into the fireside chat:

Hubbard: So, yesterday, at a side event, the announcement of Project FAIR came out. There’s highlighted interest, discussions that are happening. How do you see initiatives like this co-existing with WordPress—dot org, the infrastructure, etc—and what would be your ideal outcome?
 
Mullenweg: Well, it’s open source, so everything can coexist with WordPress and I think that’s part of the beauty that something like this can be written with the APIs that WordPress has. I don’t know if I want to comment too much further on it, just because, kind of just found out about it last night. (chuckles) There hasn’t been that much time—there’s a lot of code and complexities. I do wish, if the team did want to collaborate—the team says they want to be transparent and everything, but it did sort of drop as a surprise; it was worked on in secret for six months. But, we can work past that and look at it. I do think the things we need to keep in mind are: you know, what users are asking for, what are the challenges they’re facing around finding the right things, knowing it’s secure, getting updates, the stats around how many sites that are hacked are from out-of-date plugins. Those are the things that are top of my mind, for the plugin directory. And sort of the trust and safety elements of that. For the dot org directory, I think it’s actually a super exciting time…

I stopped transcribing here, as Mullenweg pivoted to talk about plugin scanner enhancements which, while related to the plugin directory, was clearly a planned pivot.

Embedded in this initial response is a “dig” at collaboration, and working within a community. Mullenweg seems to have forgotten that, just 8 months earlier, he started unilaterally banning people from WordPress.org and the community more broadly (e.g. WordCamp attendance), solely because they disagreed with him, and/or proposed alternative forms of governance and infrastructure. Is it a surprise, given his actions, that a segment of the community would work behind the scenes to launch something that directly opposes the stranglehold Mullenweg has on fundamental WordPress infrastructure?

Mullenweg’s response is also a bit hypocritical.

While Automattic often works in public (“it’s all on GitHub”), many of their actions take place behind the scenes and appear as a “drop” to the community, aligned with a very public announcement and associated PR. Take the Data Liberation project, an effort Mullenweg announced in December 2023 during his annual “State of the Word” address. The project launched on WordPress.org without any community involvement or discussion. If Mullenweg wished to collaborate on data liberation—he says he wants to be transparent and everything, but it did sort of drop as a surprise; it was worked on in secret for who knows how long.

But this isn’t limited to major announcements; this also applies to the day-to-day, where Automattic has often led major changes in WordPress, dropping them without community input and seeking input after-the-fact. I wrote a bit about this previously, noting the barriers to contributing.

Near the end of his pivot to the plugin scanner, Mullenweg continued with some real data that’s worth pulling out:

Mullenweg: And I actually got some cool stats around this from our systems and plugin team, because I haven’t heard it recently. So, we are now up to 72,000 plugins and themes. This is about 3.2 terabytes of zip files. That’s not counting all the SVN history and everything like that, so there’s a lot of data there, which is also why we need to make sure, if 500 mirrors are set up and they’re all sucking down the directory, that could DDOS us. And, in the last 12 months, we’ve done 630 billion requests, with 17.5 billion downloads.

One of Mullenweg’s underlying points, in sharing these stats, is to show how much WordPress.org does for WordPress: look at all of these plugins, themes, data, requests; look how much we I do!

But, Mullenweg actually makes a reverse point—he bolsters the argument for FAIR! You see, with a federated approach to package management, WordPress.org would not need to handle 630 billion requests. Dozens, or hundreds, or even thousands of servers worldwide could handle those requests, reducing the load on WordPress.org and enabling faster infrastructure for everybody.

And Mullenweg’s concern about “500 mirrors” that could “DDOS” WordPress.org is unfounded—perhaps because he did not (yet?) understand the technology, but more so because WordPress.org already goes down every major release, as millions of WordPress installations around the world DDOS WordPress.org. A single point of failure is clearly bad for the ecosystem.

The organic question, via Milana Cap

As Mullenweg and Hubbard wrapped up their performance, they opened the floor to questions from anyone in the audience. The very first question was from Milana Cap, a long time contributor, and was about FAIR.

Starting approximately 00:27:15 into the recording, the full exchange:

Milana Cap: My name is Milana Cap, I am from Serbia. I’ve been contributing to the documentation team for 14 years and contributing to the plugin review team for a couple of years and my whole work in documentation was serving a user. Every decision we made, we made to serve user. And, in plugin review team, we also include plugin authors, so everything we do, we do for plugin authors and users, to make their lives easier and better. Now, you said you didn’t have time to take a look at the FAIR project, so let me give you a gist.
 
Mullenweg: Deeply, deeply. I took a look at the announcement and everything, but…
 
Cap: Yeah, okay, let me just give you a quick gist of it.
 
Mullenweg: I don’t think you need to read it right now.
 
Cap: No, no. So the FAIR project is actually federated and independent repository of trusted plugins and themes. And, it is under Linux Foundation, so that means a lot, when it’s under Linux Foundation. And, what it means for users and plugin authors and theme authors is actually making their lives easier and better, more secure. It makes all the products more discoverable. And also, developers can choose the source where are they using their supply chain from. But also, it is helping WordPress.org because these are mirrors. So it will, you know, reduce the load from WordPress.org for every update and all of that. Now that you have a gist and you heard me saying… I don’t know if you trust me but it seemed to me that this aligns with the idea of having user and developers first in mind. Would you, you as WordPress.org, consider collaborating with this project?
 
Mullenweg: Of course we consider everything.
 
Cap: Okay.
 
Mullenweg: But, even in what you said, I think there’s a lot of challenges to it. So, for example, right now a supply chain attack needs to breach WordPress.org, which has never been hacked.
 
Boisterous audience laughter
 
Mullenweg: (clueless) What? … What? (awkward chuckle) Now all of a sudden there’s n places that could potentially be compromised. You know, there’s ways to do that, many ways. There’s n places with uptime issues. It makes it much more difficult—I don’t know if it’s actually better for WordPress.org because it makes it much more difficult to do things like rollouts, phased rollouts, where let’s say we get plugin authors the ability to ship to 5% of users and then see what happens, which means we also need things being checked back and then we can rollout to the rest, which is something I’ve heard a ton of plugin authors ask for. It’ll break all the analytics and stats that we provide, and also that we currently use to make decisions. For example, which versions of PHP do we support, or how we do databases. So… I think that it’s—a big part of where WordPress is where it is today is because of the infrastructure and the sort of feedback loop that we get from WordPress.org. Also, the trust that we’re able to engender by having that be a resource. When you look at marketplaces, people aren’t asking necessarily for… I want it to be downloaded from more locations. They’re asking for… how do I know this is trustworthy? How do I know these reviews are real? Who’s moderating? Who’s checking the IP on these different reviews? What’s the plugin rating? What’s the compatibility for it? How does it compatible with my other plugins? These are the things I’m hearing from users, not I need it hosted in a different place. So, just as one example.
 
Mullenweg: And, again, I don’t want to get too far into it because I want to read the code, I want to dive more into it, I want colleagues to look at it. So, I think it’s kind of premature, less than 24 hours in, to say, like, we’re going to contribute or use this or not. But I do think it’s awesome that people are shipping code versus just arguing or talking or writing blog posts, and I think that’s a pretty productive way to channel possible disagreements or anything. And then we can see how it looks. It might be a super niche thing that a few people use, maybe one or two hosts, or it might be something that maybe there’s something in there that becomes ultra popular. But, like things, like something we probably need to do in the plugin review team is something about these admin banners, right? How is that enforced in a distributed and FAIR system? It probably gets a lot worse.
 
Cap: Well, there are a lot of problems that you just mentioned. But, if they are solved, you know, maybe we could actually collaborate with all of that.
 
Mullenweg: But how would you solve, like a plugin…
 
Cap: I am not the smartest person here. I have no idea how, but I know that we have a lot of smart people and, you know, if we talk to each other and collaborate we can come… and there is AI. We can always ask ChatGPT.

There’s a lot to pull apart here, but I wanted to include the entire exchange because it’s very interesting, and I think is the tenor we can expect from future discussions with Mullenweg about FAIR.

Mullenweg starts with the most dismissive response possible: “of course we consider everything.” Whether his intention was to be dismissive or not, this kind of answer from a leader is unhelpful as a response to any question.

But then, Mullenweg digs into his first objection, noting that “right now a supply chain attack needs to breach WordPress.org, which has never been hacked.” The audience responded with laughter, which Mullenweg seemed baffled by. The problem with Mullenweg’s statement is that, while WordPress.org may not have been officially “hacked” in one sense of the word, Mullenweg himself disrupted the supply chain.

In October 2024, Mullenweg hijacked the Advanced Custom Fields (ACF) plugin, renamed it as “Secure Custom Fields” (SCF) and updated every single user of that plugin to the new SCF plugin. By definition, this was an attack on the supply chain. Supply chain attacks can happen in any industry; after all, supply chains are everywhere. But, in the software ecosystem, when an attacker (Mullenweg) compromises a trusted party (WordPress.org) and replaces one piece of software (ACF) with another (SCF), that is a supply chain attack.

I will grant Mullenweg that WordPress.org itself was not “hacked” in this instance—no one inappropriately gained access to its systems. But, people who were given access to WordPress.org by Mullenweg or his team abused their access at Mullenweg’s direction, and attacked the supply chain of WordPress plugins. WordPress.org can no longer be a trusted source of WordPress plugins.

Mullenweg had more to say, digging into a number of areas and questions on his mind. Again, I think it’s important to reiterate, as he did, that it was still early days—Mullenweg had not yet had time to review FAIR’s code and approach to addressing these questions. Still, let’s document his questions and concerns.

Feature development

Mullenweg calls out a plugin directory feature that he’s thinking of—phased rollouts for plugins—and notes that it would be “much more difficult” to implement that feature. The underlying point here is that feature development within the plugin directory may become more difficult.

This is true—some features may be more difficult to implement in a federated ecosystem.[2]

But, when considering tradeoffs, it’s important to consider the benefits as well. With a reduction in systems overhead and needs, resources could be diverted to help solve complex feature development problems. Or, perhaps some features exist in some repositories but not others—plugin authors would have a choice of where to host their plugin and how and when to roll it out.

Mullenweg notes other areas that cover feature development, like considering how analytics from WordPress.org (a site which he personally owns) feed into WordPress feature development. This is also a solvable problem, but it assumes that everyone is okay with the status quo of Mullenweg, solely, controlling all data and analytics. We have turned a blind eye to this for the better part of two decades, but there are real privacy implications with all of our data going to a single individual, who can do with it what he pleases.

Trust-based services

Then, all at once, Mullenweg covers a bunch of questions he has, which centre around “trust” and the services that WordPress.org currently provides.

There’s a fundamental problem with these questions, however. When Mullenweg asks “how do I know this is trustworthy”, he’s asking the right question, but about the wrong thing. How do I know WordPress.org is trustworthy? When Mullenweg coordinated a supply chain attack in October 2024, he broke the community’s trust in WordPress.org. Today, I have little confidence in the stability of WordPress.org, because Mullenweg has shown he can and will take action against competitors, disrupting what were otherwise “neutral” services provided by WordPress.org.

How do I know the reviews on WordPress.org are real, when the owner of WordPress.org has shown they can and will steal a plugin’s listing and all of its associated reviews? Who’s moderating the plugin directory, given the owner of WordPress.org can unilaterally make whatever changes he wants? What’s the plugin rating, if a plugin listing can be stolen and replaced with a completely different plugin?

These are things I worry about, when it comes to trust. These are not things I worried about in August 2024, but Mullenweg has opened the flood gates. FAIR is a response that ensures no one person can disrupt the supply chain of WordPress plugins and themes.

Like Mullenweg, I don’t hear users clamouring for a different place to host plugins, but they are asking for a trusted ecosystem for plugins.[3]

The post-WCEU follow up

After WordCamp Europe, Mullenweg made additional comments on Twitter and LinkedIn about FAIR.

Asking for a cut of revenue

One of the side comments from Mullenweg was regarding FAIR mirrors asking for a cut of revenue. He noted on Twitter:[4]

I wouldn’t be surprised if host FAIR mirrors distributing paid plugins starting asking for a cut of revenue, it’s what they have always wanted and tried several times before by putting paid directories in the admin or hijacking core plugin page.

This is an interesting take. Ryan McCue, a co-chair of the technical steering committee for FAIR, responded to Mullenweg, but let’s consider this a bit more deeply.

Automattic built its business on hosting WordPress and charging people for those services—both WordPress.com and VIP, but also Pressable. Mullenweg, thus, effectively gets a cut of hosting revenue from any of Automattic’s properties. And, because that wasn’t enough, in September 2024, Automattic demanded an 8% cut of WP Engine’s revenue, effectively attempting to charge them to use WordPress.

But FAIR is part of the non-profit Linux Foundation. Infrastructure runs through the Linux Foundation, with support from other organizations. And, it’s not unreasonable to expect large organizations to donate to FAIR, whether in-kind donations like infrastructure or monetary ones that could fund infrastructure. Unlike the WordPress Foundation, donations will go to the stated cause.

Given that, I’m not personally concerned that a future state will exist where a single mirror gains an outsized influence. FAIR can fund its own future, if needed, and ensure that such influence does not result in “tolls” from plugin authors.

Social media shade

Also on Twitter, Mullenweg added some shade directed at FAIR’s federated approach.

Here are WordPress' Plugin Directory Guidelines: developer.wordpress.org/plug… For the good of WordPress, I hope they remain in place. User experience chaos will follow if they fall.

I, too, hope we can maintain consistency within the WordPress plugin ecosystem. Except, wait… Are all plugins subject to these guidelines? No, they are not. Those guidelines only apply to plugins that are hosted on WordPress.org, not plugins on GitHub and not premium plugins, the combination of which numbers in the tens of thousands, and likely well beyond the “over 59,000” the WordPress.org plugin directory notes today.

Has the WordPress ecosystem fallen because thousands of plugins do not adhere to the WordPress.org plugin directory guidelines? Not at all.

Now, I absolutely dream of the day when WordPress has a proper set of human interface guidelines, along with requirements for user security and privacy (among others).[5] The consistency would be phenomenal. But, make no mistake: we don’t have that today.

And also make no mistake about this: Mullenweg violated the WordPress.org Community Code of Conduct, a finding affirmed by the Incident Response Team. That makes him in violation of the very WordPress.org Plugin Directory Guidelines he wants to remain in place, which state:

  1. Developers and their plugins must not do anything illegal, dishonest, or morally offensive.
     
    […]
     
  • Violations of the WordPress.org Community Code of Conduct

Except, because the code of conduct covers WordPress.org, which is Mullenweg’s personal site, there are no ramifications. Mullenweg expects guidelines to remain in place for others, but not for him. The plugin directory guidelines do not apply to him. The code of conduct does not apply to him.

Building on Mullenweg’s tweet, Jesse Friedman, “Head of WP Cloud” at Automattic, posted the following on LinkedIn (among other places):

We have all said to beginners: "make sure you download your plugins at WordPress.org; it's the safest, most secure place to extend WordPress."
 
That single source of truth has been hugely beneficial and crucial to the success of WordPress. I am seriously concerned with how diluting that source of truth will lead to confusion and malicious actors.
 
There's a reason Apple and Android have official app stores and make it very difficult to install unauthorized apps. If your phone came hooked up to dozens of unvetted app stores it'd be complete chaos.

This is a great piece of PR, given how deftly it ignores the facts.

As I outlined earlier in this post, the official WordPress.org plugin directory was subject to a supply chain attack, allowing a third party (Mullenweg) to take over the original developer’s plugin without permission. The point Friedman attempts to make works against him: users can no longer trust the WordPress.org plugin directory, because it’s no longer the safest, most secure place to extend WordPress. Mullenweg broke that trust. We need a new model to reestablish trust, and I think FAIR gives us a great vision for the future.[6]

Mullenweg has also chimed in on Friedman’s LinkedIn thread, responding to comments, without engaging further.

In responding to a commenter’s concerns about link injection from plugins that today live in the WordPress.org plugin directory, Mullenweg notes that it “is going to get radically better with AI scanning and mitigation.” Of course, AI cannot be the saviour when it comes to supply chain attacks instigated by the owner of the site.

Mullenweg also responded to a well-reasoned comment, which noted that, while WordPress.org was a great resource for plugins and themes in the past, the WordPress ecosystem has matured, and multiple sources for plugins and themes exist. FAIR’s specification enables these disparate sources to be combined together, and can be mirrored similar to how Linux repositories have been mirrored for years. The comment also noted that “it’s unreasonable to expect 42% of the internet to update their software solely from the personal website of some guy from Texas.” Instead of responding to the substance, Mullenweg pulled out the Linux comment:

I hope we don't regress to the usability of Linux package management! 😀 I think it's one of the main reasons Linux on the desktop has never taken off. Just because something is technically possible doesn't mean it's better, especially from a user experience point of view. P.S. My personal website is ma.tt, not wordpress.org.

Naturally, WordPress.org is also Mullenweg’s personal website, as he’s attested to in legal filings and shown more practically with his posts on the site.

But, more to the point, “package mirrors” are not why Linux has never succeeded on the desktop. Instead, let me explain what’s going on with Linux on the desktop… Just kidding. You do not deserve a treatise on why Linux will never truly succeed on desktop. Others have written about it at length, and I won’t subject you to more commentary. Package mirroring is absolutely not one of the reasons it hasn’t taken off though.[7]

Mullenweg also responds to a comment with a completely unrelated comment:

Wait to you see hosts start to block plugins from other hosts or that compete with their in-house offerings, which they already do this will just make it more invisible to users. Migration plugins may not even show up.

But, as Mullenweg notes in this very comment, it’s already a problem. Implying, or otherwise asserting, that a project is not viable because issues that exist today might still exist in the future only shows your opposition is not to the project itself, but to any change that dethrones you.

I also enjoyed Mullenweg’s explanation of how WordPress.com’s duplicated plugin directory works:

WP.com (non-simple) uses .org as the source of truth for installs, updates, etc. This is partly so that plugin and theme authors can benefit from the stats from those users. That's also why most plugin authors point to the .org-hosted download even from their own site.

So, the WordPress.com plugin directory is a mirror of WordPress.org? I swear someone was opposed to mirrors of WordPress.org.

Perhaps most interesting is the fact that Mullenweg is engaging in this way in the first place. It’s not often the CEO of a large company—in the midst of court battles, layoffs, product launches, and acquisitions—comes down from their ivory tower to comment on a LinkedIn thread. I have to wonder how communication works in most communities; are there safe spaces for discussion, disagreement, and alignment? Or, do they rely on threads started on disparate social networking platforms to hash through open issues?

Final thoughts

Obviously, I’m biased—I joined FAIR before its launch and have strong thoughts about its success and the overall success of the WordPress ecosystem. I’ve also strongly disagreed with the structure of many things Mullenweg has built, from WordPress.org to the WordPress Foundation. His performance at WCEU did nothing to dissuade my fears—in fact, after months of reflection, he still seems to have no understanding of just how bad his actions have been. That lack of introspection should be concerning to everyone in the community.

But hey, I’m just writing blog posts which, as Mullenweg made clear at WordCamp Europe, isn’t a productive way to channel disagreements. Democratize publishing indeed, as long as you agree with the dictator.


  1. This is my understanding, based on Twitter commentary, but it’s possible Hubbard solely drafted these questions. I think the truth is in the middle: Hubbard likely shaped the questions, coming out of questions from the community whether submitted or as part of the hallway track. ↩︎

  2. Though, I can’t speak to how difficult phased rollouts would be, in particular. This feels like a non-sequitur, in any case. ↩︎

  3. Though, plugin authors have asked for the ability to host their plugin on GitHub and other places. Why should WordPress.org be the only option for plugin hosting? ↩︎

  4. And yes, this grammar is intact with how Mullenweg wrote it. ↩︎

  5. One of my very first contributions to open source was effectively creating a HIG that mirrored Apple’s, but for a very different platform. ↩︎

  6. Never mind other ways this argument breaks down, from how both Apple and Google are facing antitrust issues due to their app stores to how the EU has shown that multiple app stores can work and advantage end users. ↩︎

  7. But, I hear this year is the Year of the Linux Desktop. ↩︎