Hacker News
Did Automattic commit open source theft? (pragmaticengineer.com)
109 points by ValentineC 6 days ago | 65 comments





> Amusingly, in its war against WP Engine, Automattic might have created the single best advertisement for their chief rival. WP Engine now has proof it’s immune to unauthorized plugin takeover.

This is a great point. By weaponizing the fact that Automattic controls the plugin registry against a rival by doing something (at best) dangerously adjacent to a supply chain attack, WP Engine stands out now as uniquely immune to that type of attack.

This whole thing makes me sad, I used to use wordpress back in the 2000s and even had some plugins in the directory at the time. I was rooting for Matt but the more I read about this the more it seems like Automattic isn't the good actor here.


This seems like a pretty damning indictment of Automattic. The WordPress foundation (that they presumably set up) may have rules that give them legal cover for some of the moves they’re making, but it’s going to hurt them in the court of public opinion. I think that matters to developers, who are the people ultimately responsible for choosing whether or not to contribute to / use their product. It’s true that migration cost might prevent churn from these actions right now but stopping the train of logic there seems short sighted. What about all the business that they may have received in the future that they might not get now because they’ve tarnished their brand?

I don't see it catching on that this is a "supply-chain attack" (from the article, but what came to mind when you said that it seems pretty damning). It isn't an attack because it's done deliberately by the owner (yes, owner) of the platform users are downloading from and not some upstream platform. The part of the chain involved is only one level deep. Maybe it's time to stop hyping up the term "software supply chain" because it gives me You Wouldn't Download a Car vibes.

Judged on its merits and not an exaggeration, I predict that the court of public opinion is going to go the same way as the court of law – a light pushback.


The article mentions they made subtle changes that broke websites. One user had 150 broken client sites and had to fix one by one. If that happened to me I’d consider it a supply chain attack

How is this not a supply chain attack? Mattomatic literally took over a plugin that WPE owns/maintains by co-opting its plugin URL/slug. They renamed the plugin but took control over the URL that everyone’s plugin points to for updates. Literal MITM attack.

wordpress.org isn’t an intermediary, they’re the publisher, so they can’t be in the middle, and they can’t be MITM

Now, the owner of a package could do a supply chain attack (with a very short chain which is why I think the concept is overhyped), and it would be a supply chain attack, but it wouldn’t be a man in the middle attack. WordPress took over ownership of it but they haven’t published malicious to it. Back when WP Engine owned it they could have published a malicious update and it would be a supply chain attack but with a very short chain unless the user installed a project that depended on it and caused it to automatically be installed.


Wordpress.org is not the publisher of that plugin - WPE is. Wordpress.org was just hosting it in their plugin directory, which is where just about the entire community goes to for plugins. I’d guess that because of this drama, more plugin publishers will choose to not publish theirs in the directory anymore.

https://www.advancedcustomfields.com


I’ll use npm as an example. When someone not at npm runs npm publish, their npm client sends a request for their package to be published, which to me shows that the person isn’t the publisher because they aren’t requesting for themselves to publish the package. But I see how it might be confusing.

npm is a good analogy to this, but I don’t see how either one would be considered the publisher. Those are indexes/directories/whatever-you-want-to-call-it of packages/WP plugins. Another example would be something like GitHub. If GitHub (Microsoft) decided to take over the repo URL of a rival’s repository, I don’t think there would be any ambiguity about who was in the wrong.

Anywho - I’m not looking to get into an argument with a random internet stranger so have a good one.


Agreed that it's not a MITM but for other reasons: Automattic didn't insert themselves in between two communication nodes. Instead, they replaced one node with themselves. No further communication between the original nodes to in-the-middle intercept.

Isn't it rather a flavor of Impersonation Attack?

And "fraud" is maybe an ok word too?

> wrongful or criminal deception intended to result in financial or personal gain

(says some dictionary)


If npm or Ubuntu would deliberately replace a package with their own implementation, without giving you notice or making this opt-in, would you call that a supply-chain attack? I would, unless the original package contained malicious code (which is not the case with WPE's custom fields plugin)

Ubuntu patches all the time. WordPress could have done exactly the same with patches! Good idea.

Sometimes a patch isn’t enough so there is something like SilverWolf. That’s kinda like ACF/SCF.


That's LibreWolf.

It’s only technically a supply chain attack. Pretty much all they did was apply a security patch and remove the other company’s IP. It doesn’t really attack a user or put anyone at risk, which is what you normally mean with an attack, so it sounds hyperbolic.

That said it is absolutely scummy and dumb, and a sign that Automattic puts its own whims ahead of its clients’ stability. Even if this issue gets settled tomorrow, we now know that Automattic is an irrational actor. Who is going to choose a software platform for new projects where every week a new drama unfolds?


> Automattic is an irrational actor

They're more human than the WP Engines of the world, though.


Indeed. To err is human.

No one wants to talk about what WP Engine does, because Matt is making own-goals twice a week.


I'll talk about what WP Engine does, because I've been following this whole saga and I think they've done nothing wrong. Worse, I'm pissed that some open source folks are defending Matt's position that's basically "well, open source is whatever I say it is".

That is, WP Engine's cardinal sin (according to their detractors) appears to be that they make a ton of money from WordPress but they don't contribute back "sufficiently" to the ecosystem. I believe (as someone who has contributed a bunch to different open source projects) that this is complete and total bullshit. Since when do individual open source creators get to decide "how much" other people/companies need to "give back"? There is a very good reason open source licenses explicitly specify what you can and can't do with code. If you don't like that, you shouldn't be releasing your code as open source. More to the point, even outside of WP Engine's legal obligations (which nobody is really seriously believing they are in violation of, Matt's post-hoc ridiculous claims of trademark infringement notwithstanding), I think the arguments that they were a bad actor in the community were false, too, especially given Matt's actions.

Other open source creators have discovered that the economics of the cloud world means that it's easier for hosting providers to make a lot of money off open source projects than the original creators of that open source software. And while this may suck, many of these other creators handled this situation in a sane, adult manner, e.g. by forking and relicensing their software, or also see the whole nascent "fair source" movement. What they haven't done is decide to hold the whole community hostage because they decide, after the fact, that they're "owed" 8% of another company's revenue.

Seriously, I'd be interested to hear any rational argument about what WP Engine did that was so objectionable. If the best they can come up with is "they don't support infinite versions as the default out of the box", you'll have to excuse me if I don't think that's some sort of cardinal sin.


I see a pattern of open source leaders being judged more harshly than proprietary software leaders. I think it’s because of a feedback loop. It started before the current crop of social media. People saw they could criticize Theo de Raadt more easily than Google because Google had its own weird nerds about a decade before the phenomenon with Elon Musk. These defenders were encouraged by the money and connections of the people they were defending, which is greater than those of the open source leaders.

I’m not saying you’re doing this deliberately but if you look at how long Matt Mullenweg has been leading WordPress, I think that puts the drama into context. People have forgotten a lot of the drama with FAANGs during these two decades and their leaders were never held to account.

What WP Engine has done is be soulless. They got acquired by a private equity firm, which makes them like a FAANG. The ways they’ve acted are more visible to WordPress than they are to us - they undermined the way they operate with other big hosts whose datacenters communicate with their datacenters, and users with their support. Matt explains it pretty well in this video: https://youtu.be/WU3sd1kDFLg?si=Og9QZ4_onwhbwvB3


> I see a pattern of open source leaders being judged more harshly than proprietary software leaders.

I will only speak for myself, but I find this to be baloney. I'm not judging "open source leaders" more harshly - I'm judging a single open source leader, Matt Mullenweg, harshly solely due to his own actions and statements.

You say "What WP Engine has done is be soulless." That's kind of my whole point - I don't give a fuck, at all, that WP Engine is "soulless". First, they're a hosting company, not a church. My fundamental issue with Matt's behavior in the first place is that just because a company is "soulless", i.e. whatever line he has in his head that is the "minimum" a company should have to contribute back because they use open source software he first created, that he gets to do a shakedown, take over what was their largest open source contribution in the first place, and then demand 8% of their revenue.

Frankly, I don't believe any of this moralistic framing in the first place. I think he saw WP Engine as an "unfair" competitor to WordPress.com, and his actions are simply to cripple a business competitor.


> I'm not judging "open source leaders" more harshly

On purpose, no. But it's a question of interest. People seem to have a lot of interest in going after open source tech leaders that they don't have for going after closed source tech leaders, partly because any time they go after closed source tech leaders they have to deal with paid defenders (many who are simply paid by being on the much larger payroll, partly funded by government contracts obtained through bribery).

If you'd have judged a FAANG the same way but don't ever get around to judging them, that amounts to being more harsh with open source leaders.


> People seem to have a lot of interest in going after open source tech leaders

Also, this: Often there's more OSS users (since usually it's free).

If 1% of the users are angry, that could mean many more angry people for a popular OSS project, and comments here at HN, than for some similar proprietary software?


Whatever man. I think this is all completely irrelevant to the current WordPress saga, not to mention that I totally disagree with your 0-evidence hypothesis in the first place that people are somehow more critical of open source leaders. FWIW, there is plenty in my HN comment history lambasting Google's fall from technically-admired leader to "just another big company led by the bean counters".

> They got acquired by a private equity firm, which makes them like a FAANG.

I’ve read this sentence 5 times over and still have no idea what you mean by this? How does a company being acquired by a private equity firm make them like a multinational public company? What does being “like a FAANG” mean to you?

As an aside, Automattic was an investor in WP Engine and sold their shares to that same private equity firm.


Eh, I'm not completely convinced open source leaders are judged more harshly.

Go find people on the street and ask them to name the CEO of WordPress and then ask them to name the CEO of Google. Like the average person doesn't criticize an open source leader because they have no idea who they are.

In any sort of big tech thread there are tons of criticisms about privacy violations, basic functionality, lack of support, etc.

However, more to the thread. If say Amazon yoink'd Apple's store and started selling Amazon Basic Macbooks on it there would be complaints.


> I’m not saying you’re doing this deliberately

No, but by even mentioning that you're rather slyly implying they might be.

And apparently forgetting — or trying to obfuscate — that the one person we know is doing something deliberately here is mr Mullenweg.

> but if you look at how long Matt Mullenweg has been leading WordPress, I think that puts the drama into context.

The relevant context here is what he is doing now.


Regardless of all else I'm hoping we can all agree on:

* The wordpress foundation (and wordpress.org) is not independent enough from Matt & Automattic

* taking over a package in a package registry with automatic updates is really, really bad


> The wordpress foundation (and wordpress.org) is not independent enough from Matt & Automattic

I see people call for this, and I'd like to see that energy used to call for antitrust against Facebook, which grew at the same time as WordPress. https://en.wikipedia.org/wiki/Federal_Trade_Commission_v._Me....

I don't think they meant to express the intention of it being independent when creating a nonprofit. I think they just created a nonprofit because that's what made the most sense of the available options. I think a B Corp is more along the lines of what was intended.


I don't think anyone thinks of Meta or Facebook products as open-source in the same way as WordPress (they have open source projects but none that are as core to their business as WordPress is to Automattic).

Even now it seems like Matt is trying to shroud himself in open-source as a defense. If so the foundation should be more independent.


I don't know if they committed "theft" under criminal law, but I would bet lots of money that Automattic is going to get obliterated by the complaint filed by WP Engine, probably including injunctive relief. Tortious interference in a contract is normally difficult to prove because one of the elements is malice or intent to cause harm, but Matt basically handed WP Engine's lawyers all the ammo they would ever need during his yappy media tour.

I would further bet that Matt's either on drugs or maybe has a brain tumor or some other undiagnosed medical condition. Only an insane person would destroy their entire reputation and life's work like this.


Alternatively, he could have been like this all along and now he’s just striking. It’s in vogue to “re-align” your corporate backed FOSS project to squeeze money out of everything you can. Collateral damage be damned. Enshittification seemingly knows no bounds.

Once the self-sabotage is over perhaps we can dig into the self-dealing.

Under which open source license was ACF originally released? That would help to answer the question.

Forking ACF is not the issue, Automattic is perfectly within their rights to do that. Hijacking the ACF WordPress.org page and having everyone who uses WordPress.org for plugin updates to auto update to the fork is the problem.

> Hijacking the ACF WordPress.org page

is it a hijacking, if they own that page in the first place? The community placed trust on that owner of the page to be impartial, which was shown to be false here of course.

This means that this community page/list should no longer be trusted, and an alternative be sought out.


IANAL, but the only expressly illegal thing that they seem to have done is maintain the "acf" tag, and used the "advanced-custom-fields" URL, which could be trademark violations.

I'm sure there are other laws that are relevant here related to deception and misuse of the subscription to the plugin updates by the 2 million users involved.

Legal issues aside, this is an extreme erosion in trust for any user of the WordPress.org platform. They can no longer have confidence that their commercial (or non-commercial) plugin won't be chopped up and have its users stolen at any moment.


> Legal issues aside, this is an extreme erosion in trust for any user of the WordPress.org platform. They can no longer have confidence that their commercial (or non-commercial) plugin won't be chopped up and have its users stolen at any moment.

Not just the plug-in creators, but those (“stolen”) plug-in users, too. There is an example in TFA, the guy who had to update many (150, IIRC?) of his customers’ sites after the plug-in was switched out from under him.


I don't remember this scene in The Force Awakens

Standard HN jargon, "The Fff...ine Article".

> is it a hijacking, if they own that page in the first place? The community placed trust on that owner of the page to be impartial

I would say yes, it is hijacking. It is very very similar to any MITM attack ever, like anyone in the looong chain of trust deciding that they will do something with the trust they have. Like, can your ISP redirect google.com to their own google.com? They surely can, and it probably wouldn't even break their contract with you. It would be a trademark infringement, probably GDPR violation, but not much else.

Since WordPress.org acts as a traditional package repository, they can: serve you the package, or don't serve you the package for various reasons. Everything else is hijacking or worse, especially if the intent is just to turn you their user, and the result is to break your website. Even if you don't have a contract with them that they will serve WP Engine's unmodified plugin to you.


GPL. All WordPress code is GPL and plug-ins need to call WP APIs to register themselves with the CMS.

[flagged]


No, not as far as I can see.

In order to make your claim plausible, you'd have to

1) Tell us exactly what “sins” those are; and

2) Above all, explain WTF they have to do with this.


This debate is extremely dumb, and everybody gish gallops and implies something terrible when they try to explain what Automattic is doing wrong, because they can't figure it out. So they instead give reasons why they insist it will be bad for his business (isn't that his business?) and pretend like that's him "technically" not doing anything tortious. It's not technical, the lawsuit from WPE is there to read. It's silly, and if it's not thrown out it will be because the judge needs time to understand the complexities of the license (and the promise that "Wordpress" will be turned over to the community after Automattic, who has an exclusive license to the trademark, shuts down.)

Using the reasons that you think this is a bad business decision as proxy reasons why he's wronged everyone making a living from his work is a veiled threat. Don't threaten to leave, just leave.

Maybe the problem is this haunting by the "Spirit of Open Source" where people insist that they have all of these rights that aren't in the license. Wordpress is not open source. It is Free Software. You already own it. Fork it if you want. If WPEngine is already doing almost as much business as Wordpress.com, they can handle everything themselves. If people love WPEngine more, they can leave. Don't whine when the value proposition for WPEngine changes after they have to take care of everything themselves, and they start violating the Spirit of Open Source until their bottom line looks better again.

I'm swearing an oath to violate the Spirit of Open Source wherever I see a hint of it, I'm just sticking to the licenses. The Spirit of Open Source somehow makes already wealthy people feel entitled to everything in the world. Free Software is important to me, and the people who make it should be as aggressive as will financially benefit them, as long as they abide by the letter of the GPL. The software is what's important, not that your half-billion dollar business is built on top of somebody else's half-billion dollar business. That's a you-problem.

Also, this is just straight up abuser behavior towards this guy. He doesn't do what you want with what is his, so you degrade him and accuse him of stealing his own property. It's hard to watch.

I'm going to stop commenting on these threads, but this mobbing is ridiculous. I hope he's emotionally stable; but a lot of tech CEOs aren't, and his awkward reactions to the pitchforks don't give me confidence. If you're compulsively reading all of these threads, stop now. Stay strong and know that 95% of this is coming from people who are directly connected to this financially and just don't want to be inconvenienced.


The "spirit of open source" or whatever implicit terms come with the piece of free software was that Matt/Automattic are good stewards of the software, especially in regards to it being hardcoded to use to wp.org. It's incredibly silly to throw that goodwill away when you're load-bearing for almost half the web. These actions will create forks with different stewards and at worst fragment the codebase.

> This debate is extremely dumb,

Well, yes... At least some contributions to it certainly are.

> and everybody gish gallops and implies something terrible when they try to explain what Automattic is doing wrong, because they can't figure it out

Funny, I thought I'd seen several perfectly cogent explanations of exactly what mr Mullenweg and Automattic is doing wrong, both here in this thread and in TFA.

The only thing that looks remotely like a Gish Gallop to me is your post. (And perhaps those of benatkins.)


maybe they made a commit to some open source that they stole in broad daylight.

The title made me wonder where they would go with this,

then it starts with "Imagine Apple decided Spotify was a big enough business threat that it had to take unfair measures to limit Spotify’s growth on the App Store."

Um, okay - apple's store is not open, and spotify is not open source - so the article is over in its first line..

but let's go further

Lock Spotify out of its developer ecosystem - sharecropping on someone else's land has risks - good thing about when a plugin or theme gets kicked out of wordpress.org's system is that WP users can "sideload" from anywhere with any sort of 'jailbreaking', you don't even need to click/tap 'it's okay to load from outside sources' (point 1 from the story)

point 3 - this is completely false - see https://wordpress.org/news/ - and everyone got to see news about this in the wp-admin dashboard (I think I recall from more than one source)

the other 4 points are eye-roll worthy from me, again see point one.

This is not the first time a similar thing has happened with the wordpress plugin or theme directory.

The rest of this post is clearly very one sided and includes other falsehoods such as "The response was universally negative:"

Growing tired of the article, I scroll and I see a headline "Is WP Engine the only enterprise-ready WordPress hosting provider left"

are you kidding me?

Disagree with the entire piece.

and a return how about "Imagine Apple decided Spotify was a big enough business"... that they could easily afford to pay 30% of the proceeds they make from an app that lives in their ecosystem so that Apple can continue to develop, secure and grow

- so that the app could enjoy those benefits and all can grow.. and if they didn't pay up, they get kicked out of the Apple store, I mean that would be outrageous!

And you could re-write the article replacing Automattic with apple.. oh wait.


> then it starts with "Imagine Apple decided Spotify was a big enough business threat that it had to take unfair measures to limit Spotify’s growth on the App Store."

> Um, okay - apple's store is not open, and spotify is not open source - so the article is over in its first line..

Exactly. "Imagine that Apple wrote a GPL streaming music app, and Spotify was a redistributor of that app with almost no changes, but also used some of their own infrastructure to serve part of the backend of their fork. Now imagine that the reseller started doing nearly as much business as Apple with the app, but barely contributed any code. Apple asks Spotify to contribute more, Spotify replies 'lol.' Then, Apple tells Spotify that they can't call their fork 'Apple Music' anymore, and bans the Spotify fork from relying on Apple's infra for what Spotify doesn't find profitable to do."


> Um, okay - apple's store is not open, and spotify is not open source - so the article is over in its first line..

Only for people (wilfully?) blind to the screamingly obvious parallel.


As mentioned later in the comment, the real parallel to consider is that this whole thing (I believe, am I wrong?) started with:

Matt/Wordpress asking for (sizable) donation from wp-engine, and them refusing (maybe they offered an amount but balked at what was being suggested?)

and then they got kicked out of the 'wordpress store' (.org directory and access to it)

my limited understanding is that Apple demands you pay 30% of what you make from your apps, regardless.. and I think fortnite and a couple others have balked at that and got kicked out..

my DDG first result suggests Matt asked for 8% of wp-engine revenues..

and given that automattic/wp does WAY more for enhancing and securing the actual thing that their users use, compared to what Apple does for fortnites code..

seems that the parallel the author attempts to draw with Apple and its store is hilarious- it actually shows that Matt is asking for less and providing more to wp-engine.. way more.


The amount is not the parallel they're drawing. That's what makes your insistence on only seeing that so, to borrow a word, hilarious.

I don't see the amount as being the issue they pointed out, the parallel as far as I read it, is that it would be horrible if Apple kicked out an app for not paying them money.

And the piece leaves out that indeed Apple does kick out apps for not paying money, AND if one was to consider the amounts it makes the ask from Automattic seem even less of an issue comparatively, AND if one was to consider the amount of stuff Automattic does that enhances the product it's even more puzzling that it's left out or not considered.

This is without getting into open source and all sorts of other things that make the parallel hilariously bad.


> I don't see the amount as being the issue they pointed out, the parallel as far as I read it, is that it would be horrible if Apple kicked out an app for not paying them money.

Nope, still missing it. In the G(GGG...)P's parallel, Apple didn't "kick out" the app, only the creator. Just like Automattic / WP.org (is there really any difference, or has that only been an illusion?) didn't "kick out" the plug-in, but WP Engine, the company.

The issue they pointed out was that Automattic (via WP.org?) hijacked the plug-in's user base. They basically stole the plug-in from the creator -- like if Spotify on the App Store was now, as far as users are concerned, an Apple app.

Do you finally get it now? (Please, please do.)


okay - not apple banning the app, but banning the company - well yes they have done that - DDG -> Apple Explains Why It Terminated Epic's Latest Developer Account

and that being about not getting their proper cut of Epic's revenues

Now if the piece was to solely focus on the 'taking the plugin' / their user base..

Many plugins have been kicked out over the years, and it's been publicly understood and discussed that given the GPL licensing, literally anyone can 'steal' a plugin and re-upload it to the wp repo..

They did not steal the user base - as anyone with the premium plugin has their email address (and their site urls) in the ACF system.

In this unusual case, ACF is so embedded in so many WP things that they could not just shut it off like they have with others (still missing / miffed about wp-spamshield getting a similar treatment btw) - it needed to be replaced if removed.

as a semi-tangent - I was really miffed when wp-engine took over ACF, I wish that had been disallowed somehow - it felt like a consolidation of power that could be abused, and today we see that playing out as a difficult thing.

Luckily WP core has been rolling out an ACF like things in base / Gutenberg the past few months - so it's likely that adoption will continue and sadly those of us with old legacy ACF modded themes will be seen as less and less important.

It's probably a good thing in the long term, it is a little messy right now though.

To your point, this would not be the first time apple or google or samsung released their own thing that a developer previously had a super popular version of, and it won't be the last year such things happen.

another tangent - I wish google would make a better 'missed call / text / reminder app' - not that I want the developers of the other ones kicked out, but the community could expect better than what exists.

anyhow, things continue to evolve and no one has an ownership of any platform they don't own, stark reminder.


Are you still refusing to see the obvious parallel, or have you shifted the goalposts to some totally other subject by now?

I mean, you know, I could of course read your wall of text to find out... But why should I bother? Neither alternative would be you discussing in good faith, AFAICS.

Dammit, I looked at it! And what immediately leapt out was of course

> To your point, this would not be the first time apple or google or samsung released their own thing that a developer previously had a super popular version of, and it won't be the last year such things happen.

Yeah, except this isn't Automattic's "own thing". It's WP Engine's plug-in, lock, stock, and barrel.

Have you always been such a shill, or is it only in this case?

Ah, you know what? Don't even bother to answer.

Have a good life.


I assure you I am not a shill, in fact I have been so critical of some of what Automattic has chosen to do over the years, that I single-handedly got the moderation policy of wp-tavern to be created. (true story)

This does not make sense to me here, you wrote:

-------

> To your point, this would not be the first time apple or google or samsung released their own thing that a developer previously had a super popular version of, and it won't be the last year such things happen.

Yeah, except this isn't Automattic's "own thing". It's WP Engine's plug-in, lock, stock, and barrel.

-------

my comment specifically stated that it was not the first time a developer had something and then an app store made another version of it so what you are saying is not making sense.

I'm well aware ACF was not Automattic's, my comment clearly mentioned I was shocked and salty when wp-Engine acquired it.

(I am and have been an ACF pro license holder since before it was bought by wp-engine)

I use ACF on a half dozen sites.

But just so the world knows, and this was made blazingly clear many moons ago in the open source and WordPress community back in the day of the heated exit of wpmu-dev and their plugins..

no one owns all the GPL stuff, and no one owns a slot in the Wordpress.org's servers, plugins directory or themes directory.

All sorts of plugins and themes and developers have been kicked out over the years, some rightfully so, some questionable.. either way, you don't own the directory, you can take your code, their code, and host it anywhere you want.

A lesson I hope many others aside from wp-engine are (re-?)learning at the moment.


It's worth pointing out that even Apple (whom the author uses as an example to illustrate the point) has engaged in similar behavior. Not quite as bad, i.e. they didn't take over an app, but they have suddenly blocked apps from updating when the app had similar functionality to one they released.

Throwing someone out from a marketplace is .. quite common. They (marketplace owners/publishers) don't need much reasoning for it, and I'm sure they did it many times bc they've perceived one of their clients dangerous to them, or wanted to take over their businesses.

But silently redirecting the users to yourself is practically unheard of, and it is indeed a red line.


That is not as bad, taking the url, auto-updates, reviews, etc. makes it so much worse. Apple might be anticompetitive, but replacing the app via auto updates is really bad.

This is a trademark dispute. WP-Engine uses the trademark, and made a tactical decision not to license it. Their thought was better to ask for forgiveness later than pay up front. Protecting your trademark is critical for an organization governing an open source product. Just look at Docker to see what happens when you lose control of your trademark. Last I checked, most owners aggressively protect their trademark. It's one of the few IP protections open source companies have. Why are you all defending the freeloading open source strip miner? Is WP Engine's use of the trademark fair use? Something tells me that they will end up settling this out of court...

Bollocks and hallucinatory nonsense. The trademark page had made it abundantly clear that use of "WP" was not protected by trademark and only made it an issue ex-post-facto when Matt decided one day that he didn't like the competition. The trademark claims are bollocks, nonsense, bogus — entirely without merit.

If you don't like your open source work being used by others to do for-profit things then don't license it as GPL or don't open source it to begin with. You can't retroactively come out and complain after the fact once you've already given all your IP away and made it abundantly clear that "WP" isn't a trademark, and BY THE WAY the jurisprudence on trademark law makes it difficult to even try to claim a trademark or servicemark from two letters put together!


We will see. You can say it's bollocks, but I'm betting you are not an IP lawyer. Silverlake, the PE firm that acquired WP-Engine has a gaggle of IP lawyers that assessed the risk before the investment. Were they right or wrong? Like any sporting event, everyone has a strong opinion before the game. But it's only the final score that matters. I'm wishing Automattic the best of luck.

Even if you agree with the trademark claim (I have no idea one way or the other), the way that Automattic is acting is wrong, pure and simple.

No one ever won a lawsuit by putting forward a tepid case. They will position for maximum damage as a bargaining position, just like any of you would.

Are you talking about Automattic? I'm not talking about the lawsuit, I'm talking about the things surrounding. Especially the checkbox when logging into Wordpress.org in which you must proclaim you aren't affiliated with WPEngine.

That is simply terrible behavior, one that impacts users, not just WPEngine. I personally will never use Wordpress again because of this.


If we want to read mr Mullenweg’s unfiltered (and undigested...) thoughts on the matter we can easily find them directly from him.

If you want to contribute your own take to the discussion, you'd have to... You know, develop a take of your own; not just regurgitate his.



