It gets so much worse. Today, my sales guy was trying to register for WordCamp, a conference that we have been attending for years as an essential place to meet customers. And then he encountered the registration form for a WordPress.org login, which neatly specifies that you affirm you have no “affiliation with WP Engine, whether financial or otherwise.” [1]
Of course, my company does have an affiliation with WP Engine. We use their service to host our website. Therefore, nobody on my team can register for a WordPress.org account.
I wrote an open letter to Matt Mullenweg complaining about the requirement and stating that I believe it violates the Sherman Act and Section 3 of the Clayton Act by being an overly broad prohibition that is clearly anti-competitive and has no clear business justification (aside from limiting competition).
Matt and the rest of the people backing Automattic should take note: Moves like this that destroy your community will eventually usher in a replacement. WordPress is pretty neat, but it only got that way because thousands of people put millions of hours into building add-ons and hosting services to make it blossom into what it is today. If their efforts are redirected in another direction, WordPress will wither away to nothing in a few years.
> Of course, my company does have an affiliation with WP Engine. We use their service to host our website
Does no one understand what "affiliation" means anymore? Just because I bought something from Amazon doesn't mean I'm now affiliated with Amazon. "Affiliation" (usually) means something like a formal association, partnership, or close connection, not that you're just a customer.
Besides that, dump Wordpress regardless, clearly they've lost focus from the actual users and Matt seems to be fighting some war others can't even see the reason for.
The language is intentionally vague, and leaves the determination on the person who has to check the box.
I have a competing product and shouldn't get too far in the weeds on what I truly think here, but the predominant feeling across people that have to interact with this is that it's done on purpose.
It's not so much that people don't understand what the word "affiliation" means, it's that you'd have to be completely certain that a lawyer, hired from what is clearly a litigious org, would have the same understanding.
This isn't a legal document from the federal government. There's no perjury risk. Just click the box and get what you need. What, is Matt paying for deep background checks on everyone that does check that box? It's one of the most ridiculous checkboxes on the interwebs
You’re thinking about this from the perspective of good faith. I think the people who are worried are looking at it from the perspective of no longer being comfortable saying something is too absurd to happen.
For example, say your company ends up on Matt’s legal radar and he trawls the logs looking for accesses from your IPs and says you violated CFAA – even if you’re totally comfortable that you’d prevail in court, that could be an expensive process and discovery might turn up things you’d prefer not to be public. In situations like that it’s easier simply not to risk dealing with him since people who are focused on vengeance will often waste resources on pointless activity just to prove a point.
maybe it's just me that always has that "under penalty of perjury" sarcastically running in my inner voice whenever I see these types of ridiculous EULA type of things.
Somebody should really force the issue to "have standing" to fight the ridiculousness. I'm shocked WP Engine hasn't already
Companies are absolutely allowed to arbitrarily ban certain people or groups of people from using their services, and if you sign a contract attesting to you being allowed to use the service, you can absolutely be found guilty and/or liable of breach of contract.
Some courts have interpreted the definition of "unauthorized access" in the CFAA pretty broadly. That checkbox about WP Engine is arguably an "access control mechanism" since you can't access the site without checking it. Maybe it's a stretch but it's not that much of a stretch.
IANAL either but I was under the impression that changed with the Van Buren v United States Supreme Court case [1]. If you register and accept a EULA, it’s no longer “unauthorized” access, regardless of whether you exceed EULA limits, as long as you’re using the authorized interface (as opposed to trying to get access to the servers via SSH or some other side channel). It’s not the criminal courts’ job to enforce access limits.
IANAL, not from the US either. But if you register, you are signing a legally-binding licence agreement. Doesn't lying or giving false information nullify this contract?
For example, if you register on wordpress.org while claiming you have no affiliation with WPE, but you did have any sort of affiliation, they could consider the contract null/void, and claim the access was unauthorised because the contract wasn't valid.
The contract can be null and void but if you can still login, it’s not unauthorized access. The burden is on the company to pursue breach of contract. That’s my reading of the decision but again, IANAL.
It is not illegal to breach a contract. You can be held liable for damages but there is no criminal penalty and some judges think breaching contracts can be good (so-called efficient breach).
I saw this exchange too and was shocked - it is Matt who has chosen to add this checkbox and chose the wording of the question - if he cannot explain who should or should not check it, or what he means by his own words, how can anyone?
His responses to perfectly sensible questions about this ridiculous box have been awful.
Agreed, and I think this isn't really about whether he personally knows legal jargon, but about whether he had a clear idea WTF he wanted before making brash demands and threats.
(Or, much less charitably, the intentional use of vague language in bad faith.)
That analogy is backwards: You'd be the one asking your employer to clarify the terms they chose and wrote themselves which they are trying to press upon you.
It's totally reasonable to ask the party introducing "shall not associate with" into a contract exactly WTF "associating" is supposed to cover.
> You'd be the one asking your employer to clarify the terms they chose and wrote themselves which they are trying to press upon you
I’ve made edits to employment agreements. It would be totally inappropriate for the other side to demand legal advice from me. It would be polite for me to clarify. But I’m under no obligation to.
It sounds like there's some confusion here between "hard legal obligation to give non-binding external advice" versus "moral and practical obligation to fix the binding wording if they are actually interested in mutual agreement and understanding."
I suspect most people asking Mr. Mullenweg "what do you mean by X" are doing so with a subtext or next-step of "now go fix the text to correctly capture what you really meant."
I’m reading “he shouldn't get to ask” [1] as distinct from he shouldn’t ask in a hard legal sense.
> with a subtext or next-step of "now go fix the text to correctly capture what you really meant"
That’s unreasonable. An e-mailed clarification is a reasonable ask. (Adding a clarification is nice. But not a reasonable expectation. Especially from a proven nutjob.)
If you add vague additions in your amendments and then refuse to clarify when asked about your intentions, potential employers might just decide it's not worth the risk. Same here.
If they can't explain the basic intent of the agreement in the first place, I'd be awfully hesitant to sign.
Matt was just asked if the spirit of the checkbox was to keep out customers and wouldn't answer. That's not really the same as asking him for legal advice.
Right. And these words can have bizarre meaning in legal terms. For instance, in Illinois law the word "shall" does not mean something is mandatory. Most of the time it should be read as simply "may".
> Does no one understand what "affiliation" means anymore?
I have neither a WordPress.com account (I mean, that I know of, anyway) nor an affiliation with WP Engine. However, can we back up for a minute? If a website is asking me to make an assertion that may have legal consequences, it should absolutely be spelling out the intention and meaning of the language it uses. If you ask me what "affiliation" means, I'll give you my best answer as to what I understand it means. If you ask me to sign a document that says I do or do not have affiliation with some entity, I will tell you to clarify what an affiliation is and refuse to sign without it.
If you buy something from Amazon you've made a one-time exchange.
If you use WP Engine, you have an ongoing agreement with them to provide and support a service on which your business depends. A reasonable and literate person could construe that to be an affiliation.
"Not necessarily" can apply to almost any use of language, but I feel like this kind of thing can commonly be interpreted as non-affiliated. In an analogous case, if you work for an organization that performs public elections, at least in my country, you can't be affiliated with a party, but your personal business (voting for them) isn't included. Being publicly connected with or being compensated by another entity would seem to me to present an arguable affiliation
> Being publicly connected with or being compensated by another entity would seem to me to present an arguable affiliation
It looks like it's a legitimate legal issue [1][2].
TL;DR It may make sense to explicitly clarify when you're using the term 'affiliate' as it is defined in 17 CFR § 230.601 / Rule 144 [3] versus "affiliate, including but not limited to []," or whatever.
The language is, as described, intentionally vague and people with varying degrees of “affiliation” have been hit by the consequences.
Matt also refuses to provide any elaboration on intent and instead says “you should talk to a lawyer”.
This has the chilling effect he is looking for. No-one is “talking to a lawyer” to create or use a Wordpress.org account. Anyone who has sniffed the same air as WPE knows the intent.
Isn't that what lawyers end up doing, arguing which definition of the word applies? And since (as far as I can surmise) elonmusk.php hasn't clarified what that word means in his checkbox, won't it be safer to be cautious?
The problem is that Matt/WordPress is not using the standard definition of affiliation. On social media, Matt suggested that being a customer or service provider to WP Engine was an "affiliation" for purposes of that checkbox.
Boilerplate is good but definitions are best, even with boilerplate words that have boilerplate definitions. Incorporating those definitions into the document at the time of execution benefits all parties. Again: minimize ambiguity, anticipate what will make dispute resolution easier.
Source: have worked through a lot of contracts, license agreements, labor agreements, and disputes over the same.
What if I being a customer "help" this company translating a part of the software? I am more than a customer then? should or shouldn't suggest features? how charm may I interact with support so I can still be a customer and not something more? Can I wear T-shirts of this company?
The fact he is using Wordpress.org would seem to be a clear violation of its 501(c)(3) IRS status. If someone has not filed a complaint by now with the IRS perhaps they should. The C3 must be very careful in sharing staff with the for profit entity, and it must be very careful in how they interact.
Wordpress.org is not part of the 501(c)(3). They tried, but the IRS turned them down. It's Matt's personal toy (staffed by people from Automattic), as far as anyone knows.
> Wordpress.org is not part of the 501(c)(3). They tried, but the IRS turned them down.
My interpretation of their story [1] is that holding the WordPress trademark wasn't enough for 501(c)(3) status, so they had to do something educational like promoting free software.
They transferred the trademark once they received 501(c)(3) status, and could have transferred the operation of dot org too if they wanted.
I believe the consensus among the moderate community is that Matt continues to hold onto dot org for "control", just like how the Foundation's board mostly comprises Matt's friends, and never had actual external community involvement.
I am not sure what you are saying. The assignment of the WordPress trademark to the Foundation was on the same day it was licensed back to Automattic and Matt for WordPress (commercial usage) and wordpress.org
Matt tried to put Wordpress.org as a 501(c)(3) but they ran into problems, e.g. it was a lead gen for paid plug-ins that Automattic owned. So Matt has used his and Automattic resources for wordpress.org for a long time. You can read more about this in the WPEngine suit (page 12). [1]
Let's put the trademark transfer and subsequent relicensing part aside, because I think we agree on that.
> Matt tried to put Wordpress.org as a 501(c)(3) but they ran into problems, e.g. it was a lead gen for paid plug-ins that Automattic owned. So Matt has used his and Automattic resources for wordpress.org for a long time. You can read more about this in the WPEngine suit (page 12).
Where in the lawsuit does it mention that "they ran into problems" transferring operation of dot org to the 501(c)(3)? All I see on page 12 is:
> Until recently, Defendants had given the WordPress community the impression that wordpress.org—the repository for the WordPress software and plugins—was owned and controlled by the WordPress Foundation.
Edit: I found it from a link in a different comment:
There is some more discussion here. [1]
I have no reason to doubt him...wordpress.org does support significant commercial activity, and even if it did go through, would likely require much more conflict/recusal issues. Not surprising he decided to pay taxes on an entity that probably runs at a loss anyway!
Which is another signal that Matt isn’t serious about the Wordpress Foundation. The correct move would have been to form a for profit subsidiary owned by the foundation to run Wordpress.org since it’s an unrelated business activity.
It’s a well trodden path used by tons of nonprofits like the Smithsonian, Mozilla, OpenAI, etc. when they need to operate something that the IRS won’t grant tax exemption.
> The correct move would have been to form a for profit subsidiary owned by the foundation to run Wordpress.org since it’s an unrelated business activity.
They formed WordPress Community Services PBC, which now runs the "official community" WordCamps, so sponsors didn't have to restrict their messaging:
Are you saying their governance is worse than Wordpress.org amid this giant fiasco?
Mozilla Corporation is the one receiving the hundreds of millions of dollars from Google that funds almost all the development of the Firefox browser. Without it, Mozilla would be a tiny fraction of what it is now and FF would be dead in the water.
This is entirely orthogonal from the community. It's an IRS requirement.
> Mozilla Corporation is the one receiving the hundreds of millions of dollars from Google that funds almost all the development of the Firefox browser. Without it, Mozilla would be a tiny fraction of what it is now
How do you know? I mean sure if the Mozilla Foundation wouldn't have bothered with any alternative fundraising opportunities, but that's not exactly a realistic alternative reality, is it?
> and FF would be dead in the water.
FF is dead in the water. Its market share is small enough that devs don't care about it anymore and it doesn't really provide any real advantages to users unless you really care about telemetry data going to Mozilla instead of Google. Mozilla has done pretty much all it can to kill any kind of differentiation while refusing to innovate at all.
The Foundation gives its subsidiary money, just like any other parent company can.
Whether or not Wordpress.org makes money is irrelevant to its for/non profit status. It’s a legal technicality due to IRS tax exemption rules for unrelated business activities. They have to put those operations into a separate subsidiary, even if it never makes any profit.
If the nonprofit can’t afford to run Wordpress.org then the whole nonprofit was a farce anyway.
Unfortunately, anecdotally, there's a lot of group thinking in WordPress. It's one of the reasons "The WordPress way" is able to run counter to industry best practices. Most people don't know any better, and the handful who do don't speak up. It's a textbook case of toxic kindness.
Given the collective actions / behaviors / culture, I've been saying this for close to 10 years:
The other day I was thinking how communities around a programming language or software framework sometimes become toxic subcultures, where its members dogfood the product too much to the point where they can't think outside the box. I guess corporations take advantage of this mechanism of brainwash feedback loop to foster loyal employees who believe in the mission, who can speak the lingo and think in the given conceptual framework, no matter how arbitrary or wrong.
It also leads to "big fish in a small pond" syndrome, where people in the inner circle start to think highly of themselves, to look down on the "newbies" and users. They value their expertise in this niche without realizing its relative poverty and low quality in the larger context. It's a mix of arrogance and ignorance that insulates their ego.
I hope the collective disillusionment that WordPress is going through will be healthy for the ecosystem in the long run. Let a hundred forks and alternatives bloom!
The part which did it in for me was learning that Matt personally owns Wordpress.org. It's not the Foundation. It's not Automattic. It's Matt, personally.
Does merely hosting a website on WP Engine constitute an affiliation? I wouldn’t consider myself affiliated with Apple, Microsoft, or Volkswagen, just because I use their products and services.
The author (and myself, coincidentally) used to work at WP Engine. I still have friends there, I could still describe their infrastructure if I had to. How am I not to interpret myself as "affiliated?"
> I wrote an open letter to Matt Mullenweg complaining about the requirement and stating that I believe it violates the Sherman Act and Section 3 of the Clayton Act
Send a copy to your state AG [1]. Copy your governor’s office [2] and state representatives if you have the time.
That’s not what affiliation means. This checkbox is similar to T&C that “prevent” competitors from signing up. It’s more about having grounds to bring up WPEngine’s behavior in court if they check the box. It’s understandable you did not realize this, though, and perhaps that chilling effect was intended.
"is pretty neat, but it only got that way because thousands of people put millions of hours into building add-ons and hosting services to make it blossom into what it is today."
Insert Twitter, Reddit, Digg, MySpace, etc... at the beginning of that quote. The people who own the social networks rarely give a shit about the users once they hit critical mass. And the owners will eventually burn it down or enshitify it beyond recognition.
You believe that. I believe that. I'm sure my lawyer believes that. I'm sure Matt's does, too. I'd prefer not to have to convince a judge or jury to see it our way. If I were in the author's shoes, I don't know if I'd expose my company to that much of a legal risk with someone who's been acting "interestingly" recently.
I'm not involved in any of this except as a spectator. I don't even use Wordpress. Just saying, I could see why someone might not want to split legal hairs with their leadership right now, even where it's very likely you'd win such an argument in court.
I wouldn't be so sure. He seems to have gone off the deep end. I know folks, including some successful ones, who legitimately believe that anything that commercially hurts them is illegal, and when a judge sides against them, it's due to bias and not the law.
(I don't know if this type of auto-victimisation has a name. You see it parodied by South Park in "The Worldwide Privacy Tour." And, less hilariously, by public figures complaining about their free speech on talk shows and at press conferences they called.)
>I know folks, including some successful ones, who legitimately believe that anything that commercially hurts them is illegal, and when a judge sides against them, it's due to bias and not the law.
Sounds exactly like one of the candidates running for POTUS!
All I know about the recent Matt and WordPress kerfuffle is what I've read here on HN. Based solely on what I've seen of his own comments here on these stories, I think you're right. What I meant in that sentence was "Matt's lawyers do, too", even if Matt might not think so.
One time a friend of mine was showing me a bunch of fancy camera gear he'd bought for his wife's ghost hunting business. I pulled him aside and asked him if he really believed in the spirits and apparitions she talked about. He replied, "oh, for tax purposes I completely believe this bullshit."
By analogy, even if Matt's lawyers privately agreed that a lawsuit over the meaning of "affiliation" is silly and doomed to lose, I can imagine them replying "oh, for billable hours I completely believe it."
The red flag I keep an eye out for is redemptive rejection: treating rejection of one's arguments, whether by a person or the evidence, as evidence for it.
Most commonly this comes in the form of false victimhood, e.g. look at how hard they are trying to shut me down. Other times it manifests like this. The problem is it's a logical attractor; whatever belief it first attaches to, it monotonically increases faith in.
As a JS/React dev, I had to do some WP work a few years back and the whole experience left a bad taste in my mouth. I found WP itself to be nice to work with but the ecosystem around it is just jarring.
In the JS ecosystem if you have an issue then you usually go look it up and someone either recommends a fix or a NPM package to get around the issue you are having. With WP when you tried to figure out an issue it was always endless blogspam with an upsell to a plugin or consulting services in the end.
I remember reading so many articles on really basic topics where the author would dance around the solution before finally going "well if you want the real answer, please hire my WP consulting firm and we can take a look".
And with plugins I found it very hard to find anything open source or free. Every plugin, no matter how small, always seemed to have its core features locked behind a "premium" version. Now I get it, plugins take time to develop and people want to be paid for their work but it was just really jarring to go from a community where folks contribute to developing the best solution for something together versus everyone hacking it on their own because they wanted to sell a plugin.
I also only recently learned how much money is flowing in the WordPress "community".
You ran into all these commercial plugins and consulting services, because that's what most of the WordPress community is. People having their own company, hosting or maintaining sites for others and on the side developing commercial plugins.
To me this begs the question, whether making everything open source and available for free in your own free time or while working at some big corp as is the standard in the JavaScript world, is really the better alternative?
At least the WordPress community has found a way to sustain themselves, provide services to tens of thousands of small to big businesses, while the JavaScript community seems to be mostly dependent on big tech to keep the lights on for most services.
That's a good point, but there's probably a bit of nuance in there considering NPM serves a solution space to the entire spectrum of developers using a technology, and Wordpress to users in need of web content management features.
If you wanted to modify some plugins and host the source in GitHub, for example, you were essentially writing your own plugins that modify other plugins to be able to do that.
Former webdev, so don’t really understand the industry too well, but my sense is that Wordpress is the lowest hanging fruit if you need customer facing CMS, or e-commerce, or any number of other plug and play features.
Hugo might be easier as long as there’s no customer facing CMS, but as soon as you introduce that back into the mix it’s significantly worse. I heard of one shop using CraftCMS successfully but they weren’t really super content forward.
Thus, to cover the spectrum of needs, it just makes sense to have a Wordpress stack - one team of developers, one team of technologies.
Hugo is great, but I haven’t used it a ton. For a lone wolf dev maintaining a personal site, probably the way to go. I built some sites with Gatsby and having to do Node updates was actually way worse than Wordpress updates, and required a much higher skill level to accomplish.
With most static hosting services you can simply deploy a folder named /functions alongside your static files and that's pretty much all you need to run server-side JS.
Sure, but you don’t really have read/write capability. As an example, I set up an e-commerce store on Gatsby using server side JS, but I was reliant on the hosted Stripe product CMS API, which ultimately wasn’t a great user or development experience
“Extremely minor server-side functionality thing” is where SSGs fail miserably. All of a sudden you’re using SaaS forms or whatever else, or you’re self hosting some other tremendously inferior CMS and your margins go out the window.
Wordpress killer that accomplishes these things you mentioned would interest me. Statamic looks interesting in this context but it wasn’t super well formed 4 years ago when I dug deep into this ecosystem
20 years ago, CGI covered this use case pretty well. I wonder if anyone has tried to make a modern equivalent.
Maybe something along the line of a Cloudflare Worker (but using the open source stack) or possibly something minimal and flexible based on WASM or JS that could be invoked from different servers could work.
CGI / PHP is really not a bad way to work in 2024, even though I was traumatized by PHP in my early days. I’ve only experimented with it though, I think it would be hard to maintain at scale, and I’ve heard there are not insignificant security concerns. It’s a lot easier to hire somebody to maintain a Wordpress install than it is to mess with Apache or PHP.
When I figured out that Wordpress literally is executing every piece of PHP every time the site loads it was kind of a “woah” moment for me
A problem with Wordpress and with most CGI setups is that there is no privilege separation between the script and anything else on the site. It would be nice to let individual pieces of server side script be deployed such that they can only access their own resources.
I don’t think Cloudflare workers, as deployed by Cloudflare, really tick that box either. Some of the university “scripts” systems, with CGI backed by AFS, came kind of close.
> I don’t think Cloudflare workers, as deployed by Cloudflare, really tick that box either.
They mostly do. You can map different Workers to different paths in your site. A Worker can only access the resources it is explicitly bound to. E.g. if you create a KV namespace for storage, a worker can only access that namespace if you configure it with a "binding" (a capability in an environment variable) pointing at the KV namespace. Workers on your account without the binding cannot access the KV namespace at all. Some more on the philosophy in this blog post:
There are a couple of caveats that exist for legacy reasons, but that I'd like to fix, eventually:
* The HTTP cache is zone-scoped. Two workers running on the same zone (domain name) can poison each others' cache via the Cache API. TBH I want to rip out the whole Cache API and replace it with something entirely different, it is a bit of a mess (partly the spec's fault, partly our implementation's fault).
* Origin servers are also zone-scoped. All workers running on a zone are able to send requests directly to the zone's origin server (without going back through Cloudflare's security checks). We're working on introducing an "origin binding" instead, and creating a compat flag that forces `fetch()` to always go back to the "front door" even when fetching from the same zone.
Note that if you want to safely run code from third parties that could be outright malicious, you can use Workers for Platforms:
The worker binding system seems pretty great. I'm thinking more about the configuration / deployment mechanism.
In the old days, if I wanted to deploy a little script (on scripts.myuniversity.edu, for example), I would stick the file in an appropriate location (~username/cgi-bin, for example), and the scripts would appear (be routed, in modern parlance, but the route was entirely pre-determined) at a given URL, and they could access a certain set of paths (actually, anything that was configured appropriately via the AFS permission system). Notably, no interaction was needed between me and the actual administrator of scripts.myuniversity.edu, nor could my script do anything outside of what AFS let it do (and whatever the almost-certainly-leaky sandbox it ran in allowed by accident).
But Cloudflare has a fancy web UI [0], and it is 100% unclear that there's even a place in the UI (or the command-line API) where something like "the user survey team gets to install workers that are accessible at www.site.com/surveys and those workers may be bound to resources that are set up by the same team" would fit. And reading the "role" docs:
does not inspire confidence that it's even possible to pull this off right now.
This kind of thing is a hard problem to solve. A nice textual config language like the worker binding system (as I understand it) or, say, the Tailscale ACL system, is nice in that a single person can see it, version it, change it, search-and-replace it, ask an LLM about it, etc. But it starts to get gnarly when the goal is to delegate partial authority in a clean way. Not that monstrosities like IAM or whatever Google calls their system are much better in that regard. [1]
[0] Which I utterly and completely despise, but that's another story. Cloudflare, Apple, and Microsoft should all share some drinks and tell stories of how their nonsense control panels evolved over time and never quite got fixed. At least MS has somewhat of an excuse in that their control panels are really quite old compared to the others.
[1] In the specific case of Google, which I have recently used and disliked, it's Really Really Fun to try to grant a fine-grained permission to, say, a service account. As far as I can tell, the docs for the command line are awful, and the UI kind-of-sort-of works but involves a step where you have to create a role and then wait, and wait, and wait, and wait, and maybe the UI actually notices that the role exists at some point. Thanks, Google. This is, of course, a nonstarter if one is delegating the ability to do something useful like create two resources and link them to each other without being able to see other resources.
1. If you have a relatively small number of users whom you want to permit to deploy stuff on parts of a Cloudflare account, you may need to wait for finer-grained RBAC controls to be fleshed out more. It's being worked on. I really hope it doesn't end up as hopelessly confusing as it is on every other cloud provider.
2. If you have a HUGE number of users who should be able to deploy stuff (like, all the students at a university), you probably want to build something on Workers for Platforms. You can offer your own completely separate UI/API for deploying things such that your users never have to know Cloudflare is involved (other than that their code is written in the style of a Cloudflare Worker).
Workers for Platforms looks pretty neat, and I hadn’t seen it before. I don’t think it’s targeted at the low-effort CGI-like little bit of script on an otherwise mostly static site market, though. But maybe someone could build that on top of it?
Heck, one could probably even build middleware to deploy regular workers for this type of use, where the owner of the worker has no Cloudflare credentials at all and only interacts with the middleware. (Other than the origin and cache API issues.)
Right, that's exactly the idea. You could build your own CGI-like hosting platform using WfP to run untrusted JavaScript.
To be clear the two caveats don't apply to WfP. The cache API is disabled there. The origin thing can be solved by installing an "outbound worker", which intercepts all outbound requests from the untrusted workers and so can block unwanted requests to origin.
I agree re simplicity of the old way of doing things. There's another benefit that most cgi-bin systems had: lack of build step or exotic runtime requirements.
Eg, you'd drop some html into public_html folder and an executable into cgi-bin dir. I would performance engineer some scripts into C++ binaries and just checkout the source & run make to produce binaries in-place. This approach made it easy to use local dev tooling to test/debug stuff instantly via oldschool emacs TRAMP/sshfs.
There is a system that replicates the simplicity of what we lost (while letting you use fancy modern JS frameworks): https://www.smallweb.run/. It also offers a path to cloudflare-like edge computing migration without any code change via deno deploy. With smallweb, one drops a bunch of files into own dir (eg, you could give a dir to each student), which results in https://<dir>.domain.name running stuff ondemand in that dir. No build step, no exotic runtime to transpile into, full ability to use local dev tooling to test/debug stuff instantly. It's still early days for smallweb, but it's specifically designed with the philosophy of "edit some files and stuff runs..while remaining compatible with standard deno way of doing things".
I love the concept of cloudflare workers[1], their fancy state management, bindings, etc, and the fact that they took inspiration from cgi-bin. However, the fact remains that it's an exotic system with weird restrictions (hello changing your apps around 500mb chunk limits ala https://github.com/cloudflare/serverless-registry). This limitation can make it difficult to work with libraries that aren't tested against the cloudflare runtime. 90% of code I write would run better with cloudflare than with deno (due to awesome cold startups), but dealing with these restrictions is too much engineering overhead upfront.
In contrast, with deno/smallweb, I just drop some files into a directory, don't need to bother with package.json, lockfiles, etc, but can gradually opt into those and then gradually switch to CI/CD mode of operation. You can't expect a student new to web development to deal with the exoticness of cloudflare's solution from day 0.
[1] Kenton, it's a fantastic design, I sang praises to it in https://taras.glek.net/posts/cloudflare-pages-kind-of-amazin.... But after trying equivalents in deno ecosystem like val.town and smallweb I would love for it to be less exotic (I know you guys have more node compat work happening).
Well you're gonna want CMS anyways right? Why not go full WordPress and give your non-technical users even more agency. It's pretty hard for them to cause harm in this scenario.
The thing is that websites often need to be accessible to more than developers. If your company has to get a developer involved every time they want to change a word on the site (don’t expect the person who wants to change the website to know HTML or Markdown templates), progress gets slowed down quite a bit.
> I joined WP Engine in 2018 because it was the one company that really did seem to be honest about who they were. Like every other company they were in it to make money, but unlike every other company they didn’t hide that fact behind abusive language. They didn’t claim I was “family.” They didn’t claim their work was virtuous and therefore somehow “better” than non-WordPress orgs. No, they said they wanted to be the biggest host and went after that with the best pay I saw in the WordPress ecosystem and interesting work on top of it.
Well said. Our agency chose WP Engine over 8 years ago because they were hands-down the best managed WordPress hosting provider. It revolutionized our WordPress hosting offerings and allowed stable, mostly headache-free growth. Without WP Engine's platform and their investments in making WordPress hosting modular and safe, we'd still be in the stone ages of dedicated/vps hosting.
What kept us as a customer for these 8 years though, has been the quality of support. It can't really be measured, but I've found their support to be unmatched and highly competent over hundreds of interactions.
We've grown over 400% with WP Engine and this entire fiasco with Matt blindsided us. Begrudgingly, we're diversifying our hosting allocations to protect against this new threat but we'd be much happier continuing with just WP Engine.
> I’ve watched people pour their lives into giving back only to have it all tossed out because their important work isn’t what Matt wanted people to focus on.
It's sentiments like this that really undercut Mullenweg's arguments. "WP Engine didn't contribute to core" when Core was just the preapproved feature list that was important to Automattic. Even if WP Engine wanted to contribute, their work would have just lined Automattic's pockets (hence why he just asked for money in the shakedown).
Any others that people recommend? Will be looking for a basic website platform, blog is secondary, no e-commerce, minimal use of plugins, open source and hostable, where everything can be done in a Web UI with exception maybe of site templates. API would be nice to help with conversion from WordPress.
I also think Classicpress would make the transition smooth.
HTMLy also seems to be similar to what you describe. I've been trying it out with a couple of basic projects, and it seems to be a good option that I don't see many people mentioning.
If you would like to go back on using a CMS instead of static generators please take a look at the one I'm building https://vvveb.com it shares the same principles of design and architecture simplicity with the freedom of open source.
I've built over 700 WordPress websites and launch 4-5 each month. I expect to launch at least 30 in 2025. AMA and give me your example of something "better" and I'll gladly tell you why it's not. I've spent my career using these tools and deploying them for real people (not marketing departments creating throwaway sites).
This is preference. I just don't see why it's anyone's preference. I will just build an admin dashboard that allows a site owner manage their content, however, I'm not building as many sites for other people, so you probably have a better perspective as someone who does it professionally for 3rd parties.
> I will just build an admin dashboard that allows a site owner manage their content
With WordPress, there are 5 different plugins already built that have more features than the dashboard you're planning to build, and the agency/person maintaining the site may already be familiar with them. WordPress and other PHP CMSes may not have the best architectures (Drupal was downright atrocious), but the ecosystem is thriving with pre-built, customizable tools for the 99% of customer needs.
Virtually all web hosts, including very cheap ones, support PHP-cgi and MySQL, so deploying WordPress is frictionless. CMSes written in other languages have more deployment friction.
Yeah, this is what it comes down to. WordPress has an incredible following for a great reason: it works well for the people that know how to use it.
Designers and agencies are more than happy to continue to use it, and frankly they should -- it is their bread and butter. The WP drama is news for us web-devs but will affect their market in no way whatsoever.
It's not ironic, although I love irony. I created this throwaway because there's too many clues on my primary account that could lead back to IRL me and Matt is petty like that.
Your marketing folks know how to use it and you can configure it so they can manage a lot of stuff they’d have to bug you for otherwise, which neither you nor they will tolerate for long.
What better alternative is there as a webdev? Genuinely looking for answers from a production perspective.
Most successful shops I meet or talk to are all-in on Wordpress and I don’t think this drama has affected this calculation. Big Indian SEO + Wordpress firms with American sales teams rule this market.
I haven’t done freelance web work in a couple years, but I remember pouring a couple hundred hours into exploring static generators and alternative CMSs just to decide that yeah, Wordpress was probably the cheapest and most user friendly option to.
Drupal is seriously worth another look if you haven't used it in a while. It's really a mature CMS that was completely rewritten a number of years ago. There's also currently an initiative underway to make a new "distro" of Drupal that is more user friendly and less developer focused, which could be great for people coming from WordPress.
Drupal does have a learning curve, it doesn't have the robust marketplace of off the shelf themes that WP has, but I love it.
I struggled with Drupal when I used it. I was responsible for taking over a crowdfunding site which had been built in Drupal and as an intermediate Wordpress and Django developer, I found Drupal’s learning curve insane and it felt like the entire ecosystem was stagnating and dying. There are a lot of Reddit posts that go something like “I took a pay cut to work on a stack other than Drupal and I’ve never been happier”. It’s also the second most hated stack after salesforce.
I don’t know of any place where Drupal has been successfully used except for large corporate blogs, which I think it seems well suited for, but I’m happy to be corrected here.
It wasn’t for me but I’m glad you like it! If you’re well suited to it I think it’s a great career path.
Drupal is very popular in government and higher education. It's a very flexible and non-opinionated CMS, so it's easy for a developer to build something really crappy with it by not following best practices. When Drupal 8 first was released, there weren't a lot of off-the-shelf modules like there were with Drupal 7, which resulted in people building some pretty crappy sites in some unconventional ways.
The situation has really improved in recent years. Drupal 10 and 11 (the latest stable versions) are mature, the module ecosystem is robust, and there has been a renewed focus on usability.
It's not the right choice for every site of course, but I think people who have had a bad experience with it in the past should give it a second chance.
What are the advantages over something like Wordpress? What are the advantages over something like Laravel or Django?
My assessment of Drupal is that it really is only for enterprise blogs - it doesn’t offer the things a more robust framework would offer. So it makes sense if the scope of work is a blog for a large organization that has 100,000 to spend on a blog. It seems like most Drupal contracts are in that range, so it becomes more of a game of scoring those contracts than anything else.
I used to be all Drupal, and then the big rewrite broke so many upgrade paths, with some critical modules left abandoned. I waited for a whole year for that, and even invested time to see if I could do some work, but it’s just too much, and Drupal’s documenting is (was?) poor. Its internal stack is or was also really opaque.
You really need a team for that. I switched to Wordpress for just that reason, it’s a lot easier to tinker with.
Isn't that pretty much just d7 without the d7 EoL? Better to migrate a d7 site to it (assuming a rebuild with current Drupal is too much work or doesn't have necessary modules) than run d7 despite EoL, but I'm not sure it makes sense to spin up a new site using it over current Drupal.
It started off as a fork of d7 (really very early d8) but it's since diverged into its own thing. It still has a core that is d7 compatible, so migrating is very simple (you can import a d7 database and it just works), but the theming layer is different. It's placed an emphasis on usability and modernization.
It's definitely a good choice for migrating from d7, and could also be a great choice for a new site for someone who enjoys working on a classic drupal stack.
The people behind it are great, but the community right now is kind of small.
Drupal is really bad. Better off to use ProcessWire but that is showing its age. It was called the jQuery of CMSes at one time and they were growing in popularity but the creator didn’t want to be on a popular CMS ranking site because others were gaming the ranking system for other OSS and paid CMSes, so it became obscure.
In practice, there are a lot of non-technical users who can navigate the Wordpress backend. I’m not saying it’s particularly well designed, just that the large install base has led to a far larger number of experienced users.
With WordPress, I can stand up a unique, functional website in a day. With a robust UI. And even with some advanced eCommerce features. It's not the best CMS in the world but compared to Drupal it's like building with Legos. You can also let it run for years without needing to go in and update/fix anything.
There are not many other self-hosted services that really compete at the same level.
Trips me out people made an entire career with WP. My hat is off to them. WP is so hard for me to figure out. It is almost unbelievable that someone would commit their life to that insanity but I respect the hell out of them.
It’s not necessarily hard. But it’s cumbersome and just one of the worst codebases I ever had the pleasure of working with. Basically everything about it is legacy, bad design choices, hacks, workarounds and compatibility fixes. That’s what makes it complex. It needed a rewrite 10 years ago. But due to the deep integration of thousands of plugins that will never be possible.
From personal experience, the complexity comes from how ‘not obvious’, unexpected, or (outwith WordPress) unconventional much of WordPress is.
It is a fascinating code base that is a result of it evolving through end user needs, over years, rather than being a grand software architecture with developer ergonomics at the core. Last time I touched it, changing domain names and sync dbs all required plugins. Yet in page editing works like magic.
I assume no-one building Wordpress today would build it like it is built.
The whole community and ecosystem is full of shady dishonest businesses and practices it seems. Besides all the recent drama as an end user and plugin buyer I have had to ask for 2 separate refunds from major plugins for shady dark pattern re-bills or secret upsells. I used to not consider myself a mark but maybe I am 42 now so I am starting to miss the real opt out buttons (4 pages deep below the fold). Anyways I don't like being in any ecosystem that is full of this stuff and not worth my time to manage all of it.
If you really want to see the shady, dishonest side, try to have a discussion about nulling plugins. You'll get called every name in the book for adhering to the GPL.
People keep saying in this thread, there are better alternatives but I do not see any listed. I know of
- Statamic (php, Laravel) - https://statamic.com/
- Strapi (js) - https://strapi.io/
and then a bunch of SaaS platforms. What are the market leading open source CMS's?
I'm reading the WordPress docs right now as an experienced developer that hasn't used WordPress that much. It's kind of interesting. There's a whole REST API built into WordPress. And there's also a full on Node workflow that you can use to develop certain components.
At its core, Wordpress is not bad software, it’s just old and shows its age sometimes. I’ve worked with a lot of really talented engineers who built their careers on Wordpress. News organizations powering the top breaking stories online run on WP. It’s a competent, mature, and extensible platform for developers, even if the modern marketing is not catered to devs.
These days I’ve moved to Laravel but all of my friends in WP world are bummed that their livelihoods are being toyed with by the former BDFL now just DFL.
In a lot of ways it is not different from Rails or Django. Just approaching it from a non-technical market with a ton of plugins. You can in fact add an API and execute PHP or use it as an API Gateway.
Definitely been tempted to use it but as others have said to do anything useful requires a ton of plugins that integrate in weird ways and have to pay subscriptions for the useful features.
But still I think it is one of the best ways for non-technical people to create websites quickly.
Yes, interesting comment. It also well predates Laravel (not sure about Rails) and that plus backwards compatibility all the way back to archaic PHP versions explains some of the cruft (but not all of the suboptimal design).
Isn't every community like that after so long? Like, I don't like the way that Matt behaved recently, but regarding most of the complaints in the post -- these exist in any community or organization which is big enough and has been around for long enough.
People who are serious about building community will put their trust in others. They will delegate. They will listen to advice. They will compromise. They will be imperfect; they will fail to do the best thing for the community from time to time. But when that happens, more often than not, they will listen and adapt to criticism. We may still call them BDFL. But they aren't truly a dictator.
People building petty fiefdoms will inevitably betray the community.
When I read about Mullenweg, something I'm struck by is his cry bullying. I see him responding to complaints like, "are you threatening me? I get a lot of death threats." I bet he does get death threats, and to be clear it's not okay that he and other public figures have their lives threatened.
But it's common for him to respond to people telling him to go to hell as if they were making an actionable threat. See [0]. I would be upset if someone hoped I "[died] a forever painful death involving a car covered in hammers that explodes more than a few times and hammers go flying everywhere." But I would know they were being hyperbolic and flipping me the bird, not making a threat. (Especially if I was familiar with Tumblr's culture and the texture of humor on the platform. Like you might expect from the CEO.)
And I certainly wouldn't respond by doxing them. And this is really important; doxing someone is actually putting them in jeopardy, with no hyperbole. Doxing someone is an actionable threat of harassment. This is a betrayal of the community's trust, and the exercise of power against the community's interests.
I've seen some other examples of him mischaracterizing insults (including milder ones than this) as threats, but I wasn't able to find them in my timebox. These were screenshots from Twitter and possibly Slack, presumably I could find them if I had accounts on those platforms.
You can also look at the recent controversy as an exercise in cry bullying. "WP Engine is so unfair to the community," he cries. "They deprive people of the essential feature of having more than 3 revisions without changing a setting." Then cuts a large subset of the community off from things that are actually critical, like logging in and updating plugins. He betrayed the community and exercised his leadership position to prosecute his personal quarrels at the community's expense.
I apologize if this was a rant, but here's the point. We should be thinking harder about open source governance, because there are no benevolent dictators. Positions of power corrupt, and they also attract the corrupt to them. When BBS operators were powerful in our community, they attracted (at least one) con artist(s) [1]; now we see a BDFL using our community to rule as a petty tyrant.
When we want to adopt an up and coming project, we should ask the BDFL what the plan is for turning over power to democratic mechanisms in the community. When a new project starts only 1 or few people are there to make decisions, so a BDFL is the natural state of things. But we should expect governance to become more sophisticated as a project becomes more important.
We should learn to recognize the rhetorical mechanism a petty tyrant uses to conflate their interests with the interests of the community. Be suspicious of them. Push back. Ultimately, there are two mechanisms to hold a petty tyrant accountable; forking and rewriting. We should be prepared to do that.
Maintainers reading this might say, "oh, great, not only are people going to open up spurious issues and feel entitled to my time, but you're asking them to be a peanut gallery trying to hold me accountable to democratic mechanisms. What a pain in the ass." This is a solid objection which I do not have a good response to.
Another objection I don't have an answer to is the very real issues projects like Redis and Elasticache have encountered, where platform giants capture the value without contributing back financially. That's a real problem I'm not smart enough to solve, and it does complicate what I'm suggesting.
> I've seen some other examples of him mischaracterizing insults (including milder ones than this) as threats, but I wasn't able to find them in my timebox. These were screenshots from Twitter and possibly Slack, presumably I could find them if I had accounts on those platforms.
> Maintainers reading this might say, "oh, great, not only are people going to open up spurious issues and feel entitled to my time, but you're asking them to be a peanut gallery trying to hold me accountable to democratic mechanisms. What a pain in the ass." This is a solid objection which I do not have a good response to.
As someone who's interested in community dynamics like these, I think pure drive-by democracy wouldn't work (I dislike bikeshedding [1]), but a system where people who've contributed either money or quantifiable effort over a recent period of time in exchange for voting rights to elect administrators might.
"A recent period of time" is important, as communities don't really appreciate some old founder-type who's not active in a project anymore trying to use their clout to feed their ego.
Yes true, but also it's about reviewing and qualifying the community before you decide on it.
As I've seen in other comments, the community seems to be a lot of plugin developers wanting to make money with their plugins. And the quality of the code seems to be patches on patches and have become quite a mess and not nice / easy to work with. Well it's PHP for starters so that's already not a great start in my opinion. That is why I moved away years ago from my first language PHP, to a in my view more mature and more professional community like Python and Django. And I really don't think stuff like this would happen there. Because people are more about working together and making something really nice instead of making money with plugins.
They were threatened with legal action from Matt so have essentially shut down and replaced it with that, from the sounds of it Matt tried to go directly to the domain registrar and isp to identify its owner (apparently GitHub's still too hard for him to figure out).
Saying their names and getting all feely won't help them with their current, quite difficult, financial situation. It should have been launching a crowdsource campaign instead.
That was troubling me too, so: from what I understand (someone feel free to correct me if you know better), Mister Wordpress hired people to take care of his ill mother who seems to also have serious mental issues (ref. all the crazy sex talk and racism). One of the caregivers got fed up of the abusive behavior (which wasn't part of the contract) and complained multiple times to Mister Wordpress about it, who then told his mom she should stop making up crazy shit about him and just be a nice person to the people who are trying to help her. Which seems to have made it worse because she's just stark raving mad. Whether there are actual Asian women involved at all remains to be seen (ah) and is beside the point.
You're also missing that the lawsuit alleges mullenweg lied to the employee about the nature of the job, and rather than being a personal assistant it was nearly 24/7 caretaking of his mother under constant abuse (including, but not limited to, having sleep disturbed by calls from the mother, being denied meal breaks, and being forced to work during thanksgiving without meals.)
Yup. A 400M net worth should be enough to hire multiple hardened caretakers. Or maybe, just maybe, professional psychiatric assistance? Seems like someone's in denial of their mother's condition.
He also changed law firms twice during these two lawsuits and, rather than fight it, only tried to do everything possible to get it to arbitration (on apparently completely false/fabricated grounds/documents) rather than a jury trial. Judge smacked that down and they go to a jury in 8 months.
The article began, "It’s true that I had largely been moving away from the WordPress project since at least 2017." Also, the author didn't say that he regretted contributing to WordPress.
Things change, and you move on. If someone got divorced, would you say that's a good lesson to never get married?
An estimated 40% of global websites use Wordpress in some way. It's hard to come up with a more generally applicable set of skills than "Wordpress" at least based on total users worldwide (I'm not here to defend WP, I've never liked it)
That said, I don't think the author's experience with Wordpress has poor transportability into other niches anyway.
Wordpress saga is spicy in itself but really this is also a wake up call for any programmer like me who is overly dependent on a single technology such as dotnet or java. However, what else can we do? There are only so many hours in a day. What reasonable alternative do I have?
Slightly different comparing a cms to an entire programming language. A more apt comparison would be your career being entirely focused on Umbraco or OpenCMS rather than dotnet or java.
https://www.linkedin.com/posts/ksimpson_open-letter-to-matt-...