WordPress forces user conf organizers to share social media credentials, arousing suspicions
- Reference: 1730096827
- News link: https://www.theregister.co.uk/2024/10/28/wordcamp_password_sharing_requirement/
- Source link:
The order to share creds came from an employee of Automattic, the WordPress host whose CEO happens to be Matt Mullenweg, co-creator of WordPress. A letter sent to WordCamp organizers explains that the creds are needed due to "recurrent issues with new organizing teams losing access to the event's social media accounts."
So far, so sensible.
[1]
But the requirement to share creds comes in the middle of a nasty spat in the WordPress community, sparked by Mullenweg's efforts to have rival hosting biz WP Engine license the WordPress trademark or devote more staff to working on the open source content management system's code. Mullenweg argues that private-equity-controlled WP Engine is not acting the in spirit of open source by profiting from WordPress. WP Engine contends that it does plenty for the community.
[2]
[3]
One source of support for WP Engine was WordCamp Sydney, which recently [4]used its X account to argue that the hosting biz sponsoring its events was a valuable contribution to the WordPress community. "It's not just about contributing dev back to core," event organizers argued.
We'd link to the Xeet in which WordCamp Sydney made that observation, but another Automattic employee wrote to the event's organizers with a request to take it down – on grounds that it did not "align with the Community Team's view." The Community Team includes Automattic staffers who help with WordCamps.
[5]
"When posting from an official WordCamp account, your team is representing both the event and the Community Team," the letter asserts.
A source familiar with Sydney WordCamp's operations told The Register that volunteers saw the takedown request as a personal threat – as non-compliance with the request would have led to them being forced from the event's organizing team.
[6]Jetpack fixes 8-year-old flaw affecting millions of WordPress sites
[7]WordPress bans WP Engine from sponsoring or participating in user groups
[8]WordPress saga escalates as WP Engine plugin forcibly forked and legal letters fly
[9]159 Automattic staff take severance offer and walk out over WP Engine feud
The letter ordering sharing of social media creds, and the takedown request sent to WordCamp Sydney, were both [10]shared by Kellie Peterson, former head of domains at Automattic.
The Register has verified that the material she posted was sent to WordCamp organizers.
Peterson described the letters as "just the latest attempt by [Matt] Mullenweg to control anything said about WordPress or himself across the internet."
[11]
A person with knowledge of Sydney WordCamp's response to the letters requiring sharing of social media logon details is felt to regard them as "suspicious" and a "hostile takeover" rather than a genuine attempt to improve continuity of access. Our sources tell us that many WordCamps have used the same social handles for years, and Automattic has never before considered the matter important.
But Peterson told The Register she is aware of a "history of Automattic taking actions regarding organizers similar to this."
"At each turn it fractures the community in various ways. Whether that is being removed from an organizing role for refusing to comply with an arbitrary rule change, controlling the focus/content of a WordCamp, mandating the geographic naming of WordCamps, or refusing to list events on the WordCamp site. The negative outcomes and loss of community member engagement have clearly resulted in stagnation."
WordCamp Sydney, meanwhile, has experienced lower-than-hoped-for ticket sales, leaving organizers frustrated that their volunteer efforts to create an event have been damaged by a situation they did not create and cannot control. ®
Get our [12]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zx9u24p0bT2mC0zlRIcIiQAAAEY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zx9u24p0bT2mC0zlRIcIiQAAAEY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zx9u24p0bT2mC0zlRIcIiQAAAEY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.theregister.com/2024/10/15/wordpress_bans_wpengine_from_events/
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zx9u24p0bT2mC0zlRIcIiQAAAEY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/10/18/jetpack_patches_wordpress_vulnerability/
[7] https://www.theregister.com/2024/10/15/wordpress_bans_wpengine_from_events/
[8] https://www.theregister.com/2024/10/14/wordpress_forks_wpengine_plugin/
[9] https://www.theregister.com/2024/10/04/automattic_offers_dissident_employees_incentive/
[10] https://x.com/kellie/status/1850384027548827966
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zx9u24p0bT2mC0zlRIcIiQAAAEY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[12] https://whitepapers.theregister.com/
Re: Yes, this is hardly a surprise
My only slim hope is that all the complaining, combined with the level of scrutiny of the WPE case will help to force a change.
In leadership, not in Matt himeself - he is who he is, he's never going to change (and so shouldn't be in the position he's in).
But, the realist in me says nothing will change (apart from a few more people understanding why it's better to walk way from Wordpress)
The Community Team...
... is it just me, or does that sound rather sinister? A group of people who use the same commercial services is not really a community - and certainly not in community with their suppliers - and believing (and being encouraged to believe) they are is part of the problem.
i don't know exactly what stake the local organisers have in "their" conference, but presumably they could either just pull out or alternatively change the name and get their sponsorship elsewhere.
Re: The Community Team...
They can just call it the 'WordPress Users Sydney' conference, or something similar. Automattic can scream 'til they're blue in the face about their commercial rights to the trademark, but this would be a fairly clear-cut case of fair use, since there's no other way of referring to the primary subject-matter of the conference. So long as the name doesn't use the official 'WordCamp' brand, and so long as it doesn't use the WordPress logo or branding in any way that might imply it's directly affiliated with Automattic or the WordPress Foundation, it's fair game. Taking a stand is the only way Matt's going to be reined in here. Unfortunately I don't think most volunteer organisers would have the stomach for a fight like that, and I don't blame them.
Re: The Community Team...
Instead of WordPress Camp:
WordPress Tent - UK
WordPress Glamping - Australia
WordPress Trailerpark - Alabama
Re: The Community Team...
WordPress Trailerpark - Alabama
The event held next to the Mullenweg campervan? :)
All the the grace and poise of a trailerpark denizen evident in this spat.
Re: The Community Team...
Wordpress Trailerpark - I'm dying!!!!
So basically to use wordpress I have to give this guy my logins and PASSWORDS.
Probably also my mothers maiden name, the name of my first dog, DOB and place of birth too right?
Also for "security" I have to change my address with my bank to his house?
WTF is he on?
This is a man who puts his blog on the homepage of the dashboard of his product (and gets pissy if anyone ever removes it) and who embedded his own name into the name of his company. He's been an egotistical narcissist all along, but usually he's confined that to relatively harmless spats. This time, I guess he's just off his meds or something?
"When posting from an official WordCamp account..."
Not your personal ones
Imagine you run social media for a large corporation.
You have to give your social media login to this guy.
he suddenly decides YOUR corporate social media account is going on a death-to-the-west, hate the N-words, Death to the gays crusade..............
The Shitshow Goes On!
Time to buy shares in the popcorn industry...
Maybe I didn't read it right
But did they ask for your login details, or merely what your Social Media Handles are?
Either way it's just weird and should alert all and sundry to the type of BS you're wading through.
For the brief period of time I had or used Wordpress in any capacity, I had nothing but issues with scanning bots constantly trying to find vulnerabilities to exploit.
Really not worth the hassle, for me at least.
Re: Maybe I didn't read it right
Agree it is weird as is ElReg saying “ So far, so sensible.” to something that clearly isn’t.
Re: Maybe I didn't read it right
I _think_ that Automattic wants the login credentials for the accounts associated with the _events_. That is: not the organizer's personal deets, just a way to recover control of the event pages if the organizer goes dark.
The article could do a better job of explaining this, I think.
Now, it's an entirely separate issue why an organizer might have recently decided to have nothing to do with WordPress events...
Re: Maybe I didn't read it right
One of the reasons I ditched it in the end. The amount of time I was having to dedicate to keeping it up to date and secured wasn't proportionate to the utility of it. The killer was when I realised I didn't need a back-end dashboard, server-side rendering, the ability to log in, edit online or any of the other stuff PHP is used for, thanks to the maturity of modern frameworks like Gatsby and Astro.
Now I use front-end frameworks or fully hand-code my own sites, and it's way faster for me, as well as being only as hackable as my hosting provider. I'd hope they're way more on top of security than me, but it's hard to be sure with most providers - would be nice if providers were required to be more transparent around security, but I digress.
The point is, for commercial or tech-savvy users, there's really no reason to still be using WordPress today, and I'd argue there's solutions out there that are just as good or better for novices too. The disadvantages of sticking with WordPress already outweighed the advantages in my book, and that was before all this drama.
That's the whole point of WordPress
It's for the vast majority of people who do not have the ability to code their own website.
The click-and-drag components are easy to get a grip on, you don't need to learn everything to get a website up and running in an hour, and the people this is geared toward are the kind who don't want to waste an entire day on this.
And then you have social media, which is largely sufficient for many, many people as well. I'm talking FaceBook, obviously, but YouTube channels, Instagram, even TikTok are places where people can express what they want to say without thinking about the technical side of things.
But yes, if you want a website you control and isn't subject to vulnerabilities you never thought of including, then hand-coding is certainly the most powerful manner of getting there. You just have to be able to do that, and not everyone can.
WP Engine contends that it does plenty for the community.
Why? It doesn't have to do anything for the "community".
It should have replied with "Which part of Open Source don't you understand?"
Yes, this is hardly a surprise
> But Peterson told The Register she is aware of a "history of Automattic taking actions regarding organizers similar to this."
Yes, they have been customer hating arseholes for decades. When you do business with certain companies like Broadcom, Oracle, Automattic, Facebook, Twitter, anything the Angry Toddler went near, etc. you have to go in holding your nose and knowing they're out to screw you. Then while you're holding your nose your WordPress installation gets hacked again. :p
I do understand that you are upset that the devil you willingly got in bed with is now acting like a devil again and are speaking up about it because you hope it will change something, but no, Boris will repent and become an erudite, well educated scholar and gentleman before Automattic stop being thugs.
On re-reading, I apologize that the tone is so harsh, but I've seen so many 'Oh no, we crawled into the Pit of Endless Venomous Snakes and there were snakes! And they were venomous! And endless! Nobody could have known! One star!' stories lately. If you're holding a WordPress event, you know what they're like.