Mullenweg’s Grip On WordPress Challenged In New Court Filing via @sejournal, @martinibuster

A Motion to Intervene has been filed in the WP Engine lawsuit against Automattic and Matt Mullenweg, alleging fifteen claims and seeking monetary awards along with changes to WordPress.org’s governance structure.

A motion to intervene is a legal request by a third party that seeks to join an ongoing lawsuit, the success of which hinges on proving that they have a significant interest in the outcome of a case.

Legal Filing Seeks To Take Control Of WordPress

Among  the requests made in the legal filing is one that compels Matt Mullenweg to create a WordPress Oversight Board to oversee the governance of the WordPress Foundation, WordPress.org and other related entities.

“D. Order Defendant Matt Mullenweg to establish a Governance Oversight Board as defined in the Proposed Order For Contempt filed by Michael Willman;”

Moderator Of WPDrama Subreddit

The person filing the court motion is a WordPress web developer and a moderator of the r/WPDrama subreddit named Michael Willman, CEO of Redev, a WordPress development and SEO company, who alleges that Mullenweg banned him, which caused him to lose two clients and a significant amount of earnings because of those losses.

Michael explained what happened in a message to Search Engine Journal:

“Near the start of this dispute, I lost a large ($14,500) contract as a direct result of being banned by Matt along with everyone else loosely associated. We had just closed the contract mere days before and the client is just seeing all these stories, and they back out. Losing that revenue would eventually make us unable to serve our largest client at the time, and we lost them too.

I took this all personally, and I tried to take to his #ranting channel on Slack to respond to his inane blog posts and share how his actions had damaged me and got me to the point of being ready to sue him as well.

He then banned me in retaliation for that and afterwards claimed a message saying I was going to go to Houston to file other legal documents was a “physical threat.”

He has a long history of inconsistent application of the Code of Conduct and I don’t think he can show that his actions here were justified, my own reading of the Code of Conduct implies that some type of warning in private is the first step. “

That last part about the allegedly false claim that he made a physical threat against Matt Mullenweg is now a part of the new motion.

Post On Reddit

Mr. Willman posted about his motion on Reddit, saying that he will donate 5% of any monetary awards to WordPress.

Members of the Reddit WordPress community were supportive, with one member named JonOlds posting:

“A client backing out of a signed contract ($14,500) because you being banned created a significant change is the most clear-cut example of harm from the WPE bans that I’ve seen so far. Fuck MM, and I really hope this is granted.”

Another person wrote:

“Dude you’re my hero ❤

And I’m sorry for all this stuff that’s happened to you, it’s awful. I genuinely admire how well you’ve handled all this, while moderating this sub too.”

Claims For Relief

Section D of the filing lists fifteen claims, among them he cites that Mullenweg’s retaliatory actions disrupted existing client contracts and the ability to cultivate new clients. It also describes attempted extortion, libel and trade libel among the many other claims.

Three of the claims made in the motion:

“1. Intentional Interference with Contractual Relations
Defendant Matt Mullenweg’s actions, including banning Michael Willman from the Make.WordPress.org Slack workspace and retaliating against him, disrupted existing contractual relationships. Some specific examples are the $14,500 website development contract that was canceled due to Michael Willman being banned from WordPress.org, the remainder of another contract with Trellis that was lost valued at $5,526.35, and an ongoing relationship with Trellis that included active retainers valued at $4,700 per month in addition to regular ad-hoc work, the combination of which generated $77,638.65 in invoices in 2024.

2. Intentional Interference with Prospective Economic Relations
By targeting and banning Michael Willman from essential WordPress platforms, Defendants interfered with potential business opportunities. The absence of new website development projects, loss of existing relationships and the unease expressed by clients about the WordPress ecosystem are direct results of these retaliatory actions.

4. Attempted Extortion
During discussions, Matt Mullenweg offered to refer clients to Michael Willman’s business on the condition that he cease working with WP Engine and join Automattic’s affiliate program. This constitutes coercive conduct aimed at disrupting Michael Willman’s business relationships.

6. Libel
Matt Mullenweg publicly claimed that Michael Willman made threats of physical violence, a statement that is objectively false and defamatory. This damaged Michael Willman’s reputation within the WordPress community and beyond.

7. Trade Libel
Public statements by Matt Mullenweg disparaged Michael Willman’s professional services and integrity, causing harm to his business relationships and reputation.”

Possible Outcome Of New Court Motion

The motion to intervene contains serious allegations of abuse of authority by the single most influential person in the open-source WordPress project, a worldwide ecosystem of developers, business users, publishers, plugin and theme developers and thousands of volunteers around the world who contribute to the development of the WordPress content management software.

The filing not only seeks restitution, it also asks the court for changes to the WordPress governance to remove Matt Mullenweg from his position of power at WordPress.

Read The Reddit Post And Legal Document

A link to the legal document is posted on a Reddit discussion about the filing:

Motion to Intervene & Motion for Contempt Filed in WPEngine, Inc. v. Automattic Inc.

Featured Image by Shutterstock/Rose Tamani

Automattic Turns Against WordPress Community Itself via @sejournal, @martinibuster

Automattic announced it is minimizing support for the WordPress.org CMS project, using words and phrases that present the withdrawal of support as a positive change to make WordPress stronger, while casting blame on WP Engine for its decision to minimize contributions.

The entire statement uses double-speak, pretextual statements and passive-aggressive language to portray itself as a victim of WP Engine and framing the withdrawal of support as the unavoidable consequences of WPE’s lawsuit against Automattic, saying:

“Additionally, we’re having to spend significant time and money to defend ourselves against the legal attacks started by WP Engine and funded by Silver Lake, a large private equity firm.

…We’ve made the decision to reallocate resources due to the lawsuits from WP Engine.

…This legal action diverts significant time and energy that could otherwise be directed toward supporting WordPress’s growth and health.

…We remain hopeful that WP Engine will reconsider this legal attack, allowing us to refocus our efforts on contributions that benefit the broader WordPress ecosystem.”

At no point in the statement does Automattic acknowledge its role in creating the conflict, instead portraying itself as forced to go down the path of Mullenweg’s self-described “nuclear” war with WP Engine when in fact there has always been time to engage in constructive dialogue.

Automattic Turns Against The WordPress Community Itself

A stunning feature of Automattic’s statement is that this is the first time that it points a finger at the WordPress community itself as part of the reason for pulling back resources. It wraps the word “community” in quotation marks in a manner that seems to undermine the legitimacy of the critics, which has the subtext of portraying the critics as not true members of the WordPress community.

There is an undertone of contempt for the criticisms against Mullenweg, which to be fair started out as timid expressions of hope that things would work themselves out then gradually increased to outright calls for new a new governance structure that reflects the diversity of the entire WordPress community and a move away from the so-called “benevolent dictatorship” of Matt Mullenweg.

Automattic’s statements targeted the WordPress community itself:

“We’ve also faced intense criticism and even personal attacks against a number of Automatticians from members of the ‘community’ who want Matt and others to step away from the project.

…Automatticians who contributed to core will instead focus on for-profit projects within Automattic, such as WordPress.com, Pressable, WPVIP, Jetpack, and WooCommerce. Members of the ‘community’ have said that working on these sorts of things should count as a contribution to WordPress.”

Use Of Doublespeak

Lastly, Automattic’s statement uses language that seems to cross the line into doublespeak. Doublespeak is the use of language in a way that is deceptive and manipulative as opposed to a rhetorical approach that seeks to persuade. Doublespeak obscures and distorts reality and masks the real meaning and intent of a statement.

Example of doublespeak:

“To recalibrate and ensure our efforts are as impactful as possible, Automattic will reduce its sponsored contributions to the WordPress project. This is not a step we take lightly. It is a moment to regroup, rethink, and strategically plan how Automatticians can continue contributing in ways that secure the future of WordPress for generations to come. “

The portrayal of the withdrawal of support as a way of securing “the future of WordPress for generations to come” is manipulative and hides the reality that those actions have the opposite effect.

It also claims:

“This realignment is not an end, but a new beginning—one that will ultimately strengthen the foundation of WordPress.”

That’s an example of how Automattic’s statement portrays the actual weakening WordPress.org as a way to strengthen it.

There are many other examples of how the statement portrays Automattic as the victim, WP Engine as the aggressor and the WordPress community itself as complicit in undermining itself.

Read the statement here:

Aligning Automattic’s Sponsored Contributions to WordPress

Featured image by Shutterstock/Wirestock Creators

WordPress.com Launches Studio Sync Local Development via @sejournal, @martinibuster

WordPress.com, the Automattic web hosting platform, just announced that the free and open source Sync local development app can now integrate directly with WordPress.com hosting. The new synchronization feature streamlines the process of developing a website on the desktop then pushing it live when it’s ready for deployment.

WordPress.com Hosting

WordPress.com is a WordPress web hosting and publishing platform that offers a free and paid tier, plus bargain-priced domain name registrations. WordPress.com is a for-profit company that’s owned by Automattic. Their slogan is “Everything you need to build and grow any website—all in one place” and with this new feature that slogan has never been more true.

The new feature is available to WordPress.com users on the paid Business plan level or higher.

According to the announcement, the new features bring the following benefits to users:

• “Push and Pull with Ease: You can keep your local Studio sites connected to your WordPress.com site, so pushing or pulling will be as easy as clicking a button.
• Flexible Syncing: Having complete freedom, you can connect a WordPress.com site to multiple Studio sites.
• Team Collaboration: Multiple developers can connect a local Studio site to a shared WordPress.com site, making it easy to push and pull changes as a team.
• Sync To and From Staging: If using staging sites are part of your development workflow, you can now easily push from your local Studio site to your WordPress.com staging site.
• One-Click Bliss: No need to worry yourself with database dumps, manually syncing files over SFTP, or performing other monotonous manual steps. Synchronize your local and hosted sites at any time with just one click.”

Studio is available for both the Mac and Windows desktop environments.

Read the announcement:

Build Locally, Deploy Globally: Meet Studio Sync for WordPress.com

Featured Image by Shutterstock/Fauzi Muda

Mullenweg Criticizes WP Engine For Something He Also Does via @sejournal, @martinibuster

Matt Mullenweg cited a Reddit thread on X to promote the idea that WP Engine makes it difficult to cancel accounts. Turns out that his own hosting company does the exact same thing.

“Money Grab” Post By Redditor

Someone posted that they cancelled a WP Engine account on Friday December 6th. They subsequently learned that WP Engine has a 30 day advance notice cancellation policy so they called customer service and was assured they wouldn’t be charged, despite not giving 30 days advance notice.

They wrote:

“On Dec 6th, I cancelled my WPEngine service that I’ve had since 2015. …That’s when I discovered that WPEngine requires 30 days notice to cancel. An obvious money-grab. A user should be able to cancel a single-site hosting environment instantly with one click of a button. In fact, this will be the law soon, created because of unscrupulous cancellation tactics like this.

WPEngine support informed me that my site would be cancelled on Jan 3rd. …Surprise, surprise… it’s Jan 5th. My account hasn’t been cancelled, and I was charged $300 today for another year of service.”

Hours after starting the Reddit post to complain about WP Engine they updated it to say that WP Engine had refunded their money.

They posted:

“UPDATE: WP Engine support got back to me, cancelled the account today, and initiated a refund that’ll take up to 10 business days.”

Mullenweg Dumps On WP Engine

Mullenweg posted on X to compare WP Engine to an unscrupulous gym, accompanying his post with a screenshot of the Reddit post:

“One way @wpengine juices its profits at the expense of its customers is by making it hard to export or cancel your plan, like one of those bad gyms.”

He followed that up with another post touting that WordPress.com has a flexible cancellation policy:

“The WordPress philosophy is to make it easy for people to leave, so they’re more likely to stay. Give freedom and choice.”

But the reality is that WordPress.com’s cancellation policy also requires 30 day advanced notice:

“You must cancel at least one month before the scheduled end date of any annual subscription…”

What’s Going On?

WP Engine’s contract is clear that they require 30 days notice to cancel a service. But it’s not like once you pay you’re committed to a whole year of hosting. The contract enables customers to cancel their yearly hosting plan at any time (with 30 days notice) and the difference for any remaining months will be refunded.

The Redditor cancelled their account with less than 30 days notice (on a Friday), got charged 24 days later and then refunded on a Sunday, before the weekend was over.

Response On Reddit

While many Redditors were supportive of the person who started the discussion, others pointed out the obvious that it’s a weekend and they failed to give adequate notice.

A Redditor named ThePresidentOfStraya posted:

“Not affiliated with WPEngine. Downvoted. This is a boring billing issue, you’re not being oppressed. Annoying sure. But just call them Monday mate.”

Another Redditor downplayed the events:

“Meh, crap happens. It’s not at all abnormal to have a 30 day opt-out prior to renewal.”

Another Redditor put the original posters situation into perspective, commenting:

“Money grab? You know the rules…

Inform yourself. You should have cancelled sooner. Now be polite and ask them for a solution instead of ranting about it online.”

Read the original Reddit post:

UPDATE: WPEngine didn’t follow through on cancelling my account on Jan 3rd and I was charged for another year of service

Featured Image by Shutterstock/Nicoleta Ionescu

WordPress Popular Posts Plugin Vulnerability Affects 100k+ Sites via @sejournal, @martinibuster

An advisory has been issued about a high-severity WordPress vulnerability that makes it possible for attackers to inject arbitrary shortcodes into sites using the WordPress Popular Posts plugin. Attackers do not need a user account to launch an attack.

WordPress Popular Posts is installed in over 100,000 websites enables websites to display the most popular posts within any given time period and has been translated into sixteen different languages to extend its use around the world. It comes with caching features to improve performance and an admin console that allows website administrators to view popularity statistics.

WordPress Shortcode Vulnerability

Shortcodes is a feature that allows users to insert functionalities within a web page by inserting a predefined snippet within brackets that automatically inserts a script that performs a function, like adding a contact form with a shortcode that looks like this: [add_contact_form].

WordPress is gradually evolving away from the use of shortcodes in favor of blocks with specific functionalities. The official WordPress developer site encourages plugin and theme developers to discontinue using shortcodes in favor of dedicated blocks, with the main reason being that it’s a smoother workflow for a user to select and insert a block rather than configure a shortcode within a plugin then manually inserting the shortcode into a webpage.

WordPress advises:

“We would recommend people eventually upgrade their shortcodes to be blocks.”

The vulnerability discovered in the WordPress Popular Posts plugin is due to the implementation of the shortcode functionality, specifically a part called do_shortcode(), which is a WordPress function for processing and executing shortcodes that requires input sanitization and other standard WordPress plugin and theme security practices.

According to an advisory published by Wordfence:

“The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.”

That part about “validating a value” generally means checking to ensure that what the user inputs (the “value”), such as the content of a shortcode, is validated to confirm that it’s safe and conforms to expected inputs before being passed along for use by the website.

Official Plugin Changelog

A changelog is the documentation of what’s being updated, which for users of the plugin provides them an opportunity to understand what is being updated and to make decisions about whether to update their installation or not, thus transparency is important.

The WordPress Popular Posts plugin is responsibly transparent in their documentation of the update.

The plugin changelog advises:

“Fixes a security issue that allows unintended arbitrary shortcode execution (props to mikemyers and the Wordfence team!)”

Recommended Actions

All versions of the WordPress Popular Posts plugin up to and including version 7.1.0 are vulnerable. Wordfence recommends updating to the latest version of the plugin, 7.2.0.

Read the official Wordfence advisory:

WordPress Popular Posts <= 7.1.0 – Unauthenticated Arbitrary Shortcode Execution

Featured Image by Shutterstock/GrandeDuc

WordPress Backup Plugin Vulnerability Affects 3+ Million Sites via @sejournal, @martinibuster

A high severity vulnerability in a popular WordPress backup plugin allows unauthenticated attackers to exploit the flaw. The vulnerability is rated 8.8 on a scale of 0.0 to 10.

UpdraftPlus: WP Backup & Migration Plugin

The vulnerability affects the popular Updraft Plus WordPress plugin, installed in over 3 million websites. Updraft Plus comes in a free and paid version that allows users to upload backups to a user’s cloud storage or to email the files. The plugin allows users to manually backup the website or schedule it for automatic backups. It offers a tremendous amount of flexibility of what can be backed up and can make a huge difference for recovering from a catastrophic server issue and is also useful for migrating to a different server altogether.

Wordfence explains the vulnerability:

“The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.24.11 via deserialization of untrusted input in the ‘recursive_unserialized_replace’ function. This makes it possible for unauthenticated attackers to inject a PHP Object.

No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit.”

The Updraft Plus changelog seems to minimize the vulnerability, it doesn’t even call the update a security patch, it’s labeled as a “tweak.”

From the official Updraft Plus WordPress plugin changelog:

“TWEAK: Complete the review and removal of calls to the unserialize() PHP function allowing class instantiation begun in 1.24.7. (The final removal involved a theoretical security defect, if your development site allowed an attacker to post content to it which you migrated to another site, and which contained customised code that could perform destructive actions which the attacker knew about, prior to you then cloning the site. The result of this removal is that some search-replaces, highly unlikely to be encountered in practice, will be skipped).”

Updraft Plus Vulnerability Patched

Users are recommended to consider updating their installations of Updraft Plus to the latest version, 1.24.12. All versions prior to the latest version are vulnerable.

Read the Wordfence advisory:

UpdraftPlus: WP Backup & Migration Plugin <= 1.24.11 – Unauthenticated PHP Object Injection

Featured Image by Shutterstock/Tithi Luadthong

WordPress Developer Publishes Code To Block Mullenweg’s Web Hosting Clients via @sejournal, @martinibuster

A prolific WordPress plugin publisher who has created over three dozen free plugins has released code that other plugin and theme publishers can use to block client’s of Matt Mullenweg’s WordPress.com commercial web hosting platform from using them.

What The Plugin & Theme Code Does

The plugin was created so that other plugin and theme makers can prevent websites hosted on WordPress.com from activating or using them. The code detects whether it is being used within the WordPress.com environment and if discovers that it is then plugin will display a message to the users advising them that the functionality is blocked. The developer who created the code explains exactly how it works and walks plugins and theme makers through the code.

It does three main things:

1. Environment Detection
2. Plugin Deactivation
3. Admin Context Only (deactivates it on the admin side)

Reason For Creating The Code

Robert DeVore, the developer who created the code, explained in a tweet that it’s a way to flip the bird at Matt, a way to send a statement to Matt Mullenweg expressing disapproval for his actions, specifically the leadership “overreach.”

He wrote:

“Take a Stand for the Community
This script isn’t just about restricting your plugin.

It’s a statement against the centralization and overreach demonstrated by WordPress.com and Automattic’s (lack of) leadership.

WordPress® developers deserve a level playing field – free from monopolistic B.S. that stifles innovation and community growth.”

The code is available on his website here:

How to Stop Your Plugins & Themes from Being Used on WordPress.com Hosting

Featured Image by Shutterstock/Anatoliy Cherkas

Matt Mullenweg: What Drama Can I Create In 2025? via @sejournal, @martinibuster

Matt Mullenweg started a Reddit discussion in the r/WPDrama subreddit asking what kind of drama he can create in 2025, sparking an avalanche of responses that subsequently generated a spinoff discussion about one of his responses to another Redditor.

The public r/WPDrama subreddit was created in October 2024 as a place to discuss the fallout from Mullenweg’s conflict with WP Engine. It currently has over 1,300 members.

Mullenweg And Drama

Matt Mullenweg, co-founder of the WordPress CMS (Content Management System), was involved in a self-described “nuclear” war with WP Engine in the latter half of 2024. The conflict has generally caused a negative backlash against Mullenweg and has led to a call for a restructuring of the governance of the open source WordPress project by Joost de Valk (co-founder of the Yoast SEO Plugin).

So it was somewhat surprising that he showed up on Reddit asking what further drama could he stir up in 2025. The post was provocatively titled: What drama should I create in 2025?

His intent for the post was not about creating actual drama but rather it was about what changes could be made to WordPress. The post title appeared to be a tongue in cheek but provocative choice for the Reddit discussion.

Mullenweg posted:

“I’m very open to suggestions. Should we stop naming releases after jazz musicians and name them after Drake lyrics? Eliminate all dashboard notices? Take over any plugins into core? Change from blue to purple?

I think we can brainstorm together and come up with way better things than I could on my own. ☺️ Also, Merry Christmas!”

His discussion starter generated nearly 600 responses, seemingly all of them negative.

The moderator of the subreddit pinned their response to the top of the discussion, which partially reads:

“I have a fantastic idea for some drama we can get up to. Why don’t we create a charitable foundation governing our open source software product, instead of our for-profit company. Why don’t we also operate our main website as its own separate entity, with employees and volunteers provided by yet another entity. Then, why dont we have all of these entities take action against one of our competitors and their entire customer base, refusing to do business with any customers until they stop working with our competitor. Why don’t we ban ALL of those people from our services, and try to compel them to use our service instead?”

That pretty much set the tone for the entire discussion.

ryanduff answered Matt’s question with:

“You should log off and find a good therapist”

Matt Mullenweg responded:

“Hi Ryan, freelance WordPress developer. I’m glad that WordPress and WooCommerce have been tools that have provided you some utility and economic benefit in the past, and hopefully again in the future. Your profile notes your strong religious belief, I’d ask before you post something like this again you ask: WWJD?”

WWJD is an acronym for “What Would Jesus Do?” Redditors responded with riffs on that comment.

His response received 85 downvotes, representing the displeasure and unpopularity of his post with other Redditors. One of the responses to his WWJD post referenced the federal judge who granted WP Engine’s request for a preliminary injunction.

They posted:

“What would Judge (Araceli Martínez-Olguín) do? We’ll see.”

Another Redditor responded:

“Maybe you should ask yourself WWJD (What Would Joost Do)”

That branch of the discussion went completely off the rails with various suggestions of what Mullenweg should do and spawned a standalone discussion titled, “Is Matt low-key threatening or attempting to intimidate this r/WPDrama user?”

That spinoff discussion spawned responses such as this one:

“He either thinks it’s funny, likes the attention, or is so far gone psychologically it doesn’t event register in his mind that your / our views matter at all. I’d guess it’s a combination of all of the above.

The best thing we can all do is break from WP completely and withdraw all volunteering, all financial interactions, cut using it, stop recommending it, and use something else for clients, or use a fork.

He was enjoying being a bully before he picked on WP Engine and now is losing the plot as they say and hopefully Joost can start his own fork that will finally be supported and marketed well enough to get going or can arrange some kind of ouster of spoiled baby MM.”

Matt Mullenweg’s Response To The Negativity

The response to his discussion was overwhelmingly negative. Nevertheless Mullenweg ended his participation by wishing everyone a Merry Christmas.

He posted:

“I’m signing off for the night, it’s time for family movie time. Thank you for the conversation everyone. 🙂 I really do enjoy talking with people on the internet, even if we don’t always agree, and I appreciate everyone taking the time to share their perspective. Forums like this is how I got my start as a teenager. If you think Reddit is spicy, you should have seen Usenet and IRC back in the day! I hope you all have an amazing Christmas and very happy new year.”

That relatively upbeat post received seven down votes.

Read the entire discussion here:

What drama should I create in 2025?

Featured Image by Shutterstock/STILLFX