As the WordPress saga continues, CIOs need to figure out what it might mean for all open source

While lawyers argue in the WP Engine versus Automattic litigation whether the hyperbole should be believed, the continuing battle of words, almost all nasty ones, is starting to raise doubts how much an enterprise should rely on open source. And even if open source can be avoided at all in late 2024.

The latest legal documents came from Automattic, which argued that its people did nothing wrong and that the blame lies solely with WP Engine. This arrived after months of a wide range of heated comments from both sides.

One key point of disagreement involves WP Engine being denied access to WordPress.org. WP Engine has argued that the denial blocked it from getting work done, but Automattic (which controls both WordPress.org and WordPress.com) argues the move didn’t meaningfully hurt WP Engine.

“It is apparent that WP Engine itself is fully capable of providing the services it purports to need from [Automattic]. WP Engine has never lost the ability to access the WordPress software and plugins on the Website. These are accessible without any login. Rather, WP Engine has only been denied access to various developer resources that are provided through the Website, which allow it to manage the back end of the versions of its plugins hosted on the Website,” the Automattic filing said. “Within days of losing such access, WP Engine was able to recreate much of the functionality it claims it lost and re-establish a connection to its plugins within days by hosting all of its plugins on its own website. And while WP Engine spends much of its Motion quantifying the damage it supposedly has suffered, including in the form of lost customers, it fails to acknowledge that much of the evidence it submits to support this purported damage demonstrates that those customers left because of WP Engine’s own poor service and not because of any action by [Automattic]”.

Another key argument on both sides is whether various aggressively phrased public comments from Automattic CEO Matt Mullenweg were legally defensible. 

“Emblematic are WP Engine’s claims based on Matt’s statement during a live streaming interview that despite being a ‘half-billion dollar business,’ WP Engine had not ‘given anything back.’ No reasonable listener would parse this statement, as WP Engine wrongfully attempts to do, as a factual assertion that WP Engine had given literally nothing back to the WordPress community. That is because, as the Complaint concedes, Matt immediately went on to reference the ‘40 hours per week’ WP Engine had contributed to the ‘Five for the Future’ program dedicated to maintaining WordPress, and the roughly ‘100 grand per year’ at which he valued those hours,” the filing said. “The plain meaning of Matt’s commentary, then, based on the entire context of the statements in question, was that WP Engine’s contributions were insufficient. Reasonable people can disagree as to whether WP Engine’s contributions were or were not sufficient, and WP Engine is not obliged to agree with Matt’s views. But WP Engine has no basis under the law for seeking to stifle those opinions via litigation.”

The papers that Automattic filed on Wednesday said that the company’s negotiating position with WP Engine was that WP Engine could “either execute a license for the Foundation’s WordPress trademarks or dedicate eight percent of its revenue to the further development of the open source WordPress software.” That eight percent was, at the time, worth $32 million.

Mullenweg, in an interview Thursday with CIO, lamented that WP Engine “could have avoided all of this for $32 million. This should have been very easy,” and he then accused WP Engine of having engaged in “18 months of gaslighting” and said, “that’s why I got so crazy.”

“I would love to go back to the negotiating table,” Mullenweg said, adding that the terms would now be a lot less attractive than they were months ago. “They have caused a lot of trauma since then. If we were to negotiate a deal today, it would not be as nice as the ones we offered in June or September. It would need to reflect the updated business realities.”

Asked what updated business realities he meant, Mullenweg clarified. “Now they are distressed and they are losing customers” and “they have attacked me and WordPress.org,” and he added that, with such a revised settlement, “we would essentially be saving them. I think our negotiating position is getting stronger every day.”

WP Engine did not respond to a request for comment.

A source familiar with the WordPress space, who asked that their name not be used, offered a financial reason why WP Engine might have resisted agreeing to licensing or other payments.

“I think they were shopping to sell WP Engine to another private equity firm. They were unable to,” partially because they were seeking a $2 billion acquisition price, the source said. “They had great metrics, but no IP [intellectual property]” because they didn’t own the WordPress code. “They were trying to keep their free cashflow as high as possible to try and flip it. They didn’t want to take the haircut.”

Melody Brue, a VP/principal analyst for Moor Insights & Strategy, said she sees the nasty battle between these two entities as a heads-up to CIOs, and a good reason to carefully rethink their open source strategies.

“For CIOs, they need to seriously assess their reliance on open source platforms, to evaluate their situation, given these sorts of complaints,” Brue said. “CIOs need to monitor the stability of open source ecosystems. Otherwise, they will be continually subject to the whims of business leaders who choose to act like petulant children.”

Brue argued that CIOs need to think through all open source implications. “There actually will be, and should be, a new focus on understanding the real costs and the risk of open source resources,” Brue said. 

One European open source executive, understandably, took the opposite position. 

Tomas Gustavsson, the chief PKI officer for Keyfactor in Sweden, argued that the enterprise software risks are just as fragile and tenuous with even the largest proprietary software firms. 

“Any of your vendors might go bankrupt” or get acquired, he said, and the answer to all of these problems is to focus on proper vendor vetting, looking especially hard at their supply chains. 

Even if an enterprise wanted to avoid open source, Gustavsson said, it is simply no longer possible, given how deeply embedded open source code is in everything from commercial vendors, including Microsoft, Google, Amazon, or IBM. “That train has passed a long time ago,” he said. 

As for the WordPress battle, Gustavsson said it is nothing new. “This is not the first time something like this has happened, and it will not be the last. The core of the controversy was put down in writing decades ago, using the phrase ‘free as in free speech, not as in free beer.’ There is a built in tension between open source ideals and profiting off it,” he said. “Talking about software in general, there is always a risk building dependency on software controlled by a single entity, nothing specific to open source. What may be specific to open source is that organizations have made assumptions that the software will always be there, free and supported by someone — an assumption no-one would make when using proprietary software.”

Gustavsson added, “this has led to some high profile license changes where open source founders and companies have felt unfairly treated by another organization that uses their software gaining more profit. This is a result of the open source license itself that allows such dynamics. On the other hand, there is nothing that prevents the copyright holder from changing the license.”

Another open source expert, Michael Sonier, general manager at ButterCMS, argued that some of these headaches can be addressed simply by writing better contracts.

The WordPress battle “happened because there was no well structured or governed agreement/contract between WP, WPEngine or the ‘community.’ There was a crack in the model, or too much reliance on an ‘ethos’, making it a ticking time bomb,” Sonier said. “Open source is not just an ‘ethos’ and does not mean wild west. When it is only that, it runs the risk of devolving into complex legal battles, and then the outcome will have little to do with what is right for the parties, the community, the customers, or innovation, it will have to do with the strength of theoretical legal arguments.”