Open source takes on enterprise risk management

WordPress’ market success tracks closely with enterprise acceptance. How will risk management organizations view the messiness of the ecosystem?

The wild saga continues...

Over the weekend, Automattic publicly tweeted about a "responsibly disclosed" security issue in WP Engine's ACF (Advanced Custom Fields) product. Automattic's tweet read:

Automattic's security team has responsibly disclosed a vulnerability in @wp_acf to @wpengine. As is standard, they have 30 days to issue a fix before public disclosure. We have reserved this CVE for the issue: https://www.cve.org/CVERecord?id=CVE-2024-9529

The tweet was quickly deleted after significant pushback from the community, but the perceptual damage from this action actually feeds directly into today's topic.

Before that, I have to issue my very first correction.

In Investments in the WordPress ecosystem, I wrote about a handful of investments that have been actively discussed, or revealed publicly, during the Matt Mullenweg and WP Engine saga. About BlackRock, I specifically noted the following:

According to that document, as of March 31, 2024, BlackRock holds 94,117 shares of Automattic, at an original valuation of $7,999,945 (let's call it a cool $8 million even), but a present value of $4,127,030, or ~51% of their original value. The valuation is based on BlackRock's internal estimates, and not necessarily representative of the value these shares would have on the open market. Extrapolating a bit, we can guesstimate that Automattic had a valuation of ~$1.3 billion when BlackRock acquired its shares in 2021, while BlackRock now values Automattic at ~$690 million.

That document references a Consolidated Schedule of Investments, from the BlackRock Science and Technology Trust (BST). However, there is an additional document that shows a much larger monetary investment in Automattic.

Specifically, a semi-annual report from June 30, 2024 includes a separate Consolidated Schedule of Investments that lists BlackRock's investment in Automattic within its BlackRock Science and Technology Term Trust (BSTZ) as 400,000 shares. As I am not a high-wealth post-economic individual, I am not clear on the differences between the BST and BSTZ trusts, but it's safe to assume that BlackRock's monetary stake is higher than I previously reported. And, it's entirely possible there are additional trusts in which BlackRock is holding Automattic shares.

In writing this correction, I thought it beneficial to re-calculate Automattic's valuation, both in 2021 when BlackRock first invested, and today, after its write down. However, on Twitter on October 3, Mullenweg noted the following (emphasis mine, spelling his):

Silver Lake controls WP Engine and owns 50%+ of the company. Blackrock owns 0.8% of Automattic and has no voting rights.

The problem is that this is contrary to what Mullenweg previously mentioned on Twitter on September 26—and what I used in my previous post—that BlackRock owns 0.6% of Automattic.

Which is correct and accurate? It's unclear. Is it possible that BlackRock's stake increased by 33% in a matter of days? That seems unlikely, but possible, if one or more large investors divested from their shares in Automattic.

Using his most recent statement, that BlackRock owns 0.8% of Automattic, and assuming, for the sake of argument, BlackRock owns a combined 494,117 shares across its two investment vehicles, this works out to a 2021 valuation of ~$5.25 billion. To be clear, this more recent report still notes a ~51% write down of the value of the BSTZ shares, from $34,000,000 to $16,668,000, as of June 30, 2024.

Either way, I did not get this correct the first time around, and it still may not encompass all of BlackRock's stake. I've added a note to the original post, referencing this correction. Hat tip: Ivan for flagging the additional BlackRock shares to me.

Anyway, onward and upward...

In spite of comparisons to glaciers and molasses, enterprise organizations around the world are constantly looking for the next big thing—the next way to engage their users and increase revenue, but also the next way to reduce costs and optimize team performance.

It's a bit counterintuitive. Even as digital leaders at large organizations implement tried and true technology, they experiment on wild ideas that may never pan out, embracing new technology to reach new audiences. Their mandate, as corporate leaders of for-profit companies, is to be as profitable as possible, which in turn necessitates efficiency of operations, effectiveness of staff, and expansion into new markets. Each of these areas requires new, and improved, technology and practices.

Mind you, this does not challenge the technology adoption lifecycle. Enterprises frequently fall in the later stages of Rogers' innovation adoption curve, representing the Late Majority or even Laggards. But, it's not unheard of for large organizations to embrace new technology.

In particular, as the internet took root and social media flourished, enterprise organizations hesitated, then jumped off the cliff of new media and new technology... at least when it came to external marketing. Internally, however, these organizations are complex ecosystems, filled with procurement, change management, compliance, and risk mitigation. Do enterprise leaders want this level of bureaucracy? Yes and no.

This is the push and pull between innovation and stability. Enterprise organizations need innovation to increase growth and reduce costs through new efficiencies, all in the interest of higher gross margin and profits. In turn, steering a massive ship requires thoughtfulness and consideration, lest you desire Titanic comparisons. Stability is key and risk management comes into play, with entire divisions devoted to reducing risk, even as leaders pine for new innovations and technology, unproven though they are.

An enterprise leader dreams of being an Early Adopter, implementing a new technology ahead of the rest, and being later hailed as a visionary in their market. They want a proven thing, yes, but they want it as fast as possible, the quickest go-to-market conceivable, while also balancing the safety, security, and stability mandated in their fiduciary responsibilities.

And this brings us to WordPress.

Over the past decade, a transformation has been playing out within the CMS market. While many new media publishers jumped aboard the WordPress train in its early years (some as early as 2005), enterprise organizations remained hesitant—only a handful started experimenting with WordPress. But, that changed. First slowly, then rapidly.

In its early years, enterprise avoidance of WordPress was unsurprising given the unknown technology, benefits, and risks. But a few, a handful at a time, pushed it through the hurdles of enterprise bureaucracy. Massive businesses formed around scaling WordPress, not only WordPress-as-software, but WordPress-as-risk, meeting regulatory, compliance, and procurement demands. WordPress VIP, Pantheon, SiteGround, and yes, WP Engine, formed not only to develop the infrastructure needed for WordPress-as-software at scale, but to provide the structure and support that risk management teams needed to approve the software.

And once one enterprise organization approved, it became that much easier for the next, and the next. The editorial experience, even pre-Block Editor—as compared to contemporary competitors—was loved by marketing and content creation teams, who further pushed for WordPress, as leaders moved between companies. The snowball of WordPress rolled down the hill of enterprise. This boosted mid-market growth as well—the thinking went: if it's good for the Mercks, Blackstones, and Standard Chartereds of the world, it's good for everyone. WordPress, once known only for its blogging prowess, became known for flexibility, extensibility, and even security, long its Achilles' heel.

(Arguably, the wave of bespoke CMSes that formed rapidly over the past decade is due to WordPress—a hundred flowers blooming as organizations grew more intelligent about their digital presence, and better able to articulate their evolving needs.)

The reason 43.5% of websites run WordPress isn't because millions of bloggers rose through the ranks of the internet, but rather, because enterprise organizations have embraced it, leading to growth at all ends of the market. Put another way, success in the enterprise market begat success across the web.

But, all of this success stands on the back of mundane terms like procurement and risk management. If enterprise organizations start to see uncertainty, the risk-reward ratio shifts: why use WordPress if another product is less risky in the long run?

Which finally... leads us to the Matt Mullenweg and WP Engine saga.

In case it wasn't abundantly clear, enterprise organizations hate risk. Abhor it, even. The legal actions—both cease and desist orders, and now a lawsuit in federal court—are, by definition, risk.

As risk management teams analyze WordPress-as-software, the legal actions challenging WordPress' intellectual property (IP) will, rightfully, get flagged. And, despite the trademark dispute explicitly avoiding the GPL licence, the door has been opened—what will be challenged next, and how will that affect our business?

In evaluating WordPress-as-risk, the flag has been raised. Regulatory, compliance, and support structures only help so much, when legal threats are in the air. How far will Mullenweg go in his war to protect the WordPress trademark?

It's all too... messy. The entire IP situation with WordPress is messier than closed source solutions like AEM, messier than even Drupal and Sanity. While most everyone loves watching messy, no one likes being messy.

Perhaps more concerning, this is a bell that can't be un-rung. Words have been said, on the record, with no apparent softening over the past few weeks. If anything, positions have been hardened, strengthened as dissenters within Automattic left the company.

And the escalation was rapid, from an enterprise standpoint—in March 2023, just 18 short months ago, Mullenweg applauded WP Engine publicly, only to go "scorched earth" in September 2024. If the switch can be so fast, so sudden, no amount of reassurance, direct or indirect, will assuage enterprise concerns or alleviate the perceived risk.

Ultimately, this very public legal fight—whatever the original motivation—irreparably damages the WordPress brand in ways that are incalculable. Whatever power WordPress-as-software holds, with its numerous benefits, the legal battle has thrown up a red flag for risk management teams around the world. It's near impossible to overstate the effect this has on trust in the WordPress brand and product, though the effect is certainly greater than any alleged actions (or lack thereof) from WP Engine or Silver Lake.

But, again, enterprise moves slowly. It may take years before the damage to enterprise adoption is visible to outsiders. However, managed hosts and agencies will certainly feel pressure much sooner, as enterprise organizations begin to inquire about "options." In the end, it's anyone's guess what the extent of the damage will be, though the actions from Automattic this weekend can only add to the uncertainty about WordPress.
