WordPress Forces User Conf Organizers To Share Social Media Credentials, Arousing Suspicions (theregister.com) 56

Simon Sharwood, reporting for The Register: Organisers of WordCamps, community-organized events for WordPress users, have been ordered to take down some social media posts and share their login credentials for social networks. The order to share creds came from an employee of Automattic, the WordPress host whose CEO happens to be Matt Mullenweg, co-creator of WordPress.

A letter sent to WordCamp organizers explains that the creds are needed due to "recurrent issues with new organizing teams losing access to the event's social media accounts." So far, so sensible. But the requirement to share creds comes in the middle of a nasty spat in the WordPress community, sparked by Mullenweg's efforts to have rival hosting biz WP Engine license the WordPress trademark or devote more staff to working on the open source content management system's code.

  • Some people seem to focus more on the 'dictator' part and less on the 'benevolent' part of the "Benevolent Dictator for Life" role. *shrug*
  • by Pseudonymous Powers ( 4097097 ) on Wednesday October 30, 2024 @12:34PM (#64906797)
    The only suspicions this is arousing in me are regarding whether Mullenweg is actually clinically insane. "Give me your passwords?" That's not a thing.
    • People can just "flip" one day, so to speak. Could be due to stress and/or not being able to handle authority ("mad with power"), or it could be an actual, physical condition in the brain.

        I'm leaning away from thinking that this guy is that stupid, and more toward that there is seriously something wrong with him, neurologically.

      • People can just "flip" one day, so to speak. Could be due to stress and/or not being able to handle authority ("mad with power"), or it could be an actual, physical condition in the brain.

        I'm leaning away from thinking that this guy is that stupid, and more toward that there is seriously something wrong with him, neurologically.

        Probably just fell into his own idiocy. That happens for some "leaders." Especially those that really suck at leadership. They start to think micromanaging and dictatorial rule are the only ways forward, truly believing in their own superiority until they are smacked in the face by someone or something far superior to them. For some, that's death. For others, just a good solid prison sentence. Or crossing the wrong person at the precisely correct moment to merit a violent reaction.

        At any rate, this public m

        • by mysidia ( 191772 )

          At any rate, this public meltdown is bound to end is some spectacular fashion, one way or another.

          Since WP is open source... Fork the project and the module repo. WP Engine could do this.

          Make a new WP off the old WP and call it something like Word Plus, Word Post, Word Puncher, or whatever the heck phrase you can come up with that shortens to WP and contains Word in the name while Not implicating the Wordpress or Microsoft Word trademarks.

  • Wow (Score:5, Interesting)

    by Baron_Yam ( 643147 ) on Wednesday October 30, 2024 @12:36PM (#64906803)

    I've heard of burning it all down around you, but this guy brought nukes.

  • by mysidia ( 191772 ) on Wednesday October 30, 2024 @12:36PM (#64906807)

    If the organizers' accounts are company accounts, Then they need to be setup that way, as company-managed accounts.
    Give the credentials to the corporate IT administrator only.

    And grant the individual users post access instead of sharing credentials.

    It's a violation of Terms of Service on just about any social media site for users to share Logins and Passwords.

    • by sconeu ( 64226 )

      It's a violation of Terms of Service on just about any social media site for users to share Logins and Passwords.

      Came here for this.

      "Dear Automattic drone,

      Just to be clear, you are specifically asking us to violate the [social-media-platform] Terms of Service?

      Thank you,
      [Conference Organizer]"

    • by zlives ( 2009072 )

      admins should be able to reset passwords anyways? why "share"

    • by 93 Escort Wagon ( 326346 ) on Wednesday October 30, 2024 @01:55PM (#64907041)

      If the organizers' accounts are company accounts, ...

      WordCamps are organized by local Wordpress user communities, not owned by Automattic. Heck, as far as I can tell, Automattic hasn't even provided sponsorship for any of them.

      • by mysidia ( 191772 )

        WordCamps are organized by local Wordpress user communities, not owned by Automattic.

        I see. The camps are organized by local communities, But it seems that Automattic believes they are the entity that decides who gets to do it, or at least the company who gets to control who gets to be listed as a "Wordcamp" and use the Wordcamp name and branding capital.

        So, unless there is some argument about that; it does seem that whoever that company is would have ultimate control over the branded official acco

      • Re: (Score:3, Funny)

        by KlomDark ( 6370 )
        This one time, at WordCamp, I...
    • While this is how it should be, it's not how even major companies do it, sadly. I directed the social media program for one of the largest computer companies in the world. I was given the login credentials to all their accounts. Not just social media but associated Google and other accounts too.

      Too frequently folks aren't going to sit around waiting for IT to set up those accounts and properly provision things out to users. That bottleneck is what causes others to work around it.

      • by mysidia ( 191772 )

        I directed the social media program for one of the largest computer companies in the world. I was given the login credentials to all their accounts.

        I'd say it's equally valid to have only the director responsible for social media be given the logins and they can handle Account delegations for other social media users themself if that's their pleasure -- it just may be a distraction. I mean; if there is any one person to have the login it would be the person accountable for results and directing what ty

        • At the time I worked for an outside marketing agency. Giving those keys to the car to someone outside the organization would be a general no go. And this company had 14,000 employees certified in social media through their internal program, which included security training and posting on behalf of their company. Pretty wild.

  • Exit Stage Left... (Score:4, Insightful)

    by KlomDark ( 6370 ) on Wednesday October 30, 2024 @12:41PM (#64906831) Homepage Journal
    Anyone still using WP needs to start heading for the door, now.
    • Not over this. Really, this is no different than if some specific Linux distro's maintainer went batsh*t crazy.

      Now if you use Wordpress and your site is hosted on wordpress.org... it's definitely time to look for a new hosting provider.

      • by Richard_at_work ( 517087 ) on Wednesday October 30, 2024 @02:24PM (#64907139)

        I hear that WPEngine is a pretty good alternative

        • by mysidia ( 191772 )

          Does WP Engine have a solution for their customers regarding Autocrat-o-matic blocking them from their update servers?

          Presumably they will eventually if they win in court, or at least temporarily if they win the temporary order. But it maybe makes them a problematic choice in the mean time. And it makes the choice to use Wordpress software in general a questionable choice in the longer term.

          • I was cc'ed on an email from WP Engine to one of our staff. It appears for the free version of their plugins, they're providing a patch that I assume re-points the plugin's update server to something WP Engine owns. It sounds like the paid ("pro") plugin users are already getting updates from WP Engine's own servers... so no patch was needed.

            I might have the details wrong; I wasn't directly involved so I only gave it a cursory read - and only that because the drama has piqued my interest!

  • by devslash0 ( 4203435 ) on Wednesday October 30, 2024 @01:04PM (#64906899)

    1. You should change them regularly.
    2. You shouldn't leave them where other people can see them.
    3. You should never loan them out to strangers.

    • by lsllll ( 830002 ) on Wednesday October 30, 2024 @01:48PM (#64907013)

      1. You should change them regularly.

      I take issue with that. In my opinion, unless there's an indication that a password has been compromised, there should be no reason to change it. Changing passwords often leads to a) users writing the password down somewhere and b) using the same password with iterators at the end. On the other hand if someone tells me that a password needs to be changed because it was compromised, I'm less likely to use the same password with an incremental iterator at the end.

      • NIST agrees with you:

        "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator." - https://pages.nist.gov/800-63-... [nist.gov]

      • Perhaps reword to:

        > Passwords are like underwear.
        > 1. You should change them when they're dirty
        > 2. You shouldn't leave them where other people can see them.
        > 3. You should never loan them out to strangers.

        That password changing thing really gets my underwear in a bunch. My employer has a 3 month rotation policy, where the people we work for have a 6 month rotation policy. Both are crazy, but my employer especially is (in plenty more ways than this, I might add).

    • Don't use someone else's.

  • by devslash0 ( 4203435 ) on Wednesday October 30, 2024 @01:07PM (#64906907)

    No, it's not sensible in any way, shape or form. Sounds like Automattic are asking for passwords so that they can take unpopular or otherwise inconvenient social media posts themselves in case someone doesn't want to comply. This is potentially criminal - both asking for credentials and trying to make unauthorised changes.

    • by Matheus ( 586080 )

      Ya... I don't care if you're my partner, my boss, a cop or a judge.. you can have my password when you claw it from my cold dead hands (or hack it the old fashioned way!)

  • by Malay2bowman ( 10422660 ) on Wednesday October 30, 2024 @01:28PM (#64906975)

    My creds-

    Facebook

    Username: lickmyballs
    Password: gofuckaduck

    Instagram

    Username: gotohell
    Password: youshiteatingcunt

    X/Twitter

    Username: yourmomisawhore
    Password: yourdadisalsoawhore

    ...and so forth

    • by lsllll ( 830002 )

      Once I was so pissed with a web site's password policy (not only combinations/length, but also "too similar to previously used password". How would they know unless they saved my plain-text passwords somewhere or enumerated my character usage in them?) I used "FuckYourMom@#$000". Unfortunately, eventually, I also had to screw their dad, lick their sister, and toss their aunt's salad.

      • by Dwedit ( 232252 )

        You can test removing each character (and all possible truncations) and compare its hash to a previous password's hash. You don't need to store plain text for that.

        • by HiThere ( 15173 )

          That won't identify "badPassword1" as a precursor to "badPassword2". Not unless you've saved "badPassword1".

          • by Anonymous Coward

            You can test removing each character (and all possible truncations) and compare its hash to a previous password's hash. You don't need to store plain text for that.

            That won't identify "badPassword1" as a precursor to "badPassword2". Not unless you've saved "badPassword1".

            It's trivial and near instantaneous to test a few hundred of possible combinations of
            Remove X characters from the new_password end and test hash against current hash, starting with X=1 increasing to length(new_password)-1 ; if hash is the same, then passwords are too similar (user added some character[s] to the end)
            Remove one character from the end and add one character to the end iteratively through the entire allowable unicode character list and test hash against current hash
            Remove two characters from

            • by lsllll ( 830002 )

              You first need to define what is "too similar". Is "bad12Password" similar to "bad34Password"? I would argue that it is, indeed. So that automatically invalidates changing just one character. Now you're up to changing two characters. They can be upper or lower case, numeric, special characters. So we're up to about 80. So that's 6400 iterations for each position in a password. For a password with a length of 12, you're talking about 70000 iterations. Is that really reasonable and workable?

        • Not a valid strategy if you're salting passwords, like you should...
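The "hash the variants of the new password and compare against the stored hash" check that Dwedit, the Anonymous Coward and lsllll argue about above, written out as an added example. This is not code from any commenter or from WordPress; it assumes a salted PBKDF2-HMAC-SHA256 store with a deliberately small, demo-scale iteration count (ITERATIONS), an alphabet of printable ASCII for substitutions, and constructed sample passwords. It covers the three edits the thread mentions (appended suffix, one deleted character, one changed character) and counts how many hash computations that costs, which is the point lsllll raises.

```python
import hashlib
import hmac
import os
import string
from typing import Iterator, Optional, Tuple

# Assumption: demo-scale work factor so the example runs in seconds.
# A production store uses a far larger count (or argon2/bcrypt), and that
# is exactly what makes a large candidate space expensive to enumerate.
ITERATIONS = 1_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # assumed alphabet


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); only these are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, got = hash_password(candidate, salt)
    return hmac.compare_digest(got, digest)


def candidates(new_password: str) -> Iterator[str]:
    """Yield strings that, if equal to the old password, make the new one a
    trivial edit of it: suffix truncations (user appended characters), single
    deletions and single substitutions. Duplicates are skipped so each is
    hashed at most once."""
    seen = set()

    def emit(s: str) -> Iterator[str]:
        if s and s not in seen:
            seen.add(s)
            yield s

    for n in range(1, len(new_password)):            # old = new minus a suffix
        yield from emit(new_password[:-n])
    for i in range(len(new_password)):               # old = new minus one char
        yield from emit(new_password[:i] + new_password[i + 1:])
    for i, ch in enumerate(new_password):            # old = new with one char changed
        for a in ALPHABET:
            if a != ch:
                yield from emit(new_password[:i] + a + new_password[i + 1:])


def work_factor(new_password: str) -> int:
    """Number of hash computations the similarity check costs for this password."""
    return sum(1 for _ in candidates(new_password))


def too_similar(new_password: str, salt: bytes, digest: bytes) -> Optional[str]:
    """Return the candidate that matched the stored hash of the old password,
    or None. The old plaintext is never needed: each candidate is hashed with
    the stored salt, so salting does not get in the way of the check."""
    for cand in candidates(new_password):
        if verify(cand, salt, digest):
            return cand
    return None


if __name__ == "__main__":
    salt, digest = hash_password("badPassword1")       # constructed old password
    print(too_similar("badPassword2", salt, digest))    # badPassword1 (one char changed)
    print(too_similar("badPassword11", salt, digest))   # badPassword1 (suffix appended)
    print(too_similar("tr0ub4dor&3", salt, digest))     # None
    print(work_factor("badPassword2"))                  # hashes needed for a 12-char password
```

As written the check is one-directional: it finds an old password that the user extended or edited by one character, but not one the user shortened (that would need single insertions, another length-times-alphabet set of candidates). Cost grows linearly with password length times alphabet size for single-character edits and roughly quadratically for two-character edits, which is why, at a real work factor where one hash takes a noticeable fraction of a second, a server-side check of this kind quickly stops being practical and sites tend to fall back on comparing plaintexts at change time instead.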
    • by wimg ( 300673 ) on Wednesday October 30, 2024 @04:17PM (#64907391) Homepage

      How is that an improvement ?

      • How is that an improvement ?

        Drupal is a real open-source community, with a real security team, established Best Practices, and easy installation (and updating) of a zillion GPLd contributed modules hosted on GitLab.

        • by wimg ( 300673 )

          Right, the Wordpress stuff could never happen to Drupal.
          Except... at the bottom of drupal.org : "Drupal is a registered trademark of Dries Buytaert".
          Except... a few years back someone was kicked out of the Drupal community by Dries for having an alternative lifestyle.
          Except... you get where I'm going...

          • a few years back someone was kicked out of the Drupal community by Dries for having an alternative lifestyle

            False

            • Fuck, botched the link, that's what I get for not using preview

              https://www.drupal.org/associa... [drupal.org]

              • Read the comments on that link.

                And this doesn't answer the trademark issue, which is worse than Wordpress...

                • Trademark, who cares.

                  Already read the comments on the link, and several other stories on the subject, at the time and now.

                  Parts of the story are still opaque and the transparent parts don't change my mind.

                  Someone should probably let you know that gor remains controversial even in many BDSM communities.

                  • by wimg ( 300673 )

                    You've obviously missed the whole point of the Wordpress nonsense going on... it all started about the trademark.

                    Instead of just replying to a Wordpress post by saying "Oh Drupal is better"... read, digest, learn.

  • Just stop using it now. That goes against all security principles. What were they thinking?
  • Are these Wordpress re-education camps?
    Censorship/anti-competitive practices/coercion. What's next? The purges?
    It's just a CMS. Calm down.

  • Never mind that it's less than bright to give others the ability to put words in your mouth, it may be a violation of the TOS on the media account to share credentials. Even if you are an organization and it's a role account, sharing is generally restricted to employees and contractors who are bound by agreements on how the account is to be used.

  • These people, if anyone, should understand that their users cannot legally hand over their social media credentials because it's almost universally a violation of everyone's terms of service for a user to share login credentials with anyone else. Additionally, since the user can't legally authorize someone else to use their account, if the credentials were actually used it would pretty much become a felony on the spot--quite literally unauthorized access.

    Whoever decided to ask for these needs to be fired.
