Keep on Blogging in a Free World

by Katherine Druckman

Unless you've been living under a rock for a few years, you most certainly have heard of WordPress, one of the most popular blogging platforms around that also happens to be 100% open source. There are a few iterations of WordPress that power personal and corporate blogs as well as collections of blogs for large institutions, like Harvard University. And, WordPress.com brings blogging to anyone with just a few clicks.

WordPress has a tremendous community both in terms of size and enthusiasm, and many people make their living implementing and using it. Since its first release in 2003, the community has grown with the application, and WordPress' commitment to open source is as strong as ever. I have a WordPress blog, and a lot of my friends have WordPress blogs, so I was thrilled to have the opportunity to ask founding developer, Matt Mullenweg, some questions about his project.

KD: For those (few) not familiar with WordPress, what features or qualities set WordPress apart from other blogging platforms and content management systems?

MM: WordPress aspires to be invisible, if we do our job, you completely forget it's there and just focus on what matters to you and your users—your writing.

WordPress was created as a blogging tool, but more and more savvy developers are discovering it shines as a general CMS as well, and its user-friendly interface works well with people of any experience level.

KD: I believe it is safe to say that since WordPress' inception, blogging as a medium has evolved by leaps and bounds. In what ways has this evolution met or exceeded your expectations? Any surprises?

MM: The biggest surprise to me is that when WordPress started, the common assumption was that blogging had peaked or would soon, and that the software market for it was already saturated. That turned out not to be the case.

I also didn't expect the embrace of rich media that has transformed blogging over the past several years. I mean, we called it WordPress, not PhotoPress or VideoPress. The written word is still the heart of what we do, but people's imaginations have been captured by podcasting, videocasting and photoblogs.

KD: What advice do you have for those of us trying to scale our WordPress sites? Are there any other open-source tools you would suggest in this arena?

MM: Ninety percent of scaling happens before a person ever reaches WordPress. You need a server that's configured to serve static files efficiently, perhaps with a reverse proxy. You need a database tuned to handle the size of your dataset well. (Most blogs are only a few megs of data.) Finally, where core WordPress is very scalable (we served more than 140 million uniques using it last month on WordPress.com), there are some plugins that can slow your site down, so be watchful of performance after turning on a new plugin.

KD: Speaking of gargantuan sites, there are some pretty popular sites out there using WordPress—icanhascheezburger.com comes to mind. Are there any other popular or otherwise noteworthy sites that have impressed you with their implementation?

MM: Cheez is one of my favs. I subscribe to more than 300 blogs, so it's tough to name favorites.

Implementation-wise, I've been impressed with:

Content-wise, I enjoy:

And so many more! But I'll stop now.

KD: There has been some controversy recently, which erupted from some dialogue with Six Apart regarding competition from Movable Type, another blogging platform that has multiple licenses. You responded by being something of a crusader for open source. Is that a fair assessment? How do you feel your team's contributions to open source affect your place in the emerging blogosphere?

MM: I consider myself a strong proponent of open source. I would like to think the fierce competition and success WordPress has shown in the market was a factor in Six Apart's effort to remain relevant and put Movable Type under an open-source license.

I think before, when we were open source and they were proprietary, people sometimes chose WordPress because of its license and freedom, but growth hasn't slowed since they switched, so now I suppose people are more influenced by functionality and our broad community in their decision to use WordPress over other software.

KD: You frequently have reiterated your commitment to open-source ideals and GPL licensing. How has this commitment factored into the development of your company, Automattic? How do you use open-source technology to achieve your goals?

MM: When I set out to create Automattic, it was an interesting dilemma—in our society, it seemed the best way to have an impact on the world was working within a for-profit framework, but at the same time, I'd seen multiple examples of “open-source companies” suffocating the communities they grew from.

I came across an interesting hack though—by keeping WordPress.org a separate entity from Automattic and basing our business entirely on GPL code, you create a balance that aligns the fiduciary responsibilities of the corporation with the interests of the community at large. In the long term—10, 20 years from now—it still will be in the best interest of Automattic to support the broader community as much as possible, because its own business succeeds when they do.

I didn't want WordPress to be a one-company project, so by separating out the nonprofit and for-profit sides and making some explicit decisions about businesses Automattic would never enter, we created a lot of room for other companies to embrace, support and build on top of WordPress. Hopefully, we also set a good example of how to contribute back to the community.

It was the best way I could think of to ensure that the principles I believe in would endure beyond my personal involvement or control of either organization. (But I still look both ways when crossing the street.)

KD: I noticed WordPress is licensed under GPL v.2. What are your thoughts on GPL v.3?

MM: I haven't researched it enough to have a strong opinion yet, but I am generally supportive of the efforts of the Free Software Foundation and donate to them regularly.

KD: Spam plagues us all in the world that is Web, and your Akismet Project has been a very popular weapon. Akismet is closed source, but has an open-source plugin, and there has been criticism for that. How did you arrive at your current approach with Akismet in particular?

MM: That was a tough one. Basically, what it came down to is I had been creating antispam plugins for a long time, and every iteration would work for a shorter and shorter period of time until it was literally a matter of hours before spammers would download my plugin, see what it did and circumvent it.

Akismet was created to break this cycle, to provide a long-term solution to spam, and the best way I could see to do that was a centralized service that could adapt to spammers' tactics as fast as they were changing them. At the time, the decision was weighing the good to the world of the Akismet algorithms and code being open source vs. the good to the world of solving people's spam problems.

So, we made the decision at the time to err on the side of stopping spammers, and the community was very supportive. It's entirely within the realm of possibilities that the more generally useful parts of it will be open-sourced in the future.

KD: There was an announcement in February about a security issue that needed immediate attention—how do you and your team address the security of WordPress? How do you balance the desire to add features with the security risks related to change?

MM: Well, security is always a priority over new development, for obvious reasons. It's not about an audit or single event though. It's a mindset that has to pervade everything you do. I'm a very trusting guy, so early on it was difficult for me to think about how bad actors could exploit a system—for example, when I co-created the open ping service Ping-O-Matic, which is the update ping equivalent of an open relay. It still runs today, but it's attacked by spammers constantly.

I think the most important thing with regards to security is that you're transparent and responsive. When a legitimate problem comes in, we'll get a fix into the hands of users as fast as we can. As WordPress has grown in popularity, there have been many eyes on it, and over time, the nature of new vulnerabilities has become more benign. Until DJB writes blog software, I think we'll be one of the best out there with regard to security, not because we have a perfect history, but because we've learned from many mistakes. When you dig in to WordPress, you'll find a lot of security foundations with nonces, header-splitting protection, HTML sanitation, encrypted cookies, salted passwords and so on.

KD: WordPress is going on five years as an application. Are there any technical decisions you made in the beginning that you regret today? Are there dark corners you would love to clean up but never get around to it?

MM: Absolutely! Tons of stuff. But I've seen the mistake of starting from scratch one too many times. Some projects survive it, like Mozilla/Phoenix/Firefox emerged from the ashes, but more often than not, the engineer-led ground-up rewrite is a good time to call the peak of a product.

Our approach is more iterative. If you compare 1.0 to 2.5, they are like night and day, but the transformation happened bit by bit, release by release. We maintain as much backward-compatibility in the process as we can.

KD: How is development on WordPress organized? Who decides when it is time to call it 2.5?

MM: It's very ad hoc. My role is BDFL, there are four committers, and then dozens and dozens of developers who contribute patches large and small. Shipping is the hardest part. It's so easy to fall into an extended development cycle where you just endlessly noodle and perfect every little thing.

That's actually what happened between 2.0 and 2.1. Now we have more of an Ubuntu approach to releases, where they're more time-based. The discipline has been good for the project. The releases are just as stable as before, we just get cool new features into the hands of users three times a year instead of only once.

Of course, there's nothing quite like working on a Web service like WordPress.com or Akismet. It's so nice to be able to deploy updates 20 times a day to a completely homogeneous environment where you control all the variables. It spoils you.

KD: WordPress supports plugins—some are minor, and others bend WordPress in new directions. Any favorites, or ideas for a plugin you wish you could download right now?

MM: It's cheating a little bit, but things I like as plugins often end up getting built in to the product. I think the main two I have on my site are Akismet and WordPress.com Stats, both of which are from Automattic.

In terms of what I want, I'd love to see something that allowed blog readers to suggest tags or categories, and then those could go into a queue for moderation by the blog author. I'd also love to be able to point the uploader to a local directory on the server or a URL and let it slurp up the images from there, much like Gallery does it.

I bet both of those exist already, with so many thousands of plugins, sometimes the hardest thing is just finding what's already out there.

KD: You just released 2.5 in March—do you already have ideas about what you'll be working toward in 2.6 or 3.0?

MM: The best ideas come right before a release, because you're in “ship” mode, and you have a thousand great ideas that if you just could slip this one great thing in...but you know you can't, because then you'd have to start the testing cycle over again. I have a list (15–20) things long of features and improvements I'd love to see happen in 2.6, and I'm sure the other developers do as well. We also have all the great ideas that the community proposes and votes for in our Ideas forum. Pretty soon, we'll do an IRC meetup and hash out a rough outline and get cracking, and thus, the cycle begins again.

WordPress is the Content Manager System winner in the 2008 LJ Readers' Choice Awards. See our June issue for more details.

Katherine Druckman is an HTML-flinging, PHP-hacking LJ Webmistress by day, and a refined connoisseur of classic architecture and fine Chinese ceramics by night. She usually can be found surrounded by the charm of aging Texas buildings from the pioneer days or appreciating ceramics of the Song and Qing dynasties. Well, either that or sitting in a comfy chair with a laptop. Yeah, probably the laptop thing.

Load Disqus comments