Jetpack 13.9.1 Update: What You Need to Know and Potential Ethical Concerns

Code Audits for Jetpack: Why We’re Auditing Every Update

As the WordPress community grapples with the recent fallout between Automattic, the parent company behind WordPress and Jetpack, and WP Engine, trust in Automattic has taken a significant hit. Allegations of unfair practices, trademark manipulation, and hostile business tactics have emerged, leaving many developers and users questioning the integrity of the platform we rely on daily.

In light of these concerns, I’ve taken it upon myself to audit each new release of Jetpack—starting with version 13.9.1—to ensure that Automattic isn’t introducing any questionable or unethical code. This blog post will summarize my findings and raise awareness about the potential issues we must be vigilant about going forward.

The Current Context: A Community in Crisis

Automattic, under CEO Matt Mullenweg, has been at the center of controversy for allegedly attempting to extract licensing fees from WP Engine, a prominent WordPress hosting provider. When WP Engine refused to comply with Mullenweg’s demands, tensions escalated into lawsuits, cease-and-desist letters, and, at one point, even blocking WP Engine’s customers from receiving essential updates via WordPress.org. This aggressive behavior has left many in the WordPress ecosystem questioning the motives of Automattic and whether their stewardship of open-source software is being compromised by profit-driven interests.

More troubling, 159 employees resigned from Automattic in response to these events, citing disagreements with the company’s tactics. This “incentivized exodus” has only further damaged the community’s trust in the leadership at Automattic, which now seems to be prioritizing corporate power plays over the values that made WordPress what it is today.

Jetpack 13.9.1: What We Found

Given this backdrop, it’s more important than ever to scrutinize the code changes in Automattic’s flagship products. After comparing Jetpack version 13.8.2 with the latest release (13.9.1), several concerning changes emerged.

1. Control Over Gutenberg Blocks

What Changed:

In Jetpack version 13.9.1, new logic was introduced to control the activation of Gutenberg blocks based on the status of Jetpack’s connection and the activity of the “Blocks” module.

Code Snippet:

File: class.jetpack-gutenberg.php
Lines: 433-436

if ( ! ( new Modules() )->is_active( 'blocks' ) ) {
    $return = false;
}

Explanation:
This logic determines whether Gutenberg blocks are enabled or disabled, depending on the activation of the “Blocks” module. If the module is inactive, the blocks are disabled by default.

Potential Concerns:

This introduces a mechanism that allows Automattic to control which blocks are available to users, based on Jetpack’s status. While this may be intended to improve performance, it also gives Automattic more control over the editing experience, potentially leading to the introduction of promotional blocks or other changes without user consent.


2. Shift from XML-RPC to JSON API

What Changed:

In version 13.9.1, certain XML-RPC methods were deprecated in favor of using JSON-based API endpoints.

Code Snippet:

File: class-jetpack-xmlrpc-methods.php
Lines: 44-46

/**
 * @deprecated 13.9
 * @see Jetpack_Core_Json_Api_Endpoints::get_features_available()
 */

Explanation:
The features_available() method has been deprecated and now directs developers to use a JSON-based API endpoint instead. Similar changes were made to the features_enabled() method.

Potential Concerns:

This shift from XML-RPC to JSON API could allow for more extensive data collection, as JSON APIs are typically more flexible and modern. It’s crucial to monitor how these new endpoints are being used, especially when it comes to user data handling.


3. Removal of Akismet Branding Customizations

What Changed:

In the admin interface, the function that replaced the Akismet logo with a Jetpack-branded anti-spam logo was removed in version 13.9.1.

Code Snippet:

File: class.jetpack-admin.php
Lines: 95-106 (removed function)

/**
 * Generate styles to replace Akismet logo for the Jetpack Akismet Anti-spam logo.
 */
public function akismet_logo_replacement_styles() {
    // Removed in version 13.9.1
}

Explanation:
This function was responsible for customizing the anti-spam branding. Its removal may indicate a rebranding or restructuring of Jetpack’s anti-spam features.

Potential Concerns:

While this is a cosmetic change, it is part of a larger trend where Automattic is consolidating its services and branding. This could result in a more aggressive push of their services under the Jetpack banner, further limiting user choice.


4. Partner Coupon Hooks

What Changed:

The hooks related to Jetpack’s partner coupon system remain in place in version 13.9.1.

Code Snippet:

File: class.jetpack-admin.php
Lines: 106-108

Jetpack_Partner_Coupon::register_coupon_admin_hooks( 'jetpack', Jetpack::admin_url() );

Explanation:
These hooks allow Jetpack to display partner coupons and promotions in the WordPress admin area. While this feature is not new, its continued presence suggests that Automattic is maintaining (or even expanding) its affiliate-driven monetization strategies.

Potential Concerns:

These hooks could be used to push more aggressive promotions or advertisements, leveraging Jetpack’s significant presence in the WordPress ecosystem. It’s important to question how these partnerships are impacting the user experience.


Why This Audit Matters

The Jetpack plugin is deeply integrated into millions of WordPress sites, and as Automattic’s control over WordPress increases, the community must remain vigilant. With the ongoing legal battles and employee exodus, many in the community are concerned about Automattic’s ethical direction.

The changes I’ve outlined above, while not overtly unethical on their own, signal a trend towards greater control and monetization within the platform. The community must actively audit these updates to ensure that WordPress remains a free, open, and user-driven platform.
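
As an added example (not part of the original post and not Jetpack's own code), the following Python script shows one way to make this release-to-release comparison repeatable: it diffs two unpacked plugin trees and reports only the changed lines that touch hook registrations, outbound HTTP calls, deprecation tags, or function definitions. The pattern categories, function names, and sample trees are assumptions of this example; the sample sources are constructed from the snippets quoted above, not copied from Jetpack.

```python
import difflib
import re
from pathlib import Path

# Categories are this example's own; the PHP names are WordPress core functions
# or identifiers quoted in the post above.
PATTERNS = {
    "hook": re.compile(r"\b(add_action|add_filter|register_\w*hooks)\s*\("),
    "remote_call": re.compile(r"\bwp_remote_(get|post|request)\s*\("),
    "deprecation": re.compile(r"@deprecated\b"),
    "function_def": re.compile(r"\bfunction\s+\w+\s*\("),
}

def load_tree(root):
    """Map relative path -> source text for every PHP file under an unpacked release."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*.php")}

def audit(old, new):
    """Return (path, '+' or '-', category, line) for each changed line matching PATTERNS."""
    findings = []
    for path in sorted(set(old) | set(new)):
        before = old.get(path, "").splitlines()
        after = new.get(path, "").splitlines()
        matcher = difflib.SequenceMatcher(None, before, after, autojunk=False)
        for tag, i1, i2, j1, j2 in matcher.get_opcodes():
            if tag == "equal":
                continue  # unchanged lines are never reported
            changed = [("-", l) for l in before[i1:i2]] + [("+", l) for l in after[j1:j2]]
            for sign, line in changed:
                for category, rx in PATTERNS.items():
                    if rx.search(line):
                        findings.append((path, sign, category, line.strip()))
    return findings

# Constructed sample trees (not the real Jetpack sources), modelled on the snippets above.
HOOK = "Jetpack_Partner_Coupon::register_coupon_admin_hooks( 'jetpack', Jetpack::admin_url() );\n"
OLD = {
    "class.jetpack-admin.php": HOOK + "public function akismet_logo_replacement_styles() {\n}\n",
    "class-jetpack-xmlrpc-methods.php": "/**\n */\npublic function features_available() {\n",
}
NEW = {
    "class.jetpack-admin.php": HOOK,
    "class-jetpack-xmlrpc-methods.php":
        "/**\n * @deprecated 13.9\n */\npublic function features_available() {\n",
}

if __name__ == "__main__":
    for finding in audit(OLD, NEW):
        print(*finding, sep=" | ")
```

To run it on real releases, pass the two unpacked plugin directories through load_tree() and feed the results to audit(). A line that is identical in both versions, such as the partner coupon hook, produces no finding.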

Conclusion: A Call for Continued Vigilance

These audits are part of an ongoing effort to hold Automattic accountable and ensure that WordPress remains aligned with its core values of openness and community collaboration. As Automattic continues to exert more control over the ecosystem, we must question every update, every feature, and every change.


Call to Action:

Stay informed, and join the conversation. If you’ve noticed any issues with recent Jetpack updates or have concerns about Automattic’s practices, share your experiences and insights. Together, we can ensure that WordPress remains a platform for everyone, not just for the interests of a few.