Category Archives: WordPress

Dance to Calypso

One of the hardest things to do in technology is disrupt yourself.

But we’re trying our darndest, and have some cool news to introduce today. When I took on the responsibility of CEO of Automattic in January of last year, we faced two huge problems: our growth was constrained by lack of capital, and the technological foundations of the past decade weren’t strong enough for the demands of the next one.

The first has a relatively straightforward answer. We found some fantastic partners, agreed on a fair price, issued new equity in the company to raise $160M, and started investing in areas we felt were high potential, like this year’s WooCommerce acquisition. This “war chest” gives us a huge array of options, especially given our fairly flat burn rate — we don’t need to raise money again to keep the company going, and any capital we raise in the future will be purely discretionary. (Since last May when the round happened we’ve only spent $3M of the investment on opex.)

The second is much harder to address. The WordPress codebase is actually incredible in many ways — the result of many thousands of people collaborating over 13 years — but some of WordPress’ greatest strengths were also holding it back.

The WordPress codebase contains a sea of institutional knowledge and countless bug fixes. It handles hundreds of edge cases. Integrates constant security improvements. Is coded to scale. Development moves at a fast clip, with six major releases over the past two years and more around the corner. Its power and flexibility are undeniable: WordPress just passed a huge milestone, and now powers 25% of the web. You can run it on a $5-a-month web host, or scale it up to serve billions of pageviews on one of the largest sites on the web.

The interface, however, has been a struggle. Many of us attempted to give it a reboot with the MP6 project and the version 3.8 release, but what that release made clear to me is that an incremental approach wouldn’t give us the improvements we needed, and that two of the things that helped make WordPress the strong, stable, powerful tool it is — backward compatibility and working without JavaScript — were actually holding it back.

The basic paradigms of wp-admin are largely the same as they were five years ago. Working within them had become limiting. The time seemed ripe for something new, something big… but if you’re going to break back compat, it needs to be for a really good reason. A 20x improvement, not a 2x. Most open source projects fade away rather than make evolutionary jumps.

So we asked ourselves a big question. What would we build if we were starting from scratch today, knowing all we’ve learned over the past 13 years of building WordPress? At the beginning of last year, we decided to start experimenting and see.

Today we’re announcing something brand new, a new approach to WordPress, and open sourcing the code behind it. The project, codenamed Calypso, is the culmination of more than 20 months of work by dozens of the most talented engineers and designers I’ve had the pleasure of working with (127 contributors with over 26,000 commits!).


Calypso is…

  • Incredibly fast. It’ll charm you.
  • Written purely in JavaScript, leveraging libraries like Node and React.
  • 100% API-powered. Those APIs are open, and now available to every developer in the world.
  • A great place to read, allowing you to follow sites across the web (even if they’re not using WordPress).
  • Social, with stats, likes, and notifications baked in.
  • Fully responsive. Make it small and put it in your sidebar, or go full-screen.
  • Really fun to write in, especially the drag-and-drop image uploads.
  • Fully multi-site for advanced users, so you can manage hundreds of WordPresses from one place.
  • Able to manage plugins and themes on Jetpack sites, including auto-upgrading them!
  • 100% open source, with all future development happening in the open.
  • Available for anyone to adapt to make their own, including building custom interfaces, distributions, or working with web services besides

A lot of people thought we should keep this proprietary, but throughout my life I’ve learned that the more you give away, the more you get back. We still have a ton to figure out around plugins, extensibility, contributions, Windows and Linux releases, API speed, localization, and harmonizing the API and WP-API so it can work with core WordPress. Thousands more PHP developers will need to become fluent with JavaScript to recreate their admin interfaces in this fashion. I’m also really excited to revisit and redesign many more screens now that we have this first version out the door.

This is a beginning, not an ending. (1.0 is the loneliest.) Better things are yet to come, as all of you dig in. Check out these links to read more about Calypso from different perspectives:

This was a huge bet, incredibly risky, and difficult to execute, but it paid off. Like any disruption it is uncomfortable, and I’m sure will be controversial in some circles. What the team has accomplished in such a short time is amazing, and I’m incredibly proud of everyone who has contributed and will contribute in the future. This is the most exciting project I’ve been involved with in my career.

With core WordPress on the server and Calypso as a client I think we have a good chance to bring another 25% of the web onto open source, making the web a more open place, and people’s lives more free.

If you’re curious more about the before and after, what’s changed, here’s a chart:



A Bank Website on WordPress

There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

In terms of security, there are two simple points:

  1. Make sure you’re on the latest version of core and all the plugins you run, and update as soon as new versions become available.
  2. Use strong passwords for all user accounts. For extra credit you could enable a 2-factor plugin, use Jetpack’s login system, or restrict logged-in users to a certain IP range (like behind a VPN).

If your host doesn’t handle it, make sure you stay up-to-date for everything in your stack as well from the OS on up. Most modern WP hosts handle this (and updates) for you, and of course you could always run your site on VIP alongside some of the top sites in the world. If you use any non-core third party code, no harm in having a security firm audit the source as well (an advantage of using open source).
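One way to put points 1 and 2 into code, as an added example that is not part of the original answer or of WordPress itself: a must-use plugin that limits logins and existing sessions to an allowlisted network range and turns on automatic updates. The `example_*` names, the placement under `wp-content/mu-plugins/` and the `203.0.113.0/24` range are assumptions made for illustration.

```php
<?php
// Added example: must-use plugin, assumed to live in wp-content/mu-plugins/.
// Constructed placeholder range (RFC 5737); replace with the VPN egress range.
const EXAMPLE_ALLOWED_CIDRS = array( '203.0.113.0/24' );

// True when $ip is inside $cidr (IPv4 or IPv6); fails closed on malformed input.
function example_ip_in_cidr( string $ip, string $cidr ): bool {
	$parts = explode( '/', $cidr, 2 );
	$addr  = @inet_pton( $ip );
	$net   = @inet_pton( $parts[0] );
	if ( false === $addr || false === $net || strlen( $addr ) !== strlen( $net ) ) {
		return false;
	}
	$max  = strlen( $addr ) * 8;
	$bits = $parts[1] ?? (string) $max;
	if ( ! preg_match( '/^\d{1,3}$/', $bits ) || (int) $bits > $max ) {
		return false;
	}
	$full = intdiv( (int) $bits, 8 );
	$rem  = (int) $bits % 8;
	if ( substr( $addr, 0, $full ) !== substr( $net, 0, $full ) ) {
		return false;
	}
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
	return 0 === $rem || ( ord( $addr[ $full ] ) & $mask ) === ( ord( $net[ $full ] ) & $mask );
}

function example_client_allowed(): bool {
	// REMOTE_ADDR only: X-Forwarded-For is client-supplied unless a trusted proxy sets it.
	$ip = $_SERVER['REMOTE_ADDR'] ?? '';
	foreach ( EXAMPLE_ALLOWED_CIDRS as $cidr ) {
		if ( example_ip_in_cidr( $ip, $cidr ) ) {
			return true;
		}
	}
	return false;
}

// Reject logins from outside the range, after core's own credential checks.
add_filter( 'authenticate', function ( $user ) {
	return example_client_allowed() ? $user : new WP_Error( 'example_ip_denied', 'Login is not permitted from this network.' );
}, 100 );
// Treat existing sessions (cookies, application passwords) as logged out elsewhere.
add_filter( 'determine_current_user', function ( $user_id ) {
	return example_client_allowed() ? $user_id : false;
}, 100 );
// Apply core, plugin and theme updates automatically.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

If the site sits behind a load balancer or CDN, `REMOTE_ADDR` is the proxy's address, so the allowlist has to be enforced at that layer instead.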

For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

If you wanted any help on this feel free to reach out to Automattic as well, we have a decade of experience now dealing with high-risk, high-scale deployments, and also addressing the sort of uninformed FUD you see in this thread.

If you’ve developed a major bank site in WordPress leave a link in the comments.

State of the Word 2014

Yesterday I delivered the State of the Word address to the WordPress community, and the video is already up on

Here are the slides if you’d like to view them on their own:

If you just want the bullet points, here are the big things I discussed and announced:

  • There will be 81 WordCamps in 2014.
  • This was the 9th and final WordCamp San Francisco in its current form. We’ve maxed out the venue for years, so next year we’ll do a WordCamp US at a location and date to be determined.
  • Milestone: 2014 was the first year non-English downloads surpassed English downloads of WordPress.
  • 33k took our survey: 7,539 (25%) of survey participants make their living from WordPress. Over 90% of people build more than one site, and spend less than 200 hours building one.
  • We’ve done five major and seven minor releases since the last WCSF, and have had 785 contributors across them.
  • WordPress market share has risen from 19% in 2013 to 23% now.
  • We now have 34k plugins and 2.7k themes, and have enjoyed record activity on both — including plugins passing 1,000,000 commits.
  • 16 releases of our mobile apps, Android and iOS.
  • Code Reference launched.
  • 105 active meetup groups in 21 countries, with over 100 meetup and WordCamp organizers present at the event.
  • Internationalization will be a big focus of the coming year, including fully-localized plugin and theme directories on language sites and embedded on dashboard in version 4.1, which is coming out December 10th.
  • Better stats coming for plugin and theme authors.
  • Version fragmentation is a big challenge for WordPress; only a quarter of users are currently on the latest release.
  • This is also a problem for PHP — we’ll be working with hosts to help with version fragmentation, as well as to get as many WordPress sites as possible running PHP 5.5 or better.
  • Showed off 2015 theme.
  • We will be testing a workflow for accepting pull requests on our official WordPress Github repository before the end of the year.
  • For the first time in 11 years we’re switching away from IRC as our primary communication method. We’ll be moving to Slack, which has helped us set up so that every member of can use it. (During the keynote address the number of people on Slack surpassed our IRC channels, and is currently over 800 people.) Sign up at
  • Five for the Future, with Gravity Forms and WPMU Dev committing to donate, and Automattic now at 14 full-time contributors to core and community.
  • We need to work hard to harmonize the REST API plugin and the REST API.
  • The mission of WordPress is to democratize publishing, which means access for everyone regardless of language, geography, gender, wealth, ability, religion, creed, or anything else people might be born with. To do that we need our community to be inclusive and welcoming. There is a sublime beauty in our differences, and they’re as important as the principles that bring us together, like the GPL.

Five for the Future

On Sunday at WordCamp Europe I got a question about how companies contribute back to WordPress, how they’re doing, and what companies should do more of.

First on the state of things: there are more companies genuinely and altruistically contributing to growing WordPress than ever before. In our ecosystem web hosts definitely make the most revenue and profits, and it’s been great to see them stepping up their game, but also the consultancies and agencies around WordPress have been pretty amazing about their people contributions, as demonstrated most recently by the fact the 4.0 and 4.1 release leads both hail from WP agencies (10up and Code for the People, respectively).

I think a good rule of thumb that will scale with the community as it continues to grow is that organizations that want to grow the WordPress pie (and not just their piece of it) should dedicate 5% of their people to working on something to do with core — be it development, documentation, security, support forums, theme reviews, training, testing, translation or whatever it might be that helps move the WordPress mission forward.

Five percent doesn’t sound like much, but it adds up quickly. As of today Automattic is 277 people, which means we should have about 14 people contributing full-time. That’s a lot of people to not have on things that are more direct or obvious drivers of the business, and we’re not quite there today, but I’m working on it and hope Automattic can set a good example for this in the community. I think it’s just as hard for a 20-person organization to peel 1 person off.

It’s a big commitment, but I can’t think of a better long-term investment in the health of WordPress overall. I think it will look incredibly modest in hindsight. This ratio is probably the bare minimum for a sustainable ecosystem, avoiding the tragedy of the commons. I think the 5% rule is one that all open source projects and companies should follow, at least if they want to be vibrant a decade from now.

Further reading: There’s been a number of nice blog follow-ups. Post Status has a nice post on Contribution Culture. Ben Metcalf responded but I disagree with pretty much everything even though I’m glad he wrote it. Tony Perez wrote The Vision of Five and What it Means. Dries Buytaert, the founder of Drupal, pointed out his essay Scaling Open Source Communities which I think is really good.

WordPress & Techmeme 100

Whenever I visit a site I can usually tell whether it’s WordPress or not within an instant — there’s just something about a WordPress site that is distinctive. Super-clean permalinks are usually a dead giveaway. One thing I’ve been noticing a lot lately is on my guilty pleasure for tech news, Techmeme, it seems like almost every link I click is to a WordPress-powered site. Fortunately Techmeme provides a leaderboard showing both rank and % of space a site has taken up in headlines in the past thirty days.

The list changes almost every day, but I went ahead and took a snapshot of the top 100 as of January 16th and ran down the platform for each one. Here’s how it ended up:


WordPress comes in at 43%, custom or bespoke systems at 42%, and then the others. When you take into account Techmeme’s “presence” factor, WP jumps to 48.8% of presence in the top 100, and all of Blogsmith, Drupal, Blogspot, Tumblr, and Typepad combined are 8.4%. If you’re curious about the raw data, here’s the spreadsheet with the platforms.

This is just a snapshot, it’d be interesting to see how this evolves over time. It’s a small slice of the world of websites, but a very influential one. I’ve actually reached out to Gabe Rivera a few times to sponsor the leaderboard page, putting a W logo next to the ones that run WordPress in the table, but nothing has come of it yet.

Thanks to Krutal, Paolo, and MT for help with this.

3.6 and State of the Word

3.6 has been released and has a groovy video to go with it:

It’s been a busy week, WordCamp San Francisco 2013 went off without a hitch. Here’s the State of the Word presentation, which covered quite a bit of material and talks about the plans for WordPress 3.7 and 3.8:

And here’s the question and answer session:

There was a pretty good summary of the presentation in infographic form. A bit more about this next week, and some more announcements in store as well.