Who owns WordPress, really?

There is a lot of upheaval in the WordPress community right now. There is talk of forks, and community repositories for packages, and lots of different ways that the community can establish independence from the status quo.

But who really owns WordPress? I’m not talking about the licensing here – I’m talking about ownership in the sense of who owns the copyright? Who has authority over the code? For every open source project there are essentially three things that need to be understood:

1. Who owns the trademark to the name? (Hopefully it’s a foundation who makes it available to all who use it consistent with a set of well-known guidelines)
2. How is it licensed? The license dictates how end users can use the code and what restrictions (if any) are placed on that usage.
3. Who owns the copyright?

It’s that last point that has got me thinking, because (to my knowledge) WordPress doesn’t have and has never had a Contributor Licensing Agreement (CLA) that gives the project or it’s sponsoring company rights over the code from a copyright perspective.

I think that will ultimately be a mistake, and a big problem.

First things first

Before we dive too deeply into my analysis and thought process, I want to make something abundantly clear:

I am not a lawyer. I am not barred in any state or jurisdiction. I don’t have any formal legal training. And I do not represent you, or anyone else, in a legal capacity. What I’m about to say isn’t legal advice, and shouldn’t be taken as such. You need to consult your own counsel before taking any action based on what I’m about to say. And you can’t come back here and complain if I’m wrong, because again, I am not a lawyer.

License versus Copyright

The fact that WordPress is licensed under the GPL is a well-known fact. In fact, it’s been a source of controversy over the years, with Matt Mullenweg (and to a lesser extent, Automattic) asserting that plugins, themes and extensions of WordPress are effectively derivative works that must also be licensed under the GPL.

Their argument holds some merit: if you’re interfacing (linking) with WordPress components, you’re likely creating a derivative work in the legal sense. And the license spells out specifically what you must do in terms of working with a code base licensed under the GPL.

But licensing code under a particular license neither eliminates the author’s copyright nor does it speak to how that copyright is enforced.

Copyright is a different animal. When you write something (like I wrote this blog post), copyright naturally attaches. You do not need to file a copyright in order to have one; your rights to enforce copyright are different based on whether you HAVE filed one, but a copyright attaches to anything you write, just the same.

And there’s where things get tricky. Because the license file for WordPress specifically states that (as of writing) the copyright is “copyright 2011-2024 by the contributors“.

Who are “the contributors”?

The license references an amorphous group of “contributors” as owners of the copyright for WordPress. It is not clear what that means.

In theory, that could be any number of people: it could be the specific individuals who are named in the commits to SVN or Git. It could be the companies that paid those people, asserting that they made works for hire. It could be defined as a mix of corporations and individual real persons. We really don’t know.

That’s likely a real problem. If I write and contribute a single line of code to WordPress, I theoretically have claim to that line of code as a contributor. I own it, I’ve licensed it under the GPL, and I’m publishing it to the world on those terms.

Many unclear owners makes the license an enforcement nightmare

Here’s the rub though: because there are so many contributors, and because so many individuals or companies own their individual copyrights, it muddies the waters of who has an enforceable claim for copyright infringement if the license is violated.

Courts in the United States, at the Federal level, are required to do two things: first, they must verify that there is an actual issue for them to decide (a “case or controversy”). Second, they must decide if the person bringing the case is the person that has been harmed by the actions of the person they are claiming against. It’s called standing and it’s basically to ensure that the person who files isn’t being malicious or capricious.

There are a number of complex rules, laws and regulations that decide what constitutes a case or controversy, and similar for standing (for example, third party standing, which might apply). Since this isn’t legal advice and I’m not a lawyer, let’s talk about the basics here.

Imagine that someone were to take WordPress, add a bunch of new features under a different license from the GPL (or even a proprietary one), and release it. Because they didn’t license under the original license (as required by the GPL) they are likely in violation of the GPL.

But knowing they’re wrong, and enforcing that they’re wrong, are different things.

Who has standing to enforce the license agreement? Possibly the contributors whose copyright was misappropriated, no one else. For everyone else, they don’t own the code (aside from the parts they wrote). And they can’t enforce a copyright they don’t own against someone. They likely lack standing.

Side note: there is a concept of “third-party standing” which I referenced above, that might apply, and allow an entity that is harmed economically along with the copyright holders to protect the copyright. Standing is a complicated issue that still flummoxes courts around the United States, and often is decided by the Supreme Court. 

In other words, short of a group of contributors getting together to enforce the copyright OR a class action lawsuit (which would be expensive and time-consuming), and barring a claim under third-party standing by the project itself, enforcing the GPL in WordPress would probably be pretty difficult.

This is a common problem in open source!

I want to be clear that I am not advocating anyone to violate the GPL or to intentionally hurt the WordPress community. The goal of this post is to expose a glaring flaw in WordPress (and in addition, in many open source communities that rely on contributors). Copyright, unless directly licensed or assigned, stays with the contributor who wrote the code, document, issue, task, or roadmap. it doesn’t convey to the project just because you contributed it and agreed that the code itself was licensed under a particular open source license.

Other open source projects suffer from the same fatal flaw. Joomla, licensed under the GPL, assert a copyright to Open Source Matters, Inc. and has 795 contributors on GitHub. Mezzio asserts copyright in 2020 to “Laminas Project a Series of LF Projects, LLC” and lists 100 contributors. Perhaps most alarmingly, the laravel/laravel GitHub project lists 665 conributors, asserts no explicit ownership of the codebase at all (there is no LICENSE file), and doesn’t contain anything asserting who owns the code.

Solutions

Open source projects need to think about, care about, and prepare for intellectual property concerns at the forefront. Being open source does not automatically eviscerate an individual’s right to their code or their contribution. When I started AspirePress, I was explicit in the contributor agreement regarding licensing the code, which states that “if you contribute to this project, you grant an exclusive, royalty-free, global, irrevocable license to AspirePress…” I’ve taken some flack for this, but it matters, because otherwise, we’re not free to do what the project needs to do with the code.

Open source projects need to think about the long-term. They need to prepare for a day when a contributor attempts to revoke, relicense, or assert a claim against code they contributed. Without receiving a license that cannot be revoked or modified, the project is at risk for violations of that individual (or company) copyright.

Open source maintainers need to speak with a lawyer about their code, licensing and contributor schemes. This post, focused on one legal system (the United States), isn’t even scratching the surface of what an attorney would consider when determining what schemes and requirements a project should have for contributions.

Conclusion

Intellectual property rights are a contentious issue and one that’s really hot right now in the WordPress community. If something good comes out of the debacle, I hope it’s a clearer understanding of what is, and isn’t permissible under fair use and the licenses we depend upon.

Open source is a key aspect of the world. Slapping a license on something and accepting pull requests isn’t enough to allow people to use the code; projects need to ensure that permission can’t be revoked, too.

Relevant and interesting articles

• Keith Casey wrote two articles regarding his work with the web2project relicensing, focusing on the reasons why the relicensing was necessary, and the challenges of releasing a new license for a previously GPL’ed project with limited records.
• The United States Patent and Trademark Office (USPTO) has a good primer on copyright basics.
• The Berkley Technology Law Journal wrote about The Consequences of Violating Open Source Licenses, including commenting on the Oracle and other cases.