Over the last couple years, I posted a lot of stories about the crazy things I saw as the Plugin Rep on WordPress.org. A great number of those situations ended with someone being banned, but those aren’t the only stories out there.
Still, with the recent situation on WordPress.org, I felt it was appropriate to break down my views on banning, and when it’s the right thing to do.
Bans are about Safety First
The number one reason to ban anyone is the physical safety of the community.
With the recent announcement of a “Jubilee” and how people who were banned between August 2024 and now are being reviewed and (in some part) unbanned, I made a fairly vocal statement on Mastodon and BlueSky that this was a dangerous thing.
So #Wordpress (org) is really unbanning EVERYONE who’s ever been banned. This was confirmed by Matt on Twitter (screenshot attached).
I’m going to have to cold-stop any and all contributions because it’s demonstrably UNSAFE for me to be a part of the community.
Stalkers. Harassers. DEATH THREATS.
It’s NOT safe for me to be there.
Until someone SANE comes up with limits, guidelines, and restrictions for this ‘all bans,’ it is NOT SAFE for me to be on WordPress.org.
I repeat: THIS IS NOT A SAFE COMMUNITY FOR ME OR ANY OF THE THOUSANDS OF VOLUNTEERS WHO HAVE WORKED HARD TO ENFORCE GUIDELINES EQUITABLY FOR OVER A DECADE.
I will note, I posted that before any clarifications as to who was being unbanned.
While I have had one credible death threat (and a half dozen others that were laughably stupid, including threats to have various Gods wreak vengeance on me), I am aware via my friendships with Automattic employees that there are a significant number of legit threats out there.
Those people can and should be banned, and must remain banned. Period.
Safety isn’t Just Physical
The number two reason to ban anyone is the ephemeral safety of the community.
By ‘ephemeral’ I generally mean code. That is, if someone is putting backdoors in their plugin, we need to kick them out and ban them because they are an abject danger to the sites the plugins are installed on.
But this also means things like extortion, harassment, name calling, bullying, and so on. If someone demonstrates, through their repeated actions, that they can only communicate in a hostile manner, then they need to leave the community.
There’s a saying, once a single Nazi is allowed into a bar, it has become the Nazi Bar. All communities need to stringently protect the safety of their users. If leadership is okay with a couple people mistreating their community members, then they have just demonstrated they are not going to protect the more vulnerable members.
This protection is bidirectional, by the way. I’ve banned as many users for harassing developers as I have developers for harassing users!
The Community is More than Users and Developers
The number three reason to ban anyone is the legal safety of the community.
Any community of a decent size is one that faces legal matters. It can be a fan-club, an open-source development community, or a writing group. You have to be aware of the legalities of what you’re doing.
You have no idea how many times I’ve had to explain the basics of copyright and trademark law to developers, who just want to have a plugin for Facebook. I totally get it, Facebook is delulu about how they enforce their trademark — you can’t even use the word ‘Facebook’ or ‘FB’ in any of your plugin names, meaning no ‘Integration of Blah with Facebook’. But that’s how it is, and you have to obey the law.
For example, if a plugin is closed for something like that and the dev complain but make the change, that’s good. But if they make the change back when the plugin team isn’t looking, because they happen to know the team doesn’t review every change, then what happens is the plugin team gets a very nasty legal doc that threatens the entire repository. They plugin gets closed a second time.
You can see how this would escalate. Especially when the dev starts complaining ‘but someone else got away with it!’ See what really happens when they do that is the team goes and looks at the other person and closes their plugin. No one wins. The legal team from Facebook gets angrier and angrier, and the legal mess gets worse and worse.
If someone is the cause of putting the entire repository (or worse, the project) in legal jeopardy, they’re going to get banned and should be. They’re reckless and a danger to all.
Fake Content Hurts the Community
The number four reason to ban anyone is spam, auto-generated content, and lying.
I’m sure someone is confused that I’ve lumped them together, but they’re all worthless content.
Spam, no one would argue is ‘good.’ I know you get that one. Lying? Again, pretty obvious why you’d get banned for lying over and over again. If you can’t be trusted, then your contributions can’t be trusted.
But auto-generated content? I almost called it ‘low quality content’ because that’s what it is. People who post copies of AI generated ‘answers’ wholesale are posting low quality content. Since we know that AI has issues with hallucinations (read ‘it just gets things wrong sometimes’), you have to verify it. If you’re doing that, you’re going to end up changing some of what it says.
When someone doesn’t change anything it said, they’re not adding anything of value. It’s like dropping a ‘Let me google that for you’ link. They’re wasting everyone’s time and aren’t educating someone on how to help themself in the future. This is especially true on support forums.
Community should help itself. If someone wants to look things up with AI, more power to them, but if they come to a place to ask for help, they deserve to be treated as a human, not a bot.
Protect the Community From Yourself
The number five reason to ban anyone is they’re actually acting harmfully to the community, not just you.
This is sort of a backwards thing. It’s more ‘the number one reason NOT to ban…’ but it works anyway.
I have never once banned a single person because they annoyed me, or hurt my feelings, or even threatened me.
I’m pretty sure there are some people out there who are scoffing.
As hard as that may be for some of you to believe, it’s the truth. I have only banned people for guideline violations. Pretty much all the threats I’ve received happened after I banned people, first of all, but more to the point, everyone who devolves to threats tends to have a violation first.
There are some rare exceptions. I remember a few plugin reviews that had the sole reply of “fuck you” (or similar eloquence) and those were pre-emptively banned. Not because they swore at me, but because they clearly were incapable of following the guidelines. I didn’t want people thinking it was okay to talk like that to the community.
Not me.
The community.
Call me whatever you want, I don’t care, but when you do that I sure as hell judge you.
The Community Must Come First
You may sense a theme here.
Every single reason you ban someone is to help the community. Sometimes you’re protecting the community from itself, sometimes you’re doing things because there’s a grumpy lawyer standing over your shoulder (metaphorically), but at the end of the day you ban people who are actively harmful to the community.
There will always be people who cannot be unbanned because of the danger they represent. Those people, the people who hurt the community, must stay out.
Something I knew would come up after I posted about my ongoing harassment is the question “How do we fix this?”
Now, the cause of all this actually can be boiled down to two things:
A systemic failure of social services to help those in need
The overall lack of awareness of how tools are abused
I can’t really fix the first one. The world is broken on many levels and the fact that people in pain and anger have no help, and thus lash out in anger at me, at you, at people who write code, at people just trying to help … That’s all of us. We need health care (physical and mental). We need fair and equal pay. We need a living wage, not a minimum one where companies literally pay you that because they don’t have to treat you like a human.
That one is huge.
But the other problem? That’s why I posted.
How Can Code Be (Ab)Used?
When we write code, and this is pretty much all of us, we’re trying to solve a specific problem. Sometimes that problem is huge, with multiple layers and facets and complexities that make us look like a scene from “A Beautiful Mind.” If we’re lucky. Usually we look like this guy”
Regardless of how twisty-turney our code is, though, at the end of the day the question many of us forgot to ask is “What’s the worst thing someone can do with our code?”
Let me give you an example.
“What’s a bad thing someone can do with Akismet?”
Right? It’s an anti-spam plugin that checks via a closed-API (meaning, I have no idea how it works) so it’s not easy at all to abuse, you might think. Well, without any forethought, the very first thing that comes to mind is I could write a bunch of clearly spam comments, spin up my VPN, and use someone else’s email address to leave spam comments on a hundred or a thousand blogs. That would get the email flagged and they’d probably have to constantly struggle until they figured out why, if they ever could. All they’d know is their comments never show up. Give me a couple hours and I could automate that, set it out into the world, and reap the joy of annoying someone.
I’m fairly certain I just screwed up someone’s day with that, by the way. Sorry/Not Sorry friends over at Akismet. Because that’s my point. If Akismet has not already sat down and made a list of all the shitty, terrible, vile things someone could do with their product, they’ve failed to fully protect its users.
Disruption Makes Harassment
When we build to ‘disrupt’ we do so with the knowledge we’re breaking the system. Sometimes we’re breaking it stupidly, like “Uber is disrupting taxis!” really is “Uber figured out that people would rather know what they’re going to pay, and wanted an easy way to hail a gosh darn taxi in the first place! Let’s go!” And yes, I have a low opinion on the ideas to ‘revolutionize’ the bus system (spoilers? invest in public transportation, not privatization).
The thing is, we continue to attack a single, specific problem. Big, large, whatever, we’re solving a thing.
But the problem with this is our disruptions create opportunities for harassment.
Did you get a delivery from Instacart or DoorDash? They know where you live and what you eat. Those are all known risks of course. Could someone roofie my food or tamper with it? Sure! Now the solving of that falls onto the people who package the delivery. Restaurants will tamper-proof seal their deliveries, but that’s on them. What did DoorDash do? Nothing I can find. Instacart? Most of their stuff is pre-packaged, but if you get fresh fruits etc, gosh they could. It’s like those stupid Halloween rumours we heard growing up. None were true, but …
Uber received 235 reports of a rape occurring during a ride in the United States in 2018. Those are the numbers of reported cases, provided by Uber. Remember, rape is wildly underreported in the US (probably everywhere). Now think about all the information an Uber driver has on you? They know where they picked you up, they know where they dropped you off, and they know your name. And they can get your phone number.
All those great innovations? Actually yes. They’re really helpful to people! Calling a car to your door that’s more reliable than a Taxi? Hell yes! But they are incredibly easy to use to harass someone. Of course they require you to be in the same general location, but still. What are they doing to make us safer? What about the drivers? Someone I know quit driving because the guy wanted her to drop him off inside a super suspect parking lot. She dropped him off outside. He called her a four letter word that starts with a C.
Social Media Makes Monsters
I’m sure I don’t have to list out the problems with social media. If someone harasses me, I block them, but they can make a new account and a new account and a new account. They can get a VPN and a fake email, and we’re always and forever behind the 8 ball catching and stopping.
Why do Facebook moderators have PTSD? Why do content moderators on YouTube have to sign a waiver agreeing that they know their job may case mental breakdowns, and it’s not YouTube’s fault?
And the answer here is because our solutions are HUMANS.
We disrupted communication, but we opened the door for harassment because there was little to no forethought put into how to protect anyone. In fact, I bet I know how the conversation went (spoilers? I had this conversation with someone):
“Hey, someone could make a hundred fake accounts all to call someone a jackass.” “Yep. No point trying to stop that. We block ’em they’ll just make new accounts.” “Yeah, good point. Okay, next item on the agenda? Bots!”
Oh yeah, Bots totally extended from that problem. I used to use something called Block Together to catch and block bots and spammers and harassers, but the fact that it shut down and Twitter never made anything better is … well it tells a story, doesn’t it? Can anyone tell me what Twitter’s done?
Well they, and Facebook, claim to be using machine learning to find and track abuse, but here’s the funny thing. I have a friend who has been permabanned from Twitter for telling someone to jump in a volcano. The claim was she was violent and sent a legitimate and plausible threat. About a volcano. Which she does not own. I mean, do any of us? it’s not even that it was a bad joke about suicide, it was flagged as a violent threat.
Want to know how that happens? It’s easy. She tells a man to shove it, he and his friends mob-report her, Twitter’s AI decides “Gosh, if all these people flagged her, it’s real!” and ban her. No appeals. Done. And this story is repeated over and over, that the AI caught something (people talking about black and white chess pieces was pretty recent), banned someone, and that’s the end of it.
All this is not to mention the ongoing racist and sexist biases of AIs, like how Asian people can’t use FaceID, or how Google’s AI labelled black people as gorillas? All of those things come down to the problem of people with biases (which is a systemic issue related to the failure of social services) building AIs and not thinking about the abuse therein (which is … an us problem).
To put this a different way, we’ve been fighting spam in email since email was born, and everyone still gets some in their inbox. If we can’t win with that? We’re never going to win with an AI and abuse.
Democratizing Abuse
Now, I’m going to say something controversial.
WordPress democratized abuse.
I’m not talking about WordPress.org and the forums and plugins and themes. I’m talking about your blog. If you have comments open, what’s to stop someone from leaving comments pretending to be you? Heck, if you have comments open, what’s to stop someone from leaving comments pretending to be ME? How do you ban someone from your site? How do you ban them from a network? How do you stop them from making an account or email one after another and using your contact form to be a jerk?
I have 10+ rather insane messages from a contact form that tells you that even for me, someone who is pretty much awesome at WordPress code, this is not easy. For a long time, you couldn’t filter contact form messages to block spammers on Jetpack. How long? Well I opened the ticket in 2014, so it was a long time until 2020, when someone else made a new ticket about.
Is all this WordPress’ fault? Absolutely not! I don’t have to have comments on most of the time, or a contact form. You’ll notice I have neither on most posts on this site, and it’s for a reason. Abuse and harassment. In fact, WordPress gives me the agency to both harass people via my blog (if I wanted to) and protect myself from the harassment by others. That’s a fun one when you say it out loud, ain’t it?
WordPress is a weapon, like all websites. When wielded by the good and just, it’s a weapon for good and justice. When it’s not? Let me just point out that there are a lot of ‘revenge porn’ type sites out there, powered by WordPress. And again, none of that is WordPress’ fault.
We built WordPress to make it easier to publish whatever we want, whenever we want. We build features and plugins and themes to share stories. Not all of those stories are good. Some of them are abusive. And while there are already laws out there about it, technology is a massive whole of lawlessness where the laws can’t be applied.
We’ve all heard “Guns don’t kill people, people kill people.” Some of you even know the common retort “Guns make it a heck of a lot easier, though.”
WordPress isn’t the harasser, but gosh it makes things easier. And if that doesn’t give you chills and nausea, you’re not paying attention to the world. It sure scares the snot out of me.
The Open Consequences Net
I have to preface this bit with the fact that I don’t believe in ‘Cancel Culture’ but I do believe in consequence culture. Do I think you should be ‘canceled’ for telling a single off-colour joke 5 or 10 years ago? Hell no. But do I think you should be canceled for telling multiple jokes, being a defensive jerk when called out on them, and showing your literal penis to people? Hell yes.
Actions have consequences. Or at least they should. And the problem we’re facing is that by making an Open Internet, which I’m in full support of, we failed to put in any way to enforce consequences. Everything is silo’d so I can ban you from site A or B, but not C or D. Worse, because you can make another email or get a new IP, I cannot permanently ban you forever, just from each account.
Basically? We built something so wild and free and open, we cannot contain or control it anymore.
Can We Fix It?
This is the part where I tell you how much I hated making this post.
See, I have no idea. Seriously.
Even if we make the internet ‘invite only’ (as if that was possible), it’ll still be abused. But I don’t think that means we should do nothing. I think we’re not doing enough to make it difficult and hard for abusers and harassers to get a foot in the door. We’re making it so the only way people can protect themselves is to simply not be social online. Given the pandemic, I suspect you can all see why that’s a flawed prospect.
Everything we need to do needs to be balanced. For example, it’s easy (and probably right) to say we need to begin to disrupt ‘anonymity’ but… What about people who can’t say who they are for fear of retribution? I immediately think of all those kids out there who are terrified for their ultra conservative, homo-hatin’ family members to find out they’re queer? They should be allowed to be anonymous and learn that there’s a world out there who loves them.
I do like to bag on Twitter and Facebook for their lack of nuance when it comes to handling harassment and abuse, but I am also a realist. At their scale? How the hell do you tackle things? The only answer is really to throw more humans at it which would make more jobs, but it’s some of the most soul destroying work you’re ever going to do. And they don’t see it as a beneficial investment, so they’re not going to pay the people who do this a solid wage, with great health care, rotating them in and out so they don’t flame out.
WangGuard worked in two different ways: as an algorithm that I had been refining for 7 years, and which was getting better as the sploggers evolved, so that it was always one step ahead of them, and also as human curation, in which I reviewed many factors, among them sites of sploggers to see if their content, could improve the algorithm and make sure that it worked correctly both when it was blocking or not blocking a site. The great secret of WangGuard was this second part. Without it WangGuard would not ever have become what it was.
This human component is what I have been doing for 7 years, and also what has led me to close WangGuard (along with other considerations that are not relevant).
And I have to agree with Jose, doing that job eats at your soul. The ‘fix’ is to change the world, and that’s just exhausting.
What Can We Do?
When you make a product, ask yourself “How can this be abused?” If you can’t think of anything, look around the room of the people you’re working with. Are they all from the same ethnic or socioeconomic background as you? Get people who aren’t. Get minorities in the room. Get PoC, get women, get queers, get kids. Get people who didn’t go to college, those who did, those with and without children, those from other nations. Get them and ask them “Hey, what’s the worst thing you could do to someone else with this?” Ask them “Do you see any flaws?”
And then? Listen to them. If women tell you “That’s going to make it impossible to stop people from sending us dick-picks” take it seriously. But for the love of Pete the Plug, take them seriously.
This means we are all going to have to accept when we’re wrong, when our ideas have flaws, and learn from those moments. It’s hard! We don’t want to hear our great idea is screwed up, but sometimes it is.
We’ll never change the world for the better if we cannot change ourselves.
We use cookies to personalize content and ads, to provide social media features, and to analyze our traffic. We also share information about your use of our site with our social media, advertising, and analytics partners.
