WordPress.org has taken a bold step by blocking WP Engine from accessing its resources and halting plugin updates for sites hosted on the platform, leaving thousands of websites vulnerable to security risks.
WordPress.org has urged users to switch hosting providers, citing WP Engine’s alteration of a core WordPress feature for its financial gain and its efforts to block a critical dashboard widget from reaching users.
The feud between the two organizations has escalated quickly, with WordPress.org accusing WP Engine of making these changes to control the user experience for profit. The move has left thousands of users without important updates, which exposes millions of internet users to potential security breaches. WordPress.org didn’t mince words, stating, “[If] WP Engine wants to control your WordPress experience, they need to run their own user login system, update servers, plugin directory, theme directory… Their servers can no longer access our servers for free.”
The legal battle primarily targets Automattic, the parent company of WordPress.com, but it also includes broader issues around how WP Engine has used WordPress.org resources in ways that have hurt its reputation. Matt Mullenweg, WordPress co-founder and CEO of Automattic, announced that due to pending legal claims and litigation, WP Engine will no longer have access to WordPress.org resources for free.
This conflict dates back to disagreements over contributions to the WordPress open-source project, trademark disputes, and growing tensions between the two companies. WP Engine, a leading WordPress hosting provider, fired off a cease-and-desist letter to Automattic after Mullenweg publicly criticized them for profiting off WordPress without adequately contributing back. Mullenweg even described WP Engine as a “cancer to WordPress” at a public event. WP Engine, in turn, accused him of trying to coerce them into paying millions in trademark licensing fees, threatening them with a “scorched earth nuclear approach” if they didn’t comply.
Automattic hit back with its own cease-and-desist, claiming WP Engine was infringing on WordPress and WooCommerce trademarks and had built a business worth $400 million by using the WordPress name without proper authorization.
The real concern now lies with the end-users. According to security expert Oliver Sild from Patchstack, websites hosted on WP Engine aren’t receiving updates from WordPress.org, leaving them highly vulnerable. Sild noted that new security vulnerabilities in WordPress themes and plugins are discovered regularly, and without updates, these sites are easy targets for hackers. In response, Patchstack has paused publishing new vulnerability reports until the situation is resolved to prevent bad actors from exploiting these weaknesses.
WordPress.org has shifted the responsibility for these security risks onto WP Engine, advising users to contact their support teams for help. Mullenweg added, “The reason WordPress sites don’t get hacked as much anymore is that we work with hosts to block vulnerabilities at the network layer. WP Engine will need to replicate that security research on their own.”
With no resolution in sight and WP Engine scrambling to build its own security infrastructure, users may need to start looking at other hosting providers to keep their sites safe. As this conflict unfolds, WP Engine customers are encouraged to take action and consider switching to avoid exposing their websites to potential security threats.
