WordPress.org has banned WP Engine from accessing its resources and stopped delivering plugin updates to websites hosted on the platform, urging impacted users to choose other hosting providers.
The open-source project claims that the move comes in response to WP Engine's alteration of a WordPress core feature for its own profit and its blocking of the dashboard's news widget on thousands of sites to prevent criticism of its actions from reaching users.
The move, which is the latest in a conflict that has erupted between the two entities, essentially leaves thousands of end-users without security updates and, by extension, millions of internet users exposed to potential hacks.
WP Engine's legal action is primarily against Automattic but it also involves issues related to how WordPress.org resources are allegedly used to harm the hoster's reputation.
The conflict is heading towards legal trouble, as Matt Mullenweg, WordPress co-founder and CEO of Automattic, said in the blog post that "pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org's resources."
WordPress in turmoil
The conflict between WP Engine, WordPress.org and Automattic, the owner of WordPress.com and WooCommerce, stems from disagreements over contributions to the WordPress open-source project, brand usage, and criticism from leaders within these entities.
WP Engine, a major WordPress hosting provider, sent a cease-and-desist letter to Automattic after Mullenweg publicly criticized the company for allegedly profiting from WordPress without giving back sufficiently.
Mullenweg went as far as to describe WP Engine as a "cancer to WordPress" during a public event.
WP Engine responded by accusing Mullenweg of trying to coerce them into paying millions for trademark licensing and threatening them with a "scorched earth nuclear approach" if they didn't comply.
Automattic then hit back with its own cease-and-desist letter, accusing WP Engine of infringing commercial uses of the WordPress and WooCommerce trademarks and claiming that WP Engine had built a business with $400 million in revenue through unauthorized use of the WordPress name.
Websites and users left exposed
Patchstack's Oliver Sild confirmed to BleepingComputer that sites hosted on WP Engine don't currently receive updates from WordPress.org, leaving end-users in a vulnerable position.
The security researcher commented that important security issues in WordPress themes and plugins are uncovered daily. When a fix is ready, WordPress can automatically apply the update with the patch, saving admins the trouble of checking for new versions and installing them.
Patchstack has decided to halt publishing new vulnerabilities until the problem is resolved, to prevent hackers from getting information they could leverage against unprotected websites hosted on WP Engine.
WordPress.org has placed the responsibility for solving the security issues solely upon WP Engine, advising users who have any functionality trouble with their sites to contact WP Engine's support.
"The reason WordPress sites don't get hacked as much anymore is we work with hosts to block vulnerabilities at the network layer, WP Engine will need to replicate that security research on their own," Mullenweg says in the WordPress.org announcement.
The situation appears complicated, so a prompt resolution is unlikely. At the same time, WP Engine forming an effective security team to respond to customer requirements soon enough also seems unrealistic.
All that said, WP Engine customers may consider urgent measures as they explore other hosting options for their websites.
Comments
lanickel - 1 month ago
The way Matt Mullenweg is handling this is awful on many levels. First, it doesn't look like he has a strong Trademark case. Second, WP Engine is free to use WordPress how they want (open source and all). Third, he's taking this out on users of WP Engine who probably chose WPE because it was the first result on Google. Now agencies, individuals, and anybody else who depends on WPE's hosting for their website's (and their) livelihoods are held hostage by Matt.
It's an ego and greed move. The Pressable site (owned by Matt) has a banner that says "Looking to switch from WP Engine?"
It's borderline antitrust.
Ashikur-Rahman - 1 month ago
They should have asked to stop using the WP Engine name in the first place, instead of 10 years later.
Ashikur-Rahman - 1 month ago
Now they should just hug each other and resolve the problem for the sake of users.
PeterAlexLondon - 1 month ago
That's probably the sweetest solution, peace
spacelizard - 1 month ago
This also affects sites that do not host their site on WP Engine, but use their plugins (we use Advanced Custom Fields). It seems to only affect the free version, as the pro version is not in the WP repository and must be downloaded directly from WP Engine's website.