WP Engine Banned from WordPress.org Leaving Users Exposed to Security Risks

WordPress.org has banned WP Engine, one of the largest WordPress hosting providers, from accessing its resources. The announcement was shared through WordPress.org channels, advising WP Engine customers to reach out directly to the company for any site-related issues.

WordPress.org explained that WP Engine’s actions to disable and lock down a WordPress core feature without community input was aimed at extracting profit from customers. Furthermore, due to WP Engine’s ongoing litigation against WordPress.org, the platform has decided to cut off WP Engine's free access to its servers and resources.

According to the statement, WordPress.org accuses WP Engine of attempting to control the WordPress experience for its customers, restricting their ability to use WordPress features freely. As a result, WordPress.org argues that if WP Engine wishes to maintain its modified WordPress experience, it must set up its own ecosystem for logins, plugins, themes, updates, and security management. The announcement was also careful to differentiate the experience that WordPress users will have on WP Engine versus any other hosting provider, implying that the integrity of the WordPress experience could be compromised by WP Engine’s customizations.

Legal claims and background of the rift

The recent ban is rooted in a deeper legal conflict. WP Engine has sent a cease-and-desist letter to Automattic, the company behind WordPress.com and WooCommerce, accusing CEO Matt Mullenweg of extortion and coercive threats​. WP Engine claims that Mullenweg attempted to force WP Engine into a licensing deal by demanding “tens of millions of dollars” to avoid a “scorched earth nuclear approach” against WP Engine within the WordPress community. When WP Engine refused to comply, Mullenweg allegedly disparaged WP Engine publicly in his WordCamp US keynote speech and through social media and other WordPress.org platforms.

WP Engine's letter asserts that these public accusations are false and damaging. It further argues that WP Engine has supported the WordPress community significantly, through sponsorships, educational content, and contributions to open-source projects, and that its use of WordPress trademarks like “WP” is fully compliant with the WordPress Foundation’s trademark policy.

Today WP Engine sent what is called a “cease and desist” letter to Automattic demanding that Automattic and its CEO Matt Mullenweg stop making and retract false, harmful and disparaging statements against WP Engine. In response to misinformation he has disseminated about the…

— WP Engine (@wpengine) September 23, 2024

On the other side of the conflict, Automattic claims that WP Engine has improperly used WordPress and WooCommerce trademarks without a licensing agreement, misleading users about their affiliation and damaging Automattic’s brand reputation​. Automattic asserts that WP Engine has profited from these unlicensed uses, with their marketing implying a closer association with WordPress and WooCommerce than what is permitted. As part of its demands, Automattic insists that WP Engine cease all use of these trademarks, destroy marketing materials that misuse them, and account for any profits made from their unlicensed use.

Security implications for WP Engine users

With WP Engine now denied access to WordPress.org’s resources, customers using WP Engine for their WordPress hosting could experience significant implications. The ban prevents WP Engine servers from accessing WordPress.org’s update servers, plugin and theme directories, translation services, and other core features. This forces WP Engine to replicate the functionality provided by WordPress.org independently within a tight time frame.

WordPress.org noted that its platform works closely with hosting providers to identify and block vulnerabilities at the network layer, but this perk is now gone for WP Engine customers. Now, WP Engine must undertake this security research and management on its own, which could introduce gaps in timely vulnerability detection and patching.

PSA ‼️ – Due to plugin updates not being available to large amounts of WordPress websites hosted at @wpengine – we are temporarily halting the publishing of new (not yet public) high and medium severity CVEs and security vulnerabilities.

— Patchstack (@patchstackapp) September 26, 2024

Without access to the full scope of WordPress.org’s updates and security measures, and considering the steady supply of WordPress vulnerabilities that are disclosed daily, WP Engine users may face heightened risks, such as delayed security patches and lack of any protection against newly discovered flaws.

For customers relying on WP Engine:

• Reach out to WP Engine support for site management issues. With the disconnection from WordPress.org, any disruptions or technical problems must be resolved directly through WP Engine.
• Be vigilant about security updates. Users may need to monitor for updates or patches directly from WP Engine and confirm that their sites remain secure.
• Consider hosting alternatives. If critical WordPress.org resources and a seamless WordPress experience are necessary for your site’s performance and security, it may be wise to explore other hosting providers who maintain full access to WordPress.org’s ecosystem.