What Happened at Wordpress

On September 20, 2024, at 3:45 pm PDT, WordPress and the broader open-source software community changed forever. This is when Matt Mullenweg, a founding developer of the WordPress software that powers 43% of all websites in the world, delivered his keynote address at WordCamp US and attacked WP Engine, one of the largest managed hosting providers for WordPress.

Updates to this story are collected at the end of this post.

Mullenweg doubled down in a blog post the next day, writing, “[WP Engine is] a cancer to WordPress, and it’s important to remember that unchecked, cancer will spread.” Complicating matters, Mullenweg is also the founder and CEO of Automattic, which operates WordPress.com, Jetpack, WooCommerce, Pressable, and Tumblr and was an early investor in WP Engine. Across these roles he leads the direction of the WordPress software distributed on WordPress.org, serves as a director of the 501(c)(3) WordPress Foundation, and runs a roughly $500 million/year for-profit company that earns almost all of its revenue from the WordPress economy. Over the years there have been many conversations in the WordPress community about the outsized influence one man has over 43% of websites. Until now, those concerns were usually dismissed and often sounded like a conspiracy theory waiting to spread. It is no longer a theory, and it is no longer a fear; it has happened.

Mullenweg began this war during his keynote and escalated it days later by cutting off over 1.5 million websites from receiving notifications of security and stability updates, forcing website admins to update sites over FTP, Git, a proxy such as Cloudflare in front of the site, or a local-to-production push.

WP Engine is an Austin, Texas-based hosting company that specializes in optimized hosting for websites running WordPress. It was founded in 2010 by Jason Cohen, also the founder of SmartBear, to address a perceived need for a hosting provider dedicated to the largest content management system. Its customers range from mom-and-pop shops to a who’s who of household brand names. At 4:58 PM CDT on September 25, 2024, WP Engine’s network was blocked from accessing the servers of WordPress.org, the open-source software’s most common mechanism for distributing security and stability updates to websites.

Mullenweg’s attack on WP Engine appears to have started days before his keynote. While the keynote framed his grievance as WP Engine’s lack of contributions to the WordPress community, the legal documents tell a different story. According to the cease-and-desist letter sent by WP Engine’s attorneys to Automattic’s Chief Legal Officer, several Automattic C-suite executives had contacted WP Engine board members and executives, warning that Automattic was going to “go to war,” or, as Mullenweg put it, take “a scorched earth nuclear approach.” According to the cease-and-desist letters exchanged between WP Engine and Automattic, the dispute centers on WP Engine’s use of phrases such as “We power the freedom to create on WordPress” and “Host your WordPress site with the WordPress experts” on its website and in other marketing materials.

The WordPress trademark is owned by the WordPress Foundation, whose policy states, “WordPress-related businesses or projects can use the WordPress name and logo to refer to and explain their services” and “The abbreviation ‘WP’ is not covered by the WordPress trademarks.” On its face, that policy permits exactly what WP Engine is doing: using WP in its business name and using WordPress to describe its hosting service. But Automattic holds a license, granted by the Mullenweg-chaired foundation, to operate WordPress.com, one of the key drivers of its roughly $500 million/year revenue. Citing that commercial-use license, Automattic began pressuring WP Engine for a royalty fee in order to use WordPress. In Automattic’s cease-and-desist letter, its attorneys mention an 8% royalty, over $32 million/year, for “unfair competition.” One can only assume Automattic (or more likely Mullenweg) considers it unfair that anyone else provides hosting for “their” (or just his) open-source software. Will Mullenweg stop at trying to extort royalties from hosting companies providing a needed service to WordPress users, or will he extend his campaign to any business that uses a WordPress website commercially?

Before the keynote, Mullenweg texted WP Engine’s CEO and chairwoman a photo of the audience and offered to “make it just a Q&A about WP,” ostensibly in exchange for an agreement on the licensing fee. Getting no answer, he began this war during the keynote and escalated it days later by cutting off over 1.5 million websites from receiving notifications of security and stability updates, forcing website admins to update sites over FTP, Git, a proxy such as Cloudflare in front of the site, or a local-to-production push. The loss of access to WordPress.org has also caused websites to begin returning 502 errors as API calls to WordPress.org hang. The WordPress software assumes it will always be able to reach WordPress.org; by blocking that access, Mullenweg has caused it to “not be WordPress” and exposed millions of sites to potential hacks and ransomware attacks.
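The 502 failure mode above comes from update checks that wait on a host that never answers. As an added example, not code from the original post, from WP Engine, or from WordPress core, the must-use plugin below short-circuits outbound requests to WordPress.org so they fail immediately instead of tying up PHP workers, and caps the HTTP timeout for everything else. It uses only the documented core hooks `pre_http_request` and `http_request_timeout`; the `WPORG_API_UNREACHABLE` constant, the file name, and the 5-second cap are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Fail fast when WordPress.org is unreachable
 * Description: Added example (not part of the original post or of WordPress core).
 *              Returns an immediate WP_Error for requests to *.wordpress.org when a
 *              kill switch is set, so hung update checks cannot exhaust PHP workers.
 *              Assumed install path: wp-content/mu-plugins/fail-fast-wporg.php
 */

// Assumption: the operator defines this constant as true in wp-config.php
// for the duration of the block and removes it once access is restored.
if ( ! defined( 'WPORG_API_UNREACHABLE' ) ) {
    define( 'WPORG_API_UNREACHABLE', false );
}

/**
 * Decide whether a request URL targets wordpress.org or a subdomain of it.
 * Kept as a named function so the matching rule is easy to test in isolation.
 */
function ffw_is_wporg_host( $url ) {
    $host = wp_parse_url( $url, PHP_URL_HOST );
    return is_string( $host )
        && 1 === preg_match( '/(^|\.)wordpress\.org$/i', $host );
}

// Core runs this filter before any socket is opened; returning a WP_Error
// makes wp_remote_* callers (including the update checker) see a failure at once.
add_filter( 'pre_http_request', function ( $preempt, $parsed_args, $url ) {
    if ( ! WPORG_API_UNREACHABLE || ! ffw_is_wporg_host( $url ) ) {
        return $preempt; // normal operation: let the request proceed
    }
    return new WP_Error(
        'wporg_unreachable',
        'Request to WordPress.org skipped: host is blocked from api.wordpress.org.'
    );
}, 10, 3 );

// Belt and braces for any other slow host: never wait more than 5 seconds
// (assumed cap) per HTTP request, whatever a caller asked for.
add_filter( 'http_request_timeout', function ( $timeout, $url ) {
    return min( (int) $timeout, 5 );
}, 10, 2 );
```

With the kill switch on, the site stops learning about core, plugin, and theme updates, so the operator must apply them by another route (FTP, Git, or a deploy pipeline) and should remove the constant as soon as WordPress.org is reachable again. Because mu-plugins load before ordinary plugins, the filters are in place before any plugin's own update check fires.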

Beyond the massive security implications of this block, an even graver issue it exposes is that the entire project, and by extension almost half of all websites on Earth, is at the whim of one person. While WP Engine has drawn his ire today, what is to stop him from waking up tomorrow and blocking servers from Pantheon, AWS, or Google? When asked about this scenario on X, he said, “Nope! None of them have publicly attacked me.” Are we simply to grant Mullenweg carte blanche to say and do as he pleases so that we can avoid his wrath and exile from security updates?

But his power extends even further. Back in 2015, a significant security vulnerability was disclosed in the Yoast SEO plugin. Because of the nature of the vulnerability and the plugin’s install base, the WordPress.org team pushed a forced automatic update of the plugin. The update went out regardless of site owners’ settings disabling automatic updates, without advance warning, and with no way to test that it would not break production sites. Was it a good idea for WordPress.org to force this update? Probably. If it hadn’t, tens of millions of websites would likely have kept running outdated software with a publicly disclosed vulnerability. But the same ability to force an update raises the question of what Mullenweg could do with his apparent dictator-level control over WordPress.org. It is not outside the realm of possibility that he could decide every WordPress website should carry only content related to jazz. With a few lines of code and his commit authority on the project, he could force an update that replaces all of a website’s content. Far-fetched, yes, but technically possible, and probably no more far-fetched than attacking a company at a conference for which it paid $75,000 in sponsorship fees.

Where does this end? Honestly, anyone’s guess is as good as another. Six days after his keynote attack, Mullenweg is still devoting countless bytes of digital ink to raging against WP Engine. Is it possible we are seeing the WordPress project begin its march toward obsolescence, a path so many other projects have walked because of community disputes? It may be time to rethink our trust in open-source projects, and WordPress in particular, where “community-run” really means a community run by one.

Updates to this story:

Update 10/2/24:
The inevitable lawsuit was filed by WP Engine against Automattic and Mullenweg. Over the 61-page complaint, WP Engine begins presenting its case that Mullenweg and Automattic have seriously harmed both its business and the greater WordPress community.

WP Engine, Inc. vs Automattic, Inc. and Matthew Charles Mullenweg https://wpengine.com/wp-content/uploads/2024/10/Complaint-WP-Engine-v-Automattic-et-al-with-Exhibit.pdf

Update 10/3/24:
Josepha Haden Chomphosy, the executive director of the WordPress project and an employee of Automattic, announced that she was leaving both roles effective immediately. As executive director, Chomphosy was responsible for coordinating and guiding volunteer efforts throughout the WordPress project and community. Her departure follows news that Mullenweg had told employees that if they did not agree with his actions, they needed to resign by October 3rd.

Josepha Haden Chomphosy on X, confirming her departure https://x.com/JosephaHaden/status/1841793834931397070
