The WPForms plugin for WordPress contains a vulnerability that allows authenticated attackers to cancel subscriptions and issue refunds, modifying payment data they should not be able to touch.
Missing Capability Check
The vulnerability is due to a missing capability check in a plugin function called wpforms_is_admin_page: the plugin does not verify that the user making the request holds the capability required for the change, so payment data can be modified by users who lack sufficient privileges.
Attackers need at least Subscriber-level access to exploit the flaw. An authenticated vulnerability that requires only a Subscriber account would normally not earn such a high severity rating. One likely reason it does here is that the sites using WPForms’ payment features are exactly the sites that register paying customers as Subscriber-level users, so the precondition is easy to meet.
The Wordfence announcement explains it like this:
“The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”
WPForms users running versions 1.8.4 up to and including 1.9.2.1 are advised to update the plugin.
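To make the “missing capability check” concrete, here is an added illustration of the pattern in a WordPress AJAX handler, first as it goes wrong and then hardened. This is example code written for this page, not WPForms’ code and not derived from its source. It assumes the WordPress runtime (add_action, is_admin, check_ajax_referer, current_user_can, absint, wp_send_json_error and wp_send_json_success are real WordPress APIs); the example_refund action name, the nonce name, the manage_options capability used as the gate, and the example_issue_refund helper are hypothetical placeholders.

```php
<?php
/*
 * Added example, not WPForms code. Runs inside WordPress.
 * The 'example_refund' action, its nonce, and example_issue_refund()
 * are hypothetical placeholders standing in for a real refund endpoint.
 */

// Hypothetical stand-in for the payment-gateway call.
function example_issue_refund( int $payment_id ): bool {
    return $payment_id > 0;
}

// VULNERABLE (shown for contrast; not registered on a hook).
// A wp_ajax_* hook only requires that *some* user is logged in, and
// is_admin() is true for every admin-ajax.php request regardless of who
// sent it, so this "check" lets a Subscriber reach the privileged action.
function example_refund_handler_vulnerable() {
    if ( ! is_admin() ) {
        wp_send_json_error( array( 'message' => 'not the admin area' ), 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    example_issue_refund( $payment_id );
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}

// HARDENED: CSRF check, then an explicit capability check, then input validation.
function example_refund_handler_hardened() {
    // 1. The request must carry a nonce minted for this action (dies on failure).
    //    A nonce stops cross-site request forgery; it is NOT authorization,
    //    because any logged-in user can obtain a nonce from a page that prints one.
    check_ajax_referer( 'example_refund', 'nonce' );

    // 2. The current user must hold the capability that gates refunds.
    //    Subscribers do not have manage_options; this is the check that was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Validate input before acting on it.
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id ) {
        wp_send_json_error( array( 'message' => 'invalid payment id' ), 400 );
    }

    example_issue_refund( $payment_id );
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}
add_action( 'wp_ajax_example_refund', 'example_refund_handler_hardened' );
```

The point of the ordering is that each layer answers a different question: the nonce asks “did this request originate from our own page?”, the capability check asks “is this user allowed to do this?”, and neither can substitute for the other. A nonce without a capability check is exactly the situation where a Subscriber can trigger an admin-only action. When auditing a plugin, grep for wp_ajax_ and admin_post_ handlers and confirm each privileged one calls current_user_can (or a wrapper that does) before acting.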
The HTTP Archive published its report on the state of accessibility on the web, based on scores generated with the Lighthouse Accessibility Audit, a feature of Google’s Lighthouse website auditing tool that also measures website performance, best practices, and SEO. The report compared traditional content management systems with website building platforms, with WordPress scoring surprisingly well.
Lighthouse is a feature available through Chrome DevTools built into every Chrome-based browser and as one of the audits on the standalone PageSpeed Insights tool.
HTTP Archive
The research was conducted by the HTTP Archive, a community-driven open source project that tracks data about how sites are built and how they perform. It offers a configurable report on how different content management platforms perform that is updated monthly.
The accessibility report used data collected by the WebAIM Million study, which is based on the home pages of the top one million websites. WebAIM Million draws on the Tranco list, which combines several upstream ranking providers to produce a list of a million sites that is designed to be resistant to manipulation.
“Researchers in web security or Internet measurements often use rankings of popular websites. However, in our paper we showed that these rankings disagree on which domains are most popular, can change significantly on a daily basis and can be manipulated (by malicious actors).
As the research community still benefits from regularly updated lists of popular domains, we provide Tranco, a ranking that improves upon the shortcomings of current lists. We also emphasize the reproducibility of these rankings and the studies using them by providing permanent citable references.
We currently use the lists from five providers: Cisco Umbrella (available free of charge), and Majestic (available under a CC BY 3.0 license), Farsight (only for the default list), the Chrome User Experience Report (CrUX) (available under a CC BY-SA 4.0 license), and Cloudflare Radar (available under a CC BY-NC 4.0 license). Tranco is not affiliated with any of these providers.”
Top CMS Accessibility Performance
HTTP Archive performed its research to identify the best performing platforms and the shortcomings of each.
Accessibility: Traditional CMS
Adobe Experience Manager and Contentful were the top traditional content management systems for accessibility, tied with a score of 87%, followed by Sitecore and WordPress tied in second place at 85%. Notably, three of the four top-ranked CMSs, Adobe Experience Manager (AEM), Contentful and Sitecore, are closed source; WordPress is the only open source platform among them.
Accessibility Scores By CMS:
Adobe Experience Manager 87%
Contentful 87%
Sitecore 85%
WordPress 85%
Craft CMS 84%
Contao 84%
Drupal 84%
Liferay 83%
TYPO3 CMS 83%
DNN 82%
What’s going on with the CMS scores? HTTP Archive explains:
“When most folks think about CMS, they think about the ones that you can download and install yourself. This is predominantly made up of open source tools, but not exclusively. Adobe Experience Manager (AEM), Contentful and Sitecore were the most accessible three in this list of top 10. A possible explanation for this is that closed-source software like AEM is more likely to be used by larger corporations, which have more resources to address accessibility issues. Additionally, open-source software gives website owners a lot of freedom, which in some cases can lead to worse accessibility.”
Accessibility: Website Platforms
This comparison is by website building platform, comparing platforms like Wix, Duda, and Squarespace. The accessibility scores for the platforms were higher than the scores for traditional CMSs, reflecting how private platforms are better able to control variables as opposed to an open source CMS that offers users a more open ended experience.
Accessibility Scores By Website Platform
Wix 94%
Squarespace 92%
Google Sites 90%
Duda 87%
Hubspot CMS Hub 87%
Pixnet 87%
Weebly 86%
GoDaddy Website Builder 85%
Webnode 84%
Tilda 83%
Wix Beats Out All CMS & Platforms
What’s notable about these scores is that sites built with Wix score higher for accessibility than sites built on any other CMS or website building platform. Ninety-four percent of sites built with Wix have a That’s a reflection of Wix’s well-known effort to create a product that is strong in performance, SEO and accessibility.
SEOs are understandably motivated by best practices for ranking better. For example, many didn’t prioritize site performance until it became a ranking factor, even though website performance improves sales and advertising performance and may have indirect impact on rankings.
Accessibility also has indirect advantages for search performance. For example, about 0.5% of women and 8% of men are color blind. Why would anyone who cares about their rankings alienate, frustrate and exclude roughly 4.5% of website visitors?
Wix and Squarespace are prioritizing accessibility. Everyone else should as well, because it’s both ethical and a sound business practice.
It’s a cornerstone of your business’s online success that impacts everything from site speed and uptime to customer trust and overall branding.
Yet, many businesses stick with subpar hosting providers, often unaware of how much it’s costing them in time, money, and lost opportunities.
The reality is that bad hosting doesn’t just frustrate you. It frustrates your customers, hurts conversions, and can even damage your brand reputation.
The good news?
Choosing the right host can turn hosting into an investment that works for you, not against you.
Let’s explore how hosting affects your bottom line, identify common problems, and discuss what features you should look for to maximize your return on investment.
1. Start By Auditing Your Website’s Hosting Provider
The wrong hosting provider can quickly eat away at your time & efficiency.
In fact, time is the biggest cost of an insufficient hosting provider.
To start out, ask yourself:
Is Your Bounce Rate High?
Are Customers Not Converting?
Is Revenue Down?
If you answered yes to any of those questions, and no amount of on-page optimization seems to make a difference, it may be time to audit your website host.
Why Audit Your Web Host?
Frequent downtime, poor support, and slow server response times can disrupt workflows and create frustration for both your team and your visitors.
From an SEO & marketing perspective, a sluggish website often leads to:
Increased bounce rates.
Missed customer opportunities.
Wasted time troubleshooting technical issues.
Could you find workarounds for some of these problems? Sure. But they take time and money, too.
The more dashboards and tools you use, the more time you spend managing it all, and the more opportunities you’ll miss out on.
Bluehost’s integrated domain services simplify website management by bringing all your hosting and domain tools into one intuitive platform.
2. Check If Your Hosting Provider Is Causing Slow Site Load Speeds
Your website is often the first interaction a customer has with your brand.
A fast, reliable website reflects professionalism and trustworthiness.
Customers associate smooth experiences with strong brands, while frequent glitches or outages send a message that you’re not dependable.
Your hosting provider should enhance your brand’s reputation, not detract from it.
How To Identify & Measure Slow Page Load Speeds
Identifying and measuring slow site and page loading speeds starts with using tools designed to analyze performance, such as Google PageSpeed Insights, GTmetrix, or Lighthouse.
These tools provide metrics like First Contentful Paint (FCP) and Largest Contentful Paint (LCP), which help you see how quickly key elements of your page load.
Pay attention to your site’s Time to First Byte (TTFB), a critical indicator of how fast your server responds to requests.
Regularly test your site’s performance across different devices, browsers, and internet connections to identify bottlenecks. High bounce rates or short average session durations in analytics reports can also hint at speed issues.
Bandwidth limitations can create bottlenecks for growing websites, especially during traffic spikes.
How To Find A Fast Hosting Provider
Opt for hosting providers that offer unmetered or scalable bandwidth to ensure seamless performance even during periods of high demand.
Cloud hosting is designed to deliver exceptional site and page load speeds, ensuring a seamless experience for your visitors and boosting your site’s SEO.
With advanced caching technology and optimized server configurations, Bluehost Cloud accelerates content delivery to provide fast, reliable performance even during high-traffic periods.
Its scalable infrastructure ensures your website maintains consistent speeds as your business grows, while a global Content Delivery Network (CDN) helps reduce latency for users around the world.
With Bluehost Cloud, you can trust that your site will load quickly and keep your audience engaged.
3. Check If Your Site Has Frequent Or Prolonged Downtime
Measuring and identifying downtime starts with having the right tools and a clear understanding of your site’s performance.
Tools like uptime monitoring services can track when your site is accessible and alert you to outages in real time.
You should also look at patterns.
Frequent interruptions or prolonged periods of unavailability are red flags. Check your server logs for error codes and timestamps that indicate when the site was down.
Tracking how quickly your hosting provider responds and resolves issues is also helpful, as slow resolutions can compound the problem.
Remember, even a few minutes of downtime during peak traffic hours can lead to lost revenue and customer trust, so understanding and monitoring downtime is critical for keeping your site reliable.
No matter how feature-packed your hosting provider is, unreliable uptime or poor support can undermine its value. These two factors are critical for ensuring a high-performing, efficient website.
What Your Hosting Server Should Have For Guaranteed Uptime
A Service Level Agreement (SLA) guarantees uptime, response time, and resolution time, ensuring that your site remains online and functional. Look for hosting providers that back their promises with a 100% uptime SLA.
Bluehost Cloud offers a 100% uptime SLA and 24/7 priority support, giving you peace of mind that your website will remain operational and any issues will be addressed promptly.
Our team of WordPress experts ensures quick resolutions to technical challenges, reducing downtime and optimizing your hosting ROI.
4. Check Your Host For Security Efficacy
Strong security measures protect your customers and show them you value their privacy and trust.
A single security breach can ruin your brand’s image, especially if customer data is compromised.
Hosts that lack built-in security features like SSL certificates, malware scanning, and regular backups leave your site vulnerable.
How Hosting Impacts Security
Security breaches don’t just affect your website. They affect your customers.
Whether it’s stolen data, phishing attacks, or malware, these breaches can erode trust and cause long-term damage to your business.
Recovering from a security breach is expensive and time-consuming. It often involves hiring specialists, paying fines, and repairing the damage to your reputation.
Is Your Hosting Provider Lacking Proactive Security Measures?
Assessing and measuring security vulnerabilities or a lack of proactive protection measures begins with a thorough evaluation of your hosting provider’s features and practices.
Review Included Security Tools
Start by reviewing whether your provider includes essential security tools such as SSL certificates, malware scanning, firewalls, and automated backups in their standard offerings.
If these are missing or come as costly add-ons, your site may already be at risk.
Use Vulnerability Scanning Tools To Check For Weaknesses
Next, use external scanning tools to identify potential weaknesses: Qualys SSL Labs for the TLS configuration of your server, and website scanners such as Sucuri SiteCheck or SiteLock for outdated software, unpatched plugins, or misconfigured settings.
These tools can flag issues like weak encryption, exposed directories, or malware infections.
Monitor your site for unusual activity, such as unexpected traffic spikes or changes to critical files, which could signal a breach.
Make Sure The Host Also Routinely Scans For & Eliminates Threats
It’s also crucial to evaluate how your hosting provider handles updates and threat prevention.
Do they offer automatic updates to patch vulnerabilities?
Do they monitor for emerging threats and take steps to block them proactively?
A good hosting provider takes a proactive approach to security, offering built-in protections that reduce your risks.
Look for hosting providers that include automatic SSL encryption, regular malware scans, and daily backups. These features not only protect your site but also give you peace of mind.
Bluehost offers robust security tools as part of its standard WordPress hosting package, ensuring your site stays protected without extra costs. With built-in SSL certificates and daily backups, Bluehost Cloud keeps your site secure and your customers’ trust intact.
5. Audit Your WordPress Hosting Provider’s Customer Support
Is your host delivering limited or inconsistent customer support?
Limited or inconsistent customer support can turn minor issues into major roadblocks. When hosting providers fail to offer timely, knowledgeable assistance, you’re left scrambling to resolve problems that could have been easily fixed.
Delayed responses or unhelpful support can lead to prolonged downtime, slower page speeds, and unresolved security concerns, all of which impact your business and reputation.
Reliable hosting providers should offer 24/7 priority support through multiple channels, such as chat and phone, so you can get expert help whenever you need it.
Consistent, high-quality support is essential for keeping your website running smoothly and minimizing disruptions.
Bluehost takes customer service to the next level with 24/7 priority support available via phone, chat, and email. Our team of knowledgeable experts specializes in WordPress, providing quick and effective solutions to keep your site running smoothly.
Whether you’re troubleshooting an issue, setting up your site, or optimizing performance, Bluehost’s dedicated support ensures you’re never left navigating challenges alone.
Bonus: Check Your Host For Hidden Costs For Essential Hosting Features
Hidden costs for essential hosting features like:
Backups.
SSL certificates.
Additional bandwidth can quickly erode the value of a seemingly affordable hosting plan.
What Does This Look Like?
For example, daily backups, which are vital for recovery after data loss or cyberattacks, may come with an unexpected monthly fee.
Similarly, SSL certificates, which are essential for encrypting data and maintaining trust with visitors, are often sold as expensive add-ons.
If your site experiences traffic spikes, additional bandwidth charges can catch you off guard, adding to your monthly costs.
Many providers, as you likely have seen, lure customers in with low entry prices, only to charge extra for services that are critical to your website’s functionality and security.
These hidden expenses not only strain your budget but also create unnecessary complexity in managing your site.
A reliable hosting provider includes these features as part of their standard offering, ensuring you have the tools you need without the surprise bills.
Which Hosting Provider Does Not Charge For Essential Features?
Bluehost is a great option, as their pricing is upfront.
Bluehost includes crucial tools like daily automated backups, SSL certificates, and unmetered bandwidth in their standard plans.
This means you won’t face surprise fees for the basic functionalities your website needs to operate securely and effectively.
Whether you’re safeguarding your site from potential data loss or ensuring encrypted, trustworthy connections for your visitors, or need unmetered bandwidth to ensure your site can handle traffic surges without penalty, you’ll gain the flexibility to scale without worrying about extra charges.
We even give WordPress users the option to bundle premium plugins together to help you save even more.
By including these features upfront, Bluehost simplifies your WordPress hosting experience and helps you maintain a predictable budget, freeing you to focus on growing your business instead of worrying about unexpected hosting costs.
Transitioning To A Better Hosting Solution: What To Consider
Switching hosting providers might seem daunting, but the right provider can make the process simple and cost-effective. Here are key considerations for transitioning to a better hosting solution:
Migration Challenges
Migrating your site to a new host can involve technical hurdles, including transferring content, preserving configurations, and minimizing downtime. A hosting provider with dedicated migration support can make this process seamless.
Cost of Switching Providers
Many businesses hesitate to switch hosts due to the cost of ending a contract early. To offset these expenses, search for hosting providers that offer migration incentives, such as contract buyouts or credit for remaining fees.
Why Bluehost Cloud Stands Out
Bluehost Cloud provides comprehensive migration support, handling every detail of the transfer to ensure a smooth transition.
Plus, our migration promotion includes $0 switching costs and credit for remaining contracts, making the move to Bluehost not only hassle-free but also financially advantageous.
Your hosting provider plays a pivotal role in the success of your WordPress site. By addressing performance issues, integrating essential features, and offering reliable support, you can maximize your hosting ROI and create a foundation for long-term success.
If your current hosting provider is falling short, it’s time to evaluate your options. Bluehost Cloud delivers performance-focused features, 100% uptime, premium support, and cost-effective migration services, ensuring your WordPress site runs smoothly and efficiently.
In addition, Bluehost has been a trusted partner of WordPress since 2005, working closely to create a hosting platform tailored to the unique needs of WordPress websites.
Beyond hosting, Bluehost empowers users through education, offering webinars, masterclasses, and resources like the WordPress Academy to help you maximize your WordPress experience and build successful websites.
Take control of your website’s performance and ROI. Visit the Bluehost Migration Page to learn how Bluehost Cloud can elevate your hosting experience.
This article has been sponsored by Bluehost, and the views presented herein represent the sponsor’s perspective.
Automattic quietly updated the WP Engine Tracker website with an activity log showing a continuously updated list of domains that have switched away from managed WordPress host, WP Engine. This update is part of Mullenweg’s self-described “nuclear war” against WP Engine, with the Tracker site actively promoting competitors by offering links to their hosting promotions.
WP Engine Tracker
Automattic created a website for the purpose of tracking how many sites have abandoned WP Engine since September 21st, 2024, the date that Matt Mullenweg went “nuclear” on WP Engine after it rebuffed his request for $32 million. The website promotes deals from other web hosts for moving away from WP Engine and offers a CSV spreadsheet with the domain names of the sites that have left WP Engine.
At some point after launch, the website was updated with a list of the top web hosts that WP Engine customers have migrated to and a constantly updated list of sites that have recently moved.
WP Engine Tracker “Activity Log Today”
Automattic escalated what the WP Engine Tracker website does by adding an additional feature that shows a continually updated running list of domains that have migrated away from WP Engine and the destination host.
Screenshot Of Activity Log Today Feature
WP Engine Lawsuit
The WP Engine Tracker website, created by Automattic and Matt Mullenweg to publicly monitor and offer links to promotions to other web hosts, was cited in a preliminary injunction filed by WP Engine as evidence of Mullenweg’s purposeful “attack on WPE” as part of his “nuclear war” against the managed WordPress host.
The preliminary injunction filed by WP Engine explains:
“Just last week, in an apparent effort to brag about how successful they have been in harming WPE, Defendants created a website—www.wordpressenginetracker.com—that “list[s] . . . every domain hosted by @wpengine, which you can see decline every day. 15,080 sites have left already since September 21st.
September 21 was not selected randomly. It is the day after Defendants’ self-proclaimed nuclear war began – an admission that these customer losses were caused by Defendants’ wrongful actions. In this extraordinary attack on WPE and its customers, Defendants included on their disparaging website a downloadable file of ‘all [WPE] sites ready for a new home’—that is, WPE’s customer list, literally inviting others to target and poach WPE’s clients while Defendants’ attacks on WPE continued.”
But available transcripts of the preliminary injunction hearing of November 26th do not show that it was mentioned. The judge at that hearing asked the plaintiff and defendants to return to court on Monday December 2nd with an agreement on a narrow and specific scope for a preliminary injunction, having said that the original request was too vague and consequently unenforceable.
A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites. Security researchers rated the vulnerability 9.8 out of 10, a score in the critical range.
Screenshot Of CleanTalk Vulnerability Severity Rating
A highly rated anti-spam firewall with over 200,000 installations was found to have an authentication bypass vulnerability that enables attackers to gain full access to websites without providing a username or password. The flaw lets attackers upload and install any plugin, including malware, granting them full control of the site.
The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin was pinpointed by security researchers at Wordfence as an authorization bypass through reverse DNS spoofing. DNS normally maps a domain name to an IP address; reverse DNS does the opposite, mapping an IP address back to a hostname through its PTR record. Because the owner of an IP address controls its PTR record, an attacker can make a reverse lookup of their own IP return any hostname they choose. In this case the attacker can trick the anti-spam plugin into believing a malicious request is coming from the website itself, and because the plugin performs no further check, the attacker gains unauthorized access.
This vulnerability is categorized as Missing Authorization (CWE-862). The Common Weakness Enumeration (CWE) website defines that as:
“The product does not perform an authorization check when an actor attempts to access a resource or perform an action.”
Wordfence explains it like this:
“The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.”
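To show why a reverse DNS check is spoofable and what forward-confirmed reverse DNS (FCrDNS) adds, here is an added example written for this page. It is not CleanTalk’s code and does not reproduce the checkWithoutToken function. The resolvers are passed in as callables so the example runs offline against constructed DNS data (the example-site.test hostname and the 203.0.113.10 and 198.51.100.7 addresses are made up); in a real plugin they would wrap PHP’s gethostbyaddr() and gethostbynamel().

```php
<?php
/*
 * Added example, not CleanTalk code. The hostname and IP addresses below are
 * constructed test data, and the resolver callables stand in for real DNS.
 */

// VULNERABLE: trusts the reverse (PTR) record alone. Whoever controls the
// attacker's IP block controls its PTR record and can point it at any name,
// so this check passes from anywhere on the internet.
function request_is_from_self_ptr_only( string $remote_ip, string $site_host, callable $ptr ): bool {
    return strcasecmp( $ptr( $remote_ip ), $site_host ) === 0;
}

// HARDENED: forward-confirm the PTR name. The name must resolve (A record)
// back to the IP that made the request. The attacker can forge a PTR record
// for their own IP but cannot add that IP to the site's own forward zone.
function request_is_from_self_fcrdns( string $remote_ip, string $site_host, callable $ptr, callable $forward ): bool {
    $name = $ptr( $remote_ip );
    if ( $name === '' || strcasecmp( $name, $site_host ) !== 0 ) {
        return false;
    }
    return in_array( $remote_ip, $forward( $name ), true );
}

// Constructed DNS data: the attacker's PTR lies, the site's forward zone does not.
$ptr = static function ( string $ip ): string {
    $table = [
        '203.0.113.10' => 'example-site.test', // the site's real server
        '198.51.100.7' => 'example-site.test', // attacker host with a forged PTR
    ];
    return $table[ $ip ] ?? '';
};
$forward = static function ( string $host ): array {
    return $host === 'example-site.test' ? [ '203.0.113.10' ] : [];
};

$site = 'example-site.test';
foreach ( [ '203.0.113.10', '198.51.100.7' ] as $ip ) {
    printf(
        "%-13s ptr-only=%s fcrdns=%s\n",
        $ip,
        var_export( request_is_from_self_ptr_only( $ip, $site, $ptr ), true ),
        var_export( request_is_from_self_fcrdns( $ip, $site, $ptr, $forward ), true )
    );
}
```

Run with plain php: the forged-PTR address passes the PTR-only check and fails the forward-confirmed one, while the site’s real address passes both. Two caveats matter in practice. First, the client address must come from the transport ($_SERVER['REMOTE_ADDR']), not from a header such as X-Forwarded-For that the client can set, or no DNS check helps. Second, even FCrDNS only proves that a request came from an address the site’s zone lists, which on shared hosting is an address many unrelated tenants share; it is a reasonable signal for spam scoring but should never be the sole gate for something as privileged as installing a plugin. The correct control for a server-to-self call is an explicit shared secret or token, which is what the “WithoutToken” in the vulnerable function’s name suggests was being skipped.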
Recommendation
Wordfence recommends users of the affected plugin to update to version 6.44 or higher.
WP Engine had their day in court, but it didn’t go entirely in their favor, as Judge Araceli Martínez-Olguín ruled the request for a preliminary injunction was too vague. However, the judge said they were “inclined to grant some sort of injunction.”
“That’s How You Set A Ransom”
The attorney for the plaintiff offered new details about what happened behind the scenes on the day that Matt Mullenweg went “nuclear” on WP Engine at WordCamp USA. She first argued that Mullenweg’s demand for a trademark license was a sham, then showed that Mullenweg had not enforced his trademark claim for fifteen years.
Among the new details was that Mullenweg’s demand for $32 million was communicated in a one-page letter and that the agreement was for a seven-year period that automatically renews “essentially forever.” She then revealed how Mullenweg decided on the $32 million figure, explaining that it was just “a number” that Mullenweg felt WP Engine was able to pay.
The point of this part of the plaintiff’s argument was to show that the royalty rate that Mullenweg was asking for was not based on any value of the mark but rather the rate was a figure that Mullenweg felt he was able to squeeze out of WP Engine, saying that the rate was “set in an extortionate manner.”
WP Engine’s attorney offered this narrative of events:
“We know that defendants had no right to offer that, quote unquote, service because it is a pretext. It is a sham. …You look at the record. We see that for 15 years, WP Engine was making nominative fair use of the WordPress mark as the entire community did for 15 years without so much as a shoulder tap. ‘Excuse me.’ ‘Here’s an email.’ ‘Here’s a text.’ ‘Here’s a cease and desist letter.’ Nothing.
Nothing whatsoever, until the morning of September 20th when we receive this one page bizarre trademark license agreement. That’s not how trademark owners operate. That is not how you protect and enforce your mark. You don’t wait 15 years and then drop a demand for thirty two million dollars on the recipient.
We also know from the price set, …this one page license listed a price of eight percent of WP Engines gross revenues, which happens to amount to thirty two million dollars. And it set that price for a seven year period to automatically renew essentially forever.
And when asked, how did you set that price? Mr. Mullenweg, defendant Matthew Mullenweg, acknowledged, “it’s what I thought they could pay. We did an analysis to figure out what the free cash flow was. That’s how we set that number.” That’s not how you calculate a royalty. That’s how you set a ransom.”
Judge Questioned WP Engine’s Attorneys
There was a point in the proceedings where Judge Araceli Martínez-Olguín asked WP Engine’s attorneys what right to continued access they had without paying any kind of license.
WP Engine’s attorney answered:
“So there’s just simply no connection there, your Honor, whatsoever. The test is not: does WP Engine have a right to be free from a trademark license?”
The attorney also pointed out that free access to WordPress.org was the “status quo” for fifteen years, which changed on September 20th when Mullenweg initiated his dispute with WP Engine.
Automattic’s Defense Tactic
The attorney for Automattic and Mullenweg argued several technical points as to why the judge should not grant an injunction. One key point was that WP Engine’s extortion claim, under California law, fails because California courts do not recognize a private cause of action for attempted extortion under the California Penal Code.
They then point out that the case law WP Engine’s attorney is relying on (Tran v. Winn) concerns a different legal concept (duress and rescission) rather than extortion. They said that the plaintiff’s legal theory doesn’t match extortion claims and involves different legal principles.
Automattic’s attorney then follows that up by stating that even if WP Engine could use the Tran v. Winn case law, the plaintiff’s argument still fails under the other case law they are citing to base their claims on (Levitt case). They argue that the plaintiff cannot meet the legal standard for economic extortion because they are unable to show that the defendant had no right to demand payment for the services in question.
An argument made by Automattic’s attorney about the trademark license demand is that the plaintiffs omit a second option in the license, which was to provide volunteer hours equivalent to the payment. Shaw also pointed out that Mullenweg had made a reference to negotiating the terms the following week, but WP Engine never responded to his message.
The attorney said:
“…there is a text from Mr. Mullenweg in which he says, or he makes reference to even negotiating the terms the following week. They just never responded to Mr. Mullenweg’s response.”
What The Judge Said
Judge Araceli Martínez-Olguín had a lot to untangle, with perhaps the main thing being that WP Engine’s injunction was too vague.
The judge gave an indication of what direction she was leaning but also explained that the request was a “non-starter.”
“Having reviewed everything, I am inclined to grant some sort of injunction. Here’s the problem that I have with your proposed injunction, though. This is a nonstarter because it is exceedingly vague.”
The judge then encouraged the parties to work together to narrow down the preliminary injunction to something that isn’t vague and failing that they could submit “dueling submissions.” There was some back and forth about what date to return to court with, with WP Engine asking for a Friday date and eventually agreeing to return on Tuesday, December 3rd.
Reaction To Preliminary Injunction Hearing
A lawyer live blogging the proceedings on Bluesky wrote up their take on what happened:
“I knew that WPE was in very good shape when the opening question was “tell me about your one best shot” because that’s not generally a question you’d ask if you thought nothing had any merit.
I thought that tortious interference was the best shot. I’m pretty sure WordPress’s lawyers did too.”
“I was reasonably sure that this was leaning toward a grant on the PI. I think that Automattic was close to getting their alternative, but Mack may have saved things with his tech walk through.”
He offered a good opinion about the judge, saying that she appears to recognize that some of the technical issues are outside of her area of expertise and that she expressed a willingness to ask questions to better understand.
“It’s clear that the Judge isn’t overly technical in her background, but is aware of that and is willing to listen attentively – this is very good, and not a universal federal judge trait.
It will be interesting to see what we get on Monday.
Almost certainly, dueling proposals.”
This summary of what happened in court is based on a live blog and a post on Bluesky by a lawyer of the proceedings over Zoom.
Automattic cloned WP Engine’s paid ACF Premium plugin and is distributing it for free. Many in the WordPress community disapprove of this action, expressing concerns that it undermines the plugin and theme ecosystem.
Advanced Custom Fields Plugin
Advanced Custom Fields (ACF) is a WordPress plugin that’s popular with WordPress website developers because it enables them to create custom fields that WordPress publishers and authors can use.
Custom fields allow developers to take full control of the editing screens and add things like a form for building structured data specific to a kind of WordPress page, such as Schema.org markup for ecommerce, news, legal or medical content. A custom field can also give article authors a place to enter the author name or a featured quote.
Website developers also use ACF to let authors add author bios, featured quotes, or article metadata such as the publication date, modification date or links to sources. For example, a field for a featured quote lets authors enter the quote’s text, and it then appears in the article with all the predefined styling. All the author needs to do is fill in the form and hit the submit button.
ACF was developed by a company named Delicious Brains and was acquired by WP Engine in 2022, which then assumed responsibility for developing and updating the free and premium versions.
WordPress Freemium Ecosystem
ACF is popular because it built trust and authoritativeness as a solid plugin through the use of the freemium WordPress business model. Plugin and theme developers use the freemium business model to offer a free version of their software and a premium version that offers additional functionality. Offering a highly functional and useful free version increases the popularity and goodwill of a plugin or theme with basic users and the more advanced users are able to try the functionality of the free version then choose the premium version for the additional features. It can take years to build that goodwill, trust and authoritativeness with users.
The developers of plugins like Yoast and Wordfence spend thousands of hours developing and promoting their free plugins, which are then installed on millions of websites. They put all that effort into the free versions to upsell their premium products.
Timeline: Automattic Forks ACF
In the context of WordPress plugins and themes, the term “forking” refers to creating an independent version of an existing plugin or theme from the source code of the original. Forking is made possible by open source licenses: WordPress itself is released under the GPL, and all plugins and themes that are derivatives of WordPress must be released under a GPL-compatible license.
Forking of a theme or plugin sometimes happens when a developer abandons their project and an interested party decides to continue developing their version of the software, a “forked” version of the original.
October 3, 2024: WP Engine Releases Independent Updates
Automattic locked the ACF plugin out of the WordPress.org servers, preventing ACF users from updating their copies of the plugin directly from WordPress.org and forcing WP Engine to create a workaround on October 3rd.
WP Engine announced:
“On October 3, we released new versions of our widely used plugins, featuring independent update capabilities and updates delivered directly from WP Engine.
While WP Engine and Flywheel customers are already protected by the WP Engine update system and don’t need to take any action, community members are encouraged to download these versions of our free, open-source plugins and updates directly from the ACF and NitroPack websites to ensure they receive updates directly from us.
If you’re running v6.3.2 or earlier of ACF, or have been forcibly switched to “Secure Custom Fields” without your consent, you can install ACF 6.3.8 directly from the ACF website, or follow these instructions to fix the issue.
These efforts support our customers and plugin users and seek to protect the community at large.”
Screenshot Of ACF Plugin Changelog Showing Lockout Workaround
On October 5th Automattic notified WP Engine of a vulnerability in the ACF plugin and announced it on a now deleted post on X (formerly Twitter).
Screenshot Of Post On X By Automattic
October 7th: WP Engine Fixes ACF Vulnerability
On October 7th, WP Engine fixed the plugin vulnerability, as noted in their changelog.
Screenshot Of ACF Changelog About Security Patch
October 12, 2024: Automattic Forks ACF
But then, on October 12th, Automattic forked WP Engine’s ACF plugin, renamed it Secure Custom Fields (SCF), and replaced the ACF plugin in the official WordPress plugin repository with the fork, using the same URL formerly used by the ACF plugin. Matt Mullenweg posted an announcement on WordPress.org citing security concerns as the reason for forking ACF, but later in the announcement he also cited WP Engine’s lawsuit seeking relief from his actions.
“On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.
…This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”
Automattic Forks Premium Version Of ACF
Social media was buzzing over the weekend because it was noticed that a new version of ACF was published on WordPress.org using a new URL (/secure-custom-fields/), marked as a beta version. David McCan of WebTNG downloaded the plugin, took a look at the code and confirmed that the new version is a fork of the paid version of ACF. He notes that the WP Engine copyright information was removed, remarking that may be a problem. He also noted that the code that checks for whether the software is paid for and licensed has also been removed.
Viewing the code, he says:
“We go to the version for Secure Custom Fields. You see the file name is still the same, acf.php, but this one, the header information says Secure Custom Fields. It says the author is wordpress.org. There is no copyright notice in here of WP Engine’s code, which is probably a problem.
So by removing the license check and update from WP Engine, this seems like a classic case of an old plugin which is now being hosted in the WordPress plugin directory. So I’m wondering if this is even a legal fork. I’m not an expert in software licensing law, but my understanding is you need to preserve the original copyright notices when you fork a plugin. It’s one of the requirements.”
Developer Response In Facebook Group
Whether making the pro version of the plugin freely available for download is legal is something for the courts to decide. What Automattic may not have considered is the impact on competitors like Meta Box Pro, which offers functionality similar to ACF. Current users of Meta Box Pro may now have an incentive not to renew their license, because they can get similar premium features for free from WordPress.org.
Someone posted this concern in the private Dynamic WordPress group (posted here, group membership required to view), writing that they had purchased a lifetime license ($699) for Meta Box prior to Mullenweg’s dispute with WP Engine. They wrote that they feel like they made a mistake for purchasing a license for Meta Box, noting that they don’t agree with “stealing” ACF and expressed that this will cause Meta Box to lose users. A yearly subscription to Meta Box starts at $149/year.
One of the Facebook group members replied that no, they hadn’t made a bad decision by purchasing a Meta Box license; Matt Mullenweg was the one who made the poor decision. Another group member said he regarded Mullenweg as an unreliable steward of the ACF fork and wouldn’t trust his fork of ACF on any of the websites he develops.
Other developers agreed that SCF is not trustworthy enough for use on a live website, noting that many sites are having issues with Secure Custom Fields. Someone else noted that this may end poorly for Meta Box within a year as SCF becomes more stable. Some members said they’re glad to have Meta Box and to be uninvolved in the WordPress versus WP Engine drama.
Response On WordPress Subreddit
The response from the WordPress community on Reddit was similarly disapproving. Members of the WordPress subreddit expressed disapproval, and nobody was celebrating Mullenweg’s move.
“It’s crazy because they literally are suing someone else for hosting nulled plugins, and that guy had his bank accounts frozen. They are doing the same thing now over at WordPress.”
“Oh wow, so this is actually Matt putting the premium/pro version of ACF with all of it’s features that are normally behind their paywall, up for people to download and use for free on wordpress.org while calling it Secure Custom Forms Pro or whatever, completely out of spite?
This is worse than I thought it was from just seeing the title of this thread, much worse.”
Another post that’s representative of how people feel about WordPress.org distributing a premium plugin for free:
“If he wanted to shoot WordPress in the other foot, this was the perfect move.”
Whether this move will impact ACF’s competitors and the greater premium WordPress ecosystem remains to be seen. One thing is certain: most people on social media appear to disapprove of Matt Mullenweg forking a premium WordPress plugin, and, legal or not, it’s perceived as crossing a line typically associated with software piracy.
Here are seven essential features to look for in an SEO-friendly WordPress host that will help you:
1. Reliable Uptime & Speed for Consistent Performance
A website’s uptime and speed can significantly influence your site’s rankings and the success of your SEO strategies.
Users don’t like sites that suffer from significant downtime or sluggish load speeds. Not only are these sites inconvenient, but they also reflect negatively on the brand and their products and services, making them appear less trustworthy and of lower quality.
For these reasons, Google values websites that load quickly and reliably. So, if your site suffers from significant downtime or sluggish load times, it can negatively affect your site’s position in search results as well as frustrate users.
Reliable hosting with minimal downtime and fast server response times helps ensure that both users and search engines can access your content seamlessly.
Performance-focused infrastructure, optimized for fast server responses, is essential for delivering a smooth and engaging user experience.
When evaluating hosting providers, look for high uptime guarantees through a robust Service Level Agreement (SLA), which assures site availability and speed.
Bluehost Cloud, for instance, offers a 100% SLA for uptime, response time, and resolution time.
Built specifically with WordPress users in mind, Bluehost Cloud leverages an infrastructure optimized to deliver the speed and reliability that WordPress sites require, enhancing both SEO performance and user satisfaction. This guarantee provides you with peace of mind.
Your site will remain accessible and perform optimally around the clock, and you’ll spend less time troubleshooting and dealing with your host’s support team trying to get your site back online.
2. Data Center Locations & CDN Options For Global Reach
Fast load times are crucial not only for providing a better user experience but also for reducing bounce rates and boosting SEO rankings.
Since Google prioritizes websites that load quickly for users everywhere, having data centers in multiple locations and Content Delivery Network (CDN) integration is essential for WordPress sites with a global audience.
To ensure your site loads quickly for all users, no matter where they are, choose a WordPress host with a distributed network of data centers and CDN support. Consider whether it offers CDN options and data center locations that align with your audience’s geographic distribution.
This setup allows your content to reach users swiftly across different regions, enhancing both user satisfaction and search engine performance.
Bluehost Cloud integrates with a CDN to accelerate content delivery across the globe. This means that whether your visitors are in North America, Europe, or Asia, they’ll experience faster load times.
By leveraging global data centers and a CDN, Bluehost Cloud ensures your site’s SEO remains strong, delivering a consistent experience for users around the world.
3. Built-In Security Features To Protect From SEO-Damaging Attacks
Security is essential for your brand, your SEO, and overall site health.
Websites that experience security breaches, malware, or frequent hacking attempts can be penalized by search engines, potentially suffering from ranking drops or even removal from search indexes.
Therefore, it’s critical to select a host that offers strong built-in security features to safeguard your website and its SEO performance.
When evaluating hosting providers, look for options that include additional security features.
Bluehost Cloud, for example, offers comprehensive security features designed to protect WordPress sites, including free SSL certificates to encrypt data, automated daily backups, and regular malware scans.
These features help maintain a secure environment, preventing security issues from impacting your potential customers, your site’s SEO, and ultimately, your bottom line.
With Bluehost Cloud, your site’s visitors, data, and search engine rankings remain secure, providing you with peace of mind and a safe foundation for SEO success.
4. Optimized Database & File Management For Fast Site Performance
A poorly managed database can slow down site performance, which affects load times and visitor experience. Therefore, efficient data handling and optimized file management are essential for fast site performance.
Choose a host with advanced database and file management tools, as well as caching solutions that enhance site speed. Bluehost Cloud supports WordPress sites with advanced database optimization, ensuring quick, efficient data handling even as your site grows.
With features like server-level caching and optimized databases, Bluehost Cloud is built to handle WordPress’ unique requirements, enabling your site to perform smoothly without additional plugins or manual adjustments.
Bluehost Cloud contributes to a better user experience and a stronger SEO foundation by keeping your WordPress site fast and efficient.
5. SEO-Friendly, Scalable Bandwidth For Growing Sites
As your site’s popularity grows, so does its bandwidth requirements. Scalable or unmetered bandwidth is vital to handle traffic spikes without slowing down your site and impacting your SERP performance.
High-growth websites, in particular, benefit from hosting providers that offer flexible bandwidth options, ensuring consistent speed and availability even during peak traffic.
To avoid disaster, select a hosting provider that offers scalable or unmetered bandwidth as part of their package. Bluehost Cloud’s unmetered bandwidth, for instance, is designed to accommodate high-traffic sites without affecting load times or user experience.
This ensures that your site remains responsive and accessible during high-traffic periods, supporting your growth and helping you maintain your SEO rankings.
For websites anticipating growth, unmetered bandwidth with Bluehost Cloud provides a reliable, flexible solution to ensure long-term performance.
6. WordPress-Specific Support & SEO Optimization Tools
WordPress has unique needs when it comes to SEO, making specialized hosting support essential.
Hosts that cater specifically to WordPress provide an added advantage by offering tools and configurations such as staging environments and one-click installations specifically for WordPress.
WordPress-specific hosting providers also have an entire team of knowledgeable support and technical experts who can help you significantly improve your WordPress site’s performance.
Bluehost Cloud is a WordPress-focused hosting solution that offers priority, 24/7 support from WordPress experts, ensuring any issue you encounter is dealt with effectively.
Additionally, Bluehost’s staging environments enable you to test changes and updates before going live, reducing the risk of SEO-impacting errors.
Switching to Bluehost is easy, affordable, and stress-free, too.
Bluehost offers a seamless migration service designed to make switching hosts simple and stress-free. Our dedicated migration support team handles the entire transfer process, ensuring your WordPress site’s content, settings, and configurations are moved safely and accurately.
Currently, Bluehost also covers all migration costs, so you can make the switch with zero out-of-pocket expenses. We’ll credit the remaining cost of your existing contract, making the transition financially advantageous.
You can actually save money, or even gain credit, by switching.
7. Integrated Domain & Site Management For Simplified SEO Administration
SEO often involves managing domain settings, redirects, DNS configurations, and SSL updates, which can become complicated without centralized management.
An integrated hosting provider that allows you to manage your domain and hosting in one place simplifies these SEO tasks and makes it easier to maintain a strong SEO foundation.
When selecting a host, look for providers that integrate domain management with hosting. Bluehost offers a streamlined experience, allowing you to manage both domains and hosting from a single dashboard.
SEO-related site administration becomes more manageable, and you can focus on the things you do best: growth and optimization.
Find An SEO-Friendly WordPress Host
Choosing an SEO-friendly WordPress host can have a significant impact on your website’s search engine performance, user experience, and long-term growth.
By focusing on uptime, global data distribution, robust security, optimized database management, scalable bandwidth, WordPress-specific support, and integrated domain management, you create a solid foundation that supports both SEO and usability.
Ready to make the switch?
As a trusted WordPress partner with over 20 years of experience, Bluehost offers a hosting solution designed to meet the unique demands of WordPress sites big and small.
Our dedicated migration support team handles every detail of your transfer, ensuring your site’s content, settings, and configurations are moved accurately and securely.
Plus, we offer eligible customers a credit toward their remaining contracts, making the transition to Bluehost not only seamless but also cost-effective.
Learn how Bluehost Cloud can elevate your WordPress site. Visit us today to get started.
WP Engine escalated its Federal complaint by citing Automattic’s publication of the WP Engine Tracker website as evidence of intent to harm WP Engine and exposing customers to potential cybercrimes. The updated complaint incorporates recent actions by Mullenweg to further strengthen their case.
A spokesperson for WP Engine issued a statement to Search Engine Journal about the WP Engine Tracker website:
“Automattic’s wrongful and reckless publication of customer’s information without their consent underscores why we have moved for a preliminary injunction. WP Engine has requested the immediate takedown of this information and looks forward to the November 26th hearing on the injunction.”
Legal Complaint Amended With More Evidence
WP Engine (WPE) filed a complaint in Federal court seeking a preliminary injunction to prevent Matt Mullenweg and Automattic from continuing actions that harm WPE’s business and their relationships with their customers. That complaint was amended with further details to support their allegations against Mullenweg and Automattic.
The legal complaint begins by stating in general terms what gives rise to their claim:
“This is a case about abuse of power, extortion, and greed.”
It then grows progressively specific by introducing evidence of how Automattic and Mullenweg continue their “bad acts unabated” for the purpose of harming WP Engine (WPE).
The amended claim adds the following, quoting Mullenweg himself:
“Since then, Defendants have continued to escalate their war, unleashing a campaign to steal WPE’s software, customers and employees. Indeed, just days ago, Defendants were unambiguous about their future plans:”
This is the statement Mullenweg made that is quoted in the amended complaint:
“[S]ince this started [with WPE] they’ve had uh, we estimate tens of thousands of customers leave. . . . So, um you know, I think over the next few weeks, they’re actually gonna lose far more than 8% of their business . . . we’re at war with them. We’re . . . going to go brick by brick and take . . . take every single one of their customers . . . if they weren’t around guess what? . . . We’d happily have those customers, and in fact we’re getting a lot of them.”
WP Engine Tracker Site Used As Evidence
Automattic recently created a website on the WordPressEngineTracker.com domain called WP Engine Tracker that encourages WP Engine customers to leave, offering links to promotions that offer discounts and promise a smooth transition to other web hosts.
WPE states that the WP Engine Tracker website is part of a campaign to encourage WPE customers to abandon it, writing:
“Defendants also created a webpage at wordpress.org offering “Promotions and Coupons” to convince WPE customers to stop doing business with WPE and switch over to Automattic’s competitor hosting companies like wordpress.com and Pressable; they later added links to other competitors as well.”
The WP Engine Tracker website calls attention to the number of sites that have left WP Engine (WPE) since Matt Mullenweg’s September 21st public denunciation of WP Engine and the start of his “nuclear” war against the web host. The amended Federal lawsuit points to the September 21st date listed on that site as additional evidence tying Automattic to a campaign to harm WP Engine’s business.
The legal document explains:
“Just last week, in an apparent effort to brag about how successful they have been in harming WPE, Defendants created a website—www.wordpressenginetracker.com—that “list[s] . . . every domain hosted by @wpengine, which you can see decline every day. 15,080 sites have left already since September 21st.
September 21 was not selected randomly. It is the day after Defendants’ self-proclaimed nuclear war began – an admission that these customer losses were caused by Defendants’ wrongful actions. In this extraordinary attack on WPE and its customers, Defendants included on their disparaging website a downloadable file of ‘all [WPE] sites ready for a new home’—that is, WPE’s customer list, literally inviting others to target and poach WPE’s clients while Defendants’ attacks on WPE continued.”
The purpose of the above allegations is to build as much evidence as possible lending credence to WP Engine’s claim that Automattic is actively trying to harm WP Engine’s business.
WPE Accuses Automattic Of Additional Harms
Another new allegation against Automattic is that the spreadsheet offered for download on the WP Engine Tracker website includes sensitive information that is not publicly available and could cause direct harm to WPE customers.
The amended Federal lawsuit explains:
“Worse, this downloadable file contains private information regarding WPE’s customers’ domain names, including development, test, and pre-production servers—many of which are not intended to be accessed publicly and contain sensitive or private information. Many of these servers are intentionally not indexed or otherwise included in public search results because the servers are not safe, secure or production-ready and not intended to be accessed by the general public.
By disclosing this information to the general public, Defendants put these development, test, and pre-production domains at risk for hacking and unauthorized access.”
WP Engine Tracker Site Part Of A Larger Strategy
WPE’s amended complaint alleges that the WP Engine Tracker site is one part of a larger strategy to harm WP Engine’s business, a strategy that also includes encouraging WPE employees to resign.
The updated document adds the following new allegations as evidence of WPE’s claims:
“Not content with interfering with WPE’s customer relations, Automattic has recently escalated its tactics by actively recruiting hundreds of WPE employees, in an apparent effort to weaken WPE by sowing doubts about the company’s future and enticing WPE’s employees to join Automattic:”
The document includes a screenshot of an email solicitation apparently sent to an employee that encourages them to join Automattic.
Screenshot Of Evidence Presented In Amended Complaint
Escalation Of Federal Complaint
WP Engine’s amended complaint against Mullenweg and Automattic invokes the Sherman Act (prohibiting monopolization to maintain a competitive marketplace), the Lanham Act (governing trademarks, false advertising, and unfair competition), and the Computer Fraud and Abuse Act (addressing unauthorized computer access and cybercrimes). The amendments tie recent actions by Mullenweg and Automattic—such as the creation of the WP Engine Tracker website—directly to their claims, turning Mullenweg’s attacks on WP Engine into evidence.
A critical vulnerability was discovered in a popular WordPress security plugin with over 4 million installations. The flaw allows unauthenticated attackers to log in as any user, including administrators, and gain that user’s full site-level permissions. Rated 9.8 out of 10 in severity, it underscores the ease of exploitation and the potential for full site compromise, including malware injection, unauthorized content changes, and attacks on site visitors.
Really Simple Security
Really Simple Security is a WordPress plugin developed to improve the resistance of WordPress sites against exploits (security hardening), enable two-factor authentication, detect vulnerabilities, and generate an SSL certificate. One reason it promotes itself as lightweight is that it is designed as modular software: users choose which security enhancements to enable so that (in theory) the code for disabled capabilities doesn’t load and slow down the website. That is a popular design trend in WordPress plugins, letting a plugin do many things while running only the tasks a user requires.
The plugin is promoted through affiliate reviews and according to Google AI Overview enjoys highly positive reviews. Over 97% of reviews on the official WordPress repository are rated with five stars, the highest possible rating, with less than 1% rating the plugin as 1 star.
What Went Wrong?
A security flaw in the plugin makes it vulnerable to authentication bypass, a class of flaw that lets an attacker reach areas of a website that require a username and password without providing credentials. The vulnerability specific to Really Simple Security lets an attacker gain access as any registered user of the website, including the administrator, simply by knowing the user name.
This is an unauthenticated access vulnerability, one of the most severe kinds of flaws because it is generally easier to exploit than an “authenticated” flaw, which requires an attacker to first obtain credentials for a registered user. As the advisory below notes, the flaw is reachable only when the plugin’s two-factor authentication setting is enabled, which it is not by default.
Wordfence explains the exact reason for the vulnerability:
“The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the “Two-Factor Authentication” setting is enabled (disabled by default).
Wordfence blocked 310 attacks targeting this vulnerability in the past 24 hours.”
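The cause Wordfence names, a helper that signals failure by returning an error object which the calling REST action never checks, is a bug class that recurs in WordPress plugins. The PHP below is an added example written for this page, not the Really Simple Security plugin’s code: the helper name check_login_and_get_user is taken from the advisory, but its body, the user table, the nonce scheme, the request fields and the WordPress stand-in functions are all assumptions. It shows the vulnerable pattern beside the hardened one and runs under plain php with no WordPress install.

```php
<?php
// Added illustration of the bug class; not the Really Simple Security plugin's code.
// Minimal stand-ins for the WordPress primitives used below so the file runs
// under plain `php`; in a real plugin these come from WordPress core.
class WP_Error {
    public function __construct(public string $code, public string $message) {}
}
function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

$CURRENT_USER = 0;                              // 0 = no user logged in
function wp_set_current_user(int $id): void { global $CURRENT_USER; $CURRENT_USER = $id; }

// Constructed user table (assumption): ID 1 is the site administrator.
$USERS = [1 => ['login' => 'admin', 'role' => 'administrator'],
          2 => ['login' => 'bob',   'role' => 'subscriber']];

// Hypothetical helper named after the function the advisory cites. Its body is an
// assumption: validate a per-user login nonce and return the user row on success,
// or a WP_Error on any failure. A real 2FA flow issues the nonce only after the
// password step succeeds; here it is derived from a constructed server secret.
function check_login_and_get_user(int $user_id, string $nonce, array $users): array|WP_Error {
    if (!isset($users[$user_id])) {
        return new WP_Error('invalid_user', 'Unknown user');
    }
    $expected = hash_hmac('sha256', (string)$user_id, 'constructed-server-secret');
    if (!hash_equals($expected, $nonce)) {
        return new WP_Error('invalid_nonce', 'Login nonce check failed');
    }
    return $users[$user_id];
}

// VULNERABLE pattern: the helper's return value is never tested for WP_Error,
// so the action falls through and creates a session for the requested user ID.
function two_factor_action_vulnerable(array $request, array $users): string {
    global $CURRENT_USER;
    $user = check_login_and_get_user((int)$request['user_id'], $request['login_nonce'] ?? '', $users);
    wp_set_current_user((int)$request['user_id']);   // runs even when $user is a WP_Error
    return 'logged in as user id ' . $CURRENT_USER;
}

// HARDENED pattern: an error return ends the request before any session exists.
function two_factor_action_hardened(array $request, array $users): string {
    global $CURRENT_USER;
    $user = check_login_and_get_user((int)$request['user_id'], $request['login_nonce'] ?? '', $users);
    if (is_wp_error($user)) {
        return 'rejected: ' . $user->message;          // no wp_set_current_user() call
    }
    wp_set_current_user((int)$request['user_id']);
    return 'logged in as ' . $user['login'] . ' (user id ' . $CURRENT_USER . ')';
}

// Constructed attacker request: the target's user ID plus an arbitrary nonce.
$forged = ['user_id' => 1, 'login_nonce' => 'not-a-valid-nonce'];
echo two_factor_action_vulnerable($forged, $USERS), PHP_EOL;
$CURRENT_USER = 0;
echo two_factor_action_hardened($forged, $USERS), PHP_EOL;
```

Run it with `php` on the saved file: the vulnerable action accepts the garbage nonce and reports a session for user ID 1, while the hardened action rejects it. The practitioner’s check when auditing a plugin is to follow every helper that can return WP_Error (or null, or false) into each caller and confirm the caller tests for it before doing anything privileged; a REST route’s permission_callback does not help when the route is intentionally reachable by unauthenticated visitors, as a two-factor login step must be.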
Recommended Course Of Action:
Wordfence encourages users of the plugin to update to Really Simple Security version 9.1.2 (or higher version).
The Really Simple Security plugin’s changelog responsibly announces the reason for the updated software: