Mullenweg Disgusted & Sickened As WP Engine Regains Access via @sejournal, @martinibuster

WP Engine regained control of their Advanced Custom Fields plugin and login access to WordPress.org. Matt Mullenweg responded by expressing that he is “disgusted and sickened.”

Mullenweg tweeted his reaction to how things turned out:

“I’m disgusted and sickened by being legally forced to provide free labor and services to @wpengine, a dangerous precedent that should chill every open source maintainer. While I disagree with the court’s decision, I’ve fully complied with its order. You can see most changes on the site. They have access to ACF slug but haven’t changed it… must not have been the emergency they claimed.”

The response to Matt’s tweet was predictable.

One person reflected Matt’s words back at him:

I’m disgusted and sickened that you released software as GPL, made it intimately dependent on a private website+APIs you personally own and then you’re shocked when you learn you can’t discriminate against users

Another accused Mullenweg of tricking the WordPress community:

“And what about all of the free labor that you, @photomatt , tricked the WordPress community into providing to your personal .org website that the community believed was owned by the Foundation?”

Despite the compliance, Mullenweg pointed out that WP Engine had yet to change the plugin slug, questioning their claim of urgency. The ACF team subsequently reclaimed the plugin slug and tweeted an announcement about it.

On December 13, 2024, WP Engine’s official Advanced Custom Fields account confirmed on X (formerly Twitter) that they had regained access. The WordPress.org plugin directory now displays the original ACF plugin instead of Mullenweg’s forked version, Secure Custom Fields.

The ACF team tweeted:

“We’re pleased to share that our team has had account access restored on WordPress dot org along with control of the ACF plugin repo. This means all ACF users can rest assured that the ACF team you trust is once again maintaining the plugin. There’s no action required if you have installed ACF directly from the ACF website or you are an ACF PRO user.”

Members of the WordPress community congratulated WP Engine.

Some offered congratulations:

“Excellent news. Congratulations!”

Others expressed their happiness that ACF’s access was restored:

Happy for @wpengine. You have done a great job.

👏🏼 YES!!!!
https://x.com/CaroManelR/status/1867934316992610459

Another person tweeted:

NEVER trusting wordpress dot org again.

Origin Of Mullenweg – WP Engine Dispute

Matt Mullenweg claims that WP Engine does not contribute enough to the WordPress ecosystem. He has also raised concerns about WP Engine’s use of the word “WordPress” and has written about his years-long attempt to get WP Engine to pay a “fair share” back into the WordPress open source project. On September 20, 2024, Matt Mullenweg publicly denounced WP Engine at the United States WordCamp conference, after WP Engine declined to agree to his demands for $30 million.

WP Engine sued Automattic and Matt Mullenweg in federal court, obtaining a preliminary injunction that required Automattic and Mullenweg to restore WP Engine’s access to WordPress.org, the plugin repository, logins and to remove a WP Engine customer list from a website Mullenweg created to encourage customers to leave WP Engine.

Mullenweg’s History Of Disputes

There is some history of Mullenweg engaging in disputes related to GPL licensing of code and trademarks. In 2010 Mullenweg rightfully challenged Chris Pearson and his theme company Thesis over software licensing. Chris Pearson himself has acknowledged that he was ignorant at the time about software licensing.

Mullenweg escalated his dispute with Pearson by offering Thesis customers any premium theme of their choice in exchange for abandoning their use of the Thesis theme. These disputes caused Pearson to lose a significant amount of business and gain a negative perception in the WordPress community, which he described in a blog post:

“…I was woefully ignorant about software licensing, and I felt as though I was being backed into a corner and asked to accept something I didn’t fully understand. Instead of handling it in a measured, polite manner, I was a jerk.

I made a mistake, and I paid dearly for it. The WordPress community’s reaction towards me was incredibly negative, but on top of that, Matt did whatever he could to further damage what was left of my business. His most blatant effort in this regard was making a public offer to buy Thesis customers the premium, GPL-licensed Theme of their choice if they quit using Thesis.”

Three years later Mullenweg purchased the Thesis.com domain name which began another dispute with Pearson that Mullenweg also won. His motivation for going after the Thesis.com domain name was never fully acknowledged but the WordPress community largely understood it as “retribution” against Pearson.

The comments in a WP Tavern report about Automattic were largely negative, with one person’s comment representative of the negative sentiment:

“I don’t think anyone is saying what Automattic did was illegal, they’re saying it was unethical.

It’s possible to be a jerk without breaking the law, but that doesn’t make it acceptable behavior.”

In 2016 Matt Mullenweg initiated a dispute with Wix in relation to GPL licensing. Wix’s CEO responded with his own blog post showing how Wix had contributed over 224 open source projects, writing:

“Yes, we did use the WordPress open source library for a minor part of the application (that is the concept of open source right?), and everything we improved there or modified, we submitted back as open source, see here in this link – you should check it out, pretty cool way of using it on mobile native. I really think you guys can use it with your app (and it is open source, so you are welcome to use it for free). And, by the way, the part that we used was in fact developed by another and modified by you.”

Wix eventually removed the disputed code from their mobile app.

Mullenweg Complies To Court Order… With Humor

The court’s ruling emphasizes the importance of adherence to legal agreements within the WordPress ecosystem. WP Engine’s victory may bolster its chances of prevailing in the ongoing federal lawsuit. Automattic’s response to their loss signals their intention to challenge the outcome during a full trial, stating:

“We look forward to prevailing at trial as we continue to protect the open-source ecosystem during full-fact discovery and a full review of the merits.”

Matt Mullenweg continues to provoke WP Engine, only this time using humor. Automattic removed a checkmark from the WordPress.org login page that previously required users to affirm that they are not associated with WP Engine. Today there’s a checkbox asking users to affirm that pineapple on pizza is delicious.

Screenshot of updated WordPress.org login page

Automattic Removes WP Engine Client List From Tracker Site via @sejournal, @martinibuster

Automattic removed a spreadsheet containing the domain names of WP Engine customers from the WP Engine Tracker website. The removal is in response to a preliminary injunction granted to WP Engine, ordering Automattic and Matt Mullenweg to remove the spreadsheet within 72 hours.

The preliminary injunction was warmly received on X (formerly Twitter), with a tweet by Joe Youngblood representative of the general sentiment:

“The ruling was a gigantic win for small businesses and entrepreneurs that rely on open source keeping its promises. That includes allowing webhosts to host and not stealing code repositories.

I am hopeful the full outcome of this looks much the same.”

Someone else tweeted:

“Unbiased parties watching on the sidelines think the court got it right. This was obvious from day one.

Next step for you guys is to try to settle out of court to prevent further embarrassment and reduce potential risk in damages.”

Mullenweg’s Dispute With WP Engine

Matt Mullenweg began an attack against WP Engine on September 20, 2024 after WP Engine declined to pay tens of millions of dollars, what WP Engine’s attorneys called “extortionate monetary demands” in a cease and desist letter sent to Automattic’s Chief Legal Officer on September 23rd.

On November 6th Automattic intensified the pressure on WP Engine by launching a website called WP Engine Tracker that offered a list of WP Engine customers that could be used by other web hosts to solicit the clients with offers to leave WP Engine.

Solicitations of WP Engine customers apparently followed, as related by a Redditor in a discussion about the WP Engine Tracker website:

“I was out of the office for some medical procedures, so I missed the WPE Tracker thing. However, this explains why I’ve received unsolicited hosting calls from certain operations. Clearly, someone is mining it to solicit business. Absolutely aggravating and also completely expected.

All this does is further entrench me on WP Engine. Good work, Matt, you dweeb.”

The WP Engine Tracker website became evidence of the harm Mullenweg was causing to WP Engine and was cited in the request for a preliminary injunction.

The judge sided with WP Engine and granted the preliminary injunction, requiring among many other things that Automattic and Mullenweg take down the list of WP Engine customers.

The court order states:

“Within 72 hours, Defendants are ORDERED to:

…(a) remove the purported list of WPEngine customers contained in the “domains.csv” file linked to Defendants’ wordpressenginetracker.com website (which was launched on or about November 7, 2024) and stored in the associated GitHub repository located at https://github.com/wordpressenginetracker/wordpressenginetracker.github.io.”

The CSV file was subsequently removed, although the link to the now non-existent file remains, with a link showing zero:

Screenshot Of WP Engine Tracker Website

Clicking the link leads to a 404 error response message.

Screenshot Of 404 Error Response For CSV Download

A pull request on GitHub shows that a request was made to remove the CSV file on December 11th.

“Remove CTA to download list of sites #29

wordpressenginetracker commented 9 hours ago
This PR removes the text and download link to download the list of sites that have are still using WPE”

Screenshot Of GitHub Pull Request

Advanced Custom Fields Plugin

Automattic removed WP Engine’s Advanced Custom Fields (ACF) plugin from the official WordPress.org plugin repository and replaced it with Automattic’s cloned version, renamed as Secure Custom Fields (SCF).

The preliminary injunction orders Automattic to also restore access to the Advanced Custom Fields (ACF) plugin repository:

“Within 72 hours, Defendants are ORDERED to:

…(v) returning and restoring WPEngine’s access to and control of its Advanced Custom Fields (“ACF”) plugin directory listing at https://wordpress.org/plugins/advanced-customfields, as it existed as of September 20, 2024.”

The cloned SCF plugin currently still exists at that URL, although Automattic still has time to take it down.

Screenshot Of SCF Plugin In The ACF Directory Listing


Judge Sides With WP Engine Against Automattic & Mullenweg In WordPress Dispute via @sejournal, @martinibuster

A judge ruled in WP Engine’s favor in their request for a preliminary injunction against Automattic and Matt Mullenweg. The court agreed that WP Engine will suffer irreparable harm if the injunction is not granted and gave the defendants (Automattic and Mullenweg) 72 hours to return things to the way they were as of September 20th, 2024.

The judge ruled against Mullenweg and Automattic on every argument, granting WP Engine a preliminary injunction. The ruling requires the defendants to restore WP Engine’s access to WordPress.org, return control of the WordPress.org directory listing for the Advanced Custom Fields (ACF) plugin to WP Engine, and remove a list of WP Engine customers from the domains.csv file linked on the wordpressenginetracker.com website.

There were six parts labeled A – F that outline the judge’s analysis of the case:

A. Success on the Merits

B. Irreparable Harm

C. Balance of Equities

D. Public Interest

E. Bond

F. Scope of Injunction

A. Success on the Merits

On WP Engine’s “claim for tortious interference with contractual relations” the judge ruled:

“Defendants’ arguments in opposition do not compel a different conclusion.

Defendants’ argument that the interference WPEngine alleges consists of acts they had a right to take fares no better.”

B. Irreparable Harm

Mullenweg and Automattic completely failed at defending against WP Engine’s claims of irreparable harm if the injunction isn’t granted. The judge wrote:

“Defendants counter with four arguments. None is persuasive”

C. Balance of Equities

In this part of the ruling the judge had to weigh the impact of the injunction on both parties. The judge found that WP Engine had good reason for obtaining an injunction to prevent further harm and that there would be no impact on Automattic or Mullenweg.

The judge wrote:

“The conduct described at length above – including the termination of WPEngine’s access to WordPress, the interference with the ACF plugin, and the additional burdens imposed on WPEngine’s customers, such as the sign-in pledge – demonstrates that WPEngine has a significant interest in obtaining preliminary injunctive relief.

Defendants’ arguments in opposition do not establish that they will suffer any damage that overrides WPEngine’s interest in obtaining relief. …Requiring Defendants to restore access on those terms while this action proceeds imposes a minimal burden.”

D. Public Interest

This part of the ruling addresses how granting the injunction impacts parties beyond the plaintiff and defendants. The judge concluded that denying the preliminary injunction would cause significant harm.

The court explained:

“Here, the public consequences of withholding injunctive relief are significant. Mullenweg himself acknowledges that ‘[t]oday, more than 40% of all websites run on WordPress.’

…Over two million websites run the ACF plugin Mullenweg allegedly tampered with, and those users rely on the stability of the plugin, and WordPress more broadly, to operate their websites, run their businesses, and go about their day online.

Moreover, the availability of WordPress as open-source software has created a sector for companies to operate at a profit. This includes Mullenweg’s own companies like Automattic and Pressable, and as Mullenweg himself acknowledged in 2017, it also includes WPEngine, which at the time, Mullenweg described as ‘the largest dedicated managed WP host…’

Those who have relied on the WordPress’s stability, and the continuity of support from for-fee service providers who have built businesses around WordPress, should not have to suffer the uncertainty, losses, and increased costs of doing business attendant to the parties’ current dispute.

Defendants’ arguments in opposition do not persuade otherwise.

…Accordingly, the final Winter element – the public interest – weighs in favor of granting preliminary injunctive relief.”

E. Bond

Automattic and Mullenweg argued that WP Engine should be required to file a bond of $1.6 million to ensure that they are compensated for potential costs and damages if it’s later found that the preliminary injunction was granted without sufficient basis.

The judge agreed with WP Engine’s argument that reverting to the status quo, to how things were on September 20th, would have no effect.

They wrote:

“WPEngine’s arguments are persuasive. …the Court finds that any harm to Defendants resulting from the issuance of preliminary injunctive relief is unlikely, as it merely requires them to revert to business as usual as of September 20, 2024. Accordingly, the Court declines to require WPEngine to post a bond.”

F. Scope Of Injunction

The court has ordered the defendants, their coworkers, and anyone helping them to stop doing the following things:

  • Preventing WP Engine, its employees, users, customers, or partners from accessing WordPress.org.
  • Disrupting WP Engine’s control over or access to plugins or extensions hosted on WordPress.org.
  • Modifying WP Engine plugins on WordPress installations (websites built with WordPress software) through unauthorized auto-migrate or auto-update commands.

The court ordered that the defendants take actions within 72 hours to address WP Engine’s claims and restore things to the way they were on September 20, 2024:

  • Delete the list of WP Engine customers from the WP Engine Tracker website and the GitHub repository.
  • Restore WP Engine employee login credentials to WordPress.org and login.wordpress.org.
  • Disable any “technological blocking,” like IP blocking, that was set up around September 25, 2024.
  • Remove the checkbox added on October 8, 2024, at login.wordpress.org, which required users to confirm they were ‘not affiliated with WP Engine in any way, financially or otherwise.’
  • Restore WP Engine’s control over its Advanced Custom Fields (ACF) plugin directory listing to the way it was on September 20, 2024.

The injunction goes into effect immediately and will remain until the court issues a final judgment after the trial.

A Win For WP Engine And The WordPress Community

Many people agree with the principle that those who profit from WordPress should give back to it. However, the overwhelming sentiment on social media has not been supportive of Mullenweg’s actions against WP Engine. Today a judge agreed with WP Engine and issued a preliminary injunction in their favor.


Automattic Acquisition Will Bring AI Into WordPress via @sejournal, @martinibuster

Automattic announced the acquisition of WPAI, a company that creates AI-powered functionalities that make WordPress easier and more efficient to use. The core technologies of the current apps will be integrated into new offerings by Automattic.

WPAI

WPAI released its first product, CodeWP, in 2022. CodeWP was an AI integrated development environment (IDE) for developers, enabling them to quickly generate code that’s optimized for performance and WordPress standards.

The second app produced by WPAI is AgentWP, released in August 2024. AgentWP was an autonomous AI agent that could proactively take action such as making design changes. It indexes a website and is able to improve WordPress website workflow from content to code generation.

The technology of both apps will be integrated into WordPress.

According to the announcement by WPAI:

“We are excited to combine forces with Automattic to push the boundaries of how we can apply artificial intelligence to be more impactful on the CMS that powers the majority of the internet,’ says James LePage. ‘By integrating our technology and research with current and future Automattic products, we’ll be able to accelerate towards our goal of making WordPress, the Operating System of the Web, more accessible to everybody.”

Automattic explains:

“WPAI is an AI startup, focused on building AI solutions for WordPress. The brilliant founding team behind it—James LePage, Greg Hunt, and Ovidiu “Ovi” Iulian Galatan—will be joining Automattic to lead the exploration of applied AI as an interaction paradigm for WordPress. They’ll be working on testing, building, and integrating innovative AI solutions into the core ecosystem to redefine how users and developers work with WordPress.”

Read the announcement on Automattic:

Automattic Welcomes WPAI

Read the announcement on WPAI:

WPAI Has Been Acquired by Automattic

Check out WPAI’s free WP Chat tool that answers WordPress related questions (while it’s still available):

https://wp.chat

WPForms Plugin Vulnerability Affects Up To 6 Million Sites via @sejournal, @martinibuster

The WPForms plugin for WordPress exposes websites to a vulnerability that allows attackers to update subscriptions and issue refunds. This flaw enables attackers to modify data they normally should not have access to.

Missing Capability Check

The vulnerability is due to a missing capability check in a function within the plugin called wpforms_is_admin_page, which means that the plugin doesn’t check for appropriate permissions of the user attempting to make a change with this function. That means that the plugin allows data to be modified by attackers lacking sufficient privileges.

Attackers need at least subscriber-level permissions in order to launch an attack. Normally, an attack that requires authentication doesn’t receive a severity rating this high. The likely reason is that sites whose users pay for a subscription tend to have subscriber-level accounts, which may be why the severity of this authenticated attack is rated higher than usual.

The Wordfence announcement explains it like this:

“The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”

It’s recommended that users of WPForms versions 1.8.4 up to and including 1.9.2.1 update their plugin.
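The class of bug described above, as an added example that is not WPForms code and does not come from the Wordfence advisory: a hypothetical plugin gates a refund action on an "is this an admin page" helper, shown beside a hardened handler that checks a nonce and a capability. Every `acme_*` name, the `acme_payment` post type and the choice of `manage_options` as the required capability are assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: Acme Payments Demo (hypothetical)
 *
 * Added illustration only. Every acme_* name is invented; this is not
 * WPForms code. It contrasts a page-context test with an authorization test.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Page-context helper: answers "is this request for one of our admin screens?"
 * It says nothing about who is asking. is_admin() is true for any request
 * routed through wp-admin, including admin-ajax.php calls made by a
 * logged-in Subscriber.
 */
function acme_is_admin_page(): bool {
	if ( ! is_admin() ) {
		return false;
	}
	$page = isset( $_REQUEST['page'] ) ? sanitize_key( wp_unslash( $_REQUEST['page'] ) ) : '';
	return 0 === strpos( $page, 'acme-' );
}

/**
 * Stand-in for the state-changing operation (constructed for the example).
 */
function acme_mark_refunded( int $payment_id ): bool {
	return (bool) update_post_meta( $payment_id, '_acme_status', 'refunded' );
}

/**
 * BEFORE: the vulnerable pattern. The only gate is the page-context helper,
 * so the handler would run for every authenticated role. Shown for contrast
 * and deliberately never registered with add_action().
 */
function acme_ajax_refund_vulnerable(): void {
	if ( ! acme_is_admin_page() ) {
		wp_send_json_error( 'Not an admin page.', 400 );
	}
	$payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
	acme_mark_refunded( $payment_id );
	wp_send_json_success();
}

/**
 * AFTER: the hardened pattern. Intent (nonce) and authorization (capability)
 * are both verified before any data is touched.
 */
function acme_ajax_refund_hardened(): void {
	// 1. Request must carry a valid nonce for this action; dies on failure.
	check_ajax_referer( 'acme_refund', 'nonce' );

	// 2. The capability check that the vulnerable version lacks.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'Forbidden.', 403 );
	}

	// 3. Validate the target object before changing its state.
	$payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
	if ( 0 === $payment_id || 'acme_payment' !== get_post_type( $payment_id ) ) {
		wp_send_json_error( 'Unknown payment.', 404 );
	}

	acme_mark_refunded( $payment_id );
	wp_send_json_success( array( 'payment_id' => $payment_id ) );
}

// wp_ajax_{action} fires for every logged-in user, whatever their role,
// which is why the handler has to do its own authorization.
add_action( 'wp_ajax_acme_refund', 'acme_ajax_refund_hardened' );
```

When reviewing a plugin, the same contrast is a useful audit check: any `wp_ajax_` handler that changes state and is gated only by `is_admin()` or a page-detection helper, with no `current_user_can()` call, deserves a closer look.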

Read the Wordfence security alert:

WPForms 1.8.4 – 1.9.2.1 – Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation


Accessibility Champ: Wix, WordPress, Squarespace, Duda, Or…? via @sejournal, @martinibuster

The HTTP Archive published its report on the state of accessibility on the web, based on scores generated with the Lighthouse Accessibility Audit, a feature of Google’s Lighthouse website auditing tool that also measures website performance, best practices, and SEO. The report compared traditional content management systems with website building platforms, with WordPress scoring surprisingly well.

Lighthouse is a feature available through Chrome DevTools built into every Chrome-based browser and as one of the audits on the standalone PageSpeed Insights tool.

HTTP Archive

The research was conducted by the HTTP Archive, a community driven open source project that tracks data about how sites are built and perform. They offer a configurable report of how different content management platforms perform that is updated monthly.

The accessibility report was done using data collected by the WebAim Million study, which is based on the top one million website home pages. WebAim Million uses data from the Tranco list, which itself is based on six different sources to come up with the list of million sites, a list that is designed to be resistant to manipulation.

The Tranco List site explains:

“Researchers in web security or Internet measurements often use rankings of popular websites. However, in our paper we showed that these rankings disagree on which domains are most popular, can change significantly on a daily basis and can be manipulated (by malicious actors).

As the research community still benefits from regularly updated lists of popular domains, we provide Tranco, a ranking that improves upon the shortcomings of current lists. We also emphasize the reproducibility of these rankings and the studies using them by providing permanent citable references.

We currently use the lists from five providers: Cisco Umbrella (available free of charge), and Majestic (available under a CC BY 3.0 license), Farsight (only for the default list), the Chrome User Experience Report (CrUX) (available under a CC BY-SA 4.0 license), and Cloudflare Radar (available under a CC BY-NC 4.0 license). Tranco is not affiliated with any of these providers.”

Top CMS Accessibility Performance

HTTP Archive performed its research to identify the best performing platforms and shortcomings of each.

Accessibility: Traditional CMS

Adobe Experience Manager and Contentful were the top traditional content management systems when it came to accessibility, tied with a score of 87%, followed by Sitecore and WordPress in second place. An interesting fact about the four top-ranked CMSs is that three of them, all except WordPress, were closed source: Adobe Experience Manager (AEM), Contentful and Sitecore.

Accessibility Scores By CMS:

  • Adobe Experience Manager 87%
  • Contentful 87%
  • Sitecore 85%
  • WordPress 85%
  • Craft CMS 84%
  • Contao 84%
  • Drupal 84%
  • Liferay 83%
  • TYPO3 CMS 83%
  • DNN 82%

What’s going on with the CMS scores? HTTP Archive explains:

“When most folks think about CMS, they think about the ones that you can download and install yourself. This is predominantly made up of open source tools, but not exclusively. Adobe Experience Manager (AEM), Contentful and Sitecore were the most accessible three in this list of top 10. A possible explanation for this is that closed-source software like AEM is more likely to be used by larger corporations, which have more resources to address accessibility issues. Additionally, open-source software gives website owners a lot of freedom, which in some cases can lead to worse accessibility.”

Accessibility: Website Platforms

This comparison is by website building platform, comparing platforms like Wix, Duda, and Squarespace. The accessibility scores for the platforms were higher than the scores for traditional CMSs, reflecting how private platforms are better able to control variables as opposed to an open source CMS that offers users a more open ended experience.

Accessibility Scores By Website Platform

  • Wix 94%
  • Squarespace 92%
  • Google Sites 90%
  • Duda 87%
  • Hubspot CMS Hub 87%
  • Pixnet 87%
  • Weebly 86%
  • GoDaddy Website Builder 85%
  • Webnode 84%
  • Tilda 83%

Wix Beats Out All CMS & Platforms

What’s notable about these scores is that sites built with Wix score higher for accessibility than all other sites built on any other CMS or website building platform. Ninety four percent of sites built with Wix have a That’s a reflection of Wix’s well-known effort to create a product that is strong in performance, SEO and accessibility.

Here is the list arranged in descending order by percentage:

1. Wix – 94%
2. Squarespace – 92%
3. Google Sites – 90%
4. Adobe Experience Manager – 87%
5. Contentful – 87%
6. Duda – 87%
7. Hubspot CMS Hub – 87%
8. Pixnet – 87%
9. Weebly – 86%
10. Sitecore – 85%
11. WordPress – 85%
12. GoDaddy Website Builder – 85%
13. Craft CMS – 84%
14. Contao – 84%
15. Drupal – 84%
16. Webnode – 84%
17. Liferay – 83%
18. TYPO3 CMS – 83%
19. Tilda – 83%
20. DNN – 82%

Website Accessibility

SEOs are understandably motivated by best practices for ranking better. For example, many didn’t prioritize site performance until it became a ranking factor, even though website performance improves sales and advertising performance and may have indirect impact on rankings.

Accessibility also has indirect advantages for improved search performance. For example, about 0.5% of the female population and 8% of males are color blind. Why would anyone who cares about their rankings alienate, frustrate and exclude approximately 4.5% of website visitors?

Wix and Squarespace are prioritizing accessibility. Everyone else should as well, because it’s both ethical and a sound business practice.

Read the HTTP Archive report here.


Maximize SEO Efforts: How To Fix Website Issues That Drain Time, Money & Performance

This post was sponsored by Bluehost. The opinions expressed in this article are the sponsor’s own.

Your website’s hosting is more than a technical decision.

It’s a cornerstone of your business’s online success that impacts everything from site speed and uptime to customer trust and overall branding.

Yet, many businesses stick with subpar hosting providers, often unaware of how much it’s costing them in time, money, and lost opportunities.

The reality is that bad hosting doesn’t just frustrate you. It frustrates your customers, hurts conversions, and can even damage your brand reputation.

The good news?

Choosing the right host can turn hosting into an investment that works for you, not against you.

Let’s explore how hosting affects your bottom line, identify common problems, and discuss what features you should look for to maximize your return on investment.

1. Start By Auditing Your Website’s Hosting Provider

The wrong hosting provider can quickly eat away at your time & efficiency.

In fact, time is the biggest cost of an insufficient hosting provider.

To start out, ask yourself:

  • Is Your Bounce Rate High?
  • Are Customers Not Converting?
  • Is Revenue Down?

If you answered yes to any of those questions, and no amount of on-page optimization seems to make a difference, it may be time to audit your website host.

Why Audit Your Web Host?

Frequent downtime, poor support, and slow server response times can disrupt workflows and create frustration for both your team and your visitors.

From an SEO & marketing perspective, a sluggish website often leads to:

  • Increased bounce rates.
  • Missed customer opportunities.
  • Wasted time troubleshooting technical issues.

Could you find workarounds for some of these problems? Sure. But they take time and money, too.

The more dashboards and tools you use, the more time you spend managing it all, and the more opportunities you’ll miss out on.

For example, hosts offering integrated domain and hosting management make overseeing your website easier and reduce administrative hassles.

Bluehost’s integrated domain services simplify website management by bringing all your hosting and domain tools into one intuitive platform.

2. Check If Your Hosting Provider Is Causing Slow Site Load Speeds

Your website is often the first interaction a customer has with your brand.

A fast, reliable website reflects professionalism and trustworthiness.

Customers associate smooth experiences with strong brands, while frequent glitches or outages send a message that you’re not dependable.

Your hosting provider should enhance your brand’s reputation, not detract from it.

How To Identify & Measure Slow Page Load Speeds

Identifying and measuring slow site and page loading speeds starts with using tools designed to analyze performance, such as Google PageSpeed Insights, GTmetrix, or Lighthouse.

These tools provide metrics like First Contentful Paint (FCP) and Largest Contentful Paint (LCP), which help you see how quickly key elements of your page load.

Pay attention to your site’s Time to First Byte (TTFB), a critical indicator of how fast your server responds to requests.

Regularly test your site’s performance across different devices, browsers, and internet connections to identify bottlenecks. High bounce rates or short average session durations in analytics reports can also hint at speed issues.

Bandwidth limitations can create bottlenecks for growing websites, especially during traffic spikes.

How To Find A Fast Hosting Provider

Opt for hosting providers that offer unmetered or scalable bandwidth to ensure seamless performance even during periods of high demand.

Cloud hosting is designed to deliver exceptional site and page load speeds, ensuring a seamless experience for your visitors and boosting your site’s SEO.

With advanced caching technology and optimized server configurations, Bluehost Cloud accelerates content delivery to provide fast, reliable performance even during high-traffic periods.

Its scalable infrastructure ensures your website maintains consistent speeds as your business grows, while a global Content Delivery Network (CDN) helps reduce latency for users around the world.

With Bluehost Cloud, you can trust that your site will load quickly and keep your audience engaged.

3. Check If Your Site Has Frequent Or Prolonged Downtime

Measuring and identifying downtime starts with having the right tools and a clear understanding of your site’s performance.

Tools like uptime monitoring services can track when your site is accessible and alert you to outages in real time.

You should also look at patterns.

Frequent interruptions or prolonged periods of unavailability are red flags. Check your server logs for error codes and timestamps that indicate when the site was down.

Tracking how quickly your hosting provider responds and resolves issues is also helpful, as slow resolutions can compound the problem.

Remember, even a few minutes of downtime during peak traffic hours can lead to lost revenue and customer trust, so understanding and monitoring downtime is critical for keeping your site reliable.

No matter how feature-packed your hosting provider is, unreliable uptime or poor support can undermine its value. These two factors are critical for ensuring a high-performing, efficient website.

What Your Hosting Server Should Have For Guaranteed Uptime

A Service Level Agreement (SLA) guarantees uptime, response time, and resolution time, ensuring that your site remains online and functional. Look for hosting providers that back their promises with a 100% uptime SLA.

Bluehost Cloud offers a 100% uptime SLA and 24/7 priority support, giving you peace of mind that your website will remain operational and any issues will be addressed promptly.

Our team of WordPress experts ensures quick resolutions to technical challenges, reducing downtime and optimizing your hosting ROI.

4. Check Your Host For Security Efficacy

Strong security measures protect your customers and show them you value their privacy and trust.

A single security breach can ruin your brand’s image, especially if customer data is compromised.

Hosts that lack built-in security features like SSL certificates, malware scanning, and regular backups leave your site vulnerable.

How Hosting Impacts Security

Security breaches don’t just affect your website. They affect your customers.

Whether it’s stolen data, phishing attacks, or malware, these breaches can erode trust and cause long-term damage to your business.

Recovering from a security breach is expensive and time-consuming. It often involves hiring specialists, paying fines, and repairing the damage to your reputation.

Is Your Hosting Provider Lacking Proactive Security Measures?

Assessing and measuring security vulnerabilities or a lack of proactive protection measures begins with a thorough evaluation of your hosting provider’s features and practices.

  1. Review Included Security Tools

Start by reviewing whether your provider includes essential security tools such as SSL certificates, malware scanning, firewalls, and automated backups in their standard offerings.

If these are missing or come as costly add-ons, your site may already be at risk.

  2. Leverage Brute Force Tools To Check For Vulnerabilities

Next, use website vulnerability scanning tools like Sucuri, Qualys SSL Labs, or SiteLock to identify potential weaknesses, such as outdated software, unpatched plugins, or misconfigured settings.

These tools can flag issues like weak encryption, exposed directories, or malware infections.

Monitor your site for unusual activity, such as unexpected traffic spikes or changes to critical files, which could signal a breach.

  3. Make Sure The Host Also Routinely Scans For & Eliminates Threats

It’s also crucial to evaluate how your hosting provider handles updates and threat prevention.

  • Do they offer automatic updates to patch vulnerabilities?
  • Do they monitor for emerging threats and take steps to block them proactively?

A good hosting provider takes a proactive approach to security, offering built-in protections that reduce your risks.

Look for hosting providers that include automatic SSL encryption, regular malware scans, and daily backups. These features not only protect your site but also give you peace of mind.

Bluehost offers robust security tools as part of its standard WordPress hosting package, ensuring your site stays protected without extra costs. With built-in SSL certificates and daily backups, Bluehost Cloud keeps your site secure and your customers’ trust intact.

5. Audit Your WordPress Hosting Provider’s Customer Support

Is your host delivering limited or inconsistent customer support?

Limited or inconsistent customer support can turn minor issues into major roadblocks. When hosting providers fail to offer timely, knowledgeable assistance, you’re left scrambling to resolve problems that could have been easily fixed.

Delayed responses or unhelpful support can lead to prolonged downtime, slower page speeds, and unresolved security concerns, all of which impact your business and reputation.

Reliable hosting providers should offer 24/7 priority support through multiple channels, such as chat and phone, so you can get expert help whenever you need it.

Consistent, high-quality support is essential for keeping your website running smoothly and minimizing disruptions.

Bluehost takes customer service to the next level with 24/7 priority support available via phone, chat, and email. Our team of knowledgeable experts specializes in WordPress, providing quick and effective solutions to keep your site running smoothly.

Whether you’re troubleshooting an issue, setting up your site, or optimizing performance, Bluehost’s dedicated support ensures you’re never left navigating challenges alone.

Bonus: Check Your Host For Hidden Costs For Essential Hosting Features

Hidden costs for essential hosting features can quickly erode the value of a seemingly affordable hosting plan. These features include:

  • Backups.
  • SSL certificates.
  • Additional bandwidth.

What Does This Look Like?

For example, daily backups, which are vital for recovery after data loss or cyberattacks, may come with an unexpected monthly fee.

Similarly, SSL certificates, which are essential for encrypting data and maintaining trust with visitors, are often sold as expensive add-ons.

If your site experiences traffic spikes, additional bandwidth charges can catch you off guard, adding to your monthly costs.

Many providers, as you likely have seen, lure customers in with low entry prices, only to charge extra for services that are critical to your website’s functionality and security.

These hidden expenses not only strain your budget but also create unnecessary complexity in managing your site.

A reliable hosting provider includes these features as part of their standard offering, ensuring you have the tools you need without the surprise bills.

Which Hosting Provider Does Not Charge For Essential Features?

Bluehost is a great option, as their pricing is upfront.

Bluehost includes crucial tools like daily automated backups, SSL certificates, and unmetered bandwidth in their standard plans.

This means you won’t face surprise fees for the basic functionalities your website needs to operate securely and effectively.

Whether you’re safeguarding your site from potential data loss, ensuring encrypted, trustworthy connections for your visitors, or relying on unmetered bandwidth to handle traffic surges without penalty, you’ll gain the flexibility to scale without worrying about extra charges.

We even give WordPress users the option to bundle premium plugins together to help you save even more.

By including these features upfront, Bluehost simplifies your WordPress hosting experience and helps you maintain a predictable budget, freeing you to focus on growing your business instead of worrying about unexpected hosting costs.

Transitioning To A Better Hosting Solution: What To Consider

Switching hosting providers might seem daunting, but the right provider can make the process simple and cost-effective. Here are key considerations for transitioning to a better hosting solution:

Migration Challenges

Migrating your site to a new host can involve technical hurdles, including transferring content, preserving configurations, and minimizing downtime. A hosting provider with dedicated migration support can make this process seamless.

Cost of Switching Providers

Many businesses hesitate to switch hosts due to the cost of ending a contract early. To offset these expenses, search for hosting providers that offer migration incentives, such as contract buyouts or credit for remaining fees.

Why Bluehost Cloud Stands Out

Bluehost Cloud provides comprehensive migration support, handling every detail of the transfer to ensure a smooth transition.

Plus, our migration promotion includes $0 switching costs and credit for remaining contracts, making the move to Bluehost not only hassle-free but also financially advantageous.

Your hosting provider plays a pivotal role in the success of your WordPress site. By addressing performance issues, integrating essential features, and offering reliable support, you can maximize your hosting ROI and create a foundation for long-term success.

If your current hosting provider is falling short, it’s time to evaluate your options. Bluehost Cloud delivers performance-focused features, 100% uptime, premium support, and cost-effective migration services, ensuring your WordPress site runs smoothly and efficiently.

In addition, Bluehost has been a trusted partner of WordPress since 2005, working closely to create a hosting platform tailored to the unique needs of WordPress websites.

Beyond hosting, Bluehost empowers users through education, offering webinars, masterclasses, and resources like the WordPress Academy to help you maximize your WordPress experience and build successful websites.

Take control of your website’s performance and ROI. Visit the Bluehost Migration Page to learn how Bluehost Cloud can elevate your hosting experience.

This article has been sponsored by Bluehost, and the views presented herein represent the sponsor’s perspective.



Automattic Quietly Intensifies WP Engine Tracker Site via @sejournal, @martinibuster

Automattic quietly updated the WP Engine Tracker website with an activity log showing a continuously updated list of domains that have switched away from the managed WordPress host WP Engine. This update is part of Mullenweg’s self-described “nuclear war” against WP Engine, with the Tracker site actively promoting competitors by offering links to their hosting promotions.

WP Engine Tracker

Automattic created a website for the purpose of tracking how many sites have abandoned WP Engine since September 21st, 2024, the date that Matt Mullenweg went “nuclear” on WP Engine after they rebuffed his request for $32 million. The website promotes deals with other web hosts for moving away from WP Engine and offers a CSV spreadsheet with the domain names of the sites that have left WP Engine.

At some point after launch, the website was updated with a list of the top web hosts that WP Engine customers have migrated to and a constantly updated list of sites that have recently moved.

WP Engine Tracker “Activity Log Today”

Automattic escalated what the WP Engine Tracker website does by adding a feature that shows a continually updated running list of domains that have migrated away from WP Engine, along with the destination host for each.

Screenshot Of Activity Log Today Feature

WP Engine Lawsuit

The WP Engine Tracker website, created by Automattic and Matt Mullenweg to publicly monitor and offer links to promotions to other web hosts, was cited in a preliminary injunction filed by WP Engine as evidence of Mullenweg’s purposeful “attack on WPE” as part of his “nuclear war” against the managed WordPress host.

The preliminary injunction filed by WP Engine explains:

“Just last week, in an apparent effort to brag about how successful they have been in harming WPE, Defendants created a website—www.wordpressenginetracker.com—that “list[s] . . . every domain hosted by @wpengine, which you can see decline every day. 15,080 sites have left already since September 21st.

September 21 was not selected randomly. It is the day after Defendants’ self-proclaimed nuclear war began – an admission that these customer losses were caused by Defendants’ wrongful actions. In this extraordinary attack on WPE and its customers, Defendants included on their disparaging website a downloadable file of ‘all [WPE] sites ready for a new home’—that is, WPE’s customer list, literally inviting others to target and poach WPE’s clients while Defendants’ attacks on WPE continued.”

But available transcripts of the preliminary injunction hearing of November 26th do not show that it was mentioned. The judge at that hearing asked the plaintiff and defendants to return to court on Monday December 2nd with an agreement on a narrow and specific scope for a preliminary injunction, having said that the original request was too vague and consequently unenforceable.


WordPress Anti-Spam Plugin Vulnerability Hits 200k+ Sites via @sejournal, @martinibuster

A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites. Security researchers rated the vulnerability 9.8 out of 10, reflecting its high severity.

Screenshot Of CleanTalk Vulnerability Severity Rating

CleanTalk Anti-Spam WordPress Plugin Vulnerability

A highly rated anti-spam firewall with over 200,000 installations was found to have an authentication bypass vulnerability that enables attackers to gain full access to websites without providing a username or password. The flaw lets attackers upload and install any plugin, including malware, granting them full control of the site.

Security researchers at Wordfence traced the flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin to reverse DNS spoofing. Reverse DNS is the lookup that turns an IP address into a domain name. Reverse DNS spoofing is where an attacker manipulates that lookup so that a request appears to come from a different IP address or domain name. In this case, attackers can trick the Anti-Spam plugin into treating a malicious request as if it came from the website itself, and because the plugin has no check for that, the attackers gain unauthorized access.

This vulnerability is categorized as: Missing Authorization. The Common Weakness Enumeration (CWE) website defines that as:

“The product does not perform an authorization check when an actor attempts to access a resource or perform an action.”

Wordfence explains it like this:

“The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.”
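To illustrate the class of flaw described above, the following added example (not CleanTalk's code, which this page does not show) contrasts authorizing a request on its reverse DNS name alone with a forward-confirmed lookup plus a mandatory token check. The hostnames, addresses, secret and function names are constructed for the example, and DNS is stubbed with in-memory tables so it runs offline.

```python
import hmac
import ipaddress

# Constructed DNS data so the example runs offline. A PTR record is published
# by whoever controls the reverse zone for an address, so the name returned for
# 203.0.113.66 is chosen by that network's operator, not by example.com.
PTR_RECORDS = {
    "198.51.100.10": "api.example.com.",  # genuine service host
    "203.0.113.66": "api.example.com.",   # unrelated host publishing the same name
}
A_RECORDS = {"api.example.com": ["198.51.100.10"]}

TRUSTED_SUFFIX = ".example.com"          # hypothetical trusted domain
SHARED_SECRET = "constructed-api-key"    # hypothetical per-site secret


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower() if name else ""


def reverse_lookup(ip):
    """Stub PTR lookup against the constructed table."""
    return normalize(PTR_RECORDS.get(ip))


def forward_lookup(name):
    """Stub A-record lookup against the constructed table."""
    return A_RECORDS.get(normalize(name), [])


def weak_is_trusted(ip):
    """Weak pattern: the PTR name alone decides whether the caller is trusted."""
    return reverse_lookup(ip).endswith(TRUSTED_SUFFIX)


def forward_confirmed(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    name = reverse_lookup(ip)
    if not name.endswith(TRUSTED_SUFFIX):
        return False
    return any(ipaddress.ip_address(a) == addr for a in forward_lookup(name))


def hardened_is_authorized(ip, presented_token):
    """Origin is only a pre-filter; a valid secret is always required."""
    if not forward_confirmed(ip) or not presented_token:
        return False
    return hmac.compare_digest(presented_token.encode(), SHARED_SECRET.encode())


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "weak:", weak_is_trusted(ip), "confirmed:", forward_confirmed(ip))
```

Forward confirmation only narrows the origin check; the token comparison is what makes the result an authorization decision.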

Recommendation

Wordfence recommends that users of the affected plugin update to version 6.44 or higher.

Read the Wordfence advisory:

Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 – Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation


WP Engine Vs Automattic: Judge Inclined To Grant Preliminary Injunction via @sejournal, @martinibuster

WP Engine had their day in court, but it didn’t go entirely in their favor, as Judge Araceli Martínez-Olguín ruled the request for a preliminary injunction was too vague. However, the judge said they were “inclined to grant some sort of injunction.”

“That’s How You Set A Ransom”

The attorney for the plaintiff offered new details about what happened behind the scenes on the day that Matt Mullenweg went “nuclear” on WP Engine at WordCamp USA. She first explained that Mullenweg’s demand for a trademark license was a sham. She then showed how Mullenweg failed to enforce his trademark claim for fifteen years.

Among the new details was that Mullenweg’s demand for $32 million dollars was communicated in a one-page letter and that the agreement was for a seven year period that automatically renews “essentially forever.” She then revealed new details of how Mullenweg decided on the $32 million dollars, explaining that it was just “a number” that Mullenweg felt WP Engine was able to pay.

The point of this part of the plaintiff’s argument was to show that the royalty rate Mullenweg was asking for was not based on any value of the mark but was instead a figure that Mullenweg felt he was able to squeeze out of WP Engine, saying that the rate was “set in an extortionate manner.”

WP Engine’s attorney offered this narrative of events:

“We know that defendants had no right to offer that, quote unquote, service because it is a pretext. It is a sham. …You look at the record. We see that for 15 years, WP Engine was making nominative fair use of the WordPress mark as the entire community did for 15 years without so much as a shoulder tap. ‘Excuse me.’ ‘Here’s an email.’ ‘Here’s a text.’ ‘Here’s a cease and desist letter.’  Nothing.

Nothing whatsoever, until the morning of September 20th when we receive this one page bizarre trademark license agreement. That’s not how trademark owners operate. That is not how you protect and enforce your mark. You don’t wait 15 years and then drop a demand for thirty two million dollars on the recipient.

We also know from the price set, …this one page license listed a price of eight percent of WP Engine’s gross revenues, which happens to amount to thirty two million dollars. And it set that price for a seven year period to automatically renew essentially forever.

And when asked, how did you set that price? Mr. Mullenweg, defendant Matthew Mullenweg, acknowledged, “it’s what I thought they could pay. We did an analysis to figure out what the free cash flow was. That’s how we set that number.” That’s not how you calculate a royalty. That’s how you set a ransom.”

Judge Questioned WP Engine’s Attorneys

There was a point in the proceedings where Judge Araceli Martínez-Olguín asked WP Engine’s attorneys what right to continued access they had without paying for any kind of license.

WP Engine’s attorney answered:

“So there’s just simply no connection there, your Honor, whatsoever. The test is not: does WP Engine have a right to be free from a trademark license?”

The attorney also pointed out that free access to WordPress.org was the “status quo” for fifteen years, which changed on September 20th when Mullenweg initiated his dispute with WP Engine.

Automattic’s Defense Tactic

The attorney for Automattic and Mullenweg argued several technical points as to why the judge should not grant an injunction. One key point was that WP Engine’s extortion claim, under California law, fails because California courts do not recognize a private cause of action for attempted extortion under the California Penal Code.

They then pointed out that the case law WP Engine’s attorney is relying on (Tran v. Winn) concerns a different legal concept (duress and rescission) rather than extortion. They said that the plaintiff’s legal theory doesn’t match extortion claims and involves different legal principles.

Automattic’s attorney followed that up by stating that even if WP Engine could use the Tran v. Winn case law, the plaintiff’s argument still fails under the other case law they cite as the basis for their claims (the Levitt case). They argued that the plaintiff cannot meet the legal standard for economic extortion because they are unable to show that the defendant had no right to demand payment for the services in question.

An argument made by Automattic’s attorney about the trademark license demand is that the plaintiffs omit a second option in the license, which was to provide volunteer hours equivalent to the payment. Shaw also pointed out that Mullenweg had made a reference to negotiating the terms the following week, but WP Engine never responded to his message.

The attorney said:

“…there is a text from Mr. Mullenweg in which he says, or he makes reference to even negotiating the terms the following week. They just never responded to Mr. Mullenweg’s response.”

What The Judge Said

Judge Araceli Martínez-Olguín had a lot to untangle, with perhaps the main thing being that WP Engine’s injunction was too vague.

The judge gave an indication of what direction she was leaning but also explained that the request was a “non-starter.”

“Having reviewed everything, I am inclined to grant some sort of injunction. Here’s the problem that I have with your proposed injunction, though. This is a nonstarter because it is exceedingly vague.”

The judge then encouraged the parties to work together to narrow down the preliminary injunction to something that isn’t vague, and said that failing that they could submit “dueling submissions.” There was some back and forth about the date to return to court, with WP Engine asking for a Friday date and eventually agreeing to return on Tuesday, December 3rd.

Reaction To Preliminary Injunction Hearing

A lawyer live blogging the proceedings on Bluesky wrote up their take on what happened:

“I knew that WPE was in very good shape when the opening question was “tell me about your one best shot” because that’s not generally a question you’d ask if you thought nothing had any merit.

I thought that tortious interference was the best shot. I’m pretty sure WordPress’s lawyers did too.”

And followed up with:

“I was reasonably sure that this was leaning toward a grant on the PI. I think that Automattic was close to getting their alternative, but Mack may have saved things with his tech walk through.”

He had a favorable opinion of the judge, saying that she appears to recognize that some of the technical issues are outside of her area of expertise and that she expressed a willingness to ask questions to better understand.

He offered his opinion about the judge and the final outcome:

“It’s clear that the Judge isn’t overly technical in her background, but is aware of that and is willing to listen attentively – this is very good, and not a universal federal judge trait.

It will be interesting to see what we get on Monday.

Almost certainly, dueling proposals.”

This summary of what happened in court is based on a lawyer’s live blog and Bluesky post about the proceedings over Zoom.
