Automattic quietly updated the WP Engine Tracker website with an activity log showing a continuously updated list of domains that have switched away from the managed WordPress host WP Engine. This update is part of Matt Mullenweg’s self-described “nuclear war” against WP Engine, with the Tracker site actively promoting competitors by offering links to their hosting promotions.
WP Engine Tracker
Automattic created a website for the purpose of tracking how many sites have abandoned WP Engine since September 21st, 2024, the date that Matt Mullenweg went “nuclear” on WP Engine after they rebuffed his request for $32 million. The website promotes deals with other web hosts for moving away from WP Engine and offers a CSV spreadsheet with the domain names of the sites that have left WP Engine.
At some point after launch, the website was updated with a list of the top web hosts that WP Engine customers have migrated to and a constantly updated list of sites that have recently moved.
WP Engine Tracker “Activity Log Today”
Automattic escalated what the WP Engine Tracker website does by adding an additional feature that shows a continually updated running list of domains that have migrated away from WP Engine and the destination host.
Screenshot Of Activity Log Today Feature
WP Engine Lawsuit
The WP Engine Tracker website, created by Automattic and Matt Mullenweg to publicly monitor and offer links to promotions to other web hosts, was cited in a preliminary injunction filed by WP Engine as evidence of Mullenweg’s purposeful “attack on WPE” as part of his “nuclear war” against the managed WordPress host.
The preliminary injunction filed by WP Engine explains:
“Just last week, in an apparent effort to brag about how successful they have been in harming WPE, Defendants created a website—www.wordpressenginetracker.com—that “list[s] . . . every domain hosted by @wpengine, which you can see decline every day. 15,080 sites have left already since September 21st.
September 21 was not selected randomly. It is the day after Defendants’ self-proclaimed nuclear war began – an admission that these customer losses were caused by Defendants’ wrongful actions. In this extraordinary attack on WPE and its customers, Defendants included on their disparaging website a downloadable file of ‘all [WPE] sites ready for a new home’—that is, WPE’s customer list, literally inviting others to target and poach WPE’s clients while Defendants’ attacks on WPE continued.”
But available transcripts of the preliminary injunction hearing of November 26th do not show that it was mentioned. The judge at that hearing asked the plaintiff and defendants to return to court on Monday December 2nd with an agreement on a narrow and specific scope for a preliminary injunction, having said that the original request was too vague and consequently unenforceable.
A flaw in a WordPress anti-spam plugin with over 200,000 installations allows rogue plugins to be installed on affected websites. Security researchers rated the vulnerability 9.8 out of 10, reflecting its high severity.
Screenshot Of CleanTalk Vulnerability Severity Rating
A highly rated anti-spam firewall with over 200,000 installations was found to have an authentication bypass vulnerability that enables attackers to gain full access to websites without providing a username or password. The flaw lets attackers upload and install any plugin, including malware, granting them full control of the site.
The flaw in the Spam protection, Anti-Spam, FireWall by CleanTalk plugin was pinpointed by security researchers at Wordfence as caused by reverse DNS spoofing. DNS is the system that maps domain names to IP addresses; reverse DNS does the opposite, mapping an IP address back to a hostname. Reverse DNS spoofing is where an attacker manipulates that mapping so a request appears to come from a different IP address or domain name than it actually does. In this case, attackers can trick the Anti-Spam plugin into believing a malicious request is coming from the website itself, and because the plugin does not verify that claim with any further check, the attackers gain unauthorized access.
This vulnerability is categorized as: Missing Authorization. The Common Weakness Enumeration (CWE) website defines that as:
“The product does not perform an authorization check when an actor attempts to access a resource or perform an action.”
Wordfence explains it like this:
“The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.”
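To make the failure mode concrete, here is an added example (not CleanTalk’s code, not Wordfence’s, and not the checkWithoutToken function the advisory names) written in Python rather than PHP so it can run stand-alone. It puts a check that trusts the PTR record alone beside two hardened alternatives: forward-confirmed reverse DNS, which requires the PTR name to resolve forward back to the requesting IP, and a constant-time shared-secret comparison that leaves DNS out of the decision entirely. All hostnames, IPs and DNS records are constructed for the walk-through, and the function names are hypothetical.

```python
import hmac
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Resolvers are injected as callables so the example can run offline against
# constructed DNS data; the system_* versions below use the real OS resolver.
ReverseResolver = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
ForwardResolver = Callable[[str], Iterable[str]]    # hostname -> A/AAAA records


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver (hypothetical helper name)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname: str) -> Iterable[str]:
    """A/AAAA lookup through the OS resolver (hypothetical helper name)."""
    try:
        return [entry[4][0] for entry in socket.getaddrinfo(hostname, None)]
    except OSError:
        return []


def _same_host(ptr: Optional[str], site_host: str) -> bool:
    """Case-insensitive hostname comparison that ignores a trailing dot."""
    return ptr is not None and ptr.rstrip(".").lower() == site_host.rstrip(".").lower()


def is_self_request_weak(remote_ip: str, site_host: str,
                         reverse: ReverseResolver = system_reverse) -> bool:
    """WEAK: authorizes on the PTR record alone. Whoever controls the reverse
    zone for remote_ip decides which name it maps to, so a matching PTR proves
    nothing about where the request actually originated."""
    return _same_host(reverse(remote_ip), site_host)


def is_self_request_fcrdns(remote_ip: str, site_host: str,
                           reverse: ReverseResolver = system_reverse,
                           forward: ForwardResolver = system_forward) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must also resolve forward
    back to remote_ip, which only the owner of site_host's zone can arrange.
    This is still a network-identity check, not a substitute for a secret."""
    ptr = reverse(remote_ip)
    if not _same_host(ptr, site_host):
        return False
    return remote_ip in set(forward(ptr))


def is_authorized_by_token(presented: Optional[str], expected: str) -> bool:
    """Preferred: a per-site secret compared in constant time; DNS records
    play no part in the authorization decision at all."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


# --- Constructed DNS data for the walk-through (documentation ranges) -------
SITE_HOST = "blog.example"
SITE_IP = "198.51.100.10"       # the site's real address
SPOOFED_IP = "203.0.113.5"      # an address whose reverse zone an outsider controls

CONSTRUCTED_PTR: Dict[str, str] = {
    SITE_IP: "blog.example.",
    SPOOFED_IP: "blog.example.",   # PTR pointed at the site's hostname
}
CONSTRUCTED_FORWARD: Dict[str, List[str]] = {
    "blog.example": [SITE_IP],     # the site's own zone; outsiders cannot edit it
}


def fake_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def fake_forward(hostname: str) -> Iterable[str]:
    return CONSTRUCTED_FORWARD.get(hostname.rstrip(".").lower(), [])


def run_checks() -> Dict[str, bool]:
    """Runs both DNS-based checks for the real site IP and the spoofed-PTR IP."""
    results: Dict[str, bool] = {}
    for label, ip in (("site", SITE_IP), ("spoofed", SPOOFED_IP)):
        results[f"weak_{label}"] = is_self_request_weak(ip, SITE_HOST, fake_reverse)
        results[f"fcrdns_{label}"] = is_self_request_fcrdns(ip, SITE_HOST, fake_reverse, fake_forward)
    return results


if __name__ == "__main__":
    for name, allowed in run_checks().items():
        print(f"{name:15} -> {'allowed' if allowed else 'denied'}")
```

Run as written, the weak check accepts both addresses because both carry a matching PTR, while the forward-confirmed check accepts only the site’s real address. Even the hardened DNS check only establishes which host a request came from; the CWE definition above is about authorization, and the token comparison is the form that actually answers that question.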
Recommendation
Wordfence recommends that users of the affected plugin update to version 6.44 or higher.
WP Engine had their day in court, but it didn’t go entirely in their favor, as Judge Araceli Martínez-Olguín ruled the request for a preliminary injunction was too vague. However, the judge said they were “inclined to grant some sort of injunction.”
“That’s How You Set A Ransom”
The attorney for the plaintiff offered new details about what happened behind the scenes on the day that Matt Mullenweg went “nuclear” on WP Engine at WordCamp USA. She first explained that Mullenweg’s demand for a trademark license was a sham. She then showed how Mullenweg had failed to enforce his trademark claim for fifteen years.
Among the new details was that Mullenweg’s demand for $32 million was communicated in a one-page letter and that the agreement was for a seven-year period that automatically renews “essentially forever.” She then revealed new details of how Mullenweg decided on the $32 million figure, explaining that it was just “a number” that Mullenweg felt WP Engine was able to pay.
The point of this part of the plaintiff’s argument was to show that the royalty rate that Mullenweg was asking for was not based on any value of the mark but rather the rate was a figure that Mullenweg felt he was able to squeeze out of WP Engine, saying that the rate was “set in an extortionate manner.”
WP Engine’s attorney offered this narrative of events:
“We know that defendants had no right to offer that, quote unquote, service because it is a pretext. It is a sham. …You look at the record. We see that for 15 years, WP Engine was making nominative fair use of the WordPress mark as the entire community did for 15 years without so much as a shoulder tap. ‘Excuse me.’ ‘Here’s an email.’ ‘Here’s a text.’ ‘Here’s a cease and desist letter.’ Nothing.
Nothing whatsoever, until the morning of September 20th when we receive this one page bizarre trademark license agreement. That’s not how trademark owners operate. That is not how you protect and enforce your mark. You don’t wait 15 years and then drop a demand for thirty two million dollars on the recipient.
We also know from the price set, …this one page license listed a price of eight percent of WP Engine’s gross revenues, which happens to amount to thirty two million dollars. And it set that price for a seven year period to automatically renew essentially forever.
And when asked, how did you set that price? Mr. Mullenweg, defendant Matthew Mullenweg, acknowledged, “it’s what I thought they could pay. We did an analysis to figure out what the free cash flow was. That’s how we set that number.” That’s not how you calculate a royalty. That’s how you set a ransom.”
Judge Questioned WP Engine’s Attorneys
There was a point in the proceedings where Judge Araceli Martínez-Olguín asked WP Engine’s attorneys what right to continued access they had without paying any kind of license.
WP Engine’s attorney answered:
“So there’s just simply no connection there, your Honor, whatsoever. The test is not: does WP Engine have a right to be free from a trademark license?”
The attorney also pointed out that free access to WordPress.org was the “status quo” for fifteen years, which changed on September 20th when Mullenweg initiated his dispute with WP Engine.
Automattic’s Defense Tactic
The attorney for Automattic and Mullenweg argued several technical points as to why the judge should not grant an injunction. One key point was that WP Engine’s extortion claim, under California law, fails because California courts do not recognize a private cause of action for attempted extortion under the California Penal Code.
They then pointed out that the case law WP Engine’s attorney relied on (Tran v. Winn) concerns a different legal concept (duress and rescission) rather than extortion. They said that the plaintiff’s legal theory doesn’t match extortion claims and involves different legal principles.
Automattic’s attorney then followed that up by stating that even if WP Engine could use the Tran v. Winn case law, the plaintiff’s argument still fails under the other case law they cite to base their claims on (the Levitt case). They argued that the plaintiff cannot meet the legal standard for economic extortion because they are unable to show that the defendant had no right to demand payment for the services in question.
An argument made by Automattic’s attorney about the trademark license demand is that the plaintiffs omit a second option in the license, which was to provide volunteer hours equivalent to the payment. Shaw also pointed out that Mullenweg had made a reference to negotiating the terms the following week, but WP Engine never responded to his message.
The attorney said:
“…there is a text from Mr. Mullenweg in which he says, or he makes reference to even negotiating the terms the following week. They just never responded to Mr. Mullenweg’s response.”
What The Judge Said
Judge Araceli Martínez-Olguín had a lot to untangle, with perhaps the main thing being that WP Engine’s injunction was too vague.
The judge gave an indication of what direction she was leaning but also explained that the request was a “non-starter.”
“Having reviewed everything, I am inclined to grant some sort of injunction. Here’s the problem that I have with your proposed injunction, though. This is a nonstarter because it is exceedingly vague.”
The judge then encouraged the parties to work together to narrow down the preliminary injunction to something that isn’t vague and failing that they could submit “dueling submissions.” There was some back and forth about what date to return to court with, with WP Engine asking for a Friday date and eventually agreeing to return on Tuesday, December 3rd.
Reaction To Preliminary Injunction Hearing
A lawyer live blogging the proceedings on Bluesky wrote up their take on what happened:
“I knew that WPE was in very good shape when the opening question was “tell me about your one best shot” because that’s not generally a question you’d ask if you thought nothing had any merit.
I thought that tortious interference was the best shot. I’m pretty sure WordPress’s lawyers did too.”
“I was reasonably sure that this was leaning toward a grant on the PI. I think that Automattic was close to getting their alternative, but Mack may have saved things with his tech walk through.”
He offered a favorable opinion of the judge, saying that she appears to recognize that some of the technical issues are outside her area of expertise and that she expressed a willingness to ask questions to better understand them.
“It’s clear that the Judge isn’t overly technical in her background, but is aware of that and is willing to listen attentively – this is very good, and not a universal federal judge trait.
It will be interesting to see what we get on Monday.
Almost certainly, dueling proposals.”
This summary of what happened in court is based on a lawyer’s live blog and Bluesky post about the proceedings, which were held over Zoom.
Automattic cloned WP Engine’s paid ACF Premium plugin and is distributing it for free. Many in the WordPress community disapprove of this action, expressing concerns that it undermines the plugin and theme ecosystem.
Advanced Custom Fields Plugin
Advanced Custom Fields (ACF) is a WordPress plugin that’s popular with WordPress website developers because it enables them to create custom fields that WordPress publishers and authors can use.
Custom fields allow developers to take full control of the editing screens to add things like a form for building structured data specific to a kind of WordPress page, such as Schema.org markup for ecommerce, news, legal or medical content. A custom field can be used to give article authors a place to enter the author name or a featured quote.
Website developers use ACF to enable authors to add author bios, featured quotes, or article metadata like publication date, modification date or links to sources. For example, a field for a featured quote can be used so that authors can input what the featured quote says and it’ll appear in the article using all the predefined styling. All the author needs to do is fill in the form and hit the submit button.
ACF was developed by a company named Delicious Brains, which was acquired by WP Engine in 2022; WP Engine then assumed responsibility for developing and updating the free and premium versions.
WordPress Freemium Ecosystem
ACF is popular because it built trust and authoritativeness as a solid plugin through the use of the freemium WordPress business model. Plugin and theme developers use the freemium business model to offer a free version of their software and a premium version that offers additional functionality. Offering a highly functional and useful free version increases the popularity and goodwill of a plugin or theme with basic users and the more advanced users are able to try the functionality of the free version then choose the premium version for the additional features. It can take years to build that goodwill, trust and authoritativeness with users.
The developers of plugins like Yoast and Wordfence spend thousands of hours developing and promoting their free plugins, which are then installed on millions of websites. They put all that effort into the free versions to upsell their premium products.
Timeline: Automattic Forks ACF
In the context of WordPress plugins and themes, the term “forking” refers to the creation of an independent version of an existing WordPress plugin or theme using the source code of the original version to create a different version. Forking is made possible with open source licenses. All plugins and themes that are derivatives of WordPress must be developed with an open source license.
Forking of a theme or plugin sometimes happens when a developer abandons their project and an interested party decides to continue developing their version of the software, a “forked” version of the original.
October 3, 2024 Automattic Releases Independent Updates
Automattic locked the ACF plugin out of the WordPress.org servers, preventing ACF customers from updating their versions of the plugin directly from WordPress.org servers and forcing WP Engine to create a workaround on October 3rd.
WP Engine announced:
“On October 3, we released new versions of our widely used plugins, featuring independent update capabilities and updates delivered directly from WP Engine.
While WP Engine and Flywheel customers are already protected by the WP Engine update system and don’t need to take any action, community members are encouraged to download these versions of our free, open-source plugins and updates directly from the ACF and NitroPack websites to ensure they receive updates directly from us.
If you’re running v6.3.2 or earlier of ACF, or have been forcibly switched to “Secure Custom Fields” without your consent, you can install ACF 6.3.8 directly from the ACF website, or follow these instructions to fix the issue.
These efforts support our customers and plugin users and seek to protect the community at large.”
Screenshot Of ACF Plugin Changelog Showing Lockout Workaround
On October 5th Automattic notified WP Engine of a vulnerability in the ACF plugin and announced it on a now deleted post on X (formerly Twitter).
Screenshot Of Post On X By Automattic
October 7th: WP Engine Fixes ACF Vulnerability
On October 7th, WP Engine fixed the plugin vulnerability, as noted in their changelog.
Screenshot Of ACF Changelog About Security Patch
October 12, 2024: Automattic Forks ACF
But then, on October 12th, Automattic forked WP Engine’s ACF plugin, renaming it Secure Custom Fields (SCF) and replacing the ACF plugin in the official WordPress plugin repository with their fork, using the same URL formerly used by the ACF plugin. Matt Mullenweg posted an announcement on WordPress.org citing security concerns as the reason for forking ACF, but later in the announcement he also cited WP Engine’s lawsuit seeking relief from Mullenweg’s actions.
“On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.
…This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”
Automattic Forks Premium Version Of ACF
Social media was buzzing over the weekend because it was noticed that a new version of ACF was published on WordPress.org using a new URL (/secure-custom-fields/), marked as a beta version. David McCan of WebTNG downloaded the plugin, took a look at the code and confirmed that the new version is a fork of the paid version of ACF. He notes that the WP Engine copyright information was removed, remarking that may be a problem. He also noted that the code that checks for whether the software is paid for and licensed has also been removed.
Viewing the code, he says:
“We go to the version for secure custom fields. You see the file name is still the same ACF dot PHP, But this one. The header information says secure custom fields. It says the author is wordpress.org. There is no copyright notice in here of WP Engine’s code, which is probably a problem.
So by removing the license check and update from WP engine, this seems like a classic case of an old plugin which is now being hosted in the WordPress plugin directory. So I’m wondering if this is even a legal fork. I’m not an expert in software licensing law, but my understanding is you need to preserve the original copyright notices when you fork a plug in. It’s one of the requirements.”
Developer Response In Facebook Group
Whether making the pro version of the plugin freely available for download is legal is something for the courts to decide. What Automattic may not have considered is that there is an impact on competitors like Meta Box Pro, which offer functionality similar to ACF. Current users of Meta Box Pro may be incentivized not to renew their current license because they can now get similar premium features for free from WordPress.org.
Someone posted this concern in the private Dynamic WordPress group (posted here, group membership required to view), writing that they had purchased a lifetime license ($699) for Meta Box prior to Mullenweg’s dispute with WP Engine. They wrote that they feel like they made a mistake for purchasing a license for Meta Box, noting that they don’t agree with “stealing” ACF and expressed that this will cause Meta Box to lose users. A yearly subscription to Meta Box starts at $149/year.
One of the Facebook group members remarked that no, they didn’t make a bad decision by purchasing a license for Meta Box, saying that Matt Mullenweg was the one that made the poor decision. Another group member expressed that he regarded Mullenweg as an unreliable steward of the ACF fork and wouldn’t trust his fork of ACF on any of the websites he develops.
Other developers agreed that SCF is not trustworthy enough for use on a live website, noting that many sites are having issues with Secure Custom Fields. Someone else noted that this may end poorly for Meta Box within a year from now as SCF becomes more stable. Some members said they’re glad to have Meta Box and are glad to be uninvolved with the WordPress versus WP Engine drama.
Response On WordPress Subreddit
The response from the WordPress community on Reddit was similarly disapproving.
Members of the WordPress subreddit expressed disapproval; nobody was celebrating Mullenweg’s move.
“It’s crazy because they literally are suing someone else for hosting nulled plugins, and that guy had his bank accounts frozen. They are doing the same thing now over at WordPress.”
“Oh wow, so this is actually Matt putting the premium/pro version of ACF with all of it’s features that are normally behind their paywall, up for people to download and use for free on wordpress.org while calling it Secure Custom Forms Pro or whatever, completely out of spite?
This is worse than I thought it was from just seeing the title of this thread, much worse.”
Another post that’s representative of how people feel about WordPress.org distributing a premium plugin for free:
“If he wanted to shoot WordPress in the other foot, this was the perfect move.”
Whether this move will impact ACF’s competitors and the greater premium WordPress ecosystem remains to be seen. One thing is certain: most people on social media appear to disapprove of Matt Mullenweg forking a premium WordPress plugin, and, legal or not, it’s perceived as crossing a line typically associated with software piracy.
Here are seven essential features to look for in an SEO-friendly WordPress host that will help you:
1. Reliable Uptime & Speed for Consistent Performance
A website’s uptime and speed can significantly influence your site’s rankings and the success of your SEO strategies.
Users don’t like sites that suffer from significant downtime or sluggish load speeds. Not only are these sites inconvenient, but they also reflect negatively on the brand and their products and services, making them appear less trustworthy and of lower quality.
For these reasons, Google values websites that load quickly and reliably. So, if your site suffers from significant downtime or sluggish load times, it can negatively affect your site’s position in search results as well as frustrate users.
Reliable hosting with minimal downtime and fast server response times helps ensure that both users and search engines can access your content seamlessly.
Performance-focused infrastructure, optimized for fast server responses, is essential for delivering a smooth and engaging user experience.
When evaluating hosting providers, look for high uptime guarantees through a robust Service Level Agreement (SLA), which assures site availability and speed.
Bluehost Cloud, for instance, offers a 100% SLA for uptime, response time, and resolution time.
Built specifically with WordPress users in mind, Bluehost Cloud leverages an infrastructure optimized to deliver the speed and reliability that WordPress sites require, enhancing both SEO performance and user satisfaction. This guarantee provides you with peace of mind.
Your site will remain accessible and perform optimally around the clock, and you’ll spend less time troubleshooting and dealing with your host’s support team trying to get your site back online.
2. Data Center Locations & CDN Options For Global Reach
Fast load times are crucial not only for providing a better user experience but also for reducing bounce rates and boosting SEO rankings.
Since Google prioritizes websites that load quickly for users everywhere, having data centers in multiple locations and Content Delivery Network (CDN) integration is essential for WordPress sites with a global audience.
To ensure your site loads quickly for all users, no matter where they are, choose a WordPress host with a distributed network of data centers and CDN support. Consider whether it offers CDN options and data center locations that align with your audience’s geographic distribution.
This setup allows your content to reach users swiftly across different regions, enhancing both user satisfaction and search engine performance.
Bluehost Cloud integrates with a CDN to accelerate content delivery across the globe. This means that whether your visitors are in North America, Europe, or Asia, they’ll experience faster load times.
By leveraging global data centers and a CDN, Bluehost Cloud ensures your site’s SEO remains strong, delivering a consistent experience for users around the world.
3. Built-In Security Features To Protect From SEO-Damaging Attacks
Security is essential for your brand, your SEO, and overall site health.
Websites that experience security breaches, malware, or frequent hacking attempts can be penalized by search engines, potentially suffering from ranking drops or even removal from search indexes.
Therefore, it’s critical to select a host that offers strong built-in security features to safeguard your website and its SEO performance.
When evaluating hosting providers, look for options that include additional security features.
Bluehost Cloud, for example, offers comprehensive security features designed to protect WordPress sites, including free SSL certificates to encrypt data, automated daily backups, and regular malware scans.
These features help maintain a secure environment, preventing security issues from impacting your potential customers, your site’s SEO, and ultimately, your bottom line.
With Bluehost Cloud, your site’s visitors, data, and search engine rankings remain secure, providing you with peace of mind and a safe foundation for SEO success.
4. Optimized Database & File Management For Fast Site Performance
A poorly managed database can slow down site performance, which affects load times and visitor experience. Therefore, efficient data handling and optimized file management are essential for fast site performance.
Choose a host with advanced database and file management tools, as well as caching solutions that enhance site speed. Bluehost Cloud supports WordPress sites with advanced database optimization, ensuring quick, efficient data handling even as your site grows.
With features like server-level caching and optimized databases, Bluehost Cloud is built to handle WordPress’ unique requirements, enabling your site to perform smoothly without additional plugins or manual adjustments.
Bluehost Cloud contributes to a better user experience and a stronger SEO foundation by keeping your WordPress site fast and efficient.
5. SEO-Friendly, Scalable Bandwidth For Growing Sites
As your site’s popularity grows, so do its bandwidth requirements. Scalable or unmetered bandwidth is vital to handle traffic spikes without slowing down your site and impacting your SERP performance.
High-growth websites, in particular, benefit from hosting providers that offer flexible bandwidth options, ensuring consistent speed and availability even during peak traffic.
To avoid disaster, select a hosting provider that offers scalable or unmetered bandwidth as part of their package. Bluehost Cloud’s unmetered bandwidth, for instance, is designed to accommodate high-traffic sites without affecting load times or user experience.
This ensures that your site remains responsive and accessible during high-traffic periods, supporting your growth and helping you maintain your SEO rankings.
For websites anticipating growth, unmetered bandwidth with Bluehost Cloud provides a reliable, flexible solution to ensure long-term performance.
6. WordPress-Specific Support & SEO Optimization Tools
WordPress has unique needs when it comes to SEO, making specialized hosting support essential.
Hosts that cater specifically to WordPress provide an added advantage by offering tools and configurations such as staging environments and one-click installations specifically for WordPress.
WordPress-specific hosting providers also have an entire team of knowledgeable support and technical experts who can help you significantly improve your WordPress site’s performance.
Bluehost Cloud is a WordPress-focused hosting solution that offers priority, 24/7 support from WordPress experts, ensuring any issue you encounter is dealt with effectively.
Additionally, Bluehost’s staging environments enable you to test changes and updates before going live, reducing the risk of SEO-impacting errors.
Switching to Bluehost is easy, affordable, and stress-free, too.
Bluehost offers a seamless migration service designed to make switching hosts simple and stress-free. Our dedicated migration support team handles the entire transfer process, ensuring your WordPress site’s content, settings, and configurations are moved safely and accurately.
Currently, Bluehost also covers all migration costs, so you can make the switch with zero out-of-pocket expenses. We’ll credit the remaining cost of your existing contract, making the transition financially advantageous.
You can actually save money or even gain credit by switching.
7. Integrated Domain & Site Management For Simplified SEO Administration
SEO often involves managing domain settings, redirects, DNS configurations, and SSL updates, which can become complicated without centralized management.
An integrated hosting provider that allows you to manage your domain and hosting in one place simplifies these SEO tasks and makes it easier to maintain a strong SEO foundation.
When selecting a host, look for providers that integrate domain management with hosting. Bluehost offers a streamlined experience, allowing you to manage both domains and hosting from a single dashboard.
SEO-related site administration becomes more manageable, and you can focus on the things you do best: growth and optimization.
Find An SEO-Friendly WordPress Host
Choosing an SEO-friendly WordPress host can have a significant impact on your website’s search engine performance, user experience, and long-term growth.
By focusing on uptime, global data distribution, robust security, optimized database management, scalable bandwidth, WordPress-specific support, and integrated domain management, you create a solid foundation that supports both SEO and usability.
Ready to make the switch?
As a trusted WordPress partner with over 20 years of experience, Bluehost offers a hosting solution designed to meet the unique demands of WordPress sites big and small.
Our dedicated migration support team handles every detail of your transfer, ensuring your site’s content, settings, and configurations are moved accurately and securely.
Plus, we offer eligible customers a credit toward their remaining contracts, making the transition to Bluehost not only seamless but also cost-effective.
Learn how Bluehost Cloud can elevate your WordPress site. Visit us today to get started.
WP Engine escalated its Federal complaint by citing Automattic’s publication of the WP Engine Tracker website as evidence of intent to harm WP Engine and of exposing customers to potential cybercrimes. The updated complaint incorporates recent actions by Mullenweg to further strengthen their case.
A spokesperson for WP Engine issued a statement to Search Engine Journal about the WP Engine Tracker website:
“Automattic’s wrongful and reckless publication of customer’s information without their consent underscores why we have moved for a preliminary injunction. WP Engine has requested the immediate takedown of this information and looks forward to the November 26th hearing on the injunction.”
Legal Complaint Amended With More Evidence
WP Engine (WPE) filed a complaint in Federal court seeking a preliminary injunction to prevent Matt Mullenweg and Automattic from continuing actions that harm WPE’s business and their relationships with their customers. That complaint was amended with further details to support their allegations against Mullenweg and Automattic.
The legal complaint begins by stating in general terms what gives rise to their claim:
“This is a case about abuse of power, extortion, and greed.”
It then becomes progressively more specific, introducing evidence of how Automattic and Mullenweg continue their “bad acts unabated” for the purpose of harming WP Engine (WPE).
The amended claim adds the following, quoting Mullenweg himself:
“Since then, Defendants have continued to escalate their war, unleashing a campaign to steal WPE’s software, customers and employees. Indeed, just days ago, Defendants were unambiguous about their future plans:”
This is the statement Mullenweg made that is quoted in the amended complaint:
“[S]ince this started [with WPE] they’ve had uh, we estimate tens of thousands of customers leave. . . . So, um you know, I think over the next few weeks, they’re actually gonna lose far more than 8% of their business . . . we’re at war with them. We’re . . . going to go brick by brick and take . . . take every single one of their customers . . . if they weren’t around guess what? . . . We’d happily have those customers, and in fact we’re getting a lot of them.”
WP Engine Tracker Site Used As Evidence
Automattic recently created a website called WP Engine Tracker on the WordPressEngineTracker.com domain that encourages WP Engine customers to leave, offering links to promotions from other web hosts that provide discounts and promise a smooth transition.
WPE states that the WP Engine Tracker website is part of a campaign to encourage WPE customers to abandon it, writing:
“Defendants also created a webpage at wordpress.org offering “Promotions and Coupons” to convince WPE customers to stop doing business with WPE and switch over to Automattic’s competitor hosting companies like wordpress.com and Pressable; they later added links to other competitors as well.”
The WordPress Engine Tracker website calls attention to the number of sites that have abandoned WP Engine (WPE) since Matt Mullenweg’s September 21st public denunciation of WP Engine and the start of his “nuclear” war against the web host. The amended Federal lawsuit points to the September 21st date listed on that site as additional evidence tying Automattic to a campaign to harm WP Engine’s business.
The legal document explains:
“Just last week, in an apparent effort to brag about how successful they have been in harming WPE, Defendants created a website—www.wordpressenginetracker.com—that “list[s] . . . every domain hosted by @wpengine, which you can see decline every day. 15,080 sites have left already since September 21st.
September 21 was not selected randomly. It is the day after Defendants’ self-proclaimed nuclear war began – an admission that these customer losses were caused by Defendants’ wrongful actions. In this extraordinary attack on WPE and its customers, Defendants included on their disparaging website a downloadable file of ‘all [WPE] sites ready for a new home’—that is, WPE’s customer list, literally inviting others to target and poach WPE’s clients while Defendants’ attacks on WPE continued.”
The purpose of the above allegations is to build as much evidence as possible that lends credence to WP Engine’s claim that Automattic is actively trying to harm WP Engine’s business.
WPE Accuses Automattic Of Additional Harms
Another new allegation against Automattic is that the spreadsheet offered for download on the WP Engine Tracker website includes sensitive information that is not publicly available and could cause direct harm to WPE customers.
The amended Federal lawsuit explains:
“Worse, this downloadable file contains private information regarding WPE’s customers’ domain names, including development, test, and pre-production servers—many of which are not intended to be accessed publicly and contain sensitive or private information. Many of these servers are intentionally not indexed or otherwise included in public search results because the servers are not safe, secure or production-ready and not intended to be accessed by the general public.
By disclosing this information to the general public, Defendants put these development, test, and pre-production domains at risk for hacking and unauthorized access.”
WP Engine Tracker Site Part Of A Larger Strategy
WPE’s amended complaint alleges that the WP Engine Tracker site is only one part of a larger strategy to harm WP Engine’s business, a strategy that also includes encouraging WPE employees to resign.
The updated document adds the following new allegations as evidence of WPE’s claims:
“Not content with interfering with WPE’s customer relations, Automattic has recently escalated its tactics by actively recruiting hundreds of WPE employees, in an apparent effort to weaken WPE by sowing doubts about the company’s future and enticing WPE’s employees to join Automattic:”
The document includes a screenshot of an email solicitation apparently sent to an employee that encourages them to join Automattic.
Screenshot Of Evidence Presented In Amended Complaint
Escalation Of Federal Complaint
WP Engine’s amended complaint against Mullenweg and Automattic invokes the Sherman Act (prohibiting monopolization to maintain a competitive marketplace), the Lanham Act (governing trademarks, false advertising, and unfair competition), and the Computer Fraud and Abuse Act (addressing unauthorized computer access and cybercrimes). The amendments tie recent actions by Mullenweg and Automattic—such as the creation of the WP Engine Tracker website—directly to their claims, turning Mullenweg’s attacks on WP Engine into evidence.
A critical vulnerability was discovered in a popular WordPress security plugin with over 4 million installations. The flaw allows attackers to log in as any user, including administrators, and gain full access to their site-level permissions. Assigned a threat score of 9.8 out of 10, it underscores the ease of exploitation and the potential for full site compromise, including malware injection, unauthorized content changes, and attacks on site visitors.
Really Simple Security
Really Simple Security is a WordPress plugin developed to harden WordPress sites against exploits (security hardening), enable two-factor authentication, detect vulnerabilities, and generate an SSL certificate. One reason it promotes itself as lightweight is that it is designed as modular software: users choose which security enhancements to enable so that, in theory, the code for disabled capabilities does not load and slow down the website. This is a popular trend in WordPress plugins, allowing a plugin to offer many features while running only the tasks a user requires.
The plugin is promoted through affiliate reviews and according to Google AI Overview enjoys highly positive reviews. Over 97% of reviews on the official WordPress repository are rated with five stars, the highest possible rating, with less than 1% rating the plugin as 1 star.
What Went Wrong?
A security flaw in the plugin makes it vulnerable to authentication bypass, a class of flaw that allows an attacker to reach areas of a website that require a username and password without providing valid credentials. The vulnerability specific to Really Simple Security allows an attacker to take over the account of any registered user of the website, including the administrator, simply by knowing the user name.
This is called an Unauthenticated Access Vulnerability, one of the most severe kinds of flaws because it is generally easier to exploit than an “authenticated” flaw, which requires an attacker to first obtain the user name and password of a registered user.
Wordfence explains the exact reason for the vulnerability:
“The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the ‘check_login_and_get_user’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the “Two-Factor Authentication” setting is enabled (disabled by default).
Wordfence blocked 310 attacks targeting this vulnerability in the past 24 hours.”
Recommended Course Of Action
Wordfence encourages users of the plugin to update to Really Simple Security version 9.1.2 (or higher).
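As an added illustration (not the plugin’s own code, and not a reconstruction of it), the following PHP shows the defect class Wordfence names, a two-factor REST action whose user check produces an error that the code never acts on, beside a form that fails closed. The route, function and parameter names and the `demo_2fa_pending_code` user-meta key are hypothetical; the WordPress API calls (`get_user_by`, `WP_Error`, `wp_set_auth_cookie`, `register_rest_route`) are real.

```php
<?php
/**
 * Added illustration, not the Really Simple Security code. It contrasts a
 * two-factor REST login callback whose failed user check is recorded but never
 * returned with one that returns the error before any session is created.
 * Function, route, parameter and meta-key names are hypothetical.
 */

// Hypothetical second-factor verifier: true only when the submitted one-time
// code matches the code previously issued to this user (stored in user meta).
function demo_second_factor_ok( WP_User $user, string $code ): bool {
    $expected = (string) get_user_meta( $user->ID, 'demo_2fa_pending_code', true );
    return $expected !== '' && hash_equals( $expected, $code );
}

// VULNERABLE pattern: every failure is captured in $error, but $error is never
// returned, so execution falls through and a login cookie is issued for any
// existing username regardless of whether the second factor was correct.
function demo_vulnerable_2fa_login( WP_REST_Request $request ) {
    $user  = get_user_by( 'login', sanitize_user( (string) $request->get_param( 'login' ) ) );
    $error = null;
    if ( ! $user ) {
        $error = new WP_Error( 'invalid_user', 'Unknown user', array( 'status' => 403 ) );
    } elseif ( ! demo_second_factor_ok( $user, (string) $request->get_param( 'code' ) ) ) {
        $error = new WP_Error( 'invalid_code', 'Second factor failed', array( 'status' => 403 ) );
    }
    // Bug: no "return $error;" here. A WP_Error is also truthy, so even a
    // check like "if ( $user )" would not stop the request.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return rest_ensure_response( array( 'logged_in' => true ) );
}

// HARDENED pattern: each failed check leaves the function immediately. The
// REST server reads the 'status' in the WP_Error data and answers 403.
function demo_hardened_2fa_login( WP_REST_Request $request ) {
    $user = get_user_by( 'login', sanitize_user( (string) $request->get_param( 'login' ) ) );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user', array( 'status' => 403 ) );
    }
    if ( ! demo_second_factor_ok( $user, (string) $request->get_param( 'code' ) ) ) {
        return new WP_Error( 'invalid_code', 'Second factor failed', array( 'status' => 403 ) );
    }
    // Only reached when both checks passed; consume the one-time code.
    delete_user_meta( $user->ID, 'demo_2fa_pending_code' );
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return rest_ensure_response( array( 'logged_in' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-2fa/v1', '/login', array(
        'methods'             => 'POST',
        'callback'            => 'demo_hardened_2fa_login',
        // Reached before login by design: the one-time code is the credential,
        // so the callback itself must fail closed on every error path.
        'permission_callback' => '__return_true',
        'args'                => array(
            'login' => array( 'required' => true, 'type' => 'string' ),
            'code'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The point of the contrast is that a second-factor endpoint is deliberately reachable without a session, so the REST `permission_callback` offers no protection; the only control is that every failure path returns before `wp_set_auth_cookie()` runs. When reviewing similar code, check each branch that builds a `WP_Error` and confirm it is returned, not merely assigned.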
The Really Simple Security plugin’s changelog responsibly announces the reason for the updated software:
WordPress has released version 6.7, codenamed Rollins. This update introduces better font controls, a new default theme, enhanced design tools for easier page creation, 65 accessibility improvements, and performance optimizations. Version 6.7 focuses on making it easy to build attractive, high-performance websites.
Twenty Twenty-Five Theme
Twenty Twenty-Five is the new default theme that ships with WordPress. It was intentionally built to offer users an easier and more intuitive experience for creating websites.
“While ideating Twenty Twenty-Five, one recurring idea was that simple things should be intuitive while complex things should be possible. This concept of simplicity and complexity leads to a reliable foundation for extending a default WordPress experience to make it yours.
Twenty Twenty-Five embodies ultimate flexibility and adaptability, showcasing the many ways WordPress enables people to tell their stories with many patterns and styles to choose from.”
The key improvements are:
Better Patterns WordPress patterns are pre-designed, ready-to-use blocks for different parts of a page. They let users choose from pre-made sections of a web page such as the header, calls to action, pricing tables, and so on. Twenty Twenty-Five ships with a wide range of patterns appropriate for different kinds of sites.
Improved Styles Better support for fonts in multiple languages plus bundled color variations.
New Templates There are three base templates that can serve as a starting point for creating a website.
The new template versions are:
Personal Blog (Default) The Personal Blog template is focused on simplicity and ease of use.
Photo Blog (Alternative) This template has multiple layouts that are suitable for image heavy sites.
Complex Blog (Alternative) This template is intended for complex websites, offering more design flexibility.
Typography
As part of the emphasis on a better design experience, WordPress 6.7 features better font management that gives users more control over fonts.
The WordPress announcement explains:
“Create, edit, remove, and apply font size presets with the next addition to the Styles interface. Override theme defaults or create your own custom font size, complete with fluid typography for responsive font scaling.”
New Zoom Out Feature
WordPress 6.7 has a new design feature that lets users zoom out from the details and see what the site looks like as a whole so that users can swap out block patterns and see what it looks like in macro view. This is in keeping with the focus on making it easy to design attractive websites.
Accessibility Improvements
The documentation for WordPress 6.7 is less organized than usual, making it difficult to find the details of the 65 accessibility improvements.
This is what the announcement said about the accessibility improvements:
“65+ accessibility fixes and enhancements focus on foundational aspects of the WordPress experience, from improving user interface components and keyboard navigation in the Editor, to an accessible heading on WordPress login screens and clearer labeling throughout.”
Performance Updates
The latest version of the WordPress core ships with faster pattern loading and better PHP 8+ support. Deprecated code is removed to create a more lightweight theme, and a new auto-sizes feature improves lazy-loading of images.
That last improvement to lazy loading should help improve Core Web Vitals scores because the auto-sizes feature lets the browser select the right image candidate from the layout width defined by the CSS, rather than relying on the image’s own size. CSS is usually downloaded before images, so having to depend on the image size is redundant and slower. Chrome shipped this ability last year, in December 2023.
Engineering lead at Google Chrome Addy Osmani tweeted about it last year:
“Chrome is shipping support for lazy-loaded images with srcset, this allows the browser to use the layout width of the image in order to select the source url from the srcset.
For lazy-loaded images, CSS is often available before the image load begins. The browser can take the actual width of the image from CSS and use that as if it was the image’s sizes.”
The official WordPress documentation for the auto sizes feature explains:
“WordPress 6.7 adds sizes=”auto” for lazy-loaded images. This feature, which was recently added to the HTML specification, allows the browser to use the rendered layout width of the image when selecting a source from the srcset list, since lazy loaded images don’t load until after the layout is known.”
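As an added example of the mechanism just described (my own illustration, not WordPress core’s implementation), the following PHP rewrites a lazy-loaded `<img>` tag so that its `sizes` attribute starts with `auto`, which is the markup the HTML specification defines for letting the browser use the rendered layout width. The function name and the sample tag are constructed.

```php
<?php
/**
 * Added illustration, not WordPress core code: give a lazy-loaded <img> that
 * carries a srcset a sizes attribute beginning with "auto", so the browser can
 * pick a srcset candidate from the rendered layout width. Name is hypothetical.
 */
function demo_add_auto_sizes( string $img ): string {
    // Only lazy-loaded images qualify: for them the layout is already known
    // when loading starts, which is what "auto" relies on.
    if ( ! preg_match( '/\sloading=(["\'])lazy\1/i', $img ) ) {
        return $img;
    }
    // Without a srcset there is nothing for the browser to select from.
    if ( ! preg_match( '/\ssrcset=/i', $img ) ) {
        return $img;
    }
    // Existing sizes attribute: prepend "auto, " unless it is already there.
    if ( preg_match( '/\ssizes=(["\'])(.*?)\1/i', $img, $m ) ) {
        if ( preg_match( '/^\s*auto\b/i', $m[2] ) ) {
            return $img;
        }
        return str_replace( $m[0], ' sizes=' . $m[1] . 'auto, ' . $m[2] . $m[1], $img );
    }
    // No sizes attribute at all: add a bare sizes="auto".
    return preg_replace( '/<img\b/i', '<img sizes="auto"', $img, 1 );
}

// Constructed sample tag (not from any real site).
$tag = '<img src="/photo-1024.jpg" '
     . 'srcset="/photo-480.jpg 480w, /photo-1024.jpg 1024w" '
     . 'sizes="(max-width: 600px) 100vw, 600px" loading="lazy" alt="Photo">';

echo demo_add_auto_sizes( $tag ), "\n";
// The sizes attribute in the output is:
//   sizes="auto, (max-width: 600px) 100vw, 600px"
```

The fallback list after `auto` is kept so that browsers without support for the `auto` keyword still get a valid `sizes` value, and the function leaves eagerly loaded images untouched because for those the browser may start fetching before layout is known.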
Is It Safe To Download WordPress 6.7?
Most developers discussing the latest version of WordPress in the private Dynamic WordPress Facebook group report that updating to the latest version is easy and trouble-free.
But some developers reported maintenance mode errors that were easily resolved by deleting the .maintenance file (the maintenance mode file). This error doesn’t happen because there’s something wrong with the update; it’s usually because something is going on with the upstream server that’s providing the update. The WordPress.org 6.7 documentation page was temporarily down, so maybe the WordPress servers were experiencing too much traffic.
Wordfence issued an advisory on a vulnerability patched in the popular Happy Addons for Elementor plugin, installed on over 400,000 websites. The security flaw could allow attackers to upload malicious scripts that execute when browsers visit affected pages.
Happy Addons for Elementor
The Happy Addons for Elementor plugin extends the Elementor page builder with dozens of free widgets and features like image grids, a user feedback and reviews function, and custom navigation menus. A paid version of the plugin offers even more design functionalities that make it easy to create functional and attractive WordPress websites.
Stored Cross-Site Scripting (Stored XSS)
Stored XSS is a vulnerability that typically occurs when a theme or plugin doesn’t properly filter user input (called sanitization), allowing malicious scripts to be saved to the database and stored on the server itself. When a user visits the website, the script is delivered to the browser and executes actions such as stealing browser cookies or redirecting the user to a malicious website.
The stored XSS vulnerability affecting the Happy Addons for Elementor plugin requires an attacker to first obtain Contributor-level permissions (that is, to be authenticated), making it harder to take advantage of the vulnerability.
WordPress security company Wordfence rated the vulnerability 6.4 on a scale of 1 – 10, a medium threat level.
According to Wordfence:
“The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
Plugin users should consider updating to the latest version, currently 3.12.6, which contains a security patch for the vulnerability.
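As an added example (not the Happy Addons code), the following PHP contrasts a widget render function that echoes a Contributor-supplied label unescaped with one that escapes per output context, which is the missing control Wordfence’s description points at (“insufficient input sanitization and output escaping”). The function names and the sample settings array are constructed; `esc_html()`, `esc_attr()` and `wp_kses_post()` are real WordPress functions.

```php
<?php
/**
 * Added illustration, not the Happy Addons for Elementor code. A widget label
 * set by a Contributor is rendered into the page with and without escaping.
 * Function names and the sample settings are constructed.
 */

// Constructed sample of a stored widget setting containing markup. Settings
// like this are saved by the editor and rendered for every later visitor.
$settings = array(
    'before_label' => 'Before<script>alert("stored xss")</script>',
    'after_label'  => 'After',
);

// VULNERABLE: the raw setting is concatenated into HTML, so any tag inside the
// stored value is parsed and executed by every visitor's browser.
function demo_render_labels_vulnerable( array $settings ): string {
    return '<span class="label-before">' . $settings['before_label'] . '</span>'
         . '<span class="label-after">' . $settings['after_label'] . '</span>';
}

// HARDENED: escape at output time, per context. esc_html() for text nodes,
// esc_attr() for attribute values. Escaping at output is the reliable control
// because stored data may have been written through paths that skipped
// sanitization (imports, older plugin versions, other code using the same option).
function demo_render_labels_hardened( array $settings ): string {
    $before = (string) ( $settings['before_label'] ?? '' );
    $after  = (string) ( $settings['after_label'] ?? '' );
    return sprintf(
        '<span class="label-before" data-label="%s">%s</span><span class="label-after">%s</span>',
        esc_attr( $before ),
        esc_html( $before ),
        esc_html( $after )
    );
}

// If limited formatting inside labels is a product requirement, allow only a
// known-safe tag set instead of echoing raw HTML.
function demo_render_label_with_basic_markup( string $label ): string {
    return '<span class="label-before">' . wp_kses_post( $label ) . '</span>';
}

echo demo_render_labels_vulnerable( $settings ), "\n"; // script tag reaches the page as-is
echo demo_render_labels_hardened( $settings ), "\n";   // rendered as &lt;script&gt;... text
```

When auditing a widget, trace every setting from the control definition to the point where it is written into HTML and confirm the escaping function matches the context at that point (text node, attribute, URL, or inline JavaScript); a value that is safe in one context is not automatically safe in another.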
In an ironic twist to the ongoing dispute between Automattic and WP Engine, a newly published website on WPEngineTracker.com is displaying a protest message against CEO Matt Mullenweg.
Copycat Domain Name Registered
Someone registered the domain name WPEngineTracker.com, using the words that Automattic’s WordPressEngineTracker.com domain uses to describe itself (WP Engine Tracker). People looking for Automattic’s WP Engine Tracker site who navigate to WPEngineTracker.com will instead land on the variant website, which is currently publishing a protest message against Matt Mullenweg.
Screenshot of Typosquat Domain
The above domain name was only registered a few days ago, on November 7th. The Internet being what it is, it was arguably inevitable that someone would register the typosquat domain name variant.
Registration Of Domain Announced On GitHub
Someone posted a comment in the official WordPressEngineTracker.com GitHub repository to announce that they registered the domain name variant. The post was met with approval as evidenced by the 15 likes and 18 laughing emojis it received.
Screenshot Of Announcement In GitHub Repository
Domain Registration Announced On Reddit
The person who made the announcement on GitHub appears to have also posted a discussion on the WordPress subreddit announcing that they had registered the domain name variant. The Reddit member who made the announcement is a 16-year member.
“I found it odd that Matt registered wordpressenginetracker.com when the thingamajig isn’t called “WordPress Engine Tracker” – it’s “WP Engine Tracker” Thought I should try to be helpful so I bought https://wpenginetracker.com”
That post was also met with positive reactions, receiving 138 upvotes three days later.
Matt Mullenweg’s Dispute With WPEngine
Disputes can appear different depending on who is telling the story. Automattic’s recent motion to dismiss WP Engine’s lawsuit offers details from its side, providing insight into the situation. Despite multiple opportunities to share its perspective, Automattic has received limited approval from WordPress users on social media. The registration of the WP Engine Tracker domain name variant could be said to be a manifestation of that negative sentiment toward Automattic and Mullenweg.