Automattic, the commercial company that guides WordPress, has launched a scorched-Earth campaign against WP Engine. For those who don't know, WP Engine is a popular hosting provider for WordPress websites. It also owns many of the plugins that elevate WordPress from a simple blogging platform to an enterprise-capable content management system.
Less than a month ago, Automattic CEO Matt Mullenweg delivered a keynote at WordCamp US that condemned WP Engine for its lack of contributions to WordPress core. Mullenweg went on to make the argument that private equity firms like the one that owns WP Engine hollow out and destroy open source communities.
An abbreviated timeline
The weeks that have followed the WordCamp keynote have felt like months. In that time, the following events have unfolded:
September 23: WP Engine sent a cease and desist letter to Automattic. The letter includes screenshots of texts from Mullenweg threatening to take a "scorched earth nuclear approach" with WP Engine if they did not agree to pay a percentage of their gross revenue to Automattic for a WordPress trademark license (this is now known to be 8%). WP Engine has existed since 2010 and has never previously needed a license.
September 24: While the WordPress Foundation's trademark policy had permitted the free use of "WP" as recently as mid-September, the policy was updated to call out WP Engine's usage of "WP" because it "confuses people."
September 25: In retaliation for the cease and desist letter, WordPress.org blocked WP Engine's customers from receiving theme and plugin updates, leaving millions of sites potentially vulnerable to security issues.
September 26: In an interview with ThePrimeagen, Mullenweg says that Automattic is using trademark law against WP Engine because there's no law that says that WP Engine has to contribute back. He elaborated on this point in an interview with Theo.
October 2: WP Engine sued Automattic. The lawsuit alleged Mullenweg attempted extortion against WP Engine's CEO.
October 5: Automattic tweets that they have "responsibly disclosed" a security vulnerability in Advanced Custom Fields to WP Engine. However, WP Engine was blocked from uploading their plugins to WordPress.org. Further, announcing a discovered vulnerability before it is fixed is out of line with Automattic's security policy and WordPress's security policy. It also goes against the spirit of responsible disclosure. The tweet has since been deleted, but screenshots can be found on Twitter and the tweet's data was captured by the Wayback Machine.
October 12: Automattic takes control of the Advanced Custom Fields plugin listing, rebranding it as Secure Custom Fields. This was done vaguely under the guise of security-related concerns. ACF had already patched the vulnerability, but WordPress.org had locked them out of publishing the updates. The transition from ACF to SCF would happen automatically, potentially without users understanding that the plugin is not from the original author. If viewed through the right lens, this could be seen as a supply chain attack. Meanwhile, the rebranded plugin broke sites in the wild.
The preceding timeline excludes the WordPress Twitter account bullying community members, Mullenweg's now-deleted tirade against DHH, and the checkbox ordeal. You can find those and more on What in the WorldPress?, bullenweg.com and mullenweg.wtf.
WordPress impact
What will the result of this feud between WordPress and WP Engine be? It will be the total vindication of the open source alarmists in the late 90s and early 2000s. Steve Ballmer is smiling right now, believing that he was right to call Linux and the GPL a cancer.
In the short term, both WordPress and WP Engine will probably take small hits in adoption as a result of this "scorched earth nuclear" conflict. But there currently aren't great alternatives to WordPress or WP Engine: for better or worse, both are best-in-class for the moment. And migrating existing sites off of WordPress or WP Engine won't pencil out for many companies in the short-term, even though there is an ecosystem of alternative content management systems and hosting providers.
However, migrating sooner rather than later might make sense for some sites. WhiteHouse.gov is a WordPress site, and WordPress.org's capricious security policies could cause a vulnerability that allows a bad actor to post on the site that the US has declared war on China and is dropping bombs within the hour. What happens next? Is WordPress really so good that it's worth that risk?
Changing tides in OSS
The security risks that came with open source software were generally worth it to companies because of the associated cost savings. Open source licensed software was often "free as in beer," or it at least had predictable pricing. The WordPress conflict upends that predictability: there is now a prominent case study of a major open source maintainer allegedly attempting to extort a CEO for money once their company got big. CEOs don't love unpredictable cost structures, and they really don't love being extorted.
Let's take a step back and look at the open source ecosystem outside of content management systems. It's not a stretch to think that there are thousands of risk-averse CTOs watching the utter chaos of the WordPress conflict unfold and seriously reconsidering using Node/Rust/Elixir/etc for their next greenfield projects. Some of these folks were around when companies first started adopting open source software like Linux, Apache, MySQL, and PHP in their stacks. There was incredible skepticism that free software could compete with companies that sold developer tools as their core business. On top of that, the backdrop for this WordPress conflict is years of OSS license rug pulls from Redis, Terraform, Elasticsearch, and others.
Microsoft will win, open source will lose
There's an old tech phrase: "No one ever got fired for buying IBM."
IBM may not have always been the best option and it certainly wasn't the cheapest, but it was a safe bet. If you're an enterprise CTO looking for the programming equivalent of that safe bet, what do you buy? Microsoft.
The result of this WordPress debacle will almost certainly be a gentle migration away from exciting open source technologies back towards tried-and-true corporate frameworks like Microsoft ASP.NET. Those apps will run on Microsoft IIS servers, sparing us the cancer of open source software like Linux. Matt Mullenweg has probably done more for Adobe Experience Manager in the past month than their marketing team has done in the past year. Mullenweg has given Oracle sales reps one more talking point about why their clients should stay locked into their safe contracts. In this holy war for open source, we've seen how fragile open source is. Proprietary tech companies will use their lack of BDFL as a selling point.
The more that WordPress "wins" against WP Engine, the more that open source will lose the trust of the people who depend on it. I hope you like writing C# and deploying on Azure.
For the sake of a future where open source is still a viable option, this conflict must end quickly, and WP Engine must win. An enormous amount of damage has already been done, but shaking down users of your free software because they became successful is a precedent that open source software might not survive in the current tech landscape.
Top comments (2)
Wow, this whole situation feels so intense and messy! It’s a reminder of how critical community and collaboration are in open-source ecosystems. I wonder if focusing on user-centric hosting solutions like Cloudways or SiteGround could help developers avoid getting caught in these disputes while still enjoying smooth WordPress experiences. What’s your take?
In what ways are Cloudways and SiteGround user-centric that WP Engine is not? As a user and customer of WP Engine, I've always found their documentation well-written, their platform fully-featured, and their customer support top-notch. As a user, the platform feels centered around my needs.
I think that moving forward, there is an inherent risk to using WordPress. Matt Mullenweg has total control of the platform's roadmap, the documentation, the updates, and deciding who does and doesn't get to participate in the community. Even if a hosting provider or plugin developer is in Matt's good graces in 2024, it doesn't necessarily mean that they will be in 2025. There is no mechanism in place to prevent Matt from doing this again to some other company or developer.