What WordPress users need to know about the Automattic and WP Engine conflict


Richard Drury/Getty Images

A long, long time ago, I built websites by hand using the vi editor to write HTML. It was hard. Then along came NoteTab and Bluefish, which made writing and editing HTML easier but still a pain. 

DreamWeaver, one of the first what-you-see-is-what-you-get (WYSIWYG) tools, was a big jump forward. But, the real game-changer was when content management systems showed up, which combined creation, editing, and production in one package. The first ones, such as VignetteDotNetNuke, and RedDot, tended to be difficult to use and expensive. Then along came WordPress in 2003 and everything changed. 

Also: The best WordPress hosting services: Expert tested

Invented by Matt Mullenweg and Mike Little, the open-source WordPress runs approximately 43.6% of all websites today. It reached this dominant position because it’s easy to use, simple to customize, and can run on even the lowest-powered Linux server. 

In particular, thanks to its extensibility through themes, pre-designed templates that control a website’s appearance, and plugins, add-ons that extend a site’s functionality of WordPress sites without needing extensive programming skills, it’s easy to build a site that looks and works just the way you want. 

So, what’s the problem? Well, without going deep into the weeds, WordPress founder Mullenweg and his company, Automattic, which runs WordPress.com, have accused WP Engine, a leading WordPress hosting company, of taking advantage of WordPress and being a “cancer to WordPress.” 

In particular, Mullenweg claims WP Engine is misusing WordPress trademarks, poorly modifying core WordPress features, and not contributing enough to the WordPress open-source project.

The result of all this has been back-and-forth cease-and-desist letters and lawsuits. You know the drill. 

In the meantime, this situation means WP Engine users, in particular, have some worries. For a while, WordPress banned WP Engine and users from accessing WordPress.org resources. At the top of the list of concerns was a fear that WP Engine users might be unable to get the latest WordPress core PHP files. 

Also: I’m an AI tools expert, and these are the only two I pay for

These files are the heart of WordPress, and the project regularly releases security patches and feature updates. If you or your WordPress hosting provider are cut off from these updates, your website will be left open to possible attacks, malware, and potential data breaches.

And who wants that? Answer: Nobody.

Since WordPress is the most popular web hosting software platform, it gets attacked — a lot. By Patchstack‘s count, in 2023, the WordPress security company discovered a rather shocking 5,948 new holes. 

These security vulnerabilities aren’t just theoretical. They lead to successful attacks. Indeed, according to WordPress security company Melapress’s survey of WordPress administrators, 72% of respondents reported at least one breach in 2024.

In short, a smart WordPress administrator knows they must keep the core program up to date. 

Another issue for administrators was that they couldn’t update WordPress-hosted plugins and theme updates either. In turn, this ban raised worries about potential security holes due to outdated plugins and themes. 

Also: Perplexity Pro’s AI absolutely aced my coding tests – but there’s a catch

On 10 December, the US District Court granted WP Engine’s motion for a preliminary injunction against Automattic. This ruling required Automattic to restore WP Engine’s access to WordPress.org resources.  

For you as a WP Engine user, this means Automattic can’t block you from WordPress’s resources. But what one court decision gives, another can take away. Here are some ways to protect yourself if Automattic locks WP Engine out of WordPress’s resources.

You can, of course, as Mullenweg would prefer, move your site to Automattic. Presuming you don’t want to do that, here are your options. 

Use a proxy server

I’m going to get a little technical now, but one way to keep access to WordPress is to use a forward proxy server. This program serves as a gateway between your site and WordPress.org. This proxy routes requests from your server to, in this case. WordPress.org while disguising your site’s WP Engine origins. 

If you’re Linux savvy, you can always set up the Squid proxy on your server. But if you’d rather spend your time running your website instead of administering Linux, you’re better off using a free or low-cost proxy service. Some good ones include Webshare, Oxylabs, and IPRoyal.

Also: I tested 9 AI content detectors – and these 2 correctly identified AI text every time

Once you have a proxy set up, you must add the following configuration code, filling in the xs with your information, to your wp-config.php file:

define(‘WP_PROXY_HOST’, ‘xxx.xxx.xxx.xxx’); // Proxy Address

define(‘WP_PROXY_PORT’, ‘xxx’); // Port Number

define(‘WP_PROXY_USERNAME’, ‘xxxxx’); // Proxy Username (if exists)

define(‘WP_PROXY_PASSWORD’, ‘xxxxx’); // Proxy Password (if exists)

To limit your proxy use to only wordpress.com, add the following code to your site’s functions.php file:

add_filter(‘pre_http_send_through_proxy’, function($result, $uri) {

    if (strpos(‘wordpress.org’, $uri) !== false) {

       return true;

    } else {

       return false;

    }

}, 10, 2);

This is more of a stopgap than a permanent fix, but if you need it, you’re really going to need it. 

Update manually

No one wants to update programs by hand, but sometimes you’ve got to do what you’ve got to do. This approach requires you to learn where your WordPress plugins and themes came from. Armed with this information, you can download the latest versions from their official source homes. 

Then, you upload these versions via your hosting control panel, such as cPanel, Plesk, or ISPConfig. Once you have them on your server, you can manually update your site to keep it up-to-date and secure. Unsure what you’re doing? Then don’t try this method. Bad things can happen. 

Practice WordPress security 101

Even if your software isn’t completely up to the moment, you can still keep your WordPress site safe by:

  • Keep themes, plugins, and WordPress core up-to-date

  • Use strong username and password practices

  • Use two-factor authentication for added security

  • Disable file editing in WordPress to prevent unauthorized changes

You should also use a third-party security program to keep an eye on your site and attacks directed at it. The one I use is WordFence

Back up your site

When something goes wrong, and something always does, a regular backup agenda will make sure you’re not caught without a safety belt. There are many ways to back up your WordPress site. Just pick one, run it regularly, and double-check every now and again that you can actually successfully restore your site from a backup. Nothing is quite as miserable as discovering your site is gone for good because your backups turned out to be rotten. 

WP Engine comes with backup programs. But if you’d rather roll your own, there are many good choices, such as UpdraftPlusBackupBuddy, and VaultPress Backup.

Keeping up to date on WordPress news

Before this messy fight between Automattic and WP Engine, you didn’t need to worry about the latest WordPress news. The program and its management have always been stable. That’s no longer the case. You need to monitor what’s happening or you may find yourself in an awkward software mess through no fault of your own. 

WPTavern, The WP Minute, and CMSWire are your go-to sites for WordPress and related news. You should also watch Automattic and WP Engine’s in-house news pages.

Also: The best secure browsers for privacy: Expert tested

The situation remains fluid, with ongoing legal proceedings and community discussions shaping WordPress’s future and its relationship with hosting providers like WP Engine. I hope things will soon stabilize so we can get back to work on our websites without worrying about the politics behind the technology. However, now the lawyers are involved, it could be years before that happens. 

Hang in there, WordPress users. It will be a long, hard ride. 





Source link