Ensuring Stability and Security: Recent Timeline
We’re keenly aware of the impact recent events have had on the WordPress community and ecosystem, and we’re deeply grateful to the many partners and customers who have stood by WP Engine and trust us to serve you in the face of unprecedented and unwarranted attacks and attempts to disrupt our platform.
WP Engine’s top priority has always been and remains the integrity, security, availability and performance of our tools, and we will continue to take the decisive steps necessary to ensure we can continue to deliver the enterprise-grade experience we’re committed to building.
Whether as a customer, an agency partner, or a valued member of the WordPress community we’re committed to keeping you updated on the latest developments. With that in mind, we’d like to share the following timeline of our most recent actions and statements:
October 18, 2024: Request for preliminary injunction
On October 18, WP Engine filed a motion for a preliminary injunction, requesting that the court order Matt Mullenweg and Automattic to stop their harmful actions immediately and act to preserve the status quo ante while the case is being litigated.
We sought rapid court action to minimize or prevent any further interference with WP Engine’s access to the WordPress community, including WordPress.org and the plugin and theme directory and repository, and to re-establish control over the plugins and extensions we manage as they existed before September 20, 2024. The requested injunction also seeks to provide protection and certainty for WP Engine’s partners, employees, users, and customers, and demand the restoration of any restricted or altered access or operations. You can view the injunction request in full, here.
October 16, 2024: Email to customers
On October 16, WP Engine CEO, Heather Brunner emailed customers to address concerns about recent events and outline the actions we’ve taken to ensure platform stability and security.
The letter, which you can read here, emphasizes our commitment to protecting customers and supporting the ongoing success of the open-source WordPress community.
October 12, 2024: ACF takeover
On October 12, WordPress.org forcibly took control of our Advanced Custom Fields (ACF) plugin, marking the first time in WordPress’s 21-year history that a plugin under active development was taken over without consent.
While ACF Pro users remain unaffected, free users are advised to download the latest version of ACF from advancedcustomfields.com for secure updates. The ACF team released the following statement regarding the takeover:
Since 2011, our ACF team has actively developed the plugin, evolving it into a highly sophisticated solution with over 200,000 lines of code. Our continuous work to enhance, support, and invest in the plugin has made it a critical part of the WordPress ecosystem, relied on by millions of users.
The forced takeover replaced the ACF plugin with unapproved code, breaking from standard protocol and raising concerns about control, governance, and the motives behind such a move. WP Engine continues to actively develop the genuine version of ACF and provide support and updates which can be downloaded at www.advancedcustomfields.com, and will automatically update once downloaded.
October 9, 2024: New checkbox on WordPress.org
On October 9, WordPress.org added a new checkbox to its login and registration process, requiring users to assert that they are “not affiliated with WP Engine.”
The unclear statement next to the check box has left many bewildered—both as to whether and how they should answer it and as to why it’s there. We believe that the checkbox is confusing and disturbing to many and that none of our customers, agency partners, open-source tool users, or members of the community, are legally ‘affiliates’ of WP Engine. WP Engine released the following statement regarding the checkbox:
October 7, 2024: Secure Updater plugin
On October 7, we introduced the WP Engine Secure Updater plugin, which currently supports updates for all of our open-source plugins and allows us to assist other plugin or theme developers in the community on request.
Installing the Secure Updater is optional and precautionary, and this free-to-everyone plugin has been developed for users self-hosting, or hosted outside of the WP Engine platform—detailed instructions are available here.
Note: WP Engine and Flywheel managed customers are already protected by the WP Engine update system and do not need to take any action.
October 3, 2024: Independent update capabilities
On October 3, we released new versions of our widely used plugins, featuring independent update capabilities and updates delivered directly from WP Engine.
While WP Engine and Flywheel customers are already protected by the WP Engine update system and don’t need to take any action, community members are encouraged to download these versions of our free, open-source plugins and updates directly from the ACF and NitroPack websites to ensure they receive updates directly from us.
Note: ACF PRO customers are automatically protected by the WP Engine update system and don’t need to take any action.
If you’re running v6.3.2 or earlier of ACF, or have been forcibly switched to “Secure Custom Fields” without your consent, you can install ACF 6.3.8 directly from the ACF website, or follow these instructions to fix the issue.
These efforts support our customers and plugin users and seek to protect the community at large.
October 2, 2024: Commencement of legal action
On October 2, WP Engine took legal action against Matt Mullenweg and Automattic to address their continuing misconduct and protect our business, our customers, and our participation in the broader community. The complaint can be read here and WP Engine released the following statement regarding the decision to file a lawsuit:
September 30, 2024: Plugin and theme update solution
On September 30, following interruptions to WordPress.org, and instability in the services used to update WordPress websites, we deployed a solution to all sites across the WP Engine and Flywheel platforms, that enables customers to use their normal workflows and receive plugin and theme updates without relying on the WordPress.org API.
The solution was launched after WordPress.org was once again blocked for thousands of WordPress users. WP Engine released the following statement regarding the block and our solution:
This solution allows WP Engine and Flywheel customers to use their preferred workflows without fear of further disruption or delays.
September 27, 2024: Temporary access restored
On September 27, WP Engine was given three days to develop a solution to help its customers update plugins and themes, and access to WordPress.org was temporarily restored. We released the following statement regarding our restored access:
WP Engine engineers worked around the clock on a solution for the reliability of update functionality and workflows. Their work was vital to increase resilience, reduce dependencies, and provide improved stability and protection from further disruptions.
September 25, 2024: WP Engine blocked from WordPress.org
On September 25, WP Engine was blocked from accessing plugin and theme updates on the WordPress.org repository. This forced WP Engine customers to update plugins and themes manually or seek other solutions.
While Matt Mullenweg asserted that he took this action because WP Engine had filed litigation against WordPress.org, this was untrue. Our prior cease-and-desist letter was not a lawsuit—and it was directed at Automattic due to Matt Mullenweg’s pattern of repeated misconduct. WP Engine released the following statement in response to the blocked access:
September 23, 2024: “Cease and desist” letter
On September 23, WP Engine sent a “cease and desist” letter to Automattic demanding that Automattic and its CEO Matt Mullenweg stop making and retract false, harmful, and disparaging statements about WP Engine. While you can read the full letter here, it was initially sent privately. We also released the following statement regarding our letter, after Matt Mullenweg made various inaccurate statements about it:
After our cease-and-desist letter was sent, Automattic sent a cease-and-desist letter to WP Engine, alleging infringement of several trademarks, including WordPress and WooCommerce. WP Engine denies these allegations as set forth in our Complaint.
Resource links
● Install and Update WP Engine Owned Plugins and Themes
● WordPress Community Contributions
Start the conversation.