News 11 December 2025 8 min read

Court Orders Automattic to Restore WP Engine Access in 72 Hours

A California federal judge ordered Automattic to restore WP Engine's WordPress.org access within 72 hours. The ruling ended a three-month standoff that blocked updates for 200,000+ sites and raised questions about who controls the WordPress ecosystem.

MM
Mark McNeece Founder & Managing Director, 365i
A courtroom gavel resting on a laptop showing the WordPress admin dashboard, with legal documents scattered around it

Update (April 2026): The case is still active. WP Engine filed a third amended complaint in early 2026 with new allegations: that Automattic intended to target ten different hosting companies with WordPress trademark royalty fees, and that Mullenweg attempted to get Stripe to cancel its contract with WP Engine. Automattic, the WordPress Foundation, and WooCommerce filed counterclaims accusing WP Engine of trademark misuse and deceptive branding. A separate WP Engine customer class action was dismissed but the customers were granted leave to file an amended complaint. No trial date has been set and no settlement has been reached. The article below covers the December 2025 access-restoration ruling that ended the immediate disruption.

On 10 December 2025, a California federal judge ordered Automattic and WordPress co-founder Matt Mullenweg to restore WP Engine's full WordPress.org access within 72 hours. The ruling ended a three-month standoff that had blocked plugin and theme updates for hundreds of thousands of WordPress sites.

This wasn't a minor spat between two tech companies. It was the first serious legal test of who controls the WordPress ecosystem, and the answer affects every site owner, developer, and agency that depends on it.

How the Dispute Started

The conflict kicked off in September 2025 when Mullenweg publicly called WP Engine "a cancer to WordPress" at WordCamp US. The accusation: WP Engine profits from WordPress without contributing enough back to the open-source project. Mullenweg demanded roughly $26 million per year (about 8% of WP Engine's revenue) as a trademark licensing fee.

WP Engine refused. What followed was a series of escalations that nobody in the WordPress community expected.

Automattic blocked WP Engine's access to WordPress.org, cutting off plugin and theme updates for their customers. They added a mandatory "WP Engine affiliation" checkbox to WordPress.org login screens. They took control of the Advanced Custom Fields (ACF) plugin, forking it into "Secure Custom Fields" without WP Engine's consent. And they launched a "WP Engine Tracker" website that collected customer data.

For the 200,000+ sites hosted on WP Engine, this meant no security patches, no plugin updates, and no way to fix vulnerabilities through normal channels. Site owners were caught in the middle of someone else's fight.

Timeline showing the Automattic vs WP Engine dispute from September to December 2025, with key events marked
The dispute unfolded over three months before the court intervened.

What the Court Actually Ordered

Judge Martínez-Olguín's ruling was about as clear as court orders get. Within 72 hours, Automattic had to:

  • Restore full WordPress.org access for WP Engine, its employees, customers, and partners
  • Return control of the Advanced Custom Fields plugin
  • Remove the "WP Engine affiliation" checkboxes from WordPress.org login screens
  • Delete customer tracking data from the WP Engine Tracker site
  • Stop making unauthorised modifications to WP Engine-developed plugins

The judge found that WP Engine was "likely to succeed on the merits" of its intentional interference claim and would face "irreparable harm" without court intervention. A lost contract worth roughly $32,000 served as concrete evidence of financial damage, but the broader harm was the security risk to hundreds of thousands of WordPress installations running without updates.

Why This Matters Beyond WP Engine

If you don't use WP Engine hosting, you might think this doesn't affect you. It does.

The core question here is one every WordPress user should care about: who decides what happens to the plugins, themes, and updates your site relies on? Before this ruling, one person had effectively demonstrated the ability to cut off a major hosting company and its hundreds of thousands of customers from the WordPress ecosystem with no legal check.

"Open source software is only as reliable as the governance structures that protect it. When those structures fail, every downstream user bears the cost."

Heather Meeker, Open Source in the Spotlight, Open Source Licensing Expert, O'Melveny & Myers LLP

I've been running a hosting company since 2001, and what struck me about this case wasn't the legal drama. It was the vulnerability it exposed. Every WordPress hosting provider, including us, depends on WordPress.org for plugin and theme distribution. The idea that access could be revoked over a business dispute is something we'd never seriously considered before September 2025.

Diagram showing the WordPress ecosystem with WordPress.org at the centre connected to hosts, developers, agencies, and site owners
WordPress.org sits at the centre of the ecosystem, and controlling access to it means controlling everyone downstream.

The Open-Source Governance Problem

WordPress is open source. The code is free. Anyone can download, modify, and distribute it under the GPL licence. But the infrastructure around that code (the plugin directory, the theme repository, the update servers) is controlled by Automattic and, to a large degree, by Mullenweg personally.

This creates a structural tension that the WordPress community had largely ignored until it blew up. The software is free, but the distribution channel isn't. And whoever controls the distribution channel has an enormous amount of leverage over everyone in the ecosystem.

Other major open-source projects solved this years ago. The Linux Foundation, the Apache Software Foundation, and the Python Software Foundation all have independent governance structures with multiple stakeholders. WordPress doesn't. The WordPress Foundation exists, but its role in day-to-day decisions about WordPress.org access and plugin management has been minimal.

What Site Owners Should Take From This

Whether you're running a small business site or managing dozens of WordPress installations for clients, this case highlighted some practical risks worth addressing.

Diversify your update sources

Don't depend entirely on WordPress.org for updates. Keep local backups of your critical plugins. Some hosts (including our platform) maintain their own update caches, but knowing where your plugins come from and having a fallback plan matters.

Monitor your plugin supply chain

The ACF takeover showed that a plugin you've been using for years can change ownership overnight. Pay attention to plugin change logs and author updates. If a plugin's development suddenly shifts direction, that's worth investigating.

Have a hosting migration plan

WP Engine customers were stuck because their host was blocked. Most small businesses don't have a written migration plan. If your hosting provider was suddenly cut off from WordPress.org, could you move to a different host within 48 hours? Having a tested backup and recovery process is the single most practical defence.

Watch for governance reforms

The WordPress community is now actively debating governance changes. Proposals for an independent board, community-elected leadership, and transparent decision-making processes are all on the table. These changes, if they happen, will shape how WordPress operates for the next decade.

A checklist showing site protection steps: backup plugins, diversify sources, test migration, monitor supply chain
Four practical steps every WordPress site owner should consider after the WP Engine dispute.

The Advanced Custom Fields Takeover

The ACF situation deserves its own discussion because it sets a dangerous precedent. Advanced Custom Fields is one of the most popular WordPress plugins, installed on millions of sites. WP Engine acquired its developer, Delicious Brains, and maintained the plugin.

During the dispute, Automattic forked ACF into "Secure Custom Fields" and redirected the plugin's WordPress.org listing. Sites that had ACF installed received an automatic update that replaced it with Automattic's fork, without the site owner's knowledge or consent.

"The ability to control what software runs on millions of websites, by controlling a centralised distribution point, is a power that demands accountability."

Matt Mullenweg's own words used against him, as reported by The Verge

That quote resonated with me in a way I suspect Mullenweg didn't intend. He was making the case for why WP Engine should contribute more. But the same logic applies to him: controlling the distribution point is power, and power without accountability is the definition of the problem this court ruling addressed.

The Trademark Question

Part of Automattic's argument was about trademark protection. The "WordPress" name is trademarked, and Automattic claimed WP Engine was misusing it. WP Engine argued that its use of "WP" was descriptive, not infringing, and that Mullenweg had previously approved such usage.

The court didn't settle the trademark question in this preliminary ruling. That'll be resolved at trial, expected within 12-18 months. But the judge's decision to issue an injunction suggests the trademark claims alone didn't justify blocking WordPress.org access.

For other WordPress businesses, the trademark angle matters. If "WP" in a business name is potentially infringing, that affects thousands of companies. The trial outcome will set precedent for the entire WordPress commercial ecosystem.

What Comes Next

The December 2025 ruling was a preliminary injunction, not a final verdict. Here's what's still in play:

Timeline of remaining legal proceedings
Stage Expected Timeframe What It Decides
Discovery phase Q1-Q2 2026 Both sides exchange documents, internal communications, and financial records
Automattic counterclaims Filed early 2026 Automattic's trademark and contribution claims against WP Engine
Full trial Late 2026 or early 2027 Final ruling on all claims, including trademark, interference, and governance
Community governance reforms Ongoing 2026 Independent proposals for WordPress Foundation restructuring

Automattic plans to file counterclaims arguing that WP Engine's insufficient contributions to WordPress constitute a form of free-riding that harms the project. The discovery phase should reveal internal communications that may clarify whether the access block was a calculated business move or a genuine governance concern.

Three Lessons for WordPress Users

After 24 years in this industry, here's what I think the WordPress community should take from this:

Centralised control is a single point of failure. WordPress powers 43% of the web. Having one organisation and one individual control the infrastructure that serves updates to all of those sites is a structural risk that the community can no longer ignore. The security implications alone are reason enough for reform.

Open source needs independent governance. The GPL protects the code. It doesn't protect the ecosystem. WordPress needs a governance model that separates the control of WordPress.org from any single commercial entity. Linux, Python, and Apache all managed this transition. WordPress can too.

Your site is your responsibility. Regardless of what happens in boardrooms and courtrooms, you're the one responsible for keeping your site secure and running. That means backups, migration plans, and not assuming that the tools you depend on today will always be available through the same channels. We offer hosting plans that include automated daily backups and staging environments for exactly this reason.

The sister site at 365iwebdesign.co.uk covered the Elementor V4 Beta launch that followed partly in response to ecosystem instability. And the broader context of WordPress 7.0's development is happening against the backdrop of governance questions this case raised.

Frequently Asked Questions

What was the Automattic vs WP Engine dispute about?

Automattic demanded roughly $26 million per year from WP Engine for WordPress trademark usage. When WP Engine refused, Automattic blocked their access to WordPress.org, cutting off plugin and theme updates for over 200,000 sites. A court ordered access restored in December 2025.

Were WP Engine-hosted sites at risk during the dispute?

Yes. Sites hosted on WP Engine lost access to WordPress.org plugin and theme updates for roughly three months. This meant security patches couldn't be applied through normal channels, leaving sites vulnerable to known exploits.

What happened to the Advanced Custom Fields plugin?

Automattic forked ACF into "Secure Custom Fields" and redirected the WordPress.org listing. Sites received an automatic update that replaced ACF with Automattic's fork without the site owner's consent. The court ordered ACF returned to WP Engine's control.

What did the court order Automattic to do?

Restore full WordPress.org access for WP Engine, return control of ACF, remove login screen checkboxes, delete WP Engine Tracker data, and stop modifying WP Engine's plugins. All within 72 hours.

Does this affect my WordPress site if I don't use WP Engine?

The dispute exposed structural risks in WordPress governance that affect everyone. If one hosting company can be cut off from updates, so can others. Having your own backup and migration plan is now more important than ever.

Will WordPress governance change as a result?

Community proposals for independent governance are actively being discussed. No structural changes have been implemented yet, but the pressure for reform is stronger than at any point in WordPress's 20-year history.

Is using "WP" in a business name trademark infringement?

The court hasn't ruled on the trademark question yet. That'll be decided at full trial, expected in late 2026 or early 2027. The outcome will set precedent for thousands of WordPress-related businesses.

WordPress Hosting That Keeps You in Control

Daily backups, staging environments, and update management built in. Your site stays secure regardless of what happens in the wider WordPress ecosystem.

Explore WordPress Hosting

Sources

Published: · Last reviewed: · Written by: Mark McNeece, Founder & Managing Director, 365i

Editorially reviewed by: Mark McNeece on · Our editorial standards

Tags:
WordPress Plugins WordPress Hosting Open Source WordPress Updates
Continue Reading

More Articles

Security 15 May 2026

Avada Builder Just Patched a 1M-Site SQL Injection. The WooCommerce Deactivated Trap Is the Buried Lead.

Wordfence disclosed CVE-2026-4798 in Avada Builder this week, affecting over 1,050,000 WordPress installations. The headline is patch to 3.15.3. The buried lead almost nobody covered is the WooCommerce-installed-then-deactivated precondition that turns the SQL injection from a "1M sites at risk" panic into a much narrower exploit window. We have held Avada licences for years and patched our portfolio first. Here is what actually matters.

7 min read Read