WP Engine Sues WordPress for Libel, Extortion

WP Engine, a major web hosting provider, has filed a federal lawsuit against WordPress [PDF] co-founder Matt Mullenweg and Automattic, alleging libel and attempted extortion. The suit stems from a public dispute over WordPress trademark usage and open-source licensing.

WP Engine, which hosts over 200,000 websites, accuses Mullenweg and Automattic of "abuse of power, extortion, and greed." The conflict escalated after Mullenweg called WP Engine a "cancer to WordPress" on his blog, prompting a cease-and-desist letter. Automattic subsequently demanded 8% of WP Engine's monthly revenue as royalties for alleged trademark infringement. The lawsuit includes 11 complaints, ranging from slander to violations of the Computer Fraud and Abuse Act.

Third opinion

[CEC-P]

As a former web UI designer and web developer, I hate them both. They're garbage and a complete and utter stain on the internet. They make generic garbage websites and let unqualified people run the whole website project into the ground while getting their email accounts hacked to send out phishing scams. You know, instead of hiring a professional web design firm to do it, who probably also is some dumb 20 year old with no college degree who also uses wordpress and thinks scaling an image while changing the aspect ratio is just fine and doesn't know what JPG encoding levels even is.

Re:Third opinion

[drinkypoo]

I'm going to join in with you here and at least one of us will be downmodded, probably me. Even without adding questionable addons, Wordpress is a security shitshow. For example, there have been numerous SQL injection and XSS vulnerabilities in the WP core.

Cites: https://patchstack.com/databas... [patchstack.com]

Re:Third opinion

[whoever57]

That link doesn't provide the support for your argument that you claim.

A casual look at it shows that WP plugins are a security shitshow.

It's true that WP has had its share of security issues in the past, but I think that recently, it has been much better.

Re: Third opinion

[Midnight_Falcon]

One of the things wp engine does is monitor for plugins with vulnerabilities and automatically disables blacklisted ones with issues. As to why this couldn't be done by core WordPress..it's a laissez-faire attitude. Unfortunately expecting a bunch of amateur web admins to implement security best practices is what led us to this understanding WP is a security shit show.

Re: Third opinion

[BringsApples]

I just want everyone in the upline here to know that you're next for this libel lawsuit.

Re: Third opinion

[Midnight_Falcon]

Unfortunately my comments aren't libel because they have the benefit of being true. If it was that easy, Scientology would have come after me a long time ago!

Re:Third opinion

[drinkypoo]

That link doesn't provide the support for your argument that you claim.

Tell us you couldn't figure out how to operate the site without telling us.

A casual look at it shows that WP plugins are a security shitshow.

You have to click twice to see only core vulnerabilities. HTH, HAND.

Ah yes, there is the downmod

[drinkypoo]

For some reason there are literally always people with modpoints who reliably defend WP against "attacks", AKA sharing facts about it.

I can only conclude that they are not only WP devs, but also personally responsible for it being trash software.

What's weird to me is that it is among the least secure CMSes, even though it is arguably the most popular CMS. The conventional wisdom is that many eyes improve security, but there must be something at WordPress which prevents that from occurring.

Drupal used to have moderate security problems, it was almost as bad as WordPress, but they had it pretty well in hand and then switched to being based on the Symfony framework [symfony.com] and security improved even more. They were wise enough to know that they would benefit from letting someone else handle the very base of the software. They also have developed an incredibly strong developer community and site tools which help the developers of modules increase reliability and security.

WordPress should perhaps consider a similar set of moves, since the Drupal community has proven that it works.

Re:Third opinion

[Revek]

I don't disagree but you have to consider the reason why wordpress gets compromised so much is because of its popularity. No one is trying to hack some fringe framework.

Re: Third opinion

[drinkypoo]

Drupal is the basis for over 50% of the government websites in the world. You think nobody is attacking those?

Re: Third opinion

[destined2fail1990]

I work as a SOC Analyst, some of our alerts are from web vulnerability scans that are occurring. I can say with certainty, even from my own websites, that the majority of them are either out to get something written in Java or Wordpress, doing code injection or scanning for common files found in Wordpress. On my personal sites, I see scans looking for the Wordpress admin or plugins even though I don't use Wordpress at all for most of them.

I'm 99% certain that these vulnerability scans are 100% automated, just scanning every new .tld (ex: .com) for vulnerabilities.

One thing I did notice with my sites, since I use Let's Encrypt on all of them, is that they would get scanned extremely rapidly. Well apparently Let's Encrypt publishes the list of domains that it creates certs for. This list is then monitored and attacked automatically. If you set up subdomains, be sure to use a wildcard certificate with the DNS challenge if you don't want it to be publicly known. It's not full proof, but requires an attack on your DNS. The subdomain works like passwords, so the more obscure the better chance of it staying a secret.

Re:Third opinion

[cstacy]

scaling an image while changing the aspect ratio is just fine and doesn't know what JPG encoding levels even is.

How you even know you got JPG encoding levels, kid?

a childhood memory [youtube.com]

Re:Third opinion

[rabbirta]

I thought this line was funny too -- there's no such thing as JPEG encoding levels, AFAIK.
There's JPEG COMPRESSION levels, maybe that's what they meant?


https://blog.naver.com/xhakti/... [naver.com]
https://www.mylargescale.com/t... [mylargescale.com]


The only two references to that phrase I can find, and the primary is from a non-english blog.

Re:Third opinion

[bradley13]

Welcome to modern IT. There is such a huge demand for software (and I loosely include websites as software) - there just aren't enough competent IT people to produce it all. There is the flip-side as well: what top-notch IT person wants to produce endless crappy websites? Hence, you get tools like WordPress that let marginally competent people produce stuff.

Why WordPress a mess? It is designed to let basically anyone do basically anything, either directly, or with any of a zillion plugins. There is no way for it *not* to be a mess. Imagine trying to create a competing framework: If you tighten the security, restrict plugins, etc, - basically no one is going to use your product.

There is no solution to this problem. It is just inevitable...

Re:Third opinion

[smooth wombat]

There is no solution to this problem. It is just inevitable...

I'm presuming the KISS principle isn't an option? We have to have the most convoluted, jazz-fangled software/web sites imaginable.

This is like people complaining the touchscreens in their vehicles are a pain to use. Apparently there's no way to correct this situation.

Re:Third opinion

[Anonymous Coward]

Why WordPress a mess? It is designed to let basically anyone do basically anything, either directly, or with any of a zillion plugins. There is no way for it *not* to be a mess.

WordPress is a mess because it's badly designed by incompetent developers. WordPress Plugins are a mess because they're just as badly designed by people just as incompetent as the WordPress developers. When it comes down to it, WordPress doesn't really do all that much. Just templates, menus, and users, with a worse-than-useless editor and an ill-considered plugin API. Comments and the blogging features should be plugins, but it's incompetently designed.

Why so stupid? WordPress started out as a blogging software. It was a hideous bloated mess back then, so it's no surprise that it's a hideous bloated mess now that it has a bunch of ill-considered features glued on. That incompetence is, oddly enough, is largely responsible for WPs success. There is a huge industry around WP that only exists because WP can't get basic features right. There are countless services that, for a monthly fee, will replace the abomination that is the WP editor with something that sucks a little bit less.

Yeah, that editor sucks. It fucks with any HTML in ways that change randomly with updates. Sometimes it adds paragraph tags, sometimes it doesn't. It strips out anything that it doesn't know how to sanitize. It uses comments to tell itself what to ignore, specialized to make it cumbersome to use yourself in an attempt to get the editor to produce the output you want. There is no "leave my shit alone" option, so you just have to deal with it or replace it with a shady third-party plugin.

Oh, the plugins... It's amazing the bullshit people will put up with under the delusion that whatever they're doing is "easier". Never mind that migrating their data will be expensive (because it's damn-near impossible) or that they need to constantly invent new, largely manual, processes because of missing features and a lack of integration. I've seen data stuffed into needlessly complicated *keys* mapping to serialized php objects, of all things, that spread data that could be organized into a few simple tables across endless seemingly unrelated records in the most inaccessible way possible.

This absolutely wrecks performance, of course. It's so bad that WordPress even warns you if you don't have a cache plugin (why isn't that build-in?) and keeps track of average page load time, expecting an average of 500ms! WTF?! The last WP contract I did managed to average below 100ms (without caching) just by including basic functionality in the theme and removing the zillion plugins installed by the last group that overcharged the client. That said, I'll never touch that shit again. It is an abomination.

Naturally, there is a whole shady industry of WordPress performance plugins for you to pay for. They're snake oil, obviously, and mostly exist to slow down the admin page with meaningless graphs to make you think it's doing something.

I hate WordPress

Re:Third opinion

[unrtst]

there just aren't enough competent IT people to produce it all.

Oh, there are enough of them. There just aren't enough competent IT people WILLING to produce all that garbage for next to nothing.

What I used to think was unacceptably awful output from MS FrontPage would look lightweight and clean compared to most of those WP sites (where you must consider both the backend code, frontend, and the javascript in the middle). I wouldn't go so far as to say that such things have a right place and right time, but there's certainly a market for it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Third opinion

[Bill, Shooter of Bul]

I 100% agree with you, but I also 100% disagree with you. Wordpress and Drupal are terrible... And so was everything else before they existed. And so are "professional" websites created by scratch by small, medium and large companies. They're all crap. HTML/CSS was a mistake. Bring back gopher.

Re:Third opinion

[drinkypoo]

Wordpress and Drupal are terrible

Conflating Wordpress and Drupal is terribly ignorant.

Drupal has a far superior security record.

Re:Third opinion

[Anonymous Coward]

I have nothing to offer. Don't know anything or care about these two companies.

Re:Third opinion

[rickb928]

"'scaling an image while changing the aspect ratio is just fine and doesn't know what JPG encoding levels even is."

Um, I've known all that since around 1995. I'm not an expert, no college, no training except my own self-taught.

So the experts, professionals, for so long, were designing web pages more than 18700 pixels tall, when common monitors were 800x600, and 1024 monitors were pricey and uncommon. Forcing most visitors to scroll to see the SUBMIT button just to accept the TOS/EULA agreements and actually access the 'free' content they wanted. Professionals? They were. Clueless about UX? Actually many still are.

Your post smells more like rent-seeking. Its been a while since the Web was claimed as the rightful domain of the 'professionals', and long-standing security problems proves it more than anything. Your everyday 'serious' WordPress user pays attention to plug in security, avoiding those with poor histories, keeps the site(s) updated, takes reasonable precautions, and generally wants their site(s) to be secure, usable, and functional.

Automatic, OTOH, desperately needs revenue, and they are trying to extort WP Engine, plain and simple.

ps - To an uninterested passer-by, most every site is 'generic'. Really? Your work is, each instance, uniquely appealing and arrestingly beautiful? Even when your client asks merely for function? pfft.

Re:Third opinion

[jonadab]

Eh, I'm not a huge fan of WordPress either, but at least its output can be meaningfully styled with CSS, and can reflow reasonably when the browser window is a different width. The real cancer in web design is those horrible PrintShop-esque prefab website services (Wix, SquareSpace, etc.)

Re:Third opinion

[mysidia]

As a former web UI designer and web developer, I hate them both.

Wordpress solves a problem. So unless you have a better solution to that problem which is not massively more expensive (such as requiring people familiar with handcoding HTML, CSS, and JS to build websites), and is not massively more limited (Such as not capable of doing what wordpress can do to the same extent with the same ease for its userbase): The existence of Wordpress is a net positive for the internet as it makes things better for Wordpress' users, and the visitors to their websites.

web dee-zy-ner

[Anonymous Coward]

Das solution is to lrn2k0d3 w3b or hire a web dee-zy-ner 2 do it for u.

Re:Third opinion

[Anonymous Coward]

Name one good website that would not exist if people had to know HTMLto make one.

Re:Third opinion

[garett_spencley]

Name one good piece of furniture that would not exist if people had to know how to use a hand plane to make one.

The person you're replying to made a point that Wordpress is a tool and that it serves the needs of its users, who have unique and varied requirements.

But us engineer types LOVE to argue about which tools are superior.

It's true that Wordpress has been plagued with security issues over the years. That's a valid strike against Wordpress.

But it has also lowered the barrier of entry for people creating websites. People are unique and varied and have their own unique and varied circumstances. Maybe a non-tech person is starting a small business, has done a bit of dabbling and doesn't have the budget to hire someone and just needs a simple home page to post contact information for that business.

You probably wouldn't consider this website to be "good", but that's not even relevant. If it serves the needs of that hypothetical business owner, that's all that matters.

The question then becomes, who the fuck are you or I or anyone else to tell them what is the "right" way to go about doing that?

And yeah there are services like Wix out there now that can fill that void probably better. But it's just a different tool and every tool has its tradeoffs just like every user has their own requirements.

Re:Third opinion

[Type44Q]

But it has also lowered the barrier of entry for people creating websites.

Having to learn basic HTML served as an excellent flter for weeding out those too stupid to be allowed to create content.

Re:Third opinion

[thegarbz]

You don't get to arbitrarily decide if a Scotsman is true based on their kilt. Your criteria of "good" is already worthless.

Re:Third opinion

[drinkypoo]

Wordpress solves a problem. So unless you have a better solution to that problem which is not massively more expensive (such as requiring people familiar with handcoding HTML, CSS, and JS to build websites), and is not massively more limited

It is called Drupal.

They have had far fewer vulnerabilities in the core, and in the popular modules. Today this is in large part because it is based on the Symfony framework, so they don't have to do that part.

The existence of Wordpress is a net positive for the internet

False. If it didn't exist, most of the people who use it would use Drupal, which is more secure.

Re:Third opinion

[thegarbz]

Sorry but no. Having used both, one is a single click away, the other requires actual knowledge. They are not the same. There are many people who rely on Wordpress. Heck even me as a tech head could setup Wordpress on my hosting provider *LITERALLY* with a single click, but Drupal would be far more complex.

Re:Third opinion

[drinkypoo]

Sorry but no. Having used both, one is a single click away, the other requires actual knowledge. They are not the same.

You do not need to know shit, because if you do not know shit, you just go to a hosting provider who does the installs for you like most of them do.

Heck even me as a tech head could setup Wordpress on my hosting provider *LITERALLY* with a single click, but Drupal would be far more complex.

Me as a tech head could set up Drupal on my hosting provider *LITERALLY* with a single click. They have a facility for that. Are you new?

Re:Third opinion

[nicubunu]

Drupal is so much less friendly that if it was the most used platform, there Web would be significantly smaller (a net negative). Now, if you think a smaller web would be beneficial, how can I argue?

Re:Third opinion

[mysidia]

It is called Drupal.

They have had far fewer vulnerabilities in the core, and in the popular modules.

It seems that Drupal is not actually an alternative to Wordpress for the basic problem of providing an easily installable system with an intuitive User-friendly UI for non-technical users to build and deploy blogs and simple websites.

I would point out that Wordpress came to fruition years after Drupal released. If Drupal had solved the problem, then people would likely have already been using Drupal for years by the time the earliest version of Wordpress came out.

They lose for the basic use cases Wordpress is most common for, because a Drupal site is more complicated to build. They also don't have the capacity with the Themes and free Plugins available for people to get up and running and build what they like as well as that the Wordpress ecosystem has.

Drupal is an alternative for the more general problem of building a website, but it is not unequivocally better.

Drupal just has advantages you mention which will be less important to many people than their ability to use the software; familiarity with the controls, UIs, and what plugins are available, etc. Thus it is not a better alternative based on what you said for the user: in the context where the other aspects of Wordpress are more important.

Re:Third opinion

[destined2fail1990]

I've never used Drupal, but I imagine it still boils down to the tech skills of the user. Are there virus scans on plugins like the Google App store? Do plugins run in containers and talk to each other through APIs? That's more or less how Android works (At least GrapheneOS). Since none of those are true, there are still chances you can get a faulty website. Is it more common with Wordpress? yes, because of people's tech skills, but it's entirely possible to completely secure a Wordpress site. Wordpress.org releases updates in a timely manner to vulnerabilities, it's a matter of you updating it (at least before auto update). A website with Wordpress requires maintenance, just more so than a static website, and probably more so than drupal.

I work for a top 10 international bank that uses Wordpress for their primary site. The site isn't slow, and it's not been hacked. I have a Wordpress site of my own that has yet to be hacked, but I keep it updated with limited plugins.

If you want to talk about insecurity, lets talk about what Wordpress replaced: php-nuke

A complete sh*t show in the making

[CuriousButterfly]

This is all a bit weird to say, but WordPress put a better UI on poorly implemented webpages, open-sourced it, and WP Engine did a much better job at monetizing that particular monster. I'm not sure how to frame the outrage here. They both sucked and excelled at different things. In the perfect world, they figure out a better way to come together, but this is the modern version of enshittification on both sides of this equation. At least the latter paid a few of my invoices a few years ago, but I would not trust either of them with a ten-foot pole these days.

Re:A complete sh*t show in the making

[Targon]

The thing that strikes me is that you have WP Engine that uses WordPress as the core of what it offers to its customers/clients, but then decides to start saying how horrible WordPress is. Now, it makes some sense for WordPress to tell WP Engine, "Well, you don't like what we provide, so, fuck off!", then WP Engine suddenly realizes that without WordPress, their business is GONE.

When you are taking something and making a business based on what you are taking, going public and saying how much you dislike that thing is a recipe for going out of business, or being forced to change how your entire business operates. The expression, "don't bite the hand that feeds you" comes to mind.

Re: A complete sh*t show in the making

[RazorSharp]

When did WP Engine publicly trash WordPress?

Re:A complete sh*t show in the making

[Dracos]

This is a fight between a turd and a slightly polished turd.

They both need to be flushed.

My giveacrap-o-meter is reading below 0

[acroyear]

Seriously, this isn't as fundamental an argument as, say, SCO v Linux or the Java/Javascript trademark issue, or even deno v node. It doesn't need the daily attention on /. that the mods seem to be giving it.

Re:My giveacrap-o-meter is reading below 0

[fleeped]

You want more AI stories I suppose? Count your lucky stars that we still get some non-AI non-Apple/Google/Meta/Amazon stories

Re:My giveacrap-o-meter is reading below 0

[thegarbz]

It doesn't need the daily attention on /. that the mods seem to be giving it.

At the core is an issue of a potential GPL violation. This story qualifies more for this audience (or at least this audience with a sub 7 digit UID) than most of the drivel posted here these days.

But further down is a story of Paypal making a transaction with a stable coin (whooopediefuckingdoo) if that tickles your loins more.

All of this...

[peterww]

because one dude didn't like that a completely separate company wasn't enabling version control in its customers' web pages

JFC. How about you just make a marketing campaign that *your* company is superior because it has versioning? Rather than get into a pointless legal battle?

This could turn into a wild ride...

[DeplorableCodeMonkey]

WordPress.com is a commercial entity. WordPress.org is a non-profit. Both of them are run by the same guy, Matt Mullenweg. From the outside, it does not appear that there is a meaningful separation to prevent a conflict of interest like this where the .org is being used as a weapon to defend the .com side.

IANAL, but Mullenweg could be starting to crack open Pandora's Box for his side by weaponizing a non-profit to materially benefit a for-profit entity he owns a substantial share in and runs.

To my knowledge, WP Engine is not accused of any sort of GPL violation. Literally their whole "evilnness" is being too competitive at hosting services without contributing what Mullenweg thinks is "their fair share."

I would be very curious to know if Mullenweg has the kind of legal team that can look at the situation holistically and tell him if he's truly safe or inviting a bloodbath from state and federal regulators over misuse of the non-profit.

Re:This could turn into a wild ride...

[Anonymous Coward]

The most insightful comment here, so far.

Re:This could turn into a wild ride...

[thegarbz]

To my knowledge, WP Engine is not accused of any sort of GPL violation.

Correct, he's accused of trademark dilutement, by offering a locked down product based on the original code. That was the complaint. Go read it, we've only run multiple slashdot stories on it so far.

and tell him if he's truly safe or inviting a bloodbath from state and federal regulators over misuse of the non-profit.

There is nothing about being a non-profit that prevents you also running a for profit entity in the same line of business. This is something they've been doing for 20 years now, they'll be fine on this front.

Re:This could turn into a wild ride...

[chirino]

The WPEngine trademark has been in use for like 10 years. They never enforced the trademark before on them. As far as I'm concerned, WordPress has failed to protect the 'WP' as a mark and have lost that. They better be careful, because they might also loose the Wordpress mark too if it's shown they did not aggressively protect that one either. IANAL.. just my 2 cents. Remember these all use to be trademarks: Aspirin, Escalator, Thermos, Yo-Yo, Zipper, Videotape, Trampoline

Re:This could turn into a wild ride...

[thegarbz]

That's not the point being made. They aren't going after WP Engine because they use WP in the name at all. They are going after them for the recent practices of offering a restricted product claiming to be Wordpress.

Wordpress actively allows the use of their name on services that provide their product.

Think of it this way: A car dealership has been selling Fords for a decade. Suddenly they decide to sell Fords but with 2 of the cylinders removed from each engine. It's no longer the original Ford product. Just because they have used the word Ford for a decade doesn't mean that Ford has lost the trademark for their product as a result.

wordpress is toxic garbage

[awwshit]

Between the security issues in the core and the security issues in the endless plugins, wordpress is garbage. Our Marketing group uses outside help for the web site and they demand wordpress. I run it at a hosting provider I don't care about and the website stands completely alone in the world. I keep that toxic garbage as far from everything else as possible, just a matter of time before compromise.