
WordPress vs WP Engine — When Open Source Governance Gets Personal

Osmond van Hemert
Open Source Chronicles - This article is part of a series.

The WordPress ecosystem is in turmoil, and for once, it’s not about a plugin vulnerability or a Gutenberg controversy. Over the past two weeks, Matt Mullenweg — CEO of Automattic and co-founder of WordPress — has launched an increasingly aggressive campaign against WP Engine, one of the largest WordPress hosting companies. What started as a WordCamp keynote criticizing WP Engine’s contributions to the open source project has escalated into blocked access to WordPress.org resources, legal threats, and a schism that’s shaking the foundation of the web’s most popular CMS.

As someone who’s built and maintained WordPress sites for clients over the years, I’m watching this unfold with a mixture of fascination and concern.

What Happened

The timeline is important for understanding how quickly this escalated:

September 20: Matt Mullenweg publishes a blog post titled “WP Engine is not WordPress,” criticizing WP Engine for profiting from WordPress without contributing sufficiently to the open source project. He calls them a “cancer to WordPress.”

September 23: WP Engine sends Automattic a cease-and-desist letter regarding Mullenweg’s statements. Automattic responds with their own C&D, demanding WP Engine pay a trademark licensing fee for using the WordPress and WooCommerce names.

September 25: Automattic blocks WP Engine’s servers from accessing WordPress.org — the repository that hosts plugins, themes, and updates. This means WP Engine customers can’t update their plugins and themes through the normal WordPress mechanism.

September 27: After significant community backlash, the block is temporarily lifted for a “brief reprieve” to allow WP Engine customers to update their sites.

October 1: The block is reinstated. WP Engine begins mirroring the WordPress.org plugin repository on their own infrastructure.

And here we are, with the situation still unfolding.

The Underlying Issue

Strip away the personal animosity and legal posturing, and there’s a legitimate question at the core of this conflict: what obligations do companies have to the open source projects they profit from?

WP Engine is a billion-dollar company backed by Silver Lake private equity. They built their entire business on WordPress. Mullenweg’s argument is that they contribute far too little back — in code, in community resources, in financial support — relative to what they extract.

There’s data to support this. WP Engine contributes relatively few hours of developer time to WordPress core compared to Automattic. Their “Five for the Future” pledge (where WordPress companies commit 5% of their resources to the project) is, by Mullenweg’s account, essentially unfulfilled.

But the counterargument is equally strong. WP Engine contributes to the WordPress ecosystem in other ways — through developer tools, through making WordPress hosting reliable and accessible, through employing people who build plugins and themes. The open source social contract has never required specific contribution levels, and the GPL license explicitly permits commercial use without strings attached.

The Governance Problem

What concerns me most isn’t the business dispute — companies fight about money and trademarks all the time. What concerns me is the governance structure that made this possible.

WordPress.org — the repository that hosts plugins, themes, updates, and much of the project’s infrastructure — is controlled by Automattic. Or more precisely, it’s controlled by Matt Mullenweg personally. There is no independent foundation governing the project’s shared infrastructure. Unlike the Linux Foundation, the Apache Software Foundation, or even the Python Software Foundation, WordPress has no independent body that separates the project’s governance from any single company’s interests.

This means that one person can, as we’ve just seen, cut off a major hosting provider’s access to the plugin repository. That’s an enormous amount of power concentrated in a single individual, and the fact that it was exercised impulsively — in the context of what reads like a personal grudge — should alarm everyone in the WordPress ecosystem.

The WordPress community has tolerated this governance structure because, for twenty years, it mostly worked. Mullenweg was seen as a benevolent steward. But benevolent dictator models have a fundamental flaw: they work exactly until the dictator stops being benevolent, and there are no institutional checks to constrain them.

Implications for the Ecosystem

The practical implications are already cascading through the WordPress world. Plugin developers are uncertain about the reliability of WordPress.org as a distribution platform. Hosting companies are evaluating whether their dependence on WordPress.org infrastructure is a business risk. Enterprise customers who chose WordPress precisely because of its open source nature are reconsidering that choice.

Some of this will blow over. Lawsuits will be filed and settled, tempers will cool, and pragmatic business interests will eventually reassert themselves. But the fundamental trust has been damaged.

If you’re running WordPress at any scale, my immediate recommendation is to ensure you have local mirrors of your critical plugins and themes. Don’t assume WordPress.org will always be available when you need it. Plugin developers should consider whether distributing exclusively through WordPress.org is a risk they’re comfortable with.

My Take

I think Mullenweg has a legitimate grievance about large companies free-riding on WordPress without contributing proportionally. I’ve seen this pattern in many open source projects, and it’s a real problem that threatens the sustainability of critical software.

But the way he’s chosen to address it — using personal control over shared infrastructure as a weapon in a business dispute — is worse than the problem he’s trying to solve. He’s demonstrated that WordPress’s critical infrastructure is subject to the whims of a single individual, and that’s a systemic risk that no amount of subsequent good behavior can fully mitigate.

The WordPress community needs an independent foundation. Not tomorrow, not after the lawsuit — now. The project is too important, powering over 40% of the web, to have its governance depend on one person’s good judgment and emotional state.

Open source has always required trust. Today, that trust is a little harder to extend.

This post is part of my Developer Landscape series, tracking shifts in the broader software development ecosystem.
