WordPress governance is broken, and the Mullenweg-WP Engine war proved it

When Matt Mullenweg called WP Engine a “cancer to WordPress” from the stage at WordCamp US in September 2024, it felt like a founder having a bad day. Heated language, corporate posturing, the kind of thing that blows over in a news cycle. It didn’t blow over. What followed was a chain of events that exposed something most WordPress users had never thought to question: who actually controls the platform that powers 40% of the web, and what happens when that control is exercised without restraint?

The answer, it turns out, is that nobody quite knew. And the consequences of that ambiguity are still playing out — in courtrooms, in contributor forums, and in a community that has spent the past year reckoning with the fact that WordPress governance was never really governance at all.

What happened, and why it escalated

The short version: Mullenweg accused WP Engine, a major managed WordPress hosting company backed by private equity firm Silver Lake, of profiting from the WordPress ecosystem without contributing enough back. He demanded 8% of WP Engine’s monthly gross revenue as a trademark licensing fee. WP Engine refused, and in October 2024 filed a lawsuit alleging extortion, abuse of power, and interference with its business.

What happened next is what made this more than a trademark dispute. Mullenweg used his control over WordPress.org — the central repository for plugins, themes, and updates that virtually every WordPress site depends on — to block WP Engine’s access. WP Engine customers couldn’t receive plugin updates through normal channels. The Advanced Custom Fields plugin, one of the most widely used tools in the ecosystem, was taken over without the developer’s consent and forked into a new plugin called Secure Custom Fields.

A login checkbox was added to WordPress.org requiring users to confirm they weren’t affiliated with WP Engine. A tracker site was launched showing WP Engine customer departures, which WP Engine alleged exposed private staging and development domains. Over 200,000 WordPress sites were directly affected by the access block.

In December 2024, a federal judge granted WP Engine a preliminary injunction, ordering Automattic to restore access within 72 hours. Mullenweg complied, but publicly described being “disgusted and sickened” by being legally compelled to provide what he characterised as free labour and services to a competitor.

The governance problem underneath the legal one

The lawsuit is dramatic, and a jury trial is scheduled for February 2027. But the legal battle is a symptom. The underlying disease is structural.

WordPress operates under what’s known as a BDFL model — Benevolent Dictator for Life. Mullenweg has held this role since WordPress’s creation, serving simultaneously as project lead, CEO of Automattic (which operates WordPress.com and WooCommerce), and, until recently, a board member of the WordPress Foundation. The Foundation nominally exists to steward the project, but as contributors and legal filings have revealed, its role has been largely administrative — managing WordCamps and meetups while exercising no meaningful oversight over the project itself.

The deeper structural issue surfaced during discovery in the lawsuit. WP Engine alleged that when Automattic transferred the WordPress trademarks to the Foundation in 2010, it simultaneously granted itself an exclusive, perpetual, royalty-free licence — effectively retaining control while presenting the transfer as an act of open-source stewardship. WP Engine further alleged that this licence was never disclosed in the Foundation’s IRS filings.

WordPress.org itself, which the community had long understood as belonging to the project or the Foundation, was claimed in legal filings as Mullenweg’s personal property. As The Repository reported, community members described this disclosure as a “massive inflection point” in WordPress history.

An open letter signed by twenty core contributors — committers, team leads, people who had built WordPress for years — laid out the objections plainly. They cited the Foundation’s lack of community oversight, the absence of a conflict of interest policy, and what they called “the volatility of the self-governing BDFL model.” Contributors who spoke up about governance were banned from WordPress.org, losing the ability to manage their own plugins or participate in community channels.

The community response: FAIR and the push for decentralisation

The crisis has produced something constructive. In June 2025, at an independently organised event alongside WordCamp Europe in Basel, a coalition of contributors launched FAIR — Federated and Independent Repositories. Led by Yoast founder Joost de Valk and Crowd Favorite CEO Karim Marucchi, and built by up to 300 contributors including veteran core committers, FAIR operates as a technical project under the Linux Foundation.

FAIR isn’t a fork. It doesn’t replace WordPress. It creates a decentralised distribution layer — a parallel package management system that lets hosting companies run their own update servers, supports cryptographic code signing, and provides an alternative to the single-point-of-failure dependency on WordPress.org. Its governance is structured to prevent the kind of unilateral decisions that triggered the crisis: company representation is limited, funding is separated from technical decision-making, and contributors have a clear path to influence policies.

Ryan McCue, a longtime core committer and one of FAIR’s technical steering committee co-chairs, framed it directly: “Until we fix this problem, WordPress remains vulnerable.”

The project has received mixed but broadly positive reception. Some see it as an essential insurance policy. Others worry about fragmentation in a community already under strain. But its existence represents something unprecedented in WordPress’s 22-year history: a serious, well-resourced, technically credible effort to build infrastructure that doesn’t depend on a single person’s goodwill.

What bloggers and publishers should take from this

If you run a WordPress site, you might reasonably wonder whether any of this affects you directly. The honest answer is: it already has, and it might again.

The access block demonstrated that WordPress.org — the infrastructure your site depends on for plugin and theme updates — can be weaponised in a commercial dispute. If your hosting provider ends up on the wrong side of a future disagreement, your site’s ability to receive updates could be disrupted overnight.

That’s not a reason to abandon WordPress. It’s a reason to think about resilience. Practically, that means understanding that your site’s update infrastructure has a single point of failure and that alternatives like FAIR are being built to address it. It means paying attention to which plugins you depend on and whether they’re maintained by entities that could be caught in governance disputes. And it means considering, when evaluating hosting providers, whether they’ve taken steps to ensure update continuity independent of WordPress.org.

More broadly, the Mullenweg-WP Engine conflict is a case study in what happens when a platform’s governance doesn’t keep pace with its scale. WordPress powers roughly 40% of the web. Its governance structure was designed for a project a fraction of that size, led by a founder whose interests were assumed to align with the community’s. That assumption held for two decades. When it stopped holding, there were no mechanisms to absorb the shock.

For anyone who builds on open-source platforms — not just WordPress, but any project where infrastructure is maintained by a small number of people with outsized control — the lesson is worth internalising. The question isn’t whether the people in charge are trustworthy. It’s whether the system works when they’re not.

Lachlan Brown

Lachlan is the founder of HackSpirit and a longtime explorer of the digital world’s deeper currents. With a background in psychology and over a decade of experience in SEO and content strategy, Lachlan brings a calm, introspective voice to conversations about creator burnout, digital purpose, and the “why” behind online work. His writing invites readers to slow down, think long-term, and rediscover meaning in an often metrics-obsessed world. Lachlan is an author of the best-selling book Hidden Secrets of Buddhism: How to Live with Maximum Impact and Minimum Ego.
