Matt Mullenweg Personally Owns the Update Servers for Half the Internet. The WordPress Single Point of Failure

Court filings from 2026 show exactly how that control got weaponized against a competitor. Here's what it means if your business runs on WordPress.

By Jim Walker · June 9, 2026
The Control Point: One person personally owns the domain, update servers, and plugin directory that 43.5% of the internet depends on.

The Setup

One person personally owns the domain, the update servers, and the plugin directory that 43.5% of the entire internet depends on.[1,2] Not a nonprofit. Not a foundation with a board and bylaws. One guy. And unsealed court filings from February 2026 show he already used that control to try to demand money from a competitor's business.[1]

IMHO, this is the biggest infrastructure blind spot in tech right now. When you host on AWS, you know you're renting from a corporation that answers to a board and shareholders. You understand the risk model. WordPress is different. Because the software is open source, everyone assumes the infrastructure around it is some kind of public good. It isn't. The update servers, the plugin directory, the domain itself: all personal property of one man.

Here's what happened, what's still happening, and what you need to know before you spend another dollar on a WordPress-dependent business model.

Why I Wrote This

I've been in the WordPress "business" long enough to know what a single point of failure looks like. I've watched companies bet everything on infrastructure they assumed was unbreakable. And I watched this story unfold over two years while most of the industry looked the other way. So I dug into the court filings and the public record. This is what I found.

The Target List

Friends, Would-be Friends, and Charlatans: Automattic's internal classification system for the WordPress hosting ecosystem.

Internal Automattic emails show this went way beyond trademark protection. The company built a tiered classification system for every major WordPress host, and your tier decided whether you got a partnership or a lawsuit.[1,4]

The internal directive for charlatans: "we should steal every single WP site that they host."[4]

That's not a trademark dispute. That's a protection racket running on open-source infrastructure.

WP Engine landed in the charlatan tier. They were pulling $400+ million a year hosting WordPress sites without cutting Automattic in on the revenue. So Automattic started using the dot-org repository, the plugin directory, and the update servers as weapons.[1]

The Stripe Call

During an active lawsuit, Automattic's CEO contacted Stripe directly to demand they terminate WP Engine's account.

Days after the lawsuit kicked off in October 2024, Mullenweg called a senior executive at Stripe.[1]

The ask: cancel any contracts or partnerships with WP Engine. The threat: Automattic would pull its own Stripe business if Stripe refused.[1,4]

Sit with that for a second. This isn't a legal filing. This isn't a trademark cease-and-desist. This is one CEO trying to cut a competitor off from their payment processor while a lawsuit is already in court. The filings treat it as economic interference.[1,5] Hard to argue with that characterization.

The Alignment Ultimatum

The Alignment Offer: Nine months severance, four hours to decide. 159 people walked.

In late 2024, Automattic handed their own staff an ultimatum: back the CEO's war on WP Engine or take a buyout.[6,7] They called it the "Alignment Offer." Nine months of severance, and a four-hour window to decide.[8]

159 people walked.[9]

These were not junior developers grinding through ticket queues. The people who left included the WordPress Executive Director, the Head of WordPress.com, and the Principal Architect for AI.[9,10] These are the people who kept the project's community infrastructure running. When they walk, the institutional knowledge walks with them.

Automattic has since hired replacements. But a decade of ecosystem experience doesn't get rebuilt in a few months. The project you depend on got weaker, and nobody sent out a press release about it.

The Plugin Takeover

The ACF Incident: Automatic updates replaced a WP Engine plugin with an Automattic version, without user consent.

Advanced Custom Fields (ACF) is one of the most widely installed WordPress plugins on the planet. WP Engine owns it. In October 2024, Mullenweg had his security team fork it, rename it "Secure Custom Fields" (SCF), and swap the ACF listing in the WordPress.org plugin directory with their version.[11,12]

If you were running ACF, you got an automatic update that quietly replaced the WP Engine plugin with the Automattic version. No notification. No consent.[3,14] Multiple technical analysts called it a supply-chain attack on the plugin directory's trust model.[15]

Believe me, this one matters. The entire security model of the WordPress plugin directory depends on a basic assumption: the person running the directory won't use automatic updates to replace plugins they don't like with their own code. That assumption got tested in October 2024. It failed.

The Counter-Argument: Tragedy of the Commons

Let's be honest about Automattic's side of this. They have a real point about open-source survival.

WP Engine was pulling an estimated $400 million a year from WordPress. Their contribution back to the core project? About 40 hours a week, compared to Automattic's 4,000.[11] Mullenweg called it a tragedy of the commons: a private equity-backed company extracting massive value from a shared resource while leaving everyone else to maintain it.

Automattic also argued that WP Engine's heavy use of "WP" and "WordPress" in their branding confused customers into thinking they were buying an official product.[11] Their position: if you're making hundreds of millions off open source, you either pay a trademark fee or contribute real developer time.

Those are fair arguments about how open-source projects stay alive. If one company extracts half a billion dollars from a project and gives nearly nothing back, that project eventually starves. Automattic correctly identified a real crisis in open-source funding. They just chose to solve it by weaponizing their unchecked personal control over the internet's infrastructure.

Why This Is Bigger Than WordPress

History Rhymes: The railroad crash of 1873 wiped out thousands of businesses. The tracks survived. WordPress is in its governance crash phase.

What follows are my personal thoughts on the matter.

WordPress is the foundation of today's Internet. 43.5% of all websites. It did for publishing what the railroads did for movement, what fiber did for communication: it collapsed the cost of doing something that used to be expensive and hard.

Every infrastructure boom follows the same pattern. Capital floods in, the market builds like crazy, someone tries to monopolize the chokepoint, the crash comes, but the infrastructure stays. The railroad crash of 1873 wiped out thousands of businesses. The tracks survived. The 2001 fiber crash destroyed stock portfolios. The cables stayed in the ground.

WordPress is in the governance crash phase of this cycle. The software is fine. The gatekeeper is the problem. And right now, the gatekeeper is trying to collect tolls on tracks the entire community laid down together.

The $32M Demand

The Royalty Demand: 8% of gross revenue, against industry rates of 4-6%, designed to drain a competitor, not protect a brand.

Before the lawsuit, Mullenweg demanded 8% of WP Engine's gross revenue as a trademark license.[1,11] WP Engine's annual revenue runs around $400 million. That puts the ask at roughly $32 million a year.[1]

Industry-standard trademark royalties sit between 4% and 6%.[17,18] Eight percent on a name that's been used descriptively for two decades? That's the top of the market, bordering on punitive. The court filings argue the number was designed to drain a competitor, not protect a brand.[1,18,19]

For context: Automattic reported $710 million in total revenue for 2024.[1,16] A $32 million annual payment from WP Engine would have added 4.5 points to that number. This was about revenue.

Ownership vs. Foundation

Personal Ownership: WordPress.org (the domain, update servers, and plugin directory) belongs to one person, with no board, no oversight, and no removal mechanism.

In October 2024, Mullenweg told The Verge directly: "WordPress.org just belongs to me personally."[1,2]

The domain. The update servers. The plugin repository. All of it. Half the web runs on infrastructure that one person owns, with no board, no oversight structure, and no mechanism to remove him from control.[1,20]

Yes, the WordPress Foundation exists. It holds the trademarks. But it doesn't control the servers. It doesn't control the directory. It doesn't control the update mechanism. One person does. And you've now seen what he does with that control when he's angry at a competitor.

The Contribution Weapon

98.9% Reduction: Automattic's weekly WordPress core contributions dropped from 3,988 hours to 45 hours in early 2025.

In early 2025, Automattic showed exactly how much leverage they hold over the code itself. They slashed their weekly contributions to WordPress core from 3,988 hours down to 45.[1,22,23] That's a 98.9% cut. Not a budget trim. A near-total withdrawal.[5,21]

Security patches stalled. Accessibility fixes sat in queues. The roadmap slipped.[24,21] Even if contribution levels eventually recover, the message was clear: if the ecosystem won't play by Automattic's rules, Automattic will stop maintaining the ecosystem's code.

That's what happens when one company sponsors the majority of core development and controls the infrastructure. When they get angry, every site owner running WordPress pays for it.

The Legal Reckoning

The WP Engine lawsuit is grinding through discovery right now.[3,25] A jury trial is on the calendar for June 2027.[3,25] A consumer class action is also moving forward, with site owners arguing that blocking WordPress.org access caused direct financial harm to their businesses.[26,27,28]

Discovery has already surfaced the "steal every WP site" emails, the Stripe calls, and the target lists. More internal documents will come out. Whatever a jury eventually decides, the public evidence already tells a clear story. The trial will determine whether weaponizing open-source infrastructure is legal. That's a completely different question from whether it's right.

What You Should Do Now

If your business runs on WordPress, you have a single-point-of-failure problem at the infrastructure layer. Here's how you manage it.

  1. Audit your update dependencies immediately. Stop guessing which plugins pull from WordPress.org. If you use WP-CLI, run this to get a clean list of everything installed and where it came from:
    wp plugin list --fields=name,status,update,version,auto_update,update_package
    The ACF situation proved automatic updates can be weaponized. You need to know exactly what's pulling code into your servers.
  2. Lock down business-critical plugins. If a plugin runs your checkout, your user data, or your core functionality, don't leave it on auto-update from infrastructure controlled by one person. Manage those updates manually.
  3. Document your exact versions. If the directory gets interfered with again, you want to know exactly what you're running so you can restore from a known-good backup.
  4. Watch the upcoming trial. The outcome will determine how much legal protection you actually have when infrastructure owners abuse their control.
  5. Pressure the foundation. The WordPress Foundation should legally own and control the update servers. It doesn't. That's the only governance fix that matters. If you care about this ecosystem, that's the conversation you need to push.
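
The audit in steps 1 to 3, as an added example (not code from the original article, WordPress, or WP-CLI): it parses the JSON that `wp plugin list --format=json --fields=name,title,version,auto_update,update_package` is assumed to emit and flags critical plugins left on auto-update, drift from a recorded baseline, and a plugin whose title changed under the same slug, which is what the ACF incident looked like on disk. The sample rows, version numbers, `example-*` plugins, baseline, and URLs are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample (versions and URLs are made up) of the output of:
#   wp plugin list --format=json --fields=name,title,version,auto_update,update_package
WP_CLI_JSON = """[
 {"name": "advanced-custom-fields", "title": "Secure Custom Fields", "version": "1.0.1",
  "auto_update": "on", "update_package": "https://downloads.wordpress.org/plugin/advanced-custom-fields.zip"},
 {"name": "example-checkout", "title": "Example Checkout", "version": "2.1.0",
  "auto_update": "on", "update_package": null},
 {"name": "example-forms", "title": "Example Forms", "version": "1.4.2",
  "auto_update": "off", "update_package": "https://updates.vendor.example/example-forms.zip"}
]"""

# Known-good record (step 3) and the plugins treated as business-critical (step 2).
BASELINE = {
    "advanced-custom-fields": {"title": "Advanced Custom Fields", "version": "1.0.0"},
    "example-checkout": {"title": "Example Checkout", "version": "2.1.0"},
    "example-forms": {"title": "Example Forms", "version": "1.4.0"},
}
CRITICAL = {"advanced-custom-fields", "example-checkout"}
WPORG_HOSTS = {"downloads.wordpress.org"}


def audit(plugins, baseline, critical):
    """Return sorted (plugin, finding) pairs for anything that needs attention."""
    findings = []
    for p in plugins:
        slug, known = p["name"], baseline.get(p["name"])
        if known is None:
            findings.append((slug, "not in baseline"))
        else:
            # Same slug, different plugin title: the listing was swapped underneath you.
            if p["title"] != known["title"]:
                findings.append((slug, "identity changed under same slug"))
            if p["version"] != known["version"]:
                findings.append((slug, "version drift"))
        if slug in critical and p["auto_update"] == "on":
            findings.append((slug, "critical plugin on auto-update"))
        # update_package is empty when no update is pending, so this only
        # identifies the source of updates that are currently queued.
        host = urlparse(p.get("update_package") or "").hostname
        if host in WPORG_HOSTS:
            findings.append((slug, "pending update served by WordPress.org"))
    return sorted(findings)


if __name__ == "__main__":
    for slug, finding in audit(json.loads(WP_CLI_JSON), BASELINE, CRITICAL):
        print(f"{slug}: {finding}")
```

Regenerate the baseline only after a reviewed, manual update, and keep it outside the web root so a compromised plugin cannot rewrite it.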

The open-source software is still excellent. The community is still shipping great code. But the delivery infrastructure belongs to one person who just spent two years proving exactly how he'll weaponize that leverage.

My take? Take some time to audit your exposure. Your risk may vary...

Frequently Asked Questions

Is WordPress.org actually owned by one person?

Yes. Matt Mullenweg stated publicly in October 2024: "WordPress.org just belongs to me personally." That includes the domain, the plugin directory, and the update servers that deliver patches to hundreds of millions of websites.

The WordPress Foundation is a separate legal entity but does not control the servers or the plugin repository. The foundation holds the WordPress and WordCamp trademarks, but the infrastructure is personal property.

What was the ACF plugin takeover, and why does it matter?

In October 2024, Automattic forked Advanced Custom Fields (a WP Engine-owned plugin), renamed it Secure Custom Fields, and replaced the ACF listing in the WordPress.org plugin directory. Existing ACF users received a silent automatic update that replaced the plugin without consent.

It matters because the entire trust model of the plugin directory rests on the assumption that the directory operator won't weaponize automatic updates. That assumption was tested and failed.

What is the "8% royalty" and why is it controversial?

Before filing suit, Automattic demanded 8% of WP Engine's gross revenue as a trademark license fee, roughly $32 million per year based on WP Engine's ~$400M revenue. Industry standard royalty rates run 4-6%. The court filings argue the 8% figure was designed to financially drain a competitor, not to protect a legitimate trademark interest.

What should WordPress site owners do right now?

Audit which of your plugins receive automatic updates from WordPress.org. Document exact plugin versions and their source repositories. Consider plugins with self-hosted update mechanisms for anything business-critical. Monitor the WP Engine trial; its outcome will define the legal boundaries of infrastructure owner power in open-source ecosystems.

Is WordPress still safe to use?

The software itself is fine. The community continues to ship good code. The risk is at the infrastructure governance layer: one person's personal ownership of the update and distribution infrastructure, with no oversight mechanism. That's a concentration of control worth understanding before you build your business on top of it.

Research and References

"Start with a thesis, research all current articles on the subject, then write from source."