Latest Posts

The GPL and nulled plugins

Published by Richard Best

When a leading proponent of open source says something about the GPL, people notice

When one of the world’s leading proponents of open source software and the GPL makes pronouncements of what the GPL does and does not allow, many people will have a look and some may take it on blind faith to be correct. It’s pretty important, therefore, that what such proponents say about the GPL is in fact correct.

On 1 November, one of the world’s leading proponents of open source software and the GPL said this (the second paragraph is referring to litigation in the Netherlands by, it seems, Automattic and WooCommerce, against Festinger Vault):

“A quick followup on my prior conversation with Theo.

During that chat, I talked briefly about a trademark infringer that was also distributing nulled plugins. I said “Not illegal. Legal under the GPL. But they weren’t changing the names. They were selling their customers Pro Plugins with the licensing stuff nulled out.”

I want to be clear that my reference to legality and GPL was solely focused on the copying and modifying of the code. That is one of the key freedoms of open source and GPL: the right to copy and modify GPL code.

I was not speaking about their right to charge money for nulled plugins. GPLv2 prohibits that because they aren’t providing physical copies or support. This is very different from reputable web hosts, who provide hosting and support for websites and e-commerce stores.”

Pronouncements need to be correct

From a GPL perspective, if someone purchases pro plugins, and then removes the likes of licence activation key processes, and then charges a fee for access to them, that is okay in relation to the modification and distribution of the software. As long as the requirements of the GPL continue to be met, it is not a breach of the GPL. The main requirements are:

  • Copying and distribution: You may copy and distribute the program as long as you comply with some copyright notice and disclaimer requirements. Those requirements are that you publish on each copy an appropriate copyright notice and disclaimer of warranty, keep intact all notices that refer to the GPL and the absence of any warranty, and give recipients a copy of the GPL along with the program. (Section 1)
  • Modifications / derivative works: You may modify the Program or any part of it and distribute the modifications or new work as long as modified files contain notices regarding the existence and date of changes and any work that you distribute that contains or is derived from the Program or any part of it is licensed as a whole at no charge to all third parties under the GPL. (Section 2)

GPLv2 does not prohibit people charging money for access to nulled plugins, at least if – by ‘nulled’ – we are only talking about things like removing licence activation key processes (but not removing GPL licensing statements etc).

The statement in clause 1 of GPL v2 that “you may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee” does not prevent a seller of nulled plugins from charging a fee for digital access to them.

Importantly, the reference to “physical copies” was not intended to refer only to something we can touch in the physical world, like ‘distribution in a physical medium only’. It was intended to cover digital transfers and downloads as well. This is clear from footnote 41 at pages 11-12 of the Free Software Foundation’s document “GPLv3 Second Discussion Draft Rationale”.

In the GPLv3, the language was changed to make this clear:

“You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.”

In this context, note that many plugins are licensed under ‘GPLv2 or any later version’. For these plugins there would, therefore, be nothing to stop an onseller/reseller from relying on the GPLv3 wording instead of the GPLv2 wording. (That’s not necessary, but they could if they wanted to.)

Important caveats

This doesn’t mean that people can onsell/resell pro plugins in any way they like. This was the main point I think Matt was making in the interview with Theo, specifically in relation to trademarks.

I addressed the important caveats in a post in 2015 “Readers ask: About reselling commercial plugins (updated)”. That’s a long post that discusses various topics, but the key points for present purposes were these:

“The short version is this: if the plugin in question is 100% GPL-licensed then, yes, that would be permissible under the GPL. This is one of the freedoms that the GPL confers on recipients of GPL’d software. However, the person who … changes the code and sells it, would need to be careful:

    • to comply with the GPL’s notice and other requirements;
    • not infringe any trademark (if one exists) or other branding rights;
    • not pass off any relationship with the original plugin developer or its business that doesn’t exist;
    • not breach any fair trading laws that might apply in the person’s country; and
    • not infringe any copyright in non-code files that accompany the plugin that are not under the GPL (e.g., help files), if that is in fact the case.”

The 2015 post included discussion with some leading theme and plugin shops of the practice of people reselling their commercial themes and plugins. If you’re interested in that general topic, you might want to take a look.

Why was the post published?

At first I didn’t understand why the post I’ve quoted was published. I am speculating here, but my guess is it was published in the light of what’s happening in the case in the Netherlands against Festinger Vault. I cannot verify the accuracy of this, but the founder of Festinger Vault has said in an announcement post that they have been subject to an “ex-parte ruling that imposed overwhelming financial penalties of $25,000 per day”, forcing them to temporarily suspend their services. Festinger Vault is challenging Automattic and WooCommerce’s claims, and in that context has said:

“A relevant part of our defense is that Automattic’s CEO admitted publicly in a video interview that Festinger Vault’s activities are “legal under the GPL.” Yet, despite this, they continue to use their trademark claims to try to silence us.”

It appears from an update announcement “that the second short hearing on lifting the ex-parte ruling of $25k per day is scheduled for November 27th, 2024.”

It will be interesting to learn more about this in late November or December.

To avoid doubt, I am not making any comment in this post on what appear to be Automattic and WooCommerce’s trademark-related claims against Festinger Vault. I am only commenting on the statement in the blog post about the GPL.

The “not affiliated” checkbox and the GDPR

Published by Richard Best

TL;DR

The punchline of this post is that the operator(s) of WordPress.org may, through the “I am not affiliated…” checkbox, be breaching Europe’s General Data Protection Regulation (GDPR), and that is something of which the board of Automattic ought to be aware. Let me explain.

The “not affiliated” checkbox

As is well known across the community, on or around 8 October, the login screen on WordPress.org was amended to look like this (originally it linked to the WP Engine lawsuit, but that was subsequently removed):

Application of the GDPR

First of all, there is a strong argument that the operator(s) of WordPress.org are subject to the GDPR in relation to their processing of EU residents’ personal data through WordPress.org. For example, there are localised versions of WordPress.org translated into the languages of some EU member states (e.g., de.wordpress.org/) and so services are being actively offered to EU residents, and the WordPress.org privacy statement appears to have been written on the assumption the GDPR applies.

Personal data processing through the checkbox

Under the GDPR, “personal data” is any information relating to an identified or identifiable natural person. Large numbers of WordPress.org users are identifiable through the usernames or email addresses they use to log in for developer access or to access the forums. Information as to whether such a person is not affiliated with WP Engine in any way, financially or otherwise, can be considered “personal data” about that person.

Requiring EU residents to click the “I am not affiliated with WP Engine in any way” checkbox amounts to the processing of personal data about those residents (and the login with this checkbox is appearing in European member states — I’ve checked). MM was asked whether the checkbox value is stored and he said no, but others dispute that (e.g., “‘it’s not being stored’ is bullshi[*], as logins get logged and a check is required for login, so it is being stored”). Regardless of whether the specific checkbox value is being stored, the fact remains that, from the date the mandatory checkbox was implemented, every single person whose login screen has that checkbox and who logs into WordPress.org having clicked the checkbox can be taken to have clicked the checkbox and so, in this way, personal data is being processed.

Under Article 5(1) of the GDPR, personal data shall be “processed lawfully, fairly and in a transparent manner”, “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”, and “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

Under article 6, processing shall be lawful only if and to the extent that at least one of the grounds listed in article 6(1) applies. There are six grounds which can be summarised as:

  • consent
  • necessary for the performance of a contract
  • necessary for compliance with a legal obligation
  • necessary to protect the vital interests of the data subject or another natural person
  • necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

There is a strong argument that none of these grounds applies. One might argue that the ‘legitimate interests’ ground applies but, in my view, in all the circumstances surrounding the checkbox, any such argument would be weak and probably fail.

I note, in this context, that the argument that WP Engine is attacking WordPress.org, that as a result WP Engine no longer has free access to WordPress.org’s resources, and that that justifies inclusion of the checkbox, is weak. So far as public attacks are concerned, the incontrovertible fact is that MM attacked WP Engine first, not the other way around. WP Engine’s cease and desist letter and, later following further attacks, its lawsuit, were in response to the attack upon it. In any case, and bearing in mind the ambiguity around the wording of the checkbox, there is no obvious reason why the operator(s) of WordPress.org needed to prevent all people with any kind of ‘affiliation’ with WP Engine from logging in, in order to prevent WP Engine itself from having free access to, or benefitting from others’ free access to, WordPress.org’s resources. People might have some loose affiliation with WP Engine that could not have any bearing on the ability of WP Engine itself to access or benefit from others’ access to WordPress.org resources.

Sure, as the owner/operator of the WordPress.org website, MM is able to deny WP Engine staff, contractors, and investors access to WordPress.org, but it does not follow from that that MM is able, in substance, to obtain an item of personal data (‘I am not affiliated with WP Engine’) from every single identifiable person who logs in to WordPress.org. Doing so is simply not necessary for the purposes of MM’s interests, even if they could be described as ‘legitimate’.

Breaches of the GDPR

There is a strong argument, therefore, that — in relation to EU (and UK) residents — collecting/processing this item of personal data is contrary to the GDPR. (It may also be contrary to the privacy laws of some other jurisdictions.)

It is also arguable that article 13 of the GDPR is being breached, because no information is provided at the point of collection as to “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing” and other matters listed in article 13. The generic information in WordPress.org’s general privacy policy predates the checkbox, does not refer to it, and so does not clearly apply to it.

It is noteworthy that the owner/controller of WordPress.org is also the CEO of Automattic which is a clear competitor to WP Engine and a named defendant in the lawsuit in relation to which the checkbox is said to be a response. One assumes members of Automattic’s board are aware of and willing to accept the GDPR-related risk (on the basis that, in substance, it is a controller or joint controller). If I was a board member, this is not a risk I would willingly accept, but obviously that’s not a call for me.

Not legal advice and no attack on WordPress.org

Nothing in this post should be construed as legal advice. If any reader needs legal advice, they should consult a lawyer in their own jurisdiction. And to avoid doubt, I am not attacking WordPress.org or those who run it, regardless of what they may perceive. WordPress.org is awesome and for nearly two decades those behind it have been on a pedestal in my mind, revered for all they’ve achieved. But at some point, users’ privacy rights need to be respected, and enough has to be enough. Whilst one person may own and control the WordPress.org website, in substance it is the home for large parts of a global ecosystem. I suggest that foisting unreasonable requirements on members of that ecosystem, many of whom have helped make WordPress what it is today, needs to stop.

The ACF>SCF ‘fork’ and legal risk

Published by Richard Best

What the…

Just when the community thought things couldn’t get more disruptive – because they’re already mighty disruptive – they have. Automattic’s CEO has forked (or purported to fork) the incredibly popular Advanced Custom Fields plugin on the WordPress.org plugins repository, calling the new version ‘Secure Custom Fields’. Advanced Custom Fields is a WP Engine plugin (WP Engine acquired it from Delicious Brains in 2022), so no surprises as to why he has done this.

Freedom of speech

Before I proceed, let me say something of freedom of speech.

I anticipate (rightly or wrongly) that MM/Automattic’s defence to some of the allegations against it in WP Engine’s court filing will be premised on first amendment / freedom of speech grounds. Fair enough.

By contrast, we are seeing people in the WordPress community, who are exercising their right to freedom of speech to comment on what they’re seeing unfold, being shut out of WordPress.org communities, Slack groups, and Twitter/X feeds, or otherwise being spoken to with hostility, even when they are trying to help. That doesn’t sit well with WordPress.org’s Community Code of Conduct.

I have thought long and hard about whether to publish this post, because I fear I will be shut out too. I hope that won’t happen and I would encourage those who may not like this post to consider the questions I’m raising openly and non-defensively. Until recently, WordPress has been a large village of sorts where people help each other out. That can include pointing things out that perhaps not even lawyers closely enmeshed with client strategy have considered.

In that vein, one might look at the issues I’ve raised as not only being risks, but risks that are capable of being mitigated.

Key facts

Here are what appear to be the key facts:

1. Announcement: On 12 October, MM released a post on WordPress.org stating:

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.

This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

(I understand at least some members of the WordPress security team were unaware of this development.)

2. Minimal changes: It seems clear that minimal changes have been made to ACF. The changelog says this:

Changelog

6.3.6.2

Release Date 12th October 2024

  • Security – Harden fix in 6.3.6.1 to cover $_REQUEST as well.
  • Fork – Change name of plugin to Secure Custom Fields.

3. No new and separate listing or repository:

Ethics

Regardless of what the GPL may allow (more on that below), people are and will be questioning the ethics of this so-called fork, despite what they may feel about WP Engine’s level of contribution to the community. We’re not talking here about a small plugin that was in dire need of updates. We’re talking about one of the most popular plugins in the ecosystem with 2 million+ users, a long and trusted development history behind it, and trusted developers maintaining it.

I’ve been using WordPress since 2005 and, in that time, I’ve felt there’s an unwritten (and non-legal) rule in the WordPress community which can be summarised as: ‘don’t do this sort of shi*, regardless of what the GPL allows’. Indeed, that unwritten rule is one of the reasons people frown on so-called GPL vaults, that take and resell pro/commercial plugins.  Imagine the furore if, say, Rocket Genius were to take Restrict Content Pro and relabel and sell it as something else. It could (assuming RCL is 100% GPL), but Rocket Genius would never do anything like that.

Putting ethics to one side, though, what kinds of objections might the lawyers have? Can it be said this is all kosher because the GPL allows anyone to make a fork? Well, no, in my view it’s not that simple… . I’ve set out some initial thoughts below but I don’t mean to present them as definitive. Instead, I’ve pitched my thoughts as questions for consideration.

Legal risk

So, what might be wrong with this in legal terms?

One can certainly argue that the invocation of guideline 18 of the WordPress Plugin Directory Guidelines is unconvincing but I’m not going to dwell on that because, at the end of the day, MM controls WordPress.org and so, arguably, has the power to remove and replace a plugin if he wants to (subject perhaps to promissory estoppel arguments to the contrary but I’m not sure how strong/weak they’d be under US law). However, that power and how it’s exercised has its limits, because applicable laws still apply.

These are the questions I would be asking if I were the owner of a plugin that suffered this fate:

1. Is this actually a ‘fork’ and, if not, what might the consequences of that be?

If a repository operator takes a third party’s existing codebase which that third party put in the repository and is actively maintaining and developing, and takes control of and changes that actual codebase rather than duplicating it in a separate repository (or sub-repository) and then modifying it, is that a true fork and, if not, is it permitted by the GPL?

The GPL allows you to “modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work” as long as certain conditions are met. Whilst MM/WordPress.org permitted WP Engine and earlier owners of ACF to have ACF hosted on WordPress.org, arguably that did not make the version on WordPress.org ‘MM’s copy’ or ‘WordPress.org’s copy’. Arguably it was the official third party source. If that is right, has MM/WordPress.org ‘modified their own copy’? I cannot answer this decisively as there are some technical details I’m unaware of and arguments can be made both ways, but you see the point right? If MM/WordPress.org have not modified their own copy, then questions of copyright infringement may arise. I emphasise, though, that I cannot express a decisive view on this issue and, if there is a risk here, there’s probably a way for MM/WordPress.org to mitigate it.

2. Is trademark infringement occurring?

‘Advanced Custom Fields’ and ‘ACF’ are clearly trademarks. They don’t have to be registered to be protected by law. WP Engine has registrations pending but the marks still have legal protection in the interim. Whilst MM has changed the plugin name to SCF (certainly a required move), ‘ACF’ and ‘advanced-custom-fields’ are still being used throughout the SCF listing and in the downloaded source code. Whether this would be enough to constitute trademark infringement would likely depend on whether the use of the marks is occurring ‘in commerce’ (taking all the context into account, arguably it is despite the fact that SCF is a free plugin ) and is (to summarise) ‘likely to cause confusion, or to cause mistake …’. I don’t have enough information to comment further on that.

One might note in this context, though, that guideline 17 in the Detailed Plugin Guidelines states:

17. Plugins must respect trademarks, copyrights, and project names.

The use of trademarks or other projects as the sole or initial term of a plugin slug is prohibited unless proof of legal ownership/representation can be confirmed. For example, the WordPress Foundation has trademarked the term “WordPress” and it is a violation to use “wordpress” in a domain name. This policy extends to plugin slugs, and we will not permit a slug to begin with another product’s term.

For example only employees of Super Sandbox should use the slug “super-sandbox,” or their brand in a context such as “Super Sandbox Dancing Sloths.” Non-employees should use a format such as “Dancing Sloths for Superbox” instead to avoid potentially misleading users into believing the plugin was developed by Super Sandbox. Similarly, if you don’t represent the “MellowYellowSandbox.js” project, it’s inappropriate to use that as the name of your plugin.

Original branding is recommended as it not only helps to avoid confusion, but is more memorable to the user.

At the moment, SCF is using the ACF slug: 


3. Has there been a breach of copyright in the ACF plugin listing?

If, as it appears, the SCF plugin listing is the same as the prior ACF listing but with names and acronyms switched, there is an argument (how strong I’m not sure) that WP Engine’s copyright in the listing (itself an original copyright literary work) has been infringed. There are no terms of use on WordPress.org that permit this to occur. A plugin owner clearly grants an implied licence to the operators of WordPress.org to use its listing content for the purposes of describing the plugin in the listing, but it is not clear that the operators can copy that listing content and use it more or less verbatim when making a purported ‘fork’.

The counter-argument is that the bulk of the plugin listing comes from the readme.txt file bundled with the plugin and that, the argument runs, is captured by the plugin’s GPL licensing and so can be reproduced.

I won’t seek to resolve those competing arguments here but I do note that the readme file content is only a subset of the content in the WordPress.org plugin listing and associated support forum. For example, none of the answers to the support requests over the years by the owners of ACF are covered by the GPL licence and there’s an argument that the implied licence to WordPress.org to publish them is limited to the support provided in connection with the ACF plugin itself and not a fork.

4. Misleading conduct in commerce?

The name given to the ‘fork’ (Secure Custom Fields), together with the first paragraph of the release post and a later statement in the post that the “update is as minimal as possible to fix the security issue”, might be considered by some as a misleading implication that ACF is not sufficiently secure.

Automattic had (publicly)-notified a security issue with ACF which WP Engine promptly fixed. That fix was implemented before any announcement of the SCF ‘fork’, and the SCF changelog simply says “harden fix in 6.3.6.1 to cover $_REQUEST as well”. This, as I understand it, can only be described as minimal, and certainly not of any magnitude to warrant a fork on security grounds.

Any argument that this has nothing to do with commerce would probably be weak, because the announcement post on WordPress.org states:

“Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”

That paragraph seems to betray the real reason for what’s happening here. Security does not seem to be the driving reason. Rather, the fork stems from the fight with WP Engine which, in my view, is undeniably occurring in a commercial context.

Whether the security-related implication (assuming others see that) would fall foul of applicable fair tradings laws is something for local lawyers to assess.

Chess anyone?

My final thought for now is that, to some extent, this feel likes the next move in a somewhat intense game of chess. As we know, chess is a game in which one looks many steps ahead to predict one’s opponent’s next moves. Litigation lawyers will know full well what one such next move might be, but MM/Automattic’s lawyers will already have predicted that… .

Postscript

In this post I have intentionally not discussed possible causes of action that plugin users or WP Engine may have in relation to, for example:

  • having software on their websites auto-updated without their consent to a purported fork which could change over time at the hands of different developers and which now has different functionality (i.e., no commercial upsells);
  • having their sites break as a result of such auto-updated changeover; or
  • in the case of WP Engine, having a substantial user base diverted to SCF (through auto or manual updates), resulting in potential lost commercial opportunity in relation to upsells and the loss of an avenue through which to communicate with a large ACF user base.

Looking at the WordPress ecosystem as feudal in nature

Published by Richard Best

The audio above is an interactive discussion of the post below, created by Google’s awesome new Notebook LM. It’s not quite 100% accurate of what I say below, but it’s pretty close.

We have no entitlement to WordPress

The first thing to get out of the way, before descending into feudalism, is that we have no entitlement to WordPress. Three forces may combine to give people a sense of entitlement, but the truth is something different.

The three forces

The three forces are the GPL, longevity, and community:

  • Force 1 – the GPL: Anyone who gets their hands on a copy of WordPress can do whatever they want with it as long as they comply with the terms of the GPL (and don’t do anything that, properly construed, infringes the WordPress trademarks). They can turn features off and on, host it as a SaaS offering, fork it, etc. That’s the beauty of the GPL.
  • Force 2 – longevity: When people have been using WordPress for so long, and with so many free benefits, it’s natural perhaps to develop a feeling of ‘WordPress will always be there when I want it’. For theme and plugin developers and WordPress hosts, that includes access to WordPress.org, despite the fact that – until very recently – many of us (myself included) had not appreciated that one person owns and funds WordPress.org.
  • Force 3 – community: The third and perhaps even more significant component of this is that, given that WordPress is truly the fruits of so many individual labours (most notably, but not only, the tireless work of core developers from around the world) and that it floats within such an enormous ecosystem, the sense of community can be akin to being part of a wave that’s carrying everyone along in unison.

Entitlement

These combined forces – the GPL freedoms, the longevity of WordPress, and the enormous community on which it surfs – can morph into a sense of entitlement. I am not using the word ‘entitlement’ in a negative or pejorative sense. I simply mean that people may think they have a right to it, including a right to developer access to WordPress.org and server-to-server access to WordPress.org. To my mind, it’s completely understandable for people to have acquired some sense of entitlement (not in a bad way, just in a ‘I have every right to this like everyone else’ kind of way).

There is no entitlement

However, the reality is that, for 99 point something % of the population, ongoing use of WordPress is a privilege, to which we have no entitlement. In practical terms, the GPL freedoms make no difference to that. Why? Because the vast majority of the global population is simply not in a position to maintain the WordPress core, to fork WordPress into something else, to maintain the themes and plugins on which they rely, to identify security risks and patch them, or to replicate the functionality of WordPress.org on which we’ve all come to rely.

And so, the vast vast vast majority of us remained privileged. Not entitled. We are akin to serfs in a feudal system. Those who till the land may contribute to its upkeep, but most of them are serfs nevertheless.

The resemblance to feudalism¹

I mean no offence in using the analogy, but the governance of WordPress can be considered feudal in nature. It began at the hands of someone with a benevolent vision who, through toil and sacrifice, created something that, in a very real sense, would change the world, and over time and through that toil and sacrifice, he would become king and assemble a close group of lords (in this sense, the king was self-made through conquest, rather than a product of ascendence, but let’s ignore that for now). To maintain that power, he needed support. Skilled developers and others came to his aid, and the fruits of that support is free access by anyone in the world to the software created by the king and those who have rallied around him to support his vision.

At the end of the day, though, nearly all of us but the king and his lords are serfs, and we have no real power over the thing on which we have come to depend: WordPress. We are allowed to live on the land of WordPress, but it is not truly ‘ours’, we have no contractual right to its upkeep, and we face ongoing risk of the privilege being withdrawn or of being taxed for ongoing receipt. There’s zero complaint or criticism here. It’s just fact.

From feudalism to democracy

If we cast our minds back in history we remember that, over time and as a result of various factors, feudalism would come to be replaced with a more democratic way of life. The factors prompting change included:

  • Growth of trade and commerce: As trade expanded during the late Middle Ages, urban centres grew, and a new class of wealthy merchants and artisans emerged. This middle class (the bourgeoisie) gained economic power and began challenging the dominance of the feudal lords.
  • Decline of feudal land ownership: The feudal system was built on a land-based economy, with nobles controlling lands and serfs working them. The Black Death and agricultural changes reduced the population, leading to a labor shortage that weakened the manorial system. Serfs gained more bargaining power, and in some cases, even abandoned feudal obligations altogether, moving to cities where wealth was not tied to land.
  • Magna Carta and early legal reforms: Documents like the Magna Carta (1215) limited the power of kings and granted certain rights to nobles, sowing the seeds for broader legal and political frameworks that emphasised individual rights and rule of law.
  • The Renaissance: Beginning in the 14th century, the Renaissance sparked a renewed interest in classical Greek and Roman ideas, including those about governance and citizenship. Humanism promoted the idea that individuals had value and should participate in public life.
  • The Enlightenment: In the 17th and 18th centuries, Enlightenment thinkers such as John Locke, Jean-Jacques Rousseau, Montesquieu, and Voltaire began promoting ideas like liberty, equality, and popular sovereignty. Locke’s social contract theory argued that legitimate governments derive their authority from the consent of the governed, challenging the idea of divine-right monarchy and autocratic rule.
  • War: Wars and revolutions occurred.
  • Communications: The printing press and communication networks came into being.
  • End of feudal loyalties: As centralised monarchies and nation-states emerged, loyalty shifted from local feudal lords to the nation-state. This created an environment where broader political participation (through parliaments and assemblies) became possible, setting the stage for modern democracy.

Some similarities

Returning now to the MM/Automattic-WPEngine controversy, there are some interesting similarities:

  • Trade and commerce involving WordPress has soared. It has changed people’s economic fortunes, others have developed careers out of it, and entire industries have sprung up to support it.
  • At the same time, and despite its huge uptake (40+% of websites on the Internet), numerous competitors chomp at WordPress’ heals, giving the serfs far greater choice which, if exercised in ways involving a departure from WordPress, would result in a decline of the feudally-governed territory.
  • War has broken out between MM/Automattic and WP Engine. It is not the first such war, but it is the most serious to date and, if steps are not taken to quell it, things could get quite bloody (metaphorically speaking).
  • As a result of that war, people are asking for clearer rules, advance notice, no surprises, limits on expulsion, and community buy-in. Given the communication channels at our fingertips, these ideas are circulating quickly, and far and wide. What might happen? A Magna Carta of sorts springs to mind.
  • The storm is sparking a renaissance of sorts, in that people are coming to appreciate the importance of participation in the public life of WordPress, while also standing up for what they believe to be right or wrong. Obviously that is a good thing.

Will we see enlightenment?

The question that arises, then, is whether some kind of WordPress-related enlightenment is on the horizon, one that involves:

  • more distributed governance arrangements or advisory input;
  • a greater willingness on the part of some of the larger players to contribute more;
  • an agreed set of rules relating to the likes of community contribution; and
  • a legally accurate and balanced policy on trademark usage for significant commercial entities playing in the WordPress sandpit and on which the community is given an opportunity to comment (including more clarity around nominative fair use).

Such enlightenment could even include agreement between the current warring parties to mediate their differences, in the interests not only of their respective businesses but, just as importantly, the wider WordPress ecosystem on which they both rely for their survival. That would take honesty, humility, and maturity on both sides. Gaslighting would need to cease, the needs and interests of the community would need to be respected, and extreme positions would need to be dropped (and yes, we can see extreme positions on both sides). It’s easy for parties to a relationship to fight. Recognising the need for repair and taking steps to repair is harder.

Is there any chance for enlightenment? Who knows. Your guess is as good as mine. But if the answer is no, the current war will continue at great cost to both sides, many may revolt (including by leaving for more peaceful places or forking which, in my view, is in no one’s interests), loyalties will erode, and a reduction in territory may well occur. If that happens, the greatest irony will be that the very thing the current war sought to achieve as articulated at WCUS, namely, ‘survival and thriving of the commons’, may stand to be irreparably damaged by it.

Footnotes

¹ I appreciate there are some weaknesses in the analogy. For example:

  • Community collaboration: Unlike feudal systems where upward mobility was nearly impossible, the WordPress ecosystem allows for significant contribution from anyone willing to invest time and effort. Open-source projects thrive on community collaboration, which is somewhat at odds with the rigid class structures of feudalism.
  • Economic dynamics: Feudal economies were land-based and involved obligatory services and taxes. In contrast, the WordPress ecosystem operates in a digital economy with voluntary contributions and a mix of free and commercial activities. This difference might weaken the economic parallel between the two systems.
  • Legal and ethical frameworks: Modern open-source projects are governed by licenses like the GPL, which promote freedom and sharing—concepts that are fundamentally different from the restrictive and hereditary nature of feudal laws.
  • Role of competition: The presence of alternative platforms and the ease of forking open-source projects introduce competitive pressures absent in feudal societies. This competition can empower “serfs” in ways that weren’t possible historically.

Automattic’s trademarks post vs other ‘WordPress hosting’ providers

Published by Richard Best

Introduction

On 3 October 2024, an Associate General Counsel at Automattic published a useful post on “WordPress Trademarks: A Legal Perspective”.

The post is useful for a few reasons, including because it acknowledges, I believe for the first time during the current controversy, the role of nominative fair use. And so, in that sense, it contributes to the community’s understanding of Automattic’s take on the trademark issues. I have been saying for a while now that nominative fair use would likely be a central issue in any trademark litigation between Automattic and WP Engine. WP Engine’s court filing confirms that.

Why I have written this post

I have written this post because Automattic’s positions on:

  • trademark infringement in its cease and desist letter to WP Engine; and
  • nominative fair use in the post referred to above,

are potentially significant for large numbers of other WordPress hosting providers (excluding WordPress.com). As a long-time user of WordPress, it concerns me that such an important topic is not being more openly discussed by other lawyers, particularly US trademark lawyers (I am only aware of one US lawyer openly discussing these issues, in a live streamed format rather than in blog posts or articles).

Usually trademark disputes would, at least at first, be addressed in private between the trademark owner or exclusive licensee and the entity accused of trademark infringement, and more often than not other entities would not be affected by the dispute. But what we’re seeing here is quite different. We have a particularly public and potent set of allegations against one WordPress hosting provider that is potentially relevant to hundreds if not thousands of other WordPress hosting providers around the world (as well as other WordPress-related businesses who preface descriptions of their offerings with ‘WordPress’). I appreciate that Automattic’s CEO has said that only WP Engine is in the firing line and that Automattic has no beef with any other hosting provider, but other WordPress hosting companies may well be asking questions, if not feeling a measure of concern.

So this post is written with those other hosting companies in mind. It is not written for the purpose of taking sides with WP Engine or Automattic.¹

Nominative fair use

On nominative fair use, the post by Automattic’s Associate General Counsel says this:

“What about users of WordPress software?

In the bundle of sticks that is the WordPress trademarks, users of WordPress software have a twig of rights as well, called nominative fair use. This means users have the right to refer to genuine WordPress software by name. (Genuine WordPress software comes only from a WordPress Foundation- or Automattic-approved repository.) For example, they are allowed to say: “I built a website with WordPress.”

The right to nominative fair use has clear limits under the law: it doesn’t include logos and it does not include the right to use the WordPress marks in a manner that suggests one is offering a product or service that comes from WordPress or is officially affiliated with WordPress. For example, calling a service “WordPress Hosting” would not be nominative fair use because it makes many people think it is a hosting service offered by WordPress. By contrast, offering “Hosting for websites built on WordPress software” would not lead anyone to think the hosting service itself is offered by WordPress. Thus, calling a service “Hosting for websites built on WordPress software” would be fair use of the WordPress marks.”

Commentary

I agree on the basis of US materials I have reviewed that including logos is generally not covered by nominative fair use (and one can add that copying logos without permission can also amount to copyright infringement in the form of unauthorised reproduction of an artistic work). It’s also correct, in my view, to say that nominative fair use “does not include the right to use the WordPress marks in a manner that suggests one is offering a product or service that comes from WordPress or is officially affiliated with WordPress”.²

The sentence I would like to focus on is this:

“For example, calling a service ‘WordPress Hosting’ would not be nominative fair use because it makes many people think it is a hosting service offered by WordPress.”

Note the choice of words: “calling a service” rather than, for example, “describing a service as”. What exactly did Automattic’s Associate General Counsel have in mind when saying this? If he meant giving a hosting service the business name of ‘WordPress Hosting’, without qualification, then yes, that might (depending on all the circumstances) create the level of confusion or perceived affiliation required for trademark infringement. Using someone else’s trademark in the name of one’s business is generally a ‘big no no’ (despite the existence of some cases where this has been held not to infringe, as in a case involving the business name ‘Independent Volkswagen Porsche Repairs’).

However, in the WordPress hosting community, phrases like ‘WordPress Hosting’ and ‘Managed WordPress’ are not being used as business names. They are being used in the context of describing the services offered by the hosting provider, referable to the WordPress software. I am not saying this would always be covered by nominative fair use and therefore never be capable of giving rise to trademark infringement. And indeed, the risk-averse and prudent approach may be to avoid the risk of confusion or perceived affiliation by using the alternative kinds of statements to which the Associate General Counsel has referred (e.g., ‘Hosting for WordPress websites’) and/or clear disclaimers.

But, and I think this is the important point, one cannot make an absolute statement that using phrases like ‘WordPress Hosting’ would necessarily fall outside of nominative fair use and amount to trademark infringement. Trademark owners and exclusive licensees are able to control uses of their trademarks to the extent that those uses would, without permission, amount to trademark infringement, but they are not in a position to state rules as to what does and does not amount to nominative fair use. That is a matter for the courts and the application of legal principle to the facts surrounding a given use of a trademark. One cannot make absolute statements in relation to business names and, even more so, one cannot make absolute statements in relation to descriptors. Context is everything.

Now, I need to emphasise that the Associate General Counsel has not said that using phrases like ‘WordPress Hosting’ would necessarily fall outside of nominative fair use. Instead, as noted above, his sentence uses the words “calling a service ‘WordPress Hosting’ would not be nominative fair use”.

What concerns me is the particular choice of words (“calling a service …”) together with the absence of qualification when discussing phrases like ‘WordPress Hosting’. Some people may read the post as meaning that Automattic takes an absolute stance against the use of terms like ‘WordPress Hosting’ to describe hosting services for WordPress. Despite the Associate General Counsel’s choice of words, that would not be an unreasonable thing to infer. However, as I’ve said, context is everything. Context might include historic use of terms like these throughout the WordPress hosting community and, more significantly, context would include words and site get-up surrounding terms like ‘WordPress hosting’ (if any) that make it clear that the hosting service is not provided or endorsed ‘by WordPress’ (or Automattic).

It’s important to remember that this whole discussion goes to the question of confusion. As the United States Patent and Trademark Office notes, “[t]rademark infringement is the unauthorized use of a trademark or service mark on or in connection with goods and/or services in a manner that is likely to cause confusion, deception, or mistake about the source of the goods and/or services.”

If the context surrounding one’s use of terms like ‘WordPress hosting’ makes it clear to people that the hosting service is not provided ‘by WordPress’ (or Automattic, in the form of WordPress.com) and that there’s no affiliation or endorsement, then the element of actual or likely confusion may not exist and the nominative or referential or collateral use of ‘WordPress’ might be okay.

No legal advice

To be clear, I am not giving legal advice here to anyone. If any particular WordPress host (or other WordPress business) is concerned that it may be infringing the WordPress trademarks, or faces allegations that it is infringing, then it would be its responsibility to consult a US trademark lawyer if it requires legal advice. The only point I’m trying to make in this post is that the application or non-application of nominative fair use is not as simple and clearcut as Automattic’s post may be taken to suggest. Context matters, and it needs to be taken into account.

Footnotes

¹ If Automattic, or any US trademark lawyer (not acting for Automattic or WP Engine), disagrees with anything I’ve said in this post and would like me to consider amendments, feel free to let me know. I’m happy to consider them with an open mind.

² I take the reference to ‘WordPress’ in this statement to be a reference to the official WordPress project or perhaps the WordPress Foundation. ‘WordPress’ alone is not a legal entity. It would be helpful for Automattic to clarify what it means by ‘WordPress’ when stating ‘that comes from WordPress’ or ‘is afficially affiliated with WordPress’. I suggested this on X in response to Automattic’s announcement of its blog post but, to date, there has been no clarification.

WP Engine changes use of trademarks on its website

Published by Richard Best

Question from a reader

I had decided to end my posts on the Automattic-WP Engine saga but, following changes by WP Engine to its website in response to the trademark infringement allegations against them, a reader has asked for my views on why it has done this.

First things first

The first thing to note is that I have no contact with WP Engine on this and so my thoughts are opinion only. I could be wrong.

The changes

The changes WP Engine has made include:

  • changing the hero text from “We power the freedom to create on WordPress” to “We power the freedom to create”
  • changing the text underneath the hero text from “Build, power, manage and optimize extraordinary WordPress, WooCommerce and headless sites with the world’s #1 platform” to “Build, power, manage, and optimize your WordPress¹, Headless and WooCommerce¹ sites with the #1 hosting platform” (with the footnote ¹ linking to the disclaimer set out below)
  • changing the text “The most trusted WordPress platform” to “The most trusted platform for WordPress”
  • removing phrases like “Managed WordPress Platform” and “Essential WordPress Hosting”
  • changing the phrase “The Most Trusted WordPress Hosting Platform” to “The Most Trusted Hosting Platform for WordPress”
  • changing the term “Headless WordPress” to “Headless Platform”
  • changing “Powered by the Most Trusted WordPress Platform” to “The Most Trusted Platform for WordPress”
  • changing “Expert WordPress Support” to “Expert Support for WordPress”
  • changing the terms it uses for some of its hosting plans, i.e., from “Essential WordPress” to “Essential”, from “Core WordPress” to “Core”, and from “Enterprise WordPress” to “Enterprise”; and
  • added new disclaimer text:

“¹ WP Engine is a proud member and supporter of the community of WordPress® users. The WordPress® trademark is the intellectual property of the WordPress Foundation, and the Woo® and WooCommerce® trademarks are the intellectual property of WooCommerce, Inc. Uses of the WordPress®, Woo®, and WooCommerce® names in this website are for identification purposes only and do not imply an endorsement by WordPress Foundation or WooCommerce, Inc. WP Engine is not endorsed or owned by, or affiliated with, the WordPress Foundation or WooCommerce, Inc.”

Likely reasons

The most likely and perhaps obvious reason for the changes is to reduce WP Engine’s level of trademark infringement-related risk, and almost certainly it will have done so after taking legal advice. Despite the likelihood that WP Engine and many other hosts have (rightly or wrongly) been using the word ‘WordPress’ as a shorthand way of describing their services, rather than using longer phrases like ‘Hosting for WordPress’, changing the expressions and adding the fuller disclaimer in the way WP Engine has done will likely lower its level of risk based on US case law, and doing so can be seen as a tangible response to address at least some of MM/Automattic’s concerns.

The goal will have been to reduce the risk of confusion in the minds of consumers, including the risk of consumers perceiving an affiliation with or endorsement by the likes of the WordPress Foundation, Automattic Inc, or WooCommerce Inc.

Some may say things like “Look, this is a concession by WP Engine, so clearly they were at fault!”. I make no comment on that. However, we need to appreciate that WP Engine will have found itself in a situation where it had been using WordPress-related terms for a long time and in a way commonly deployed across the industry and which, until a week or so ago, had not created the controversy that recently befell it (or at least not publicly).

So, for example, as I write this, GoDaddy is still using terms like:

  • Managed WordPress Basic
  • Managed WordPress Deluxe
  • Managed WordPress Ultimate
  • WordPress Hosting
  • WordPress Ecommerce Hosting
  • WordPress Premium Support
  • WordPress Experts.

Similarly, DreamHost uses terms like:

  • WordPress Basic
  • WordPress Business
  • Managed WordPress
  • WooCommerce Hosting.

WP Engine has changed terms like these and added a pretty clear disclaimer.

An issue for WP Engine, unlike these other hosts, is that WP Engine has been put on very clear and public notice that neither Automattic Inc nor WooCommerce Inc accepts WP Engine’s usage of the WordPress and WooCommerce trademarks in the ways it had been using them, and is claiming it is infringing the WordPress and WooCommerce trademarks. Once WP Engine is put on notice to this effect, any reliance on the likes of a past implied licence or non-enforcement of the trademarks or reliance on a particular interpretation of the WordPress Trademark Policy might be perceived as going out the window, and so WP Engine will be acting prudently to lower its level of risk. This doesn’t necessarily mean it won’t make arguments around past non-enforcement or the like if taken to court, but continuing to use terms and phrases that are now the subject of infringement claims could be considered less than prudent, especially when lower risk terms and phrases can be used.

Changing terms like “Managed WordPress” to something like “Managed Hosting for WordPress” can be seen as distancing WP Engine from a direct use of the WordPress mark, reducing the risk that consumers will think the service is officially offered or endorsed by WordPress or Automattic or that there is an affiliation with them.

Whilst WP Engine might argue nominative or referential fair use (because it’s offering hosting services for WordPress), to avail itself of that defence it still needed to only use so much of the mark as is necessary to describe its own services, and to ensure that the usage didn’t imply endorsement or affiliation. I am not expressing a view on whether it was implying anything but, by adjusting the language to emphasise that its service is independent of and not endorsed by WordPress and WooCommerce, it may better align with the requirements of nominative fair use as outlined in the likes of New Kids on the Block v. News Am. Pub., Inc., 971 F.2d 302 (9th Cir. 1992) and later cases and reduce the risk of falling foul of the WordPress Trademark Policy.

Interesting questions

Three interesting questions arise:

First, from a trademarks perspective, will the changes be enough for Automattic Inc and WooCommerce Inc? If they are not enough, presumably Automattic Inc and WooCommerce Inc will make that known (whether publicly or directly to WP Engine).

Second, to what extent will the changes do anything to bridge the deep divide that currently exists between MM/Automattic and WP Engine (which concerns more than alleged trademark infringement)? For my part, I doubt these changes alone will be enough. In addition to the issue of ‘giving back’, I’m getting the feeling from things that have been said that there are things under the public surface that have not been said. Pure speculation on my part but the jigsaw puzzle still seems to be missing some pieces.

Third, will other hosting companies like GoDaddy and DreamHost follow WP Engine, so as to lower their risk, or will they willingly enter licensing deals with Automattic Inc and WooCommerce Inc, or will they do nothing and expose themselves to risk? Whilst I understand it has been made clear to those and other hosts that only WP Engine is in the public firing line, logically, if Automattic (as exclusive commercial licensee of the WordPress trademark) and WooCommerce Inc (as owner of the Woo and WooCommerce trademarks) take action against WP Engine then, for the purposes of consistency of enforcement or other reasons, it could do the same against other hosts. I suppose that might depend on whether any particular host exceeds an enforcement threshold or criteria that Automattic appears to have set internally but, in the absence of knowing what that threshold is or receiving assurance from Automattic, we may see some other hosts taking steps to reduce their own risk.

All that said, who knows what may be happening behind closed doors or how deep the rabbit hole goes. I do not.

An invitation

If Matt or WPEngine would like me to add comment from them on the subject-matter of this post, feel free to get in touch.

I am not a US trademark lawyer, but…

Published by Richard Best

I can read

I am not a US trademark lawyer. I am, however, a lawyer who has practised in three jurisdictions, and I know how to read.

I remain of the view that, if Automattic’s infringement claims were to go to court, nominative fair use would be one of the central issues, coupled with issues relating to confusion and alleged attempts to suggest a relationship with Automattic/WordPress.com, as well as other potential defences (on which I express no firm view). Novel issues may arise as well.

In an earlier post, I proffered my preliminary view that much of the asserted trademark infringement might be categorised as nominative fair use. I should, perhaps, have said more, including that whether that defence is available would depend on a number of factors, including what each party is able to establish to the required standard (Automattic in relation to the elements it needs to establish for its claim, and WP Engine in relation to defence elements it needs to establish).

Some points

I do feel reasonably confident in making these points, but US lawyers can shoot me down if they disagree:

1. MM/Automattic is referring to 15+% confusion that WP Engine is or has an association with WordPress or Automattic or WordPress.com (I’m not sure which) to reflect the level of confusion that some courts have said is necessary for an actionable trademark infringement claim in a case like this. I cannot comment on whether the survey that has been done is reliable and acceptable evidence (I simply don’t know), but that kind of level of confusion might be required for Automattic’s infringement claims to succeed. Matt has been quite open about that. Automattic says that level of confusion exists. That is an issue of fact that would need to be established.

2. The ‘WP Engine is not WordPress’ statements are most probably being made to defeat nominative fair use arguments. The reason for that, I understand (from an article from an expert US trademark and open source lawyer), is that “[f]or the defense to apply, the trademark use must be in reference to the original product, not as a name for the infringing product” (that is, an altered version of the original). “[T]he owner of the trademark for free and open source software is well within its rights when it does not allow others to label their newly-created versions with the same mark” (PS Chestek, “The Uneasy Role of Trademarks in Free and Open Source Software: You Can Share My Code, But You Can’t Share My Brand” (2012) 102(4) The Trademark Reporter, 1028, at 1039-1040). MM/Automattic says WP Engine has materially altered the release version(s) of WordPress. WP Engine appears to deny this, stating it installs the released zip file and merely turns off revisions (and, I imagine, that doing that and the likes of turning off news and events feeds is essentially nothing more than common configuration). If this matter were to go to court, technical evidence would need to be adduced to make a determination on this issue. I don’t know the answer.

(The WooCommerce/Stripe issue might be relevant to the issue above in relation to the WooCommerce trademark infringement claim, but it doesn’t seem relevant to the WordPress trademark infringement claim.)

3. If Automattic could not establish the ‘WP Engine is not WordPress’ argument, that would not of itself resolve the question of whether everything that has happened can be defended on the basis of nominative fair use. The availability of that defence would still need to be considered in the usual way by reference to the elements that need to be established (and exactly how it would be determined might depend on the court circuit in which the case is heard).

4. If the nominative fair use defence is not available, WP Engine would likely need to consider other potential defences. I would rather not attempt to wade into them here, or express any view on them. I have alluded to one before but I do not have enough information to express a view on whether it would succeed.

5. There is a difference in what Automattic can do with the WordPress trademark as exclusive commercial licensee versus what other commercial enterprises who are not sublicensed can do, even when the nominative fair use defence applies. The exclusive commercial licence from the WordPress Foundation to Automattic is, in essence (the actual wording is longer), as follows:

‘an exclusive, sublicensable right and licence to use and otherwise exploit the trademarks identified in Exhibit A [i.e., ‘WORDPRESS’ trademarks in multiple jurisdictions] in connection with the hosting of blogs and websites that utilise any version or component of WordPress or in connection with www.wordpress.com and www.wordpress.tv (each and collectively, together with any subdomains of any of the foregoing, “Automatic Sites”), providing support for the Automatic Sites, and/or substantially similar uses in connection with the Automatic Sites’

On my reading of this, if WordPress.com’s version of WordPress were not the same as an official release version of WordPress (and I’m not saying it is), one could not really argue against Automattic that its use of ‘WordPress’ in association with WordPress.com is problematic. This is because Automattic can use the trademark “in connection with the hosting of blogs and websites that utilise any version or component of WordPress or in connection with www.wordpress.com“. By contrast, if another and non-sublicensed WordPress host were to provide customers with an altered version of WordPress, Automattic might argue that the reference to ‘WordPress’ is not to actual shipped ‘WordPress’ and so that even if, theoretically, nominative fair use may be a runner for some, it is not a runner for a web host who does that. In other words, and repeating a point above, nominative fair use could be limited to hosts who do nothing to materially alter WordPress as shipped (and assuming the elements of the defence can be established).

To be clear, I am not suggesting this difference is ‘bad’. It’s just a consequence of the rights the trademark protects and that an exclusive licensee has, versus the rights that a non-sublicensed competitor does not have and the limits of a defence it might rely on to avoid liability.

Hopefully these points are a bit more illuminating than what I’ve said in previous posts, and perhaps a bit more balanced.

Further reading

For those who really want to explore such issues further, you might want to take a look at these discussions of US law:

(Yes, I’ve been reading quite a lot about US trademark law.)

To be clear, I have not been seeking to influence any particular outcome with my posts, and I agree that whatever is best for the WordPress community is the desirable outcome. The problem is that, on the facts of what’s happening, I’m not sure what that is. I won’t explore that further here. I have been surprised by what has happened and have sought to explain what I see and think, in an attempt to help flush things out, but that is all. If MM/Automattic think anything I’ve said is palpably wrong, let me know and, if I agree, I’ll amend it.

(Updated 1 October 2024)

Dear WP Engine…

Published by Richard Best

A letter, of sorts

Dear WP Engine

I am a long-time customer. I moved my sites to WP Engine a long time ago, and have built many sites since, due to (among other things) the security you offer (and after a site that was up-to-date was hacked on another company’s inferior hosting due to a server issue). For a range of reasons, I liked the service you provide, and I still do. Having used WP Engine for so long, I don’t want to shift off it and, unless the current problems get worse and impact site availability or performance, I have no plans to do so.

Many of your customers will be aware of your cease-and-desist response to the attack on WP Engine at WCUS (personally I think it’s fair to characterise it as an ‘attack’), of Automattic’s response asserting trademark infringement, of the block on WP Engine having server-to-server access to WordPress.org, and of today’s temporary lifting of that block. I’m mindful, though, that the lifting of the block is only until “October 1, UTC 00:00”.

I, and probably many other customers, have some questions please:

1. Is WP Engine working on a permanent workaround or alternative solution to the WordPress.org block and, if so, what is it?

2. Does it make sense to put an alternative solution in place or, bearing in mind the number of sites you host, might WP Engine negotiate a WordPress.org access arrangement with WordPress.org/Automattic? Would that be preferable for the purposes of community cohesion? This could be structured in a way to avoid perceptions of subordination. For example, if WP Engine’s use of WordPress.org resources is disproportionately high as Matt appears to contend, it could be explained in other ways, including community contribution.

3. If WP Engine were to enter into such an arrangement, might it contribute to WordPress.org/Automattic’s thinking as to how all hosts with annual profit (not revenue) over a certain amount, or who otherwise place high resource demands on WordPress.org, might contribute to the running costs of WordPress.org? It would be odd for WP Engine to be subject to such an arrangement if others with similar demands on WordPress.org resources were not.

4. Have you considered creating a full listing of all your various contributions to the community (that someone cannot attack as mere marketing), perhaps using the three-part categorisation suggested by Brian Coords?

5. Have you considered trying to mediate a longer-term solution with MM/Automattic, one that addresses the complaints they’ve raised but without conceding fault and with an agreed communications plan?

6. Have you considered treating the current situation as an opportunity, not in terms of conceding you’ve done anything legally wrong, but in terms of offering to assist with the kinds of governance arrangements that Joost has suggested (not necessarily in a voting capacity, but in the form of assisting with set-up, having a trusted member like Brian Gardner on the advisory board, assisting with a Secretariat, etc)? This won’t sound palatable right now, I’m sure, but – to my mind – WP Engine has some great people within it that the community trusts and respects. Might other opportunities rise up from the ashes of the current fallout?

7. You obviously have very good lawyers backing you up. In addition to having them defend you, are you instructing them to assist you with constructive solutions (none of my business, I know)? For example, looking forward, might it be possible to divert a fractional percentage of customers’ yearly hosting plan fees into a ‘Pooled WordPress Community Fund’, perhaps up to a capped annual sum, and allow your staff or your customers to vote periodically on how that pooled fund is spent?

8. Overall, are you proposing to release further communications to your customers about what’s happening and what lies ahead? I suspect many of us would like to know.

Not a real letter of course

I imagine you are considering all these issues and more. Needless to say, I do not expect you to respond publicly to this post or directly to me, and of course I appreciate that, from the perspective of customer retention, this is a delicate situation. It’s delicate for a whole host of reasons, including the fact that it’s unprecedented in the world of WordPress, and because litigation (regardless of who brings it) would be time-consuming, costly, deepen rifts, and pose risks to both parties. As an example of the risks, WP Engine might succeed in litigation, but what impact might the existence of proceedings and the evidence that would need to be adduced by both sides have on customers and the wider community? The same applies to Automattic. For WP Engine, I can see how challenging this is when many customers will have divided loyalities, for despite everything that has happened, we would not have WordPress, or it would not be what it is today, if it weren’t for the decades of actions and financial contributions of Matt and Automattic (while not for one second overlooking all core contributors). I appreciate there are limits to the goodwill that can reasonably be attached to those contributions, but they are undeniable and so must be taken into account.

Thank you

As always, thank you to both MM/Automattic and WP Engine for the services you provide. From my perspective as someone who has used WordPress since 2005 and WPEngine for well over a decade, you’re both key players in the WordPress ecosystem.

With any luck, this will be my last post on this overall topic. Then again, who knows what might happen tomorrow…

The ‘WordPress’ trademarks and the classes of activity they cover

Published by Richard Best

The WordPress trademarks

With all this talk of Automattic, WP Engine, and trademarks, I thought it might help to share a table I’ve created that lists the WordPress trademarks, when they were registered, the goods and services or classes of activity they cover, the original owner, the current owner, and whether there have been any ‘assignments’ (transfers and the like). All information comes from the United States Patent and Trademark Office. Here it is (the text of the exclusive licence to Automattic is set out after the table):

* The licence was (get ready for some legal verbiage):

“an exclusive, fully-paid, royalty-free, perpetual, irrevocable, worldwide, sublicensable right and licence to use and otherwise exploit the trademarks identified in Exhibit A [attached to the transfer], and any and all related or similar names, marks, designs, domain names, and other rights (excluding www.wordpress.org, www.wordcamp.org and www.wordpressfoundation.org), along with all associated applications, registration and goodwill (the “Trademarks”), in connection with the hosting of blogs and websites that utilise any version or component of the WordPress open source publishing platform product or open source successor of any of the foregoing on or in connection with www.wordpress.com and www.wordpress.tv (each and collectively, together with any subdomains of any of the foregoing, “Automatic Sites”), providing support for the Automatic Sites, and/or substantially similar uses in connection with the Automatic Sites. This licence is subject in all respects to that Trademark Donation, License and Security Agreement, by and between Licensor and Licensee, effective as of June 7, 2010.”

That legal verbiage can be shortened to: an exclusive, sublicensable right and licence to use and otherwise exploit the trademarks identified in Exhibit A in connection with the hosting of blogs and websites that utilise any version or component of WordPress or in connection with www.wordpress.com and www.wordpress.tv (each and collectively, together with any subdomains of any of the foregoing, “Automatic Sites”), providing support for the Automatic Sites, and/or substantially similar uses in connection with the Automatic Sites.

Exhibit A (headed ‘Schedule A’), was as follows:

Other trademarks owned by the WordPress Foundation

The WordPress Foundation also owns trademarks for ‘OPENVERSE’, ‘BUDDYPRESS’, ‘WP-CLI’, ‘WORDCAMP’, and has applications pending for ‘bbPRESS’, ‘MANAGED WORDPRESS’, and ‘HOSTED WORDPRESS’. The applications for ‘MANAGED WORDPRESS’, and ‘HOSTED WORDPRESS’ were filed in July 2024.

WooCommerce trademarks

WooCommerce Inc owns trademarks for ‘WOO EXPRESS’, ‘WOOEXPERT’, ‘WOOCOMMERCE’ (word mark and logo mark), ‘WOOCOMMERCE PAYMENTS’, ‘WOO’ (word mark and logo mark), ‘and WOOCOMMERCE STOREFRONT’. It also has applications pending for ‘HOSTED WOO’, ‘WOOPAY’, ‘WOO PARTNER’, ‘MANAGED WOO’, ‘WOOPAYMENTS’, and ‘WOO’ (additional classes of activity). The pending applications were filed in May 2022 (‘WOOPAY’), June 2023 (‘WOOPAYMENTS’), November 2023 (‘WOO PARTNER’), January 2024 (‘WOO’), and March 2024 (‘HOSTED WOO’ and ‘MANAGED WOO’). Until checking, I hadn’t appreciated the number of trademarks owned or applied for by WooCommerce Inc.

WP Engine’s trademarks

Note also that WP Engine owns a range of trademarks: ‘WPENGINE’ (logo mark), ‘WP ENGINE’ (word mark), ‘PRESS AHEAD’, ‘EVERCACHE’, ‘GENESIS’, ‘TORQUE’, ‘ATLAS’, ‘VELOCITIZE’, ‘FROST’, ‘FAUST.JS’, ‘WP Migrate DB’, ‘WP Offload’, ‘FLYWHEEL’, and ‘STUDIOPRESS’. It has applications pending for ‘ACF’ and ‘ADVANCED CUSTOM FIELDS’, and for a couple of variants of its logo. Note that, with WP Engine owning ‘WP ENGINE’ trademarks, any argument that the name ‘WP ENGINE’ infringes ‘WORDPRESS’ trademarks seems bound to fail.

Hope this helps people’s understanding.

From cracks in the attack on WP Engine to a roundtable

Published by Richard Best

Hats off

Hats off to Matt. Despite all the heat in the community at the moment, yesterday he turned up on ThePrimeTime for an interview with ThePrimeagen to talk about the controversy. What’s more, he did that when – clearly – he was pretty exhausted.

Seven things

To my mind, some of the things he said are quite telling or otherwise warrant comment. I want to focus on seven of them.

1. Confusion over ‘WP’

When asked about the recent change in the WordPress Trademark Policy (see WordPress Foundation changes Trademark Policy to criticise WP Engine) and why there had been a change to the previous statement about ‘WP’ not being protected by the trademarks and people being able to use ‘WP’ however they want, he said:

“It still says that. So you can still use WP. You can, like I said, WP beginner, there’s lots of WP plugins. There’s lots of WP things. Just how they [WP Engine] were doing it is an egregious violation of trademarks. And as a trademark holder, you know, Automattic … owns a commercial trademark, they can choose who to go after.”

Let’s be clear. There is no trademark over ‘WP’. Owning (or, actually, having exclusive licensed rights) to ‘WordPress’ trademarks does not legally entitle Automattic to have a crack at anyone it likes who happens to be using ‘WP’. This assertion really muddies the waters.

2. Infringement okay if you’re giving back

Matt said:

“So if someone was using WP in a way that wasn’t, you know, causing harm, or maybe they’re using ‘WP’ or ‘WordPress’, but they’re also giving back to the community. Awesome. By the way WP Engine had the option in the deal I offered them. They could pay a trademark fee or they could pay that in salaries and hourly and hours of contributions or any combination.”

To me this betrays a haphazard approach to trademark enforcement. In substance, on Automattic’s view of what the trademarks enable them to do, it suggests trademark infringement is okay as long as the infringer is giving back to the community.

3. Inconsistency with cease and desist letter

Referring again to WP Engine, Matt said:

“They’ve done so little and been so successful. They built a half a billion a year business. And if you have to ask yourself, how did they build it? It’s partially on the backs of confusion with the WordPress trademark, which is what we’re trying to ask them to stop and why they’re fighting so hard to not do it.”

One can contrast this with the hyperbole in the cease and desist letter from Automattic’s lawyers to WP Engine and Silver Lake:

“WP Engine’s entire business model is predicated on using our Client’s trademarks.”

4. Trademark leveraging

When asked whether there’s a requirement for WP Engine to give back, Matt said:

“What’s a requirement? You know, is there a law that says you have to give back? No. There is a law that says you can’t violate the trademark. So that’s, that’s the law that we’re using to try to encourage them to give back.”

Is this a telling statement? Is this fight truly about trademark infringement, or is trademark law simply be used as a lever or threat to encourage (it might be more accurate to say ‘require’) WP Engine to give back to the community at a level that is acceptable to Automattic?

5. Uncharitable stab at Local

Referring to WP Engine’s provision of Local (which it purchased some time back at part of the Flywheel acquisition), Matt said:

“You know, they have this, they actually have a cool thing called Local, but if you look at Local, it just sells WP Engine hosting. Like, it’s not like … something they do as a charity for the community.”

I used Local before WP Engine bought Flywheel (which developed Local). Local Pro used to be priced at $20 per month. Following the acquisition, WP Engine made Local Pro available to everyone for free. And yes, Local does promote hosting with WP Engine, but its use is not dependent on that and it’s still a really helpful tool.

What has been said of Local could equally be said of Jetpack. They both promote paid offerings.

6. WordPress from WP Engine ‘the same thing you get from all the other hosts’

When talking about being able to get WordPress from other hosts, Matt said:

“What you get from them [WP Engine] is WordPress. It’s, by the way, it’s the same thing you get from all the other hosts. So you can get this from Bluehost or other places. So, um, and I encourage people to explore some of these other hosts because again, WordPress will work better and they all give back to the community.”

This, to me at least, is telling. The statement that ‘what you get from [WP Engine] is WordPress’, and that it’s the same thing you get from the other hosts, is starkly at odds with the post on WordPress.org and repeated assertions on X that ‘WPEngine is not WordPress’ and that what WP Engine provides is a bastardisation of WordPress. Those latter statements seem crafted with trademark infringement arguments in mind. The statements in the interview are, to my mind, more accurate.

As an aside, it also seems unlikely that all other WordPress webhosts in the world give back to the community.

7. Only one trademark licensing deal with other hosts

Matt was asked repeatedly as to whether other WordPress hosts are pursued for, or have, trademark licensing deals. To my eyes and ears, there was no clear answer to that question, other than this:

“So there’s a number of hosts that we recommend on WordPress.org. So there’s, you can assume all of those are very good relations. And I think I’ve said publicly before that Newfold Digital, which owns a bunch of hosts like HostGator, Bluehost, and other things, … they actually have a commercial license to the WordPress trademark, so they’re allowed, just like Automattic is, to use WordPress in a more commercial way. They can call things WordPress plans. They can use WordPress in their advertising, stuff like that.”

According to the updated WordPress Trademark Policy, Newfold is the only sublicensee. Newfold owns Bluehost and Hostgator, but it doesn’t own the other hosts recommended on WordPress.org, namely, Hostinger and DreamHost. According to the WordPress Trademark Policy, these companies are not sublicensees. However, let’s look at how their websites use ‘WordPress’:

  • Dreamhost uses terms like ‘Unbeatable WordPress Hosting’, ‘WordPress Plans’, ‘WordPress Basic’, ‘Managed WordPress Experience’, VPS WordPress’, ‘WordPress Hosting Plans’, ‘WordPress Business’, ‘WordPress Specialized’ (support), ‘WooCommerce Hosting’, ‘Make Selling Easier with WooCommerce + DreamPress’. They also use the Woo logo and the WordPress logo, both of which – I understand – are difficult to justify under the descriptive or normative use defence.
  • Hostinger uses terms like ‘Managed WordPress Hosting’, ‘Hosting built for WordPress’, ‘Standard WordPress acceleration’, ‘Advanced WordPress acceleration’, and ‘WooCommerce hosting’. They too use the Woo logo and the WordPress logo. And unlike WP Engine, their WooCommerce hosting page does not mention that WooCommerce is an Automattic product, nor that Automattic holds the WooCommerce trademarks.

I make these comments not to point any finger at these hosts, because their language is fairly standard across the WordPress hosting industry, and arguably a good deal of their use falls within descriptive or nominative fair use or could be defended under the laches doctrine. I make them because, in relation to the assertions of trademark infringement, it shows just how inconsistent Automattic is being in singling out WP Engine. Matt has even said this:

“I would say that every other web host in the world we have no beef with, by the way, and that none of them, all of them can, their servers can access WordPress.org servers. WordPress works just fine on every other web host in the world. This is very singular to WP Engine…. I’m fine with all of those. Those things are, they’re all… fine with all of them.”

In addition to Dreamhost and Hostinger, this must include the likes of hosts called ‘WPX’, ‘EasyWP’, ‘WPWebHost’, ‘WPMUDev’, ‘WPHost’, ‘WPCharged Managed WordPress Hosting’, ‘WP Bolt’ (which is using the WordPress logo on its homepage), among many others, and regardless of how they are using ‘WORDPRESS’ or other trademarks owned by or exclusively licensed to Automattic.

The inconsistency here is so stark it’s jawdropping.

Closing comments

As Brian Coords has explained so well, Matt had every right to block WP Engine’s access to WordPress.org. WP Engine has no enforceable right to server-to-server access to WordPress.org and no GPL-related issues arise. And from moral, emotional, and commercial perspectives, Matt may have very good grounds for feeling brassed off. He may also be right to have other concerns. But at the end of the day, and whatever the motive, these facts are also true: Automattic’s largest competitor in the WordPress hosting space is being targetted with assertions of trademark infringement when others using the trademarks in the same or similar ways are not, and is being shut out of WordPress.org, because WP Engine is not – it is said – giving enough back. This is occurring when the GPL does not require that, there are no membership rules that require that, there are no relevant terms of use governing access to WordPress.org (although, Matt, there could be…), and when WP Engine’s cease and desist letter (which is wrongly characterised as an attack on WordPress.org), was in response to a very public attack on it.

Again, I’m not writing all this to support WP Engine, and I remain steadfastly grateful for what Matt and Automattic (along with all contributors) have built. I’m writing it because we need open and considered discussion of what’s going on here. As a WP Engine customer, I am personally affected by what is happening, but my amygdala would be cranking out an anxiety response even if that weren’t the case. Why, because – in my own small way – I too have invested thousands of hours into WordPress. WordPress is responsible for livelihoods, careers, entire industries, and all manner of other things. It has been a technological saviour of sorts since the mid-2000s and it has enabled so many people to do so many things. The world is much better with WordPress in it than without. But for the ecosystem to thrive, we need stability, not division.

Whether what I’m saying is of any assistance, I don’t know. I hope it is, and that the time spent on these posts is not a complete waste of time. But I also hope that the good governance-related suggestions from Joost de Valk are taken seriously, and that Automattic and WP Engine can once again come to co-exist in peace. To my mind, this will not come from insisting on ‘pay up or else’, nor will it come from complete entrenchment on the other side, regardless of the strength or weakness of the trademark infringement assertions. And regardless of what we may think of Matt’s approach, it is clear that it is forcing an evolution of the WordPress ecosystem. It’s naive to think the fallout is only affecting Automattic, WP Engine and its customers. Nuclear fallout is wider than that, and Matt’s sweeping trademark-related statements (which in some cases far exceed the bounds of what trademarks control) will be concerning other commercial players. If the evolution is to have a positive rather than negative outcome, I suggest community members of influence should be allowed to help chart a way forward, or an expert commercial mediator should be brought in to help. That’s my 5 cents’ worth anyway.

Over and out.