Image of many keys surrounding a padlock representing privacy on web servers. By EJ Agumbay/Unsplash

If you leave WP Engine for another host, watch out!

Stephanie O'Hanley

In case you’ve been living under a rock, WP Engine, a web host running WordPress software, is pursuing a legal complaint against Automattic and WordPress co-founder Matt Mullenweg.

A recent article about the lawsuit

Until very recently, this website was hosted on WP Engine. I plan to move the content on this website away from WordPress but I haven’t yet finished my Astro.js site and Ghost blog. I moved because WP Engine asks for notice to cancel, and I figured it would be prudent to move now.

I build and fix websites for nonprofits and individuals. I am not well known. Sure, I would love more clients.

This is not the kind of attention I want.

At all.

When I moved, I stupidly forgot to proxy the DNS records in Cloudflare. The assholes at Automattic have already included all the domains hosted at WP Engine (WPE) in a CSV file they’ve posted on GitHub. They are tracking WPE domains on a website they launched called WP Engine Tracker. Every time a website leaves WP Engine, they record the move.

My best guess: when I moved, because my host’s IP address was exposed, they were able to figure out where I’d moved. They put my domain and web host name in their “ticker” on the WP Engine Tracker. It’s stored in a JSON file.

Others are saying Automattic used the wordpress.org updater API to glean this information. If this is true, it’s incredibly disturbing.

Whatever the source, someone from Automattic hand-coded (hard-coded) my domain name and web host in a file on GitHub.

I asked my host how Automattic was able to figure out my web host’s name. They appeared to be puzzled. So I used SecurityTrails to do a Reverse IP lookup. Wow, I discovered a lot.

I do not want to be part of this lawsuit. I have zero time for Automattic and Matt Mullenweg celebrating every time WP Engine loses a customer.

A message for Automattic and Matt

Automattic and Matt, this is despicable behaviour. You suck.

I am very tempted to move this website to Flywheel now, just to spite you. Flywheel is owned by WP Engine so that would be funny (for me at least).

Do I have any advice for others?

If the move is tracked via the wordpress.org updater API, there’s not a lot you can do. But if your domain ends up listed on GitHub, you’re going to want to beef up site security.

If you use Cloudflare and point your domain’s A records at your web host’s IP address, be sure to proxy them. The cloud icon next to a record appears orange when that record is proxied.

If you’re a web host, you may want to check SecurityTrails and see what’s revealed in a reverse IP lookup. I am pretty freaked out by the leaking of temporary websites. I learned that 39 sites on my web host share one IP address and many of these are password-protected temporary websites. It’s not comforting at all.

I don’t know what this means for privacy laws. I don’t think it’s good.

Something else you can do

Duane Storey has a WordPress Privacy Plugin called WP API Privacy, available for download on GitHub. Install it at your own risk. It’s not meant for production sites but if your site is a small one (like mine), why not? At this point, privacy seems to be a joke so you might as well protect yourself in any way you can.

As Duane explains,

The default WordPress installation from wordpress.org automatically transmits extraneous information via various HTTP calls that occur in the admin. Some of this data may be cause for concern from a privacy perspective.

This plugin seeks to limit that information, attempting to further protect your privacy in the process. Simply install this plugin and activate it, and various aspects of WordPress that are questionable from a privacy perspective will be modified.

About the author
Stephanie O'Hanley is a former journalist turned web developer based in Greater Montreal. As a freelance journalist her work appeared in daily, alternative and community newspapers and digital publications. As a WordPress virtual assistant and developer, she builds websites, offers website support and maintenance, and writing and editing services. She enjoys helping nonprofit, individual, and small business clients in the United States, the United Kingdom and Canada make their websites better.
