The Hidden Risks of Relying on WordPress: What Every Business Should Know

Before we break down the legal, technical, and business side of things, let’s quickly recap what happened. If you're already familiar with the story, feel free to skip ahead.

What Happened in the WordPress Drama?

Recently, a major clash rocked the WordPress community. It all started when WordPress founder Matt Mullenweg publicly criticized WP Engine, a popular hosting service, for disabling key features like revision tracking to save costs. He went as far as calling them a "cancer to WordPress," which sparked legal threats from both sides.

At the core of this conflict are trademark disputes and control over how WordPress is managed. Mullenweg even blocked WP Engine from accessing WordPress.org resources, leaving many sites unable to update their plugins and themes, which made them vulnerable to security risks. This action alarmed WP Engine users, whose sites rely on regular updates to stay secure. Without access to essential resources, these sites may miss critical updates, increasing vulnerability to hackers who often exploit outdated plugins for unauthorized access.

To add fuel to the fire, Mullenweg announced a fork of the popular Advanced Custom Fields (ACF) plugin, rebranding it as "Secure Custom Fields" without the consent of the ACF team. This sparked backlash and raised concerns about the level of control one person holds over such a widely used platform.

John O'Nolan, founder of the open-source CMS Ghost, also chimed in, criticizing the centralization of power in WordPress. He noted that “40% of the web and 80% of the CMS market shouldn’t be controlled by one person.”

Read the full tweet here.

This isn’t the first time an open-source maintainer has caused a stir, but considering WordPress powers almost 40% of the web, it’s a wake-up call. It leaves us wondering just how safe businesses are when they rely on open-source tools. Before we dive deeper, let’s quickly look at other open-source dramas that have made headlines in recent years.

Other Open Source Dramas

NPM Left-Pad Incident

Back in 2016, the left-pad incident shook the developer world when a frustrated maintainer pulled the package from npm after a dispute over how his other projects were handled. Left-pad, a small but critical utility that added padding to strings, was a dependency for thousands of projects, including major frameworks like Babel and React. The sudden removal caused widespread chaos, even impacting tech giants like Meta, PayPal, Netflix, and Spotify. This incident exposed the fragility of open-source dependencies and sparked conversations about better ways to manage critical libraries.

Source: https://x.com/iamdevloper/status/712574452697989120

Redis Licensing Change

Another big disruption came when Redis, a popular key-value database, switched from an open-source license to a dual-license model, limiting its use for commercial purposes. This change hit companies like Amazon Web Services (AWS), which previously used Redis in its solutions. Now, businesses have to either negotiate licensing terms with Redis Inc. or find alternatives. The move also raised questions about how much control open-source maintainers should have and whether this could set a precedent for more projects to follow.

Source: https://x.com/ErikBjare/status/1771474971564318842

These examples show that open-source projects, while valuable, can come with risks that businesses need to be aware of. Now, let’s break down the legal side of things and look at how licensing, trademarks, and control play into these challenges.

Legal Perspective: Can Open-Source Tools Change Their License?

Navigating the legal side of open-source projects is trickier than it looks. These projects often involve many contributors, various licenses, and even confidential agreements, so it's rarely a simple yes-or-no situation.

Take the recent WordPress vs. WP Engine battle as an example. WordPress, the software, is open-source, but the WordPress brand is protected by a trademark owned by Automattic. So while the code is free, using the WordPress name can still lead to legal issues. That's why Automattic was able to send a cease-and-desist letter to WP Engine over trademark infringement. This shows that even in the open-source world, trademarks add another layer of complexity. The code may be free, but the name? Not so much.

Now, the big question:

Can an open-source tool change its license overnight?

This can turn into a business nightmare quickly. Imagine building your entire platform on an open-source tool you trust, only to have the maintainers change the license out of the blue. Could that really happen?

The short answer is: Yes, but with some caveats.

An open-source project can change its license, but usually, the change only applies to future versions of the software. The older versions would still follow the original open-source license, meaning you could continue using them under those terms. However, any new releases could fall under a completely different set of rules.

Now, here's the tricky part: In projects with many contributors, everyone who has contributed code typically has to agree to a license change. So, while it's possible, it's not as simple as one person flipping a switch—it usually requires a more collaborative process, especially in larger projects.

This content reflects subjective opinions and is not intended as legal advice.

Our lawyer made me add this line, Gotta love those legal disclaimers!

Technical Perspective: How Feasible is it to Migrate Away from WordPress?

Some might think, “No big deal if WordPress removes the ACF plugin—we’ll just update it manually.” And yes, for some users, manually updating plugins or themes might be easy enough.

But here’s the bigger problem: What happens when security patches for core features or crucial plugins get disabled because of disputes like the one between WP Engine and WordPress? That’s not something any business can afford to risk.

So, if you're already deep in the WordPress ecosystem and looking to move away, here are a few things to keep in mind:

In short, moving away from WordPress is doable, but it comes with its own set of challenges—especially for businesses that have heavily customized their WordPress setup.

Business Perspective: What’s the Real Cost of Staying with WordPress?

When a platform as widely used as WordPress shows signs of instability—whether through disputes like the WP Engine drama or unpredictable shifts in its ecosystem—it’s time to ask: What’s the real cost of sticking around?

Conclusion

If you’re considering WordPress to launch your business online, we encourage you to think twice. The recent drama shows that relying on any single platform—especially one controlled by a few key players—comes with serious risks. And if you’re already using WordPress, it might be time to explore safer, more flexible alternatives.

We’re here to help you navigate that process, minimize your risks, and future-proof your website. Whether you need a full migration or just want to weigh your options, reach out to us and book a free consultation.