,

Analysis of WP Engine Data Sparks Debate as Automattic Disputes Leak Claims

The WP Engine tracker website

Web developer Dumitru Brinzan’s analysis reveals key trends in themes, plugins, and site management among WP Engine customers, and has drawn mixed reactions.

An analysis of websites hosted by WP Engine — drawn from a CSV file available for download on Automattic’s WP Engine Tracker website — has sparked debate about data privacy and the ethical use of publicly accessible information within the WordPress community.

Web developer Dumitru Brinzan’s analysis reveals key trends in themes, plugins, and site management among WP Engine customers. It also highlights the popularity of multipurpose and page builder-friendly themes. Just 10 themes power nearly 40% of all WordPress websites hosted by WP Engine. 

Similarly, the analysis spotlights the plugins most commonly installed on WP Engine sites. Yoast SEO leads the list, installed on nearly half of all WordPress sites hosted by WP Engine, reflecting its continued dominance as a go-to tool for search engine optimization. Similarly, Elementor’s free and pro versions combined power one in five sites, reinforcing the appeal of page builders within the WordPress ecosystem.

The top 10 themes used by WP Engine customers include:

  1. Divi (71,859 sites)
  2. Hello Elementor (53,625)
  3. Astra (28,059)
  4. Avada (17,425)
  5. Beaver Builder Framework (17,291)
  6. Genesis (15,760)
  7. Salient (12,285)
  8. Pro (6,121)
  9. GeneratePress (6,058)
  10. Genesis Block Theme (6,030)

The top 10 plugins used by WP Engine customers include:

  1. Yoast SEO (337,822 sites)
  2. Elementor Page Builder (129,302)
  3. Contact Form 7 (113,770)
  4. Elementor Pro (104,180)
  5. Gravity Forms (75,777)
  6. WP Rocket (62,045)
  7. WooCommerce (60,538)
  8. Slider Revolution (60,205)
  9. Site Kit by Google (58,651)
  10. Google Analytics for WordPress (51,681)

“This data gives a clear look at how WordPress is being used, but the decision by Matt Mullenweg to leak this database has caused significant controversy,” said Brinzan.

“While the leak itself conflicts with the principles of openness and trust that the GPL embodies, it does offer a rare opportunity to analyze trends across a significant portion of WordPress websites.”

The dataset lists 726,054 unique domains, including duplicates, staging sites, and websites that no longer run WordPress. While 83.27% of the sites remain WordPress-powered, other platforms are also represented in what likely includes historical data, including Joomla (0.83%), Drupal (0.87%), Wix (0.03%), Weebly (0.73%), and Squarespace (0.02%).

The analysis also reveals that about 75,000 websites include a <meta name="robots" content="noindex"> tag, which Brinzan has interpreted as a sign that the data was not intended for public indexing. However, Automattic has dismissed this claim.

Automattic disputes data “leak” claims

Brinzan has labelled the dataset a “leak,” suggesting that sensitive information has been improperly made public. However, Automattic has strongly disputed this characterization, telling The Repository that the predominant sources used to compile the data in the CSV included BuiltWith’s list of current WP Engine customers and BuiltWith’s list of current FlyWheel customers. Automattic also accessed W3Techs’ usage statistics for WP Engine in creating the tracking site.

“All domains included in the CSV are publicly available,” an Automattic spokesperson said.

They also addressed Brinzan’s interpretation of the <meta name="robots" content="noindex"> tag: “To state they were not intended to be indexed OR publicly available is factually incorrect. Whether or not a site gets indexed on a search engine has nothing to do with a listing of where sites are hosted.”

The spokesperson denied Brinzan’s claim that its CEO Matt Mullenweg had compiled the data in the CSV file over many years. “To allege that Matt has been compiling this data for years is inappropriate,” the spokesperson said.

Speaking to The Repository, Brinzan questioned the decision to aggregate and distribute the data in an easy-to-download way. “Even if there are tools to gather data like this, why make it easy and deliver it in a convenient .csv format? Just weird,” he said.

BuiltWith currently offers a downloadable list of 1,109,643 WP Engine customers, including historical data, which may explain why domains using other platforms are listed in the WP Engine Tracker dataset. According to the BuiltWith website, the company indexes the Internet in the same way that Google does to power its search engine. 

Reactions from the WordPress community

Brinzan’s analysis offers insights intro trends in WordPress themes, plugins, and site management at scale and has drawn mixed reactions, including pride from those whose products have been listed and criticism over the manner in which the data has been shared.

Fullworks Plugins owner Alan Fuller posted on X that he was “thrilled” his plugin Stop User Enumeration was in the top 100 plugins used by WP Engine customers.

Similarly, plugin developer Ross Morsali posted on Bluesky that it was a “(tiny) silver lining” that his plugin Search Filter Pro was #76 on the plugin list.

A (tiny) silver lining in the WP Engine data leak/tracker thing – nice to see my plugin at #76 in the list.

Ross Morsali (@ross-m.bsky.social) 2024-11-16T15:46:19.139Z

Others have voiced concerns. Luehrsen // Heinrich CEO Hendrik Luehrsen noted that the dataset revealed the adoption of block themes was “neglible.”

Developer Stephanie O’Hanley criticized the tracker for listing her yet-to-be-relaunched website in its ticker.

I'm rebuilding my main website in Astro. It's not ready and because I needed to give WP Engine notice before cancelling, I moved my WordPress site yesterday.I didn't cloak it enough. Now my domain and web host show in the ticker on the WP Engine Tracker site. I am not okay with this.

stephohanley.bsky.social (@stephohanley.bsky.social) 2024-11-17T05:02:19.571Z

Meanwhile, Ben May, Managing Director of The Code Co, dismissed parts of the analysis, stating that domain lists with “noindex” tags are widely accessible and not inherently private.

WP Engine Tracker updates and legal implications

The inclusion of the CSV file on the WP Engine Tracker website has sparked broader conversations about privacy, ethics, and governance within the WordPress community, as reported by The Repository last week. Critics argue that even publicly available information, when aggregated and shared at scale, raises concerns about user trust and transparency.

Since its launch two weeks ago, the WP Engine Tracker site has undergone updates. The site now displays the decreasing number of websites hosted by WP Engine rather than the increasing number of departures. At the time this story was published, the site shows 21,060 websites have left WP Engine since September 21, 2024.

The tracker has also been cited in WP Engine’s revised lawsuit against Automattic, which now includes antitrust allegations. WP Engine has asked Automattic to shut down the tracking website, describing the publication of its customer’s information without their consent as “wrongful and reckless.”

The first court hearing in WP Engine’s lawsuit against Automattic and Mullenweg will be held on Tuesday to decide WP Engine’s petition for a preliminary injunction.

Latest Stories