Automattic is facing a class action lawsuit over its feud with WP Engine, with a cybersecurity expert accusing CEO Matt Mullenweg of waging “nuclear war” against the hosting company at the expense of hundreds of thousands of its customers.

Ryan Keller, who runs Ohio-based cybersecurity business SecureSight, has filed a federal lawsuit on behalf of WP Engine customers in the United States. The complaint alleges that Automattic deliberately sabotaged WP Engine’s business by blocking access to critical WordPress.org services, causing disruption, security risks, and financial harm.

The lawsuit, filed in the U.S. District Court for the Northern District of California, accuses Automattic of multiple counts of tortious interference and violations of California’s Unfair Competition Law. Keller is seeking financial damages for affected businesses and a permanent injunction to prevent Automattic from using its control over WordPress.org to interfere with competitors.

The class action covers all WP Engine customers in the U.S. who had active hosting plans between September 24, 2024, and December 10, 2024, a period when WP Engine lost access to plugin updates, security patches, and other essential services. The lawsuit claims that “hundreds of thousands” of WP Engine customers were affected.

Keller has retained two class action law firms—Schubert Jonckheer & Kolbe, based in San Francisco, and Tycko & Zavareei, which has offices in California and Washington, D.C. Schubert Jonckheer & Kolbe’s most significant tech-related case resulted in a $22.5 million settlement for AdWords advertisers who alleged Google placed their ads on low-quality parked domains and error pages in violation of California law, benefiting approximately 1.1 million class members. In the past year, Tycko & Zavareei has won class action cases against Apple and Meta, securing a combined $72.5 million in settlements.

Mullenweg has publicly defended his actions in recent months, arguing that he acted to protect WordPress and safeguard its long-term future. In his keynote address at WordCamp US 2024, Mullenweg accused WP Engine and its private equity backer, Silver Lake, of exploiting WordPress without giving enough back to the open source project. It was later revealed that Automattic had demanded that WP Engine pay an 8% licensing fee to use the WordPress trademarks.

But Keller’s lawsuit argues that Mullenweg weaponized his control over WordPress.org, cutting off WP Engine’s access to cripple its business and steer customers toward Automattic-owned hosting brands, including WordPress.com and Pressable. The complaint claims Automattic and Mullenweg publicly pressured WP Engine customers to leave by listing them on the WordPress Engine Tracker website, while Automattic-owned hosting brands directly solicited them with incentives to migrate.

The lawsuit describes Automattic and Mullenweg’s conduct as an abuse of the open-source internet architecture, alleging that “a single individual (Matt Mullenweg) exercises apparent singular control over what they claim to be more than 40% of all websites in the world through his personal website (WordPress.org).” It calls this level of control “an appalling deception” that is “contrary to every conceivable public policy.”

It also disputes Automattic’s justification for blocking WP Engine’s access, arguing that “a trademark dispute, even if legitimate, is not cause for the deliberate sabotage of the websites of innocent third-party individuals and companies who merely used WPE services.” The complaint calls Automattic’s trademark claims a “pretext” for harming WP Engine and its customers.

The lawsuit challenges Automattic’s influence over WordPress.org, arguing that its ability to block WP Engine’s access without oversight exposes a governance issue in WordPress, where a single company can control who has access to critical WordPress infrastructure.

Keller, who pays $3,300 per year for WP Engine’s Scale Plan, says he had to spend time and money managing security risks and considering alternative hosting providers. The lawsuit claims many small businesses were left in limbo, unsure whether WP Engine could provide stable service or if migrating would be worth the cost and disruption.

A case management conference is scheduled for May 22, 2025, in San Francisco before Judge Peter H. Kang, with both sides required to meet and discuss potential settlement options by May 1 and submit case management filings by May 15.

The Repository contacted Keller for comment but hasn’t heard back yet.

Image credit: Gianni Vascellari.

Update, February 26, 2025: Added details about the law firms Keller has retained to represent him.