WordPress.org has banned WP Engine from accessing its resources and stopped delivering plugin updates to websites hosted on the platform, urging impacted users to choose other hosting providers.

The open-source project claims that the move comes in response to WP Engine’s alteration of a WordPress core feature for its own profit and its blocking of the dashboard’s news widget on thousands of sites to prevent criticism of its actions from reaching users.

The move, which is the latest in a conflict that has erupted between the two entities, essentially leaves thousands of end-users without security updates and, by extension, millions of internet users exposed to potential hacks.

WP Engine’s legal action is primarily against Automattic but it also involves issues related to how WordPress.org resources are allegedly used to harm the hoster’s reputation.

The conflict is heading towards legal trouble, as Matt Mullenweg, WordPress co-founder and CEO of Automattic, said in the blog post that “pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org’s resources.”

WordPress in turmoil

The conflict between WP Engine, WordPress.org and Automattic, the owner of WordPress.com and WooCommerce, stems from disagreements over contributions to the WordPress open-source project, brand usage, and criticism from leaders within these entities.

WP Engine, a major WordPress hosting provider, sent a cease-and-desist letter to Automattic after Mullenweg’s public criticism for allegedly profiting from WordPress without giving back sufficiently.

Mullenweg went as far as to describe WP Engine as a “cancer to WordPress” during a public event.

WP Engine responded by accusing Mullenweg of trying to coerce them into paying millions for trademark licensing and threatening them with a “scorched earth nuclear approach” if they didn’t comply​.

Automattic then hit back with its own cease-and-desist letter accusing WP Engine of infringing commercial uses of WordPress and WooCommerce trademarks and claiming to have built a business with $400 million in revenue through unauthorized use of the WordPress name.

Websites and users left exposed

Patchstack’s Oliver Sild confirmed to BleepingComputer that sites hosted on WP Engine don’t currently receive updates from WordPress.org, leaving end-users in a vulnerable position.

The security researcher commented that important security issues on WordPress themes and plugins are uncovered daily. When a fix is ready, WordPress can automatically apply the update with the patch, saving admins the trouble of checking for new versions and installing them.

Patchstack has decided to halt publishing new vulnerabilities until the problem is resolved, to prevent hackers from getting information they could leverage against unprotected websites hosted on WP Engine.

WordPress.org has placed the responsibility for solving the security issues solely upon WP Engine, advising users who have any functionality trouble with their sites to contact WP Engine’s support.

“The reason WordPress sites don’t get hacked as much anymore is we work with hosts to block vulnerabilities at the network layer, WP Engine will need to replicate that security research on their own,” Mullenweg says in the WordPress.org announcement.

The situation appears complicated, so a prompt resolution is unlikely. At the same time, WP Engine forming an effective security team to respond to customer requirements soon enough also seems unrealistic.

All that said, WP Engine customers may consider urgent measures as they explore other hosting options for their websites.