Automattic, the company behind WordPress.com, recently found its WP Engine Tracker website blocked by Cloudflare, flagged as a “suspected phishing” site. This temporary block sent ripples through the WordPress community, particularly on Reddit, where some users enthusiastically cheered Cloudflare’s move. Adding a twist to the story, a new domain similar to Automattic’s site—WPEngineTracker.com—was registered, sparking even more interest.
Background on Automattic’s WP Engine Tracker Site
Automattic, believed to be operating under the guidance of WordPress co-founder Matt Mullenweg, recently launched the WP Engine Tracker website. This site, hosted at the domain WordPressEngineTracker.com, was created to track and display the number of websites leaving WP Engine, a managed WordPress hosting provider. The site also offers hosting alternatives for WordPress users and provides a downloadable list of domains currently hosted on WP Engine, positioning itself as a resource for users considering a change in hosting services.
According to an email from an Automattic employee, the WP Engine Tracker site was developed to leverage the transparency of open-source software, which allows public access to certain data points. The email suggests that WP Engine’s recent lawsuit and alleged service issues have driven some users away from the platform. “Open source makes it possible for anyone to view granular data,” the email noted, emphasizing that “WP Engine has had no restrictions on accessing WordPress software or plugins, just as any user on WordPress.org can.”
Cloudflare’s Block and Phishing Warning
On November 9th, Cloudflare restricted access to WP Engine Tracker, displaying a warning message indicating the site was suspected of phishing. Phishing typically involves tricking users into providing sensitive information by posing as a legitimate site. Cloudflare’s message warned visitors:
“Warning: Suspected Phishing. This website has been reported for potential phishing. Phishing is when a site attempts to steal sensitive information by falsely presenting as a safe source.”
This temporary block quickly became a popular topic on the WordPress subreddit, with users both celebrating the restriction and questioning the reason for the phishing label. Comments ranged from amusement to intrigue, with users speculating on whether the block was due to prank reports or a legitimate concern. Some commenters even suggested that the block might have stemmed from potential trademark infringement rather than phishing.
One user pointed out that those who bypassed the warning encountered a “403 Forbidden” error message, meaning the server had acknowledged their request but was denying them access.
The Typosquatting Domain Issue
Further complicating the story, a user registered a similar-sounding domain, WPEngineTracker.com, on November 7th. This domain name, often called a “typosquat,” is a tactic used to catch users who might incorrectly type the original domain name. In this case, someone appeared to capitalize on the similarity between “WP Engine Tracker” and Automattic’s domain name, redirecting potential visitors to their own site.
Typosquatting is not uncommon, particularly with high-profile companies and websites. While it’s uncertain what content or intentions the typosquatted site has, it underscores the potential for brand confusion and user misdirection on the internet.
WP Engine Tracker Restored
Cloudflare’s phishing warning was eventually lifted, and the WP Engine Tracker site was back online within hours. The incident, however, highlighted the tension and competition between WP Engine and Automattic, as well as the challenges and risks of navigating internet trademarks and user-driven reporting. As Automattic’s WP Engine Tracker project resumes, its reception and implications within the hosting community continue to unfold.