Analyzing WP Engine’s second amended complaint, part 1

On Friday, October 3, WP Engine filed their Second Amended Complaint. As I anticipated, WP Engine is reasserting every claim not dismissed with prejudice. As a reminder, Judge Araceli Martínez-Olguín dismissed one claim outright (“with prejudice”) and a second without prejudice to filing it later in the case. For the other five dismissed claims, the judge gave leave for WP Engine to reassert all of them in an amended complaint.

Today, in part 1, let’s look at the Second Amended Complaint in detail. I’ll be covering just one of the reasserted claims in this post, as well as providing some thoughts on other changes within the complaint including the many, many redactions. Then, in a subscribers-only post tomorrow, I’ll cover the remaining four claims, which all relate to antitrust.

Update: I forgot to link directly to the PDF of the Second Amended Complaint. If you’d like to follow along with my commentary below, you can find the PDF on CourtListener. (h/t Brandon)

What’s new, what’s the same, what’s redacted

The PDF of the Second Amended Complaint (SAC) clocks in at 175 pages, which compares to the First Amended Complaint (FAC) at “just” 144 pages. This is a lot of writing (and reading for me!), but it’s important to note that, while there are 31 additional pages, this is not a complete rewrite. Much of the SAC is unchanged from the FAC.^[1]

This makes sense: the judge allowed nine claims to move forward in her order to dismiss and a further four were unchallenged by Automattic and Mullenweg. Why would WP Engine rework aspects that are already cleared for trial? Looking at the SAC and comparing it with the FAC, effectively every one of those thirteen claims, which the judge has already ruled on, remains unchanged. Now, WP Engine may bolster some of these thirteen claims with additional facts, but this is incidental, even if partially intentional.

There is, however, a lot of new content. And, within that new content, there are a lot of redactions.

In a separate, concurrent filing, WP Engine filed a motion asking the court to consider whether the redacted aspects should be public. On their face, the redactions are not surprising—WP Engine is citing information revealed during the discovery phase that was marked by Automattic and Mullenweg as either “confidential” or “highly confidential-attorneys eyes only”. As part of this concurrent filing, WP Engine also submitted a sealed SAC that did not include any redactions, as well as a redlined version.^[2]

What’s interesting here is that WP Engine seems to have discovered material that supports their claims in key ways. In this post, as well as in tomorrow’s, I’ll be going through the changes in the SAC. If a given section has redactions, I’ll note that and, when possible, speculate as to the nature of the redactions. But, to be clear, this is pure speculation.

The other notable aspect is that the promissory estoppel claim is unchanged. In her order to dismiss, Judge AMO only dismissed the promissory estoppel claim in part, finding that specific promises would not move on to trial. WP Engine seems to have conceded here, instead of reasserting those promises with additional supporting material.^[3]

Within the SAC, there are two key areas to cover: the re-asserted CFAA claim and the re-asserted antitrust claims. I’ll be covering the latter tomorrow, but before digging into the CFAA claim, I’d like to call attention to some small-but-interesting aspects in this filing.

Assorted updates and modifications

There are a few smaller changes that I want to call attention to. These might be meaningful in the grand scheme of this case, but they don’t seem overly meaningful within the context of the re-asserted claims.

WordPress Foundation references

While nearly all of the references to the WordPress Foundation were in the FAC, the SAC includes one small addition: on page 33 of the PDF, WP Engine adds two words to the following sentence (my emphasis):

Defendants knew that this created a risk to others in contributing to and investing in the WordPress ecosystem, that was different than if all relevant rights were owned and controlled by a properly governed charitable foundation.

I’ve written a few posts about the WordPress Foundation and, suffice it to say, I think this is a fair addition.

“Nuclear war”

At the hearing for the motion to dismiss, Automattic’s counsel went on a slight tirade, noting that the term “nuclear war” had never been used by Mullenweg. From the (unofficial) transcript:

Automattic’s Dore: Well, that’s what I was going to say. There are quotations around it. Nowhere in the complaint is Mullenweg alleged to have said nuclear war. Didn’t happen. He refers to nuclear. He refers to scorched earth. But we’ve seen over and over again nuclear war in quotes. He didn’t say it.

In the SAC, WP Engine responds to this tirade in lengthy footnote 59, on PDF page 46:

During the recent hearing before this Court, Defendants represented that “we have seen over and over again ‘nuclear war’ in quotes,” but Mullenweg ”didn’t say it” and it “[d]idn’t happen.” August 28, 2025 Hrg. Tr. at 33. According to Defendants’ counsel, Mullenweg instead only “refers to nuclear,” not “nuclear war.” Id. While WPE alleges that both threats are abhorrent and wrongful, reflecting a distinction without a difference, documents recently produced by Defendants confirm that [redacted.]

(Note that WP Engine has an official transcript, so their quotes vary from mine.)

The redaction is long, at least two and a half lines, but presumably WP Engine is in possession of documents from Automattic and/or Mullenweg that do reference “nuclear war”, and I speculate that those references pre-date the first instance of Mullenweg using the term “nuclear” in regards to his actions (or potential actions) against WP Engine.

WooCommerce and Stripe

One of Mullenweg’s secondary arguments was about WP Engine modifying a piece of code in the WooCommerce plugin, attributing Stripe transactions to WP Engine instead of Automattic/Woo.^[4] On PDF page 54 of the SAC, WP Engine adds colour to what was happening in October 2024, noting:

In a further effort to inflict harm upon WPE and the market, Defendants secretly [redacted.] Shocking documents Defendants recently produced in discovery reveal that in mid-October 2024, just days after WPE brought this lawsuit, Mullenweg [redacted.]

While we will likely have to wait until these actions are revealed at trial (or earlier, if the judge so rules), one possibility is that Mullenweg internally pushed for changes to the WooCommerce plugin itself, modifying it in a way that would prevent WP Engine customers from using the plugin.

Premeditated interference

While “Intentional Interference with Contractual Relations” is a claim that was already moving forward to trial, WP Engine bolsters this claim with additional details, which it obtained during discovery. Specifically, on PDF pages 61-62 of the SAC:

Defendants’ interference with WPE’s customer relations was no accident. Rather, as documents Defendants recently produced in discovery reveal, Defendants had been planning these wrongful actions for months. For example, in March 2024, Defendants devised a scheme to offer [redacted.] Defendants further stated in internal discussions that [redacted.] Likewise, in July 2024, Automattic’s CFO Mark Davies stated that [redacted.] Defendants’ nuclear war against WPE was thus intentional and premeditated.

This is a juicy redaction.

The March 2024 date likely references comments on an internal P2 post, which TechCrunch previously reported on. However, the referenced July 2024 statement from Davies is particularly interesting. I speculate that there was internal discussion around how to pressure WP Engine into the supposed trademark license. If that discussion included mention of WCUS, and/or putting WP Engine under the very tight timeline, it would directly contradict Mullenweg’s public statements regarding attempting to negotiate with WP Engine for “years.”

Preparing for an appeal

In the order to dismiss, Judge Araceli Martínez-Olguín dismissed two of WP Engine’s claims: the attempted extortion claim and the trademark misuse claim (as a standalone affirmative claim). In footnote 137 on PDF page 132, WP Engine starts preparing for an appeal of those decisions:

WPE’s prior Amended Complaint asserted claims for attempted extortion (Count 4) and declaratory judgment of trademark misuse (Count 16). The Court dismissed WPE’s attempted extortion claim with prejudice; the Court also dismissed WPE’s declaratory judgment of trademark misuse claim as a standalone affirmative claim, without prejudice to WPE “asserting it as an affirmative defense if appropriate later in this litigation.” Dkt. 169 at 10–12. To comply with this Court’s order (Dkt. 169), WPE has omitted from this Second Amended Complaint WPE’s attempted extortion and declaratory judgment of trademark misuse claims and renumbered its remaining claims. However, WPE expressly maintains and preserves its attempted extortion and declaratory judgment of trademark misuse claims for appeal.

This is common at this stage of the litigation. WP Engine may attempt to appeal the judge’s order in the near term, but I think it’s more likely they reserve any appeal for later in the litigation, if other aspects do not go their way.

Pineapple 🍍 on pizza 🍕

In early October 2024, Mullenweg modified the login.wordpress.org form, adding a checkbox that required every contributor to confirm that they were “not affiliated with WP Engine in any way, financially or otherwise.” The community was pretty livid about this new checkbox, and, in her preliminary injunction, the judge ultimately ordered Mullenweg to “remove the checkbox.” But, the checkbox wasn’t removed in its entirety, it was made optional and changed to “Pineapple is delicious on pizza”.

Now, because the checkbox was made optional, it met the spirit of the preliminary injunction order. However, did it meet the letter of order? I’ve been wondering when, if at all, WP Engine would note this and, here in the SAC on PDF pages 71-72, they note the following:

As part of its preliminary injunction order, the Court ordered Defendants to “remov[e] the checkbox at login.wordpress.org[.]” See Dkt. 64 at 42. Rather than comply with this Court’s order by completely removing the checkbox, Defendants responded by replacing it, simply changing the text about WPE to text about whether “Pineapple is delicious on pizza.” Community members understood Defendants’ modification to be an effort “to poke fun at a court decision” (i.e., this Court’s preliminary injunction decision), to mean “that this is all a big joke to Matt,” and that Mullenweg “is mocking the court, the judge and the entire community.” Defendants’ modified checkbox—which still appears on the login page of wordpress.org today—is reflected below:

This is unlikely to directly affect the case, but judges do not like their orders being defied or otherwise mocked. While I cannot imagine there are any immediate consequences for Mullenweg’s actions here, his actions likely diminish his standing in the eyes of the court.^[5]

The other CFAA claim

With the smaller aspects out of the way, let’s get into the major change we’re covering today: the re-asserted Computer Fraud and Abuse Act claim.

Backing up a bit, WP Engine made two CFAA claims, specifically covering two separate sections of the CFAA:

• Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7)
• Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)

The second claim, regarding 18 U.S.C. § 1030(a)(5) is moving forward to trial—the judge did not dismiss this claim and WP Engine does not focus on bolstering it further. Thus, WP Engine is focused on re-asserting the 18 U.S.C. § 1030(a)(7) claim. Let’s first look at this part of the law:

(a) Whoever—
 
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
 
(A) threat to cause damage to a protected computer;
 
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
 
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
 
shall be punished as provided in subsection (c) of this section.

As I wrote about previously, the judge was unpersuaded about WP Engine’s arguments covering 1030(a)(7), writing:

WPEngine cannot plausibly allege that it had a preexisting right to access and use wordpress.org or related trademarks in perpetuity for free. Indeed, several of its claims in this action seek declaratory relief as to Defendants’ trademark rights.

These two sentences actually outline what the judge is looking for, should WP Engine want this claim to move forward to trial.

As part of bolstering this claim, WP Engine starts by making a small, but meaningful, change throughout the SAC—wherever the forced takeover of ACF is referenced, WP Engine has updated the verb to “hijack.” It’s a small, but notable, change. For example, in the FAC on PDF page 71, WP Engine stated (my emphasis):

Defendants’ expropriation of ACF was carried out in retaliation against WPE: [screenshot from X]

But, in the SAC, on PDF page 77, WP Engine updates the text, changing the verb to “hijacking” and expanding (my emphasis):

Defendants’ hijacking of ACF was carried out in retaliation against WPE for its refusal to capitulate to Defendants’ extortionate demands. This is evident, for example, from Defendants’ post on X indicating that WPE could receive its ACF plugin back “[i]f WP Engine dropped its lawsuits, apologized, and got in good standing with its trademark use” (which WPE already was): [screenshot from X]

This verbiage change happens throughout the SAC, not only in this singular instance. In making this change, WP Engine is emphasizing the damage—to use the word from the CFAA—inflicted by Automattic and Mullenweg.

Much of the factual record remains otherwise unchanged for this CFAA claim. However, in stating its claim for relief, WP Engine digs in deeper. To make this claim stick (that is, go to trial), WP Engine needs to argue both that Automattic and Mullenweg were attempting to extort WP Engine, and that they “damaged” a “protected computer” owned or controlled by WP Engine. They also need to make it clear that they had “a preexisting right to access and use wordpress.org or related trademarks in perpetuity for free”, as the judge outlined.

Let’s look a bit closer at some of the additions.

The additions start on PDF page 133, with WP Engine adding a clause to the initial summary of the claim (my emphasis):

Through the acts set forth herein, Defendants caused “damage” to “protected computers” as those terms are used in 18 U.S.C. § 1030, including through Defendants’ acts to interfere with the normal operation of WPE’s computers, by blocking and interfering with access to wordpress.org’s systems, by impairing the availability of data and information needed for the normal operation of WPE’s computers, and by forcibly overwriting millions of instances of the ACF plugin with the SCF plugin.

The forcibly overwriting of ACF is well-documented and understood—WP Engine is emphasizing it here to bolster their claim. In stating Automattic and Mullenweg “impair[ed] the availability of data and information needed for the normal operation of WPE’s computers”, WP Engine references being blocked from accessing WordPress.org, which stopped their access to WordPress.org’s API, blocking access to the theme directory, plugin directory, and automatic WordPress security updates, among other things.

Updated text in this claim then goes on to document more of the allegedly extortionate timeline, from the messages sent before WordCamp US, to the WordPress.org block, noting that:

The act of banning WPE from wordpress.org was the culmination of Defendants’ threats to cause damage to WPE’s computers as conveyed in their September messages to WPE.

The timeline continues with actions on October 5 (“extortionate threats” regarding ACF) and October 12 (the actual takeover of ACF):

A few days later, on October 12, 2024, Defendants carried out their threats and hijacked WPE’s ACF plugin, taking over WPE’s plugin “slug” and directory listing on wordpress.org, causing millions of instances of the plugin on WPE’s and its users’ computers to be overwritten with SCF.

WP Engine also notes that the threats, and actions, were, effectively, a direct effect from their refusal to pay up, stating:

As described above, Defendants used the aforementioned threats as well as intimidation and fear to demand exorbitant sums of money (8% royalty on gross revenues) from WPE.
 
[…]
 
Defendants knew when they sent the messages that they were not entitled to the sums of money they were demanding. The messages were sent in an abuse of Mullenweg’s authority as the co-founder of WordPress and the CEO of Automattic.

WP Engine continues by arguing that the effort creating and maintaining its products, including ACF, as well as the assurances made on WordPress.org, mean that they had a right to “the continued normal operation of [their] own computers”, including access to WordPress.org. Further, they connect this right back to the GPL:

For example, WordPress is open source software governed by the GNU General Public License (GPL). This license granted WPE, inter alia, “the freedom to run the program for any purpose,” “the freedom to redistribute,” and “the freedom to distribute copies…to others.” By intentionally banning WPE from the WordPress community and blocking WPE from all resources on wordpress.org, Defendants wrongfully interfered with these preexisting rights granted by both the GPL and by the various promises Defendants made to the WordPress community that access to wordpress.org would be free and open to all who wished to develop plugins or build businesses using the WordPress open source software.

The GPL does grant these freedoms, but expecting those freedoms apply to closed source services—like the WordPress.org API—is a stretch. But, what happens when a closed source service is integrated so tightly with GPL-licensed software? The court will have to pull this one apart.

WP Engine continues to bolster its claim, looking further at the “purported license royalty” stating:

The impairment to the availability and integrity of data, programs, systems and information in WPE’s hosting service and its plugins constituted “damage to [] protected computer[s]” under Section 1030(a)(7) of the CFAA. Defendants’ threats were not hard bargaining or in furtherance of any legitimate business negotiations. Indeed, Mullenweg admitted that the demand for 8% of WPE’s revenue as purported license royalty was based on WPE’s income, and completely untethered to the value of the trademarks or Defendants’ actual cost or input.

But, WP Engine has to prove that this “purported license royalty” is not legitimate or necessary. Here, they include an interesting aspect:

As described above, the purported trademark license that Defendants demanded WPE sign under threat of a nuclear war was worthless. As revealed in documents produced by Defendants in this case, Defendants acknowledged internally that [redacted.] No license is needed to make nominative fair use of a trademark. For over a decade, many companies in the WordPress industry have frequently utilized the Challenged Terms, including in conjunction with other words and phrases like “managed” and “hosted,” to identify and refer to the class in WordPress-focused products and services they offer and to convey an immediate idea of the quality, characteristics, features, functions, purposes or uses of those services. Such services encompass a comprehensive suit of WordPress-related offerings that typically include publishing websites, providing automatic updates, maintaining a robust security infrastructure, monitoring and optimizing site performance and site speed, managing website content, offering developer tools, providing expert support, and more. Below are just a few examples of such uses in the industry: (Screenshots from other hosting providers follow, including 1&1, GoDaddy, and A2.)

The redaction is a full two and a half lines of text. I have to imagine that what’s been revealed internally is confirmation that WP Engine’s use of the “Challenged Terms” is considered by Automattic to be fair. Perhaps this redaction also references the “premeditated” actions discussed earlier.

The next redaction is similarly interesting:

Defendants’ hijacking of the ACF plugin on WPE’s users’ computers caused WPE proximate harm because it impaired the utility, availability, and integrity of WPE’s ACF plugin, and prevented WPE from making security updates to it. In documents produced by Defendants in this litigation, Defendants admitted [redacted.] Defendants further admitted that [redacted] meaning that Defendants’ wrongful actions also [redacted.]

Let me take a stab at what these redactions might say, given the context.

In documents produced by Defendants in this litigation, Defendants admitted [they deliberately acted to harm both WP Engine and its customers.] Defendants further admitted that [they acted without WP Engine’s consent and with no legitimate reason] meaning that Defendants’ wrongful actions also [exposed WP Engine’s customers to vulnerabilities and harm.]

Of course, I suspect the truth is a bit juicier.

Finally, WP Engine adds more about the lost upgrade path to ACF Pro, which caused financial harm, as well as the reputational harm and loss of good will.

All upgrade paths to the paid version of the ACF plugin were removed from the SCF plugin that Defendants installed onto WPE’s users’ computers without their knowledge or permission, causing financial harm and degraded the user experience and functionality of the programs running on their computers.
 
Defendants’ SCF plugin was advertised as an update to ACF and took all of ACF’s installation counts and user reviews, causing reputational harm to WPE.
 
WPE further suffered reputational harm and loss of goodwill because of its inability to update the ACF plugin, and to preserve the stability and security that it normally offers its customers and due to the interrupted service of its ACF plugin.

Taken as a whole, WP Engine has added a lot of information to bolster this CFAA claim. I’m not sure if it’s enough, because I am not a lawyer, but it certainly feels considerably harder to combat for Automattic and Mullenweg. And, the redacted pieces likely bolster their claim more than we’d expect.