With the nonsense between Automattic/WordPress.org/WPEngine, I took a look at the methods used to update core/plugins in WordPress. While most of WordPress can be configured and updated, it seems this has been left, intentionally or unintentionally, difficult to edit without hacking core.
Specifically:
- The 'api.wordpress.org' string appears more than twenty times in the code as a hard-coded string.
- While there are filters for installing plugins, the update appears to ONLY run through the api.wordpress.org endpoint.
- There are no obviously apparent filters or hooks for adding or changing this endpoint for updates.
While I'm sure the WPEngine engineers are working on a solution, it won't be clean or easy or without drawbacks. It's simply not easy or simple to replace this functionality.
In an ideal world, this endpoint would be customizable, or at least customizable per plugin. I can see security reasons why it's hard-coded (e.g. prevent malicious plugins from updating themselves), but tying the WordPress instance to the WordPress API without alternatives is... not the best design.

You can hook into the “http_request_args” filter and replace the URL with the one you like.
Also, you can pass the global proxy parameters.
I have published a post on how to set up a proxy: [https://www.reddit.com/r/Wordpress/comments/1fpt3y6/a_quick_fix_for_sites_hosted_on_wp_engine/](https://www.reddit.com/r/Wordpress/comments/1fpt3y6/a_quick_fix_for_sites_hosted_on_wp_engine/)
I tested it on one of the projects on WP Engine. And it works fine!
From a legal perspective I wonder what WPE’s options are. Even if they could implement some workaround to connect their customers to WP’s repo, I have a feeling they wouldn’t want to because it could be viewed as illegally accessing a service they’ve been banned from. This is terrible.
You could also just bypass this by using your own DNS resolution to resolve that IP to anywhere else, preferably a transparent proxy that would bypass any IP-based blocks that would be in place.
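
As an added example (not code from any poster in this thread or from WordPress core), here is one way the HTTP-filter approach mentioned in the replies can be written as a must-use plugin. It uses the core `pre_http_request` filter, which lets a callback answer a request itself; the mirror host name, constant names and function name are hypothetical placeholders.

```php
<?php
/**
 * Plugin Name: Update endpoint reroute (added example)
 * Place in wp-content/mu-plugins/ so it loads before update checks run.
 */

const EXAMPLE_UPSTREAM_HOST = 'api.wordpress.org';
// Hypothetical mirror you operate; not a real service.
const EXAMPLE_MIRROR_HOST = 'wp-mirror.example.internal';

add_filter( 'pre_http_request', 'example_reroute_wporg_api', 10, 3 );

function example_reroute_wporg_api( $preempt, $parsed_args, $url ) {
	// Another filter already answered this request: leave it alone.
	if ( false !== $preempt ) {
		return $preempt;
	}

	$parts = wp_parse_url( $url );

	// Exact host match only, so look-alike hosts (and the mirror itself)
	// pass through untouched.
	if ( empty( $parts['host'] )
		|| strtolower( $parts['host'] ) !== EXAMPLE_UPSTREAM_HOST ) {
		return $preempt;
	}

	// Rebuild the URL on the mirror: HTTPS forced, path and query preserved.
	$target = 'https://' . EXAMPLE_MIRROR_HOST . ( $parts['path'] ?? '/' );
	if ( isset( $parts['query'] ) ) {
		$target .= '?' . $parts['query'];
	}

	// Update metadata decides what code gets installed, so certificate
	// verification stays on even if the caller turned it off.
	$parsed_args['sslverify'] = true;

	// Re-issue the request. The filter fires again for $target, but the
	// host no longer matches, so there is no recursion.
	$response = wp_remote_request( $target, $parsed_args );

	if ( is_wp_error( $response ) ) {
		error_log( 'update reroute failed: ' . $response->get_error_message() );
	}

	return $response;
}
```

Whatever host the mirror constant names becomes the source of every core, plugin and theme update check on the site, so it inherits the trust previously placed in api.wordpress.org.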