When pushing a site from Local to WP Engine, Local triggers a backup on the WP Engine side before applying changes. I discovered that Local is sending the backup completion notification to no-reply@getflywheel.com — without ever informing the user or asking for their email address.
I only found this because my backup failed and I was shown the retry dialog, which exposes the “Send notification to” field pre-filled with no-reply@getflywheel.com. Under normal circumstances, when the backup succeeds, this screen never appears, and the user has no way of knowing a notification was sent to that address.
Looking at the WP Engine Hosting Platform API documentation ( Requests a new backup of a WordPress installation | Hosting Platform API ), the notification_emails field is required when creating a backup. So Local must provide an email address. But rather than prompting the user for theirs, it silently hardcodes a Flywheel-owned address.
This raises several concerns:
Transparency: Users are never informed that backup notifications are being sent to a Flywheel/WP Engine-controlled email address on their behalf.
Privacy: These notifications could contain site names, environment details, and backup timestamps — information being sent to a third-party address without consent.
Missing from privacy policy: Local’s privacy policy ( Privacy Policy - Local ) does not appear to disclose this behavior.
No user control: There is no setting in Local to configure your own notification email for WP Engine pushes.
Even if no-reply@getflywheel.com is an unmonitored inbox, the principle of sending data to an undisclosed address without user awareness or consent is problematic.
Could the team clarify:
Is this address monitored, or does it discard incoming mail?
Why isn’t the user prompted for their own email?
Can a future update either use the user’s email or make this configurable?
What steps can be taken to replicate the issue? Feel free to include screenshots, videos, etc
Set up a Local site connected to a WP Engine environment
Push the site to WP Engine
If the pre-push backup fails, click Retry — the dialog will show no-reply@getflywheel.com as the notification recipient. If it succeeds, the email address is not shown.
Hi @AG_bruce - thanks for reaching out! I’m the product manager for both Local and the WP Engine API actually, so this is right in my wheelhouse. I’m happy to answer any questions.
One question of clarification on my side:
I only found this because my backup failed and I was shown the retry dialog
Am I correct in assuming mean the retry dialog on the WP Engine User Portal (my.wpengine.com)?
You are correct, the notification_emails param is a required one, so something has to be passed. You mention prompting the user for their email - we have the user email already from the connection to WP Engine, but we intentionally choose not to use the customer’s email to avoid spamming notifications unnecessarily. The notification is sent in the WP Engine User Portal to the user and is visible in the activity log, which you shared a screenshot of.
WP Engine acquired Flywheel in 2019, so organizationally, they are equivalent. There is no user or environment-related data captured that isn’t already available to WP Engine systems internally.
We use an account we own so (a) we’re not leaking account data to other parties, (b) so notifications don’t bounce, and (c) so users aren’t spammed with messages each time they push. We use the no-reply address as incoming messages here are not acted upon and discarded.
I hope this is helpful context. To your question/feature request:
Can a future update either use the user’s email or make this configurable?
We’re always all ears for feature requests and improvements! Is the root issue here you’re not getting notifications in the WP Engine Portal? Or is the root issue that you’d prefer no notifications at all?
Am I correct in assuming mean the retry dialog on the WP Engine User Portal (my.wpengine.com)?
Yes, that is correct.
We’re always all ears for feature requests and improvements! Is the root issue here you’re not getting notifications in the WP Engine Portal? Or is the root issue that you’d prefer no notifications at all?
The root concern was privacy (and transparency), not functionality. I think it’s fine to use the no-reply address, as long as the messages are automatically and immediately discarded. It should however be mentioned to the user somewhere. An even better solution might be to make the parameter optional in the API and drop the email notification altogether from this process.
The root concern was privacy (and transparency), not functionality… an even better solution might be to make the parameter optional in the API and drop the email notification altogether from this process.
I hear you, and we (the Local engineering team) had similar thoughts when we discussed internally. I will reach out to the team at WP Engine who owns our backups systems and see if 1) there is any historical/necessary reason that is a required param and 2) if we can go ahead and make it optional.
I appreciate you reaching out and raising this feedback!
