The dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine continues, with Mullenweg announcing that WordPress is “forking” a plugin developed by WP Engine, TechCrunch reported.
Specifically, Advanced Custom Fields — a plugin making it easier for WordPress users to customize their edit screens — is being taken out of WP Engine’s hands and updated as a new plugin called Secure Custom Fields.
Mullenweg wrote that this step was necessary “to remove commercial upsells and fix a security problem.”
The Advanced Customs Fields team responded on X, describing this as a situation where a plugin “under active development” has been “unilaterally and forcibly taken away from its creator without consent,” which is said has never happened “in the 21 year history of WordPress.”
Some background: WordPress is a free, open source content management system used by many websites (including TechCrunch), while companies like WP Engine and Mullenweg’s Automattic offer hosting and other commercial services on tap.
Matt Mullenweg posted on WordPress about Secure Custom Fields:
On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.
On October 3rd, the ACF team announced ACF plugin updates will come directly from their website. This was also communicated via a support notice in the WordPress.org support forum on Oct. 5th. Sites that followed the ACF team’s instructions on “How to update ACF” will continue to get updates directly from WP Engine. On October 1st, 2024, WP Engine also deployed its own solution for updates and installations for plugins and themes across their customers’ sites in place of WordPress.org update service.
Sites that continue to use WordPress.org’s update service and have not chosen to switch to ACF updates from WP Engine can click to update to switch Secure Custom Fields. Where sites have chosen to have plugin auto-updates from WordPress.org enabled, this update process will auto-switch them from Advanced Custom Fields to Secure Custom Fields.
This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commerical plugin, and if any developers want to get involved in maintaining and improving it, please get in touch…
The Verge reported WordPress.org has taken a popular WP Engine plugin in order “to remove commercial upsells and fix a security problem,” WordPress cofounder and Automattic CEO Mark Mullenweg, announced today. This “minimal” update, which he labels a fork of the Advanced Custom Fields (ACF) plugin is now called “Secure Custom Fields.”
It’s not clear what security problem Mullenweg is referring to in the post. He writes that he’s “invoking point 18 of the plugin directory guidelines,” in which the WordPress team reserves several rights, including removing a plugin or changing it “without developer consent.”
Mullenweg explains that the move has to do with WP Engine’s recently-filed lawsuit against him and Automattic.
In my opinion, it sounds like Matt Mullenweg might be hoping to get out of a lawsuit against him and his Automattic company.