WordPress.org’s latest move involves taking control of a WP Engine plugin
WordPress.org has taken over a popular WP Engine plugin in order “to remove commercial upsells and fix a security problem,” WordPress cofounder and Automattic CEO Matt Mullenweg announced today. This “minimal” update, which he labels a fork of the Advanced Custom Fields (ACF) plugin, is now called “Secure Custom Fields.”
It’s not clear what security problem Mullenweg is referring to in the post. He writes that he’s “invoking point 18 of the plugin directory guidelines,” in which the WordPress team reserves several rights, including removing a plugin, or changing it “without developer consent.” Mullenweg explains that the move has to do with WP Engine’s recently-filed lawsuit against him and Automattic.
Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.
WP Engine’s ACF team claimed on X that WordPress has never “unilaterally and forcibly” taken a plugin “from its creator without consent.” It later wrote that those who aren’t WP Engine, Flywheel, or ACF Pro customers will need to go to the ACF site and follow steps it published earlier to “perform a 1-time download of the genuine 6.3.8 version” to keep getting updates.
As its name implies, the ACF plugin allows website creators to use custom fields when existing generic ones won’t do — something ACF’s overview of the plugin says is already a native, but “not very user friendly,” feature of WordPress.
The Verge has reached out to Automattic, WordPress.org, and WP Engine for comment.
Update October 12th: Adjusted to add clarity about Mullenweg’s use of the “fork” label.