The dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine continues, with Mullenweg announcing that WordPress is “forking” a plugin developed by WP Engine.
Specifically, Advanced Custom Fields — a plugin making it easier for WordPress users to customize their edit screens — is being taken out of WP Engine’s hands and updated as a new plugin called Secure Custom Fields.
Mullenweg wrote that this step was necessary “to remove commercial upsells and fix a security problem.”
The Advanced Custom Fields team responded on X, describing this as a situation where a plugin “under active development” has been “unilaterally and forcibly taken away from its creator without consent,” which it said has never happened “in the 21 year history of WordPress.”
“This essential community promise has been violated, and we ask everyone to consider the ethics of such an action, and the new precedent that has been set,” the ACF team wrote.
Both Mullenweg’s blog post and a reply from WordPress claim that similar situations have, in fact, happened before, though Mullenweg added, “This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”
They also pointed to WordPress’ plugin guidelines, which give WordPress the right to disable or remove any plugin, remove developer access, or change a plugin “without developer consent, in the name of public safety.”
Some background: WordPress is a free, open source content management system used by many websites (including TechCrunch), while companies like WP Engine and Mullenweg’s Automattic offer hosting and other commercial services on top.
Last month, Mullenweg published a blog post criticizing WP Engine as a “cancer to WordPress.” His criticisms covered everything from WP Engine’s lack of support for revision history to its investor Silver Lake, but he also suggested that its “WP” branding confuses customers, making it sound like the company is officially connected to WordPress.
Cease-and-desist letters have gone both ways, with WP Engine claiming Mullenweg threatened to take a “scorched earth nuclear approach” unless the company paid to license the WordPress trademark.
WordPress banned WP Engine from accessing WordPress.org, briefly lifted the ban, then imposed it again. This essentially prevents WP Engine from updating the plugin through WordPress.org — so it can’t offer automatic updates to address security issues.
WP Engine has, however, published a workaround for users who want to update the plugin and continue using ACF. (It says the workaround is only necessary for ACF’s free users, as pro users will continue to receive updates through the ACF website.)
Moving forward, Mullenweg wrote that Secure Custom Fields will be available as a non-commercial plugin: “If any developers want to get involved in maintaining and improving it, please get in touch.”