In the latest move against WP Engine, WordPress is taking control of the ACF plugin

The dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine continues, with Mullenweg announcing that WordPress “forks” a plugin developed by WP Engine.

Specifically, Advanced Custom Fields — a plugin that makes it easier for WordPress users to customize edit screens — is being taken out of WP Engine’s hands and updated as a brand new plugin called Secure Custom Fields.

Mullenweg wrote that this step was obligatory “to remove commercial add-ons and fix a security issue.”

Advanced custom fields team replied on X daydescribing it as a situation where a plugin “in active development” was “unilaterally and forcibly taken away from its creator without consent”, which he claims has never happened “in WordPress’ 21-year history.”

“This important community promise has been violated, and we ask everyone to consider the ethics of this action and the setting of a new precedent,” the ACF team wrote.

Both the Mullenweg blog post and answer from WordPress claims that similar situations have occurred before, although Mullenweg added: “This is a rare and unusual situation caused by WP Engine legal attacks. We don’t anticipate this will happen with other plugins.”

They also pointed to the WordPress plugin guidelineswhich provides WordPress the right to disable or remove any plugin, remove developer access, or change a plugin “without developer consent, in the name of public safety.”

A bit of background: WordPress is a free, open-source content management system utilized by many web sites (including TechCrunch), while corporations like Mullenweg’s WP Engine and Automattic moreover offer hosting and other industrial services.

Last month, Mullenweg published a blog entry criticizing WP Engine as “WordPress cancer”. His criticisms included the whole lot from WP Engine’s lack of version history support to its Silver Lake investor, but he also suggested that its “WP” branding confuses customers by making it appear as if the company is officially connected to WordPress.

Cease and desist letters went each ways, with WP Engine claiming that Mullenweg threatened to take a “nuclear scorched earth approach” if the company didn’t pay for the WordPress trademark license.

WordPress blocked WP Engine from accessing WordPress.org, briefly lifted the ban, after which re-imposed it. This essentially prevents WP Engine from updating the plugin via WordPress.org – so it might probably’t offer automatic updates to handle security issues.

WP Engine does, nonetheless posted a workaround for users who need to update the plugin and proceed using ACF. (It says this workaround is only obligatory without spending a dime ACF users, as skilled users will proceed to receive updates through the ACF website.)

Going forward, Mullenweg wrote that Secure Custom Fields can be available as a non-commercial plugin: “If any developers want to get involved in maintaining and improving it, please contact us.”