WordPress founder Matt Mullenweg announced the creation of a new plugin, Secure Custom Fields, in direct response to an ongoing legal battle with WP Engine. The new plugin is a fork of the widely used Advanced Custom Fields (ACF) plugin, which WP Engine developed.
Mullenweg explained that the decision to fork ACF was driven by the need to fix what he described as a security vulnerability in the original plugin and to eliminate its commercial upsells.
Mullenweg’s team has taken over the ACF plugin, which is popular for allowing users to customise their WordPress edit screens. The original plugin, however, remains in WP Engine’s hands for those who continue to use it, though they may not receive automatic updates via WordPress.org.
The response from WP Engine was swift and highly critical. The ACF team took to social media, accusing Mullenweg of forcibly taking control of a plugin that was still being developed.
“This essential community promise has been violated,” they wrote, referring to WordPress’s long-standing principle of respecting the creators of plugins. The ACF team warned that this could set a dangerous precedent for future plugins, effectively giving WordPress carte blanche to seize control of other third-party plugins.
Mullenweg and WordPress responded by pointing to their existing plugin guidelines, which allow them to take over a plugin “without developer consent, in the name of public safety.” They noted that while this type of situation is rare, similar actions have been taken in the past.
Mullenweg emphasised that WP Engine’s legal actions left him no choice but to intervene in this instance.
“This is a rare and unusual situation brought on by WP Engine’s legal attacks,” Mullenweg wrote, alluding to a larger legal battle between the two companies that has escalated over recent months. “We do not anticipate this happening for other plugins.”
This fork comes amid an increasingly bitter feud between Mullenweg and WP Engine, a prominent WordPress hosting provider. In recent weeks, Mullenweg has publicly attacked WP Engine, labeling the company a “cancer to WordPress” in a blog post that also targeted its investor, Silver Lake.
The dispute has since escalated, with cease-and-desist letters being exchanged between both parties. WP Engine accused Mullenweg of threatening a “scorched earth nuclear approach” unless they paid to license the WordPress trademark.
In response, Mullenweg banned WP Engine from accessing WordPress.org, a move that was briefly reversed but quickly reinstated, cutting off WP Engine’s ability to distribute updates for ACF through WordPress.org.
WP Engine, for its part, has published a workaround that allows ACF users to manually update their plugins. This workaround primarily affects users of the free version, though pro users will still receive updates directly through WP Engine’s website.