An unprecedented conflict between WordPress.org and WP Engine is shaking up the WordPress ecosystem. It centers around the popular Advanced Custom Fields (ACF) plugin and has far-reaching implications for developers, users, and the broader open-source community.
Origins of the Conflict
The roots of this controversy lie in longstanding tensions between WordPress.org, led by founder Matt Mullenweg, and WP Engine, a major WordPress hosting provider. These tensions escalated in October 2024 when WordPress.org took the extraordinary step of forking ACF, a plugin used by over 2 million websites, into a new version called Secure Custom Fields (SCF). [1][4]
WordPress.org is the official website for the open-source WordPress content management system. It hosts the free WordPress software, provides a repository for themes and plugins, and offers resources for users and developers. Matt Mullenweg, co-founder of WordPress, plays a central role in WordPress.org. He claims personal ownership of the site, leads the project’s development, and significantly influences its policies and operations. Mullenweg also heads the WordPress Foundation and is CEO of Automattic, the company behind WordPress.com. His multiple roles and decision-making authority have sometimes led to controversies within the WordPress community, particularly regarding governance and the project’s future direction. [9]
WP Engine is a managed WordPress hosting provider founded in 2010 and based in Austin, Texas. It specializes in hosting websites built on the WordPress platform and manages technical aspects like updates, backups, and security.
Over time, the company has expanded its services, including acquiring other WordPress-related businesses like Delicious Brains and their plugins, such as Advanced Custom Fields (ACF), WP Migrate, and Better Search Replace. [10]
Advanced Custom Fields (ACF) is a widely used WordPress plugin that enables users to add custom fields to various parts of the WordPress admin area. It provides a user-friendly interface for creating and managing custom fields for posts, pages, custom post types, user profiles, and more. ACF offers a range of field types and an API for developers to easily retrieve and display custom field data. The plugin’s versatility and ease of use have made it a staple in the WordPress ecosystem, allowing for greater customization and flexibility in content management.
Originally developed by Elliot Condon, ACF was acquired by Delicious Brains in 2021 and is now maintained by WP Engine, which acquired Delicious Brains in 2022. Available in both free and pro versions, it’s popular among developers and site builders for extending WordPress functionality without extensive coding.
The ACF Takeover
Invoking point 18 of the plugin directory guidelines, which gives WordPress.org authority to take over plugins if they pose security risks, Mullenweg announced the creation of Secure Custom Fields (SCF) as a stripped-down version of ACF. [1][4]
WordPress.org and Matt Mullenweg justified their takeover on two main grounds:
- Security concerns: Mullenweg cited an unspecified security vulnerability in ACF as the primary reason for the fork. [1]
- Commercialization issues: There were concerns about ACF embedding commercial upsells that do not fit in the free, open-source ecosystem. [1]
In a post published on October 12, 2024, Matt Mullenweg announced the creation of Secure Custom Fields as a fork of ACF to address a specific critical security flaw discovered in the original plugin.
The new fork, SCF, replaced every installation of the ACF plugin (installations of the paid version, ACF Pro, were not affected). WordPress.org took over its plugin page, including all reviews. Developers searching for Advanced Custom Fields in the plugin store would only see SCF as their first suggestion. This is also how I found out about this takeover.
WP Engine’s Response
WP Engine and the ACF development team strongly contested this move, arguing that:
- The plugin was under active development, and any security issues could have been addressed without a takeover. [1]
- This action was unprecedented in WordPress’s 21-year history. [2]
- The move was perceived as a “hostile takeover” to undermine their business. [1]
In response, WP Engine urged its users to update ACF manually through their platform, bypassing WordPress.org’s update system. [1]
Developers who use ACF Pro, as well as websites hosted on WP Engine and Flywheel, are not affected by this change and will continue to receive updates directly from WP Engine.
Those using the free version of ACF with other hosting providers must manually download the latest version of ACF from the ACF website to continue to benefit from WP Engine’s updates: https://www.advancedcustomfields.com/downloads/
The WP Engine Ban from WordPress.org
In September 2024, WordPress.org took the unprecedented step of banning WP Engine from accessing its resources. This ban prevented WP Engine customers from updating and installing plugins and themes through the WordPress admin interface, potentially exposing their sites to security risks. [12]
The ban was implemented by WordPress co-founder Matt Mullenweg, who cited trademark infringement and lack of contributions to the WordPress ecosystem as reasons for the action. [12]
Mullenweg accused WP Engine of exploiting the WordPress platform without giving back to the community and demanded compensation for trademark usage.
This move sparked significant controversy within the WordPress community, with many criticizing the sudden action that affected thousands of websites. The ban highlighted the complex relationship between WordPress.org, commercial hosting providers like WP Engine, and the broader open-source community.
After facing backlash, WordPress.org temporarily lifted the ban until October 1, 2024, to allow WP Engine time to set up alternative solutions. The incident has raised questions about WordPress’s governance and the balance of power within its ecosystem. Many users are concerned about the open-source CMS WordPress being closely tied to and dependent on WordPress.org.
WP Engine sues WordPress.org, Matt Mullenweg, and Automattic
In early October 2024, WP Engine filed a federal lawsuit against WordPress.org, Matt Mullenweg, and Automattic, marking a significant escalation in the ongoing conflict between the two entities. The lawsuit alleges several serious claims:
- Extortion and Unfair Competition: WP Engine accuses Mullenweg and Automattic of attempting to extract a revenue-sharing agreement (up to 8% of WP Engine’s revenue) under the threat of being blocked from essential WordPress.org resources.
- Libel and Defamation: The hosting company claims that Automattic has been spreading false information about WP Engine within the WordPress community, damaging its reputation.
- Interference with Contractual Relations: WP Engine argues that Automattic’s actions have negatively impacted its relationships with partners and customers.
- Computer Fraud and Trademark Violations: The lawsuit alleges that Automattic blocked certain technical functionalities, violating WordPress’s open nature.
WP Engine seeks to restore its access to WordPress.org resources and protect its business interests. Automattic has dismissed the lawsuit as “meritless” and vows to fight it vigorously in court. [13]
Community Reaction
This issue has deeply divided the WordPress community. Some support WordPress.org’s focus on security and open-source principles, while many view it as an overreach that threatens developer autonomy. [1]
Future Outlook
As the situation continues to evolve, several key questions remain:
- How will this affect the development and maintenance of other popular plugins?
- What long-term impact will this have on the relationship between WordPress.org and commercial entities in the ecosystem?
- How will users and developers choose between ACF and SCF moving forward?
The resolution of this conflict may well shape the future of WordPress governance and the delicate balance between open-source ideals and commercial interests in the platform’s ecosystem.
Sources
[1] https://www.wishagency.co.uk/news-insights/wordpress-vs-wp-engine-the-title-fight-over-advanced-custom-fields/
[2] https://www.techzine.eu/news/applications/125255/wordpress-halts-acf-plugin-in-wp-engine-conflict/
[3] https://www.creolestudios.com/scf-vs-acf-why-wordpress-forked-advanced-custom-fields/
[4] https://www.lrob.fr/en/blog/news/wordpress-vs-wp-engine-conflict-acf-becomes-secure-custom-fields/
[5] https://amphibee.fr/wp-drama/
[6] https://www.advancedcustomfields.com/blog/acf-plugin-no-longer-available-on-wordpress-org/
[7] https://dev.to/matfrana/the-wordpress-wp-engine-and-acf-drama-5h88
[8] https://www.theregister.com/2024/10/14/wordpress_forks_wpengine_plugin/
[9] https://www.theverge.com/2024/10/4/24262232/matt-mullenweg-wordpress-org-wp-engine
[10] https://deliciousbrains.com/wp-engine-acquisition/
[11] https://wordpress.org/news/2024/09/wp-engine-banned/
[12] https://www.searchenginejournal.com/wordpress-bans-thousands-of-wp-engine-customers/528213/
[13] https://techcrunch.com/2024/10/18/wp-engine-files-an-injuction-to-get-its-wordpress-org-access-back/