WordPress.org has launched a fork of a popular WP Engine plugin to “remove commercial upsells and fix a security issue,” WordPress co-founder and Automattic CEO Matt Mullenweg announced today. This “minimal” update to the Advanced Custom Fields (ACF) plugin is now called “Secure Custom Fields.”
It is not clear which security issue Mullenweg is referring to in the post. He writes that he relies on “point 18 of the Plugin Directory Guidelines,” in which the WordPress team reserves several rights, including removing a plugin or modifying it “without the developer’s consent.” Mullenweg explains that the move is related to WP Engine's recently filed lawsuit against him and Automattic.
Similar situations have happened before, but not to this extent. This is a rare and unusual situation caused by WP Engine's legal attacks. We don't expect this to be the case with other plugins.
WP Engine's ACF team claimed on X that WordPress has never “unilaterally and forcefully” taken a plugin “from its creator without consent.” It was later written that those who are not WP Engine, Flywheel or ACF Pro customers need to go to the ACF website and follow the previously published steps to “perform a one-time download of the original version 6.3.8” in order to keep them receiving updates.
As the name suggests, the ACF plugin allows website builders to use custom fields when existing generic fields aren't enough – according to ACF's overview of the plugin, it's already a native but “not very user-friendly” feature of WordPress.
The edge has reached out to Automattic, WordPress.org and WP Engine for comment.