You won’t believe the drama brewing in the WordPress world right now—it’s like a soap opera, but with more code and fewer love triangles. The main players? Matt Mullenweg, the founder of WordPress, and WP Engine, a major hosting provider. And let me tell you, things are heating up.
Here’s the latest: Mullenweg has just announced that WordPress is “forking” a popular plug-in that WP Engine developed called Advanced Custom Fields (ACF). Now, in non-tech speak, forking means they’re creating a new version of the same plug-in but without WP Engine involved. They’re calling the new plug-in Secure Custom Fields, and Mullenweg says it’s all about getting rid of those pesky upsells WP Engine has been pushing and—more importantly—fixing a serious security issue.
Naturally, WP Engine isn’t thrilled. The ACF team hopped on X (formerly Twitter, but we’re all still calling it Twitter in our hearts, right?) to express their frustration. They accused WordPress of snatching their plug-in right out of their hands without so much as a friendly conversation about it. They’re saying this has never happened before in WordPress’ 21-year history, and they’re pretty upset about the whole thing, calling it an ethical mess.
WordPress fired back, though. Mullenweg pointed out that this has happened before, though he admitted it’s rare. He also clarified that this situation is a bit of a one-off, all thanks to what he called WP Engine’s “legal attacks.” He reassured folks that WordPress doesn’t plan to take over other plug-ins willy-nilly. But hey, WordPress does have guidelines that let them remove or alter plug-ins “in the name of public safety,” so they’re saying this is all fair game.
Just to drive the point home, WordPress posted more details about the security risks with ACF. They said that WP Engine’s refusal to address these issues is a “dereliction of duty” to its users. Ouch.
Now, to fully understand what’s happening here, let’s backtrack. WordPress, as you probably know, is a free, open-source content management system—the thing that powers a huge chunk of the internet, including sites like TechCrunch. Companies like WP Engine and Mullenweg’s own Automattic build on top of that platform, offering hosting and extra services to make WordPress even more powerful.
But recently, Mullenweg hasn’t exactly been singing WP Engine’s praises. In fact, last month, he went all-in with a blog post that essentially called WP Engine a “cancer to WordPress.” No, really, he said that. He threw all kinds of criticisms their way, from their lack of support for certain features to the fact that their branding misleads people into thinking they’re officially connected to WordPress.
And if you thought things couldn’t get more intense, cease-and-desist letters started flying. At one point, WP Engine claimed that Mullenweg was threatening to go “scorched earth nuclear” unless they ponied up and paid for licensing the WordPress trademark. We’re talking full-on legal battle here.
In the middle of all this, WordPress temporarily banned WP Engine from WordPress.org, then briefly lifted the ban, only to put it back in place. This means WP Engine can’t offer automatic updates for ACF through the official WordPress channel—a pretty big deal when it comes to security fixes.
But WP Engine isn’t backing down quietly. They’ve offered a workaround for ACF users who still want to update the plug-in. Free users have to jump through a few hoops, but if you’re paying for the Pro version, you’re good to go with updates directly from the ACF website.
Meanwhile, Mullenweg is already moving forward with Secure Custom Fields, and he’s making it clear that it’s a non-commercial plug-in. In other words, no upsells, no funny business. He even invited developers to join the fun and help improve it.
And that’s where things stand—for now, at least. In the world of WordPress, it seems like anything can happen. Grab your popcorn, folks. It’s going to be a wild ride.