The WordPress story escalates as the WP Engine plugin is force-forked

The battle between WordPress co-founder Matthew Mullenweg and CMS hosting outfit WP Engine escalated over the weekend, with the latter apparently Personality is non grata Within the WordPress community – or at least managed by Mullenweg.

The weekend's action began on Saturday when Mullenweg – on behalf of the WordPress security team – posted news that WordPress.org would be developing a plugin called “Advanced Custom Fields” (ACF) and the new effort was called “Secure Custom Fields” (SCF). The forked plugin has been “updated to remove commercial upsells and fix a security issue.”

The effect of the fork is that users of ACF who relied on WordPress.org for automatic plugin updates will be moved to SCF.

But WordPress security consultant Tim Nash wrote that “Secure Custom Fields is no more secure than ACF. The security patch was applied by the WP Engine team prior to this incident to fix a vulnerability found by Automattic last week, which has been shared with them. WordPress Security Team Those who have already patched ACF on wordpress.org.”

So if the version of ACF hosted on WordPress.org was already patched, why was the fork necessary?

ACF is backed by WP Engine – a private-equity-backed outfit that offers WordPress hosting and which Mullenweg has alleged profited from the open source CMS without contributing properly to its development.

Mullenweg, and Automattic – the WordPress hosting business he leads – have tried to do more with WP Engine, without success.

One of the tricks used to create WP Engine is to prevent its users from accessing resources hosted on WordPress.org – the site that serves plugins like ACF. WP Engine created its own plugin delivery and update service and responded with legal action. In early October, ACF also responded by serving plugin updates from its own site.

While Mullenweg referred to a security issue as a requirement for the fork, his post added: “This is a rare and unusual situation brought about by a legitimate attack on WP Engine, we don't expect this to happen for other plugins.”

ACF Product Manager Ian Paulson has been fired as follows:

Has WP Engine Sponsorship been Removed in Australia?

Also over the weekend, WordCamp Sydney – a WordPress conference scheduled for early November – used its X account to post news that “WordPress Community Support (WCS) has removed @WPEngine as a sponsor from the #WCSyd website. It was not the decision of the host team. We have yet to receive an official statement from @WordPress that WP Engine has been banned from sponsoring in Sydney.”

A person familiar with the situation said Register WordCamp Sydney was not officially informed if WP Engine was banned from sponsoring the event, and it was not until September 24 that organizers realized there was no objection to the agreement.

A second Xeet reads as follows:

This is important because after the removal of the WP Engine sponsorship, purchasing tickets for WordCamp Sydney required a login to WordPress.com – which included a checkbox pledging non-authorization to access the site for several weeks.

We understand that WordCamp Sydney has not been notified of the change and is awaiting clarification on the checkbox.

Register Comment was sought from Automatic but no response was received at the time of publication.

Another weekend item of interest was a lawsuit filed against Automattic and WordPress.com by an organization called Very Good Plugins alleging unauthorized use of the trademark for “WP Fusion.”

FOSS calls for a legendary reunion

The WordPress/WP Engine battle has been going on for about three weeks now, and the FOSS community is starting to weigh in.

Ruby on Rails creator David Heinemeier Hanson weighed in with his vision as a promoter of an open source project from which others have benefited, describing the affair as “a seemingly never-ending series of dramatic overreach and violations of open source rules.”

Hanson described the “confiscation of the ACF plugin” as the “most persistent” episode in the story.

“Criminalizing open source code registries is something we simply cannot allow to form a priority,” Hanson wrote. “They must have neutral zones. Little Switzerland in a world of constant commercial conflict.”

“Using an open source project like WordPress as leverage in this treaty dispute … is a threat to the open source peace that has reigned for decades, with peacetime dividends for all,” he added. “Not since the nonsense of SCO-Linux in the early 2000s have we faced such a potential explosion of fear, doubt and uncertainty in the open source world over fundamental issues that everyone thought they could accept.”

Hanson urged Mullenweg: “Don't become a mad king. I hold your work in WordPress and beyond in the highest regard. And I recognize the temptation to claim gratitude, that the beneficiaries of our work gain more than the contributions. But it's certainly a moral one. There should be criticism, not commercial crusades.”

“Please don't encourage me to have a private-equity operator like Silver Lake, Matt.,” he added, before imploring Mullenweg to resolve the situation.

“It's not too late. Yes, some bridges have been burned, but look at them as sunk costs. Even in isolation, it's not worth the extra cost from here on out to continue this victory. There's still time. A decent deal where all parties To save some face I urge you to follow it.” ®