WordPress.org has launched a fork of the popular WPEngine plugin to “remove trade scalping and fix a security issue,” WordPress co-founder and Automattic CEO Matt Mullenweg announced today. This "minimal" update to the Advanced Custom Fields (ACF) plugin is now called "Secure Custom Fields".
It's unclear what safety concerns Mullenweg was referring to in his post. He wrote that he was "citing point 18 of the Plugin Directory Guidelines," in which the WordPress team reserves several rights, including removing plugins or changing them "without the developer's consent." Mullenweg explained that the move is related to the recent lawsuit WPEngine filed against him and Automattic.
Similar situations have happened before, but not on such a large scale. This is a rare anomaly caused by WPEngine's legal attack, and we don't expect this to happen with other plugins.
WPEngine's ACF team claimed on X that WordPress has never "unilaterally forcibly" taken plugins away from their creators "without consent." The team then wrote that users who are not WPEngine, Flywheel or ACFPro customers need to visit the ACF website and "perform a download of the genuine version 6.3.8" following the steps it posted earlier to continue getting the update.
As the name suggests, the ACF plugin allows website creators to use custom fields when existing universal fields cannot be used. ACF's plugin overview states that this is already a native WordPress feature, but it is "not user-friendly."
Related articles: