WordPress.org takes control of a WP Engine plugin.

WordPress.org has taken control of a popular plugin from WP Engine with the aim of "eliminating commercial upsells and addressing a security issue," as announced today by Matt Mullenweg, co-founder of WordPress and CEO of Automattic. This update, which he describes as a "fork" of the Advanced Custom Fields (ACF) plugin, is now referred to as "Secure Custom Fields."

The specific security issue Mullenweg refers to in his post has not been detailed. He mentions that "point 18 of the plugin directory guidelines is being invoked," which grants the WordPress team several rights, including the ability to remove or modify a plugin "without the developer's consent." Mullenweg also notes that this action is related to the recent lawsuit filed against him and Automattic by WP Engine.

Such situations have occurred in the past, although not on this scale. This is a rare and specific case arising from WP Engine's legal attacks, and it is not expected to happen with other plugins.

The ACF team at WP Engine stated on X that WordPress had never "unilaterally and forcibly taken a plugin from its creator without consent." They clarified that those who are not customers of WP Engine, Flywheel, or ACF Pro will need to go to the ACF site and follow the steps they previously published to "perform a one-time download of the genuine version 6.3.8" in order to continue receiving updates.

As its name suggests, the ACF plugin allows website creators to use custom fields when the existing generic fields are not adequate, a feature that, according to ACF's description, is already native to WordPress, although "not very easy to use."