Last week, WordPress added a loyalty checkbox (yes, you read that right) to its login screen. It required users to pledge they weren’t affiliated with WP Engine in any way. And now, in the latest plot twist of what has become a heated legal and open-source drama, WordPress.org has swooped in to seize control of WP Engine’s decade-old Advanced Custom Fields (ACF) plugin. If you’ve been following along, you’d be forgiven for thinking this all started over some trademark scuffle—but now, it’s escalated into something far more intense, and frankly, quite bizarre.

On October 12, WordPress co-founder Matt Mullenweg dropped a bombshell by announcing that WordPress would fork ACF into a new plugin, Secure Custom Fields (SCF), claiming to fix a security issue and — here’s the kicker — remove “commercial upsells.” Essentially, the folks at WordPress took the plugin, renamed it, and began replacing ACF installations with SCF. And just like that, years of work by WP Engine’s ACF team were sidelined.

This isn’t your typical open-source fork where two versions peacefully coexist. Nope, this is more like WordPress saying, “Thanks for the code, but we’ll take it from here,” leaving WP Engine staring blankly at the door as their plugin gets swapped out across millions of websites.

To make matters even more Shakespearean, Matt claims this is all in the name of “public safety” and is invoking Point 18 of the plugin directory guidelines, which grants WordPress the right to yank any plugin for security reasons or other concerns. But what’s really got everyone talking isn’t so much the reason behind it as the manner in which the takeover happened.

“Serious abuse of trust!” — WP Engine’s reaction

Unsurprisingly, WP Engine isn’t taking this lying down. Iain Poulson, the face of the ACF team, didn’t mince words in his response. He labeled the move “appalling” and “malicious,” accusing Mullenweg of hijacking their creation. According to Poulson, this is a full-blown hostile takeover and a serious abuse of trust — a landmark moment in the WordPress world where one of the most popular plugins has been forcefully stripped from its creators without consent.

The ACF team was quick to reassure its WP Engine, Flywheel, and ACF PRO customers that their versions of ACF would remain unaffected and continue to receive updates. But for anyone using the free version of ACF via WordPress.org? Well, now they’re being steered into SCF territory, whether they like it or not.

In fact, WP Engine even advised users to reinstall the last “genuine” version of ACF directly from their own website for fear that the new SCF might not be… let’s say, up to snuff.

Industry voices haven’t held back either. David Heinemeier Hansson of Ruby on Rails fame chimed in on his blog, warning that Mullenweg is inching dangerously close to “mad king” territory. While he acknowledged Matt’s past triumphs and leadership in the WordPress community, he couldn’t help but point out that this latest move — effectively weaponizing open-source software — could endanger trust in the WordPress ecosystem.

Coen Jacobs, a respected WordPress developer, went a step further by detailing how this saga could erode the faith that countless developers have placed in WordPress over the years. “All your hard work, years of dedication to maintaining a popular plugin,” Jacobs wrote, “can be taken away when you find yourself in a battle with Automattic or WordPress.”

Beneath the surface of all this drama is a much bigger question: What does this mean for the future of WordPress and the thousands of developers who build their livelihoods around it? If WordPress can simply take over a plugin without warning, what’s to stop it from happening again? And more importantly, can developers continue to trust a platform where their hard-earned success can be hijacked seemingly overnight?

According to Matt, this is not the first time WordPress has had to step in and fork a plugin for security reasons, but this is by far the most extreme example, especially given that WP Engine is a billion-dollar company with a powerful presence in the WordPress ecosystem.

To be clear, Mullenweg has stated that this sort of “emergency intervention” won’t become the norm. He claims the unprecedented step was necessary because of WP Engine’s alleged failure to address security vulnerabilities, but WP Engine maintains that their plugin was secure and that this move is more about legal muscle than actual safety.

In the end, it’s the millions of ACF users who are caught in the middle of this escalating spat. Whether you’re a developer who’s spent years relying on ACF or just someone running a small WordPress site, this battle has left everyone wondering which version of ACF (or SCF?) they can trust.

WP Engine has already posted instructions on how to undo the forced SCF update and restore the “genuine” ACF plugin, but that’s just one more hassle in an already messy situation.

Hillary Keverenge