WordPress.org has taken control of a popular WP Engine plugin called Advanced Custom Fields (ACF) and renamed it “Secure Custom Fields.” The move was announced by WordPress co-founder and Automattic CEO Matt Mullenweg. The purpose of this update is to eliminate commercial upsells and address a security issue, although the specific security problem is not mentioned in the announcement.
Mullenweg refers to point 18 of the plugin directory guidelines, which grants WordPress the right to remove or modify a plugin without developer consent. He explains that this action is related to WP Engine’s recent lawsuit against him and Automattic.
WP Engine’s ACF team responded by stating that WordPress has never before unilaterally taken a plugin from its creator without consent. They also advised non-WP Engine, Flywheel, or ACF Pro customers to visit the ACF website for instructions on how to download the genuine 6.3.8 version in order to continue receiving updates.
The ACF plugin allows website creators to utilize custom fields when standard ones are insufficient. According to ACF’s overview, this functionality already exists within WordPress but is not very user-friendly.
The Verge has reached out for comments from Automattic, WordPress.org, and WP Engine regarding this development.
[Update October 12th: The article has been adjusted for clarity regarding Mullenweg’s use of the term “fork.”]