The dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine continues, with Mullenweg announcing that WordPress is “forking” a plug-in developed by WP Engine.

Specifically, Advanced Custom Fields — a plug-in making it easier for WordPress users to customize their edit screens — is being taken out of WP Engine’s hands and updated as a new plug-in called Secure Custom Fields.

Mullenweg wrote that this step was necessary “to remove commercial upsells and fix a security problem.”

The Advanced Custom Fields team responded on X, describing this as a situation where a plug-in “under active development” has been “unilaterally and forcibly taken away from its creator without consent,” which it said has never happened “in the 21 year history of WordPress.”

“This essential community promise has been violated, and we ask everyone to consider the ethics of such an action, and the new precedent that has been set,” the ACF team wrote.

Both Mullenweg’s blog post and a reply from WordPress claim that similar situations have, in fact, happened before, though Mullenweg added, “This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”

They also pointed to WordPress’ plug-in guidelines, which give WordPress the right to disable or remove any plug-in, remove developer access, or change a plug-in “without developer consent, in the name of public safety.”

Early Monday, after the initial announcement, WordPress offered more information about its security concerns, concluding, “[ACF’s] code is currently insecure, and it is a dereliction of their duty to customers for them to tell people to avoid Secure Custom Fields until they fix their vulnerability.”

Some background: WordPress is a free, open source content management system used by many websites (including TechCrunch), while companies like WP Engine and Mullenweg’s Automattic offer hosting and other commercial services on top. 

Last month, Mullenweg published a blog post criticizing WP Engine as a “cancer to WordPress.” His criticisms covered everything from WP Engine’s lack of support for revision history to its investor Silver Lake, but he also suggested that its “WP” branding confuses customers, making it sound like the company is officially connected to WordPress.

Cease-and-desist letters have gone both ways, with WP Engine claiming Mullenweg threatened to take a “scorched earth nuclear approach” unless the company paid to license the WordPress trademark.

WordPress banned WP Engine from accessing WordPress.org, briefly lifted the ban, then imposed it again. This essentially prevents WP Engine from updating the plug-in through WordPress.org — so it can’t offer automatic updates to address security issues.

WP Engine has, however, published a workaround for users who want to update the plug-in and continue using ACF. (It says the workaround is only necessary for ACF’s free users, as pro users will continue to receive updates through the ACF website.)

Moving forward, Mullenweg wrote that Secure Custom Fields will be available as a non-commercial plug-in: “If any developers want to get involved in maintaining and improving it, please get in touch.”

This post has been updated to include more information from WordPress.