The fight between WordPress co-creator Matthew Mullenweg and CMS hosting outfit WP Engine escalated over the weekend, with the latter seemingly made persona non grata in the WordPress community – or at least the parts of it run by Mullenweg.

The weekend’s action started on Saturday when Mullenweg – on behalf of the WordPress security team – posted news that WordPress.org would fork a plugin called “Advanced Custom Fields” (ACF) and name the new effort “Secure Custom Fields” (SCF). The forked plugin “has been updated to remove commercial upsells and fix a security problem.”

The effect of the fork is that users of ACF who relied on WordPress.org for automatic plugin updates will be moved to SCF.

But Tim Nash, a WordPress security consultant, wrote that “Secure Custom Fields is no more secure than ACF. The security patch to fix a vulnerability found by Automattic last week was already applied by the WP Engine team prior to this incident, shared with the WordPress Security Team who had ALREADY patched ACF on wordpress.org.”

So if the version of ACF hosted on WordPress.org had already been patched, why was the fork necessary?

ACF is supported by WP Engine – a private-equity-backed outfit that offers WordPress hosting and which Mullenweg has accused of profiting from the open source CMS without making an appropriate contribution to its development.

Mullenweg and Automattic – the WordPress hosting business he leads – have tried to have WP Engine do more, without success.

One of the tactics used to prod WP Engine was to bar its users from accessing resources hosted at WordPress.org – the site that serves plugins like ACF. WP Engine responded by creating its own plugin delivery and update service, and with legal action. In early October, ACF also responded by serving updates to its plugin from its own site.

While Mullenweg mentions a security issue as necessitating the fork, his post also states: “This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”

ACF product manager Iain Poulson fired back as follows:

WP Engine sponsorship erased in Australia?

Also over the weekend, WordCamp Sydney – a WordPress conference scheduled for early November – used its X account to post news that “WordPress Community Support (WCS) has removed @WPEngine as a sponsor from the #WCSyd website. It was not the organising team’s decision. We have yet to receive an official statement from @WordPress that WP Engine is banned from sponsoring Sydney.”

A person familiar with the situation told The Register that WordCamp Sydney has not been officially informed if WP Engine is banned from sponsoring the event, and that as of September 24 organizers understood there were no objections to the deal.

A second Xeet reads as follows:

That matters because after the removal of the WP Engine sponsorship, buying tickets for WordCamp Sydney required a logon to WordPress.com – which has for weeks included the checkbox pledging non-affiliation to access the site.

We understand that WordCamp Sydney was not informed of the change and awaits clarification about the checkbox.

The Register sought comment from Automattic but had not received a response at the time of publication.

Another weekend item of interest is a lawsuit filed against Automattic and WordPress.com by an outfit called Very Good Plugins that has alleged unauthorized use of the trademark for “WP Fusion”.

FOSS legend urges reconciliation

The WordPress/WP Engine fight has now raged for about three weeks, and the FOSS community is starting to consider the matter.

Ruby on Rails creator David Heinemeier Hansson has weighed in with his perspective as the originator of an open source project from which others have profited, describing the affair as “a seemingly never-ending series of dramatic overreaches and breaches of open source norms.”

Hansson described “the expropriation of the ACF plugin” as the “most unhinged” episode in this saga.

“Weaponizing open source code registries is something we simply cannot allow to form precedence,” Hansson wrote. “They must remain neutral territory. Little Switzerlands in a world of constant commercial skirmishes.”

“Using an open source project like WordPress as leverage in this contract dispute … is an endangerment of an open source peace that has reigned decades, with peace-time dividends for all,” he added. “Not since the SCO-Linux nonsense of the early 2000s have we faced such a potential explosion in fear, doubt, and uncertainty in the open source realm on basic matters everyone thought they could take for granted.”

Hansson urged Mullenweg: “Don’t turn into a mad king. I hold your work on WordPress and beyond in the highest esteem. And I recognize the temptation of gratitude grievances, arising from beneficiaries getting more from our work than they return in contributions. But that must remain a moral critique, not a commercial crusade.”

“Please don’t make me cheer for a private-equity operator like Silver Lake, Matt,” he added, before urging Mullenweg to resolve the situation.

“It’s not too late. Yes, some bridges have been burned, but look at those as sunk cost. Even in isolation, the additional expense from here on out to continue this conquest is not going to be worth it either. There’s still time to turn around. To strike a modest deal where all parties save some face. I implore you to pursue it.” ®