- Content management
The WordPress, WP Engine and ACF Drama
Intro
In this article, I aim to provide a clear explanation of the ongoing situation involving WordPress, WP Engine, and more recently, the ACF plugin. I want to emphasize that I'm not affiliated with any of the parties involved. Text enclosed in double quotation marks or block quotes is directly quoted from the original source.
As a web developer since 1996, I've witnessed WordPress's early days and used it for some time. Now, I find myself saddened and disappointed by the recent events. That's why I've chosen to present a comprehensive account of the facts to date, followed by a brief personal reflection at the end.
The Actors involved
1. WordPress
You're likely familiar with WordPress, as it is one of the most popular platforms for building websites, powering more than 40% of sites on the Internet.
WordPress began as an open-source PHP project launched in 2003 by Matt Mullenweg and Mike Little. Initially a blogging platform, it evolved into a more versatile Content Management System (CMS) with a powerful themes and plugins system. By 2011, it had become the most popular CMS worldwide.
As an open-source PHP project, WordPress can be self-hosted on any server with PHP and MySQL available. The official website for the open-source project is WordPress.org.
2. WP Engine
Hosting companies can offer plans with WordPress pre-installed. One of these companies is Automattic, owned by Matt Mullenweg (one of WordPress's original founders), which provides hosted WordPress services through WordPress.com (note the difference from the WordPress.org domain of the open-source platform).
WP Engine is another company providing WordPress hosting services. They claim to be the #1 platform for WordPress. Indeed, they're a significant player in the industry, with an annual revenue of around half a billion dollars. In 2018, WP Engine secured a $250 million investment from Silver Lake, a global private equity firm specializing in technology investments.
3. ACF
Advanced Custom Fields (ACF) is a very popular WordPress plugin. Created by Elliot Condon and later acquired by Delicious Brains in June 2021, ACF simplifies the management of structured data on WordPress pages. It allows developers to create custom field sets through an intuitive interface and retrieve their values in PHP code. Content editors can then populate these fields using the familiar WordPress admin interface.
ACF comes in two versions: a free version and a premium "Pro" version. The Pro version unlocks additional features, including the Repeater field, the Flexible Content field, and the Gallery field.
In June 2022, WP Engine acquired Advanced Custom Fields (ACF) along with the other WordPress plugins from Delicious Brains.
The Battle Unfolds: A Three-Act Drama
Act 1: The WordCamp Showdown
On September 20th, during WordCamp US 2024 in Portland, Oregon, Matt Mullenweg spoke about Silver Lake, the company behind WP Engine.
He claimed that Silver Lake contributes to WordPress for 47 hours per week (decreasing to 40), while Automattic contributes 3,786 hours weekly. Mullenweg asserted that Silver Lake "doesn't give a dang about your open source ideals, it just wants return on capital."
He then posed a provocative question to the audience: "Who are you giving your money to: someone who is going to nourish the ecosystem or someone who is going to frack every bit of value out of it until it withers?".
The talk was followed, on September 21st, by a post by Matt Mullenweg titled "WP Engine is not WordPress" where he claims that:
- WP Engine is causing confusion with the "WordPress" trademark;
- WP Engine generates half a billion dollars in revenue from WordPress hosting, yet only contributes back just 40 hours per week to the community;
- WP Engine disables content revisions by default to reduce storage costs. Mullenweg writes: “They are strip-mining the WordPress ecosystem, giving our users a crappier experience so they can make more money”. And after, “they are a cancer to WordPress, and it’s important to remember that unchecked, cancer will spread”.
Act 2: WP Engine's Response
In response, on September 23, 2024, WP Engine sent a "Cease and Desist" letter to Automattic.
The litigation counsel for WP Engine made startling claims in this document.
They alleged that:
In the days leading up to Mr. Mullenweg's September 20th keynote address at the WordCamp US Convention, Automattic suddenly began demanding that WP Engine pay Automattic large sums of money, and if it didn't, Automattic would wage a war against WP Engine.
Furthermore, they asserted that during the conference, Mullenweg sent text messages to WP Engine's CEO and board members, "threatening that if WP Engine did not agree to pay up prior to the start of Mr. Mullenweg's livestreamed keynote address at 3:45pm on September 20, he would go 'nuclear' on WP Engine."
All these alleged messages can be found on pages 3 and 4 of the document.
Act 3: Automattic's Countermove
The day after, on September 24, 2024, Automattic sent their own ”Cease and Desist” letter indicating that WP Engine’s hosting services “improperly use our Client’s WORDPRESS and WOOCOMMERCE trademarks in their marketing”.
In this context, the "Client" refers collectively to Automattic, Inc. and WooCommerce, Inc. While the "WordPress" trademark registration is owned by The WordPress Foundation (a charitable organization), Automattic holds the exclusive commercial rights to use, enforce, and sublicense it.
In the Cease and Desist letter, Automattic's lawyers demand that WP Engine stops all allegedly unauthorized use of the WordPress trademark and pay compensation for "unauthorized use of their intellectual property and unfair competition". The letter states that the specific amount will be determined once WP Engine provides an accounting as requested. It then adds, "even a mere 8% royalty on WP Engine's $400+ million in annual revenue equates to more than $32 million in annual lost licensing revenue for our Client".
The WordPress Foundation also revised its Trademark Policy page, specifically changing the section about "WP" and addressing "WP Engine" directly:
The abbreviation “WP” is not covered by the WordPress trademarks, but please don’t use it in a way that confuses people. For example, many people think WP Engine is “WordPress Engine” and officially associated with WordPress, which it’s not. They have never once even donated to the WordPress Foundation, despite making billions of revenue on top of WordPress.
Just a few days before, the same page contained a more permissive statement regarding the use of the abbreviation "WP":
The abbreviation “WP” is not covered by the WordPress trademarks and you are free to use it in any way you see fit.
For those interested in the legal aspects, you can also read the official lawsuit filed by WP Engine on October 2, 2024.
The Escalation: A Dramatic Three-Act Sequel
Until this point, the conflict had been limited to words, spoken or written, and many WordPress developers were still unaware of the situation, but events were about to take a dramatic turn.
Act 1 - The Great Block
On September 25, Matt Mullenweg escalated the issue by publishing a new post on WordPress.org titled "WP Engine is banned from WordPress.org".
The opening sentence was: "Any WP Engine customers having trouble with their sites should contact WP Engine support and ask them to fix it". This would be quite hilarious if it weren't so alarming: how could WP Engine possibly fix a block that WordPress.org intentionally implemented to restrict WP Engine's customers?
The post continued:
WP Engine wants to control your WordPress experience, they need to run their own user login system, update servers, plugin directory, theme directory, […]. Their servers can no longer access our servers for free.
Following this announcement, WordPress.org took action by blocking WP Engine's customers from accessing its resources, particularly the marketplace that enables updating and installing plugins and themes.
This ban effectively prevented WP Engine customers from accessing security updates, too, leaving their websites vulnerable to potential threats.
Of course, the community didn’t appreciate this. Consider also that even public administration websites could potentially be left vulnerable, unable to update their plugins or access important security updates. This marked the moment when I, along with many other developers, became aware of the unfolding "WordPress drama".
Act 2 - The On-Again, Off-Again Ban
The ban was lifted on September 27.
On September 30, WP Engine updated its website footer to explicitly state its lack of affiliation with the WordPress Foundation. The revised footer now clarifies that their use of the WordPress, Woo, and WooCommerce names is solely for identification purposes and does not imply endorsement by either the WordPress Foundation or WooCommerce, Inc.
On October 1, WP Engine announced they had implemented their own solution to enable plugin and theme updates and installations.
The same day, the ban was reinstated. As of this writing, it remains in effect.
Act 3 - The Checkbox
On October 8, David Heinemeier Hansson (aka "DHH", creator of Ruby on Rails and co-founder of 37signals) wrote an article titled "Automattic is doing open source dirty". In it, he argues that "Automattic demanding 8% of WP Engine's revenues because they're not 'giving back enough' to WordPress is a wanton violation of general open source ideals and the specifics of the GPL license".
The same day, WordPress.org added a new checkbox to their contributors' login page, requiring people to declare they have no association with WP Engine.
When I first saw a screenshot of this, I thought it was a joke. It wasn't.
Image credits: WordPress.org
Last-minute update (October 14): Just as I was about to hit publish, Matt Mullenweg responded to DHH's post. I'll refrain from summarizing or commenting on it: Read it yourself 😳
Update: Matt has since removed the post. To provide a glimpse of its content, I'll share a couple of key sentences:
DHH claims to be an expert on open source, but his toxic personality and inability to scale teams means that although he has invented about half a trillion dollars worth of good ideas, most of the value has been captured by others.
David, perhaps it would be good to explore with a therapist or coach why you keep having these great ideas but cannot scale them beyond a handful of niche customers. I will give full credit and respect. 37signals inspired tons of what Automattic does! We’re now half a billion in revenue. Why are you still so small?
Things get worse with ACF
On October 12, WordPress.org took over the Advanced Custom Fields (ACF) plugin. What does this mean? WordPress forked ACF—one of the most popular WordPress plugins—renamed it "Secure Custom Fields," and published it under ACF's original slug.
Image credits: WordPress.org
You can verify this yourself at https://wordpress.org/plugins/advanced-custom-fields/
The page appears identical, but now it displays "Secure Custom Fields by WordPress.org" instead of "Advanced Custom Fields". This means they've inherited ACF's 2M+ download count and high ratings. More critically, users with ACF installed will automatically update to the "new" Secure Custom Fields plugin.
The Advanced Custom Fields team stated on X "A plugin under active development has never been unilaterally and forcibly taken away from its creator without consent in the 21-year history of WordPress."
To draw a hypothetical parallel, imagine if Microsoft were to fork an npm package and publish their fork under the same name, effectively wresting control from the original publisher, with no clear justification. Wouldn’t it be scary?
Personal Reflections
We've moved on from WordPress and are no longer a digital agency—as you'll read in the next section. So you might think I'd feel "safe" from all this WordPress drama. Instead, I'm deeply concerned about these unfolding events as they are creating ripples of uncertainty across the entire development ecosystem.
As a hosting company, I'd be concerned about offering WordPress hosting services. I might face challenges in advertising them—especially considering the WordPress Foundation's trademark applications for "managed WordPress" and "hosted WordPress"—or feel compelled to remain small to avoid drawing Automattic's attention. See the Managed WordPress trademark application and Hosted WordPress trademark application.
As a plugin development company, I'd be concerned that if my plugin becomes successful, WordPress might take control of it, eliminating the possibility of a viable freemium model.
As a WordPress developer, I'd worry that my chosen hosting platform could inadvertently infringe on trademarks, preventing me from providing timely updates to my clients.
As a corporation with a WordPress website, I'd be anxious about potential inability to access security updates or having plugins whose development slows down or stops entirely.
For the open source community at large, I feel a widespread unease about the WordPress ecosystem's current state. Open source is wonderful, but there's often a company behind these projects that might make decisions contrary to the community's wishes. While open source licenses like MIT or GPL have stood the test of time, murky areas around trademarks or contribution requirements could be discouraging. Typically, a contract with a company offers more explicit guidelines about what's allowed and what's not.
Although I'm not directly involved as a hosting company, WordPress or plugin developer, or a corporation using WordPress, these recent events have left me feeling somewhat uneasy about the broader implications for the tech ecosystem.
My Journey with WordPress
I began developing websites in 1996 at the age of 17, using my Pentium 120 with Windows 95. In 2004, while still in university, I launched my own company—I was a happy "webmaster"!
As a digital agency, we primarily created complex web applications and custom e-commerce systems (initially in ASP.NET, then Node.js and React). But occasionally, clients requested websites too, and WordPress became our go-to choice, because of its ready-made content administration. Advanced Custom Fields became our ally. It helped us overcome the challenges of a blank canvas—where clients might unleash the horrors of green text on red backgrounds in Comic Sans—by providing a more structured and clean WordPress experience.
By leveraging ACF and the ability to fetch data from REST APIs, we could create a self-hosted headless CMS. We paired this with modern React frontend frameworks like Next.js or Gatsby, offering a solid solution.
However, we eventually realized that the gray forms of ACF or a pure headless CMS weren't delivering the optimal user experience for our clients. This realization led us to develop React Bricks, a visual headless CMS based on React, transforming us from a service-based agency into a product company. But that's a tale for another time :)