WordPress.org's latest move involves taking control of a WP Engine plugin

Context of the Feud

  • Conflict between WordPress leadership and a major WordPress-focused host escalates into lawsuits, trademark complaints, and now a takeover/“fork” of the popular Advanced Custom Fields (ACF) plugin into “Secure Custom Fields.”
  • Many see this not as a narrow tech issue but as part of a broader “scorched earth” campaign over money, control, and expectations of contributions to the WordPress ecosystem.

Plugin Takeover & Security Justification

  • WordPress.org locked the original maintainer out of the plugin repository, then pushed its own version under a new name while changing author attribution to “WordPress.org.”
  • A security fix involving unsafe use of $_POST was cited, but:
    • Some say the fix appears to be backported from the original vendor and not unique to WordPress.org.
    • Others argue the change is partial, amateurish, or at least not a clear basis for a forced takeover.
  • Details such as a CVE or full risk description are missing; several commenters say the “security” framing feels more like leverage than necessity.

Supply Chain & Trust Concerns

  • Many see this as a de facto supply-chain risk: users auto-update to code now controlled by a different party without an explicit opt-in.
  • Others argue it’s WordPress.org’s own infrastructure, so “attack” is overstated, but concede that trust is damaged.
  • Deleting the original changelog, removing upsell/pro references, and rewriting contributor credits are widely viewed as unethical even if technically allowed by GPL.
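
A check an administrator could run before accepting an update, given the concern above that auto-updates delivered code from a different party under a new name and author attribution. This is an added example, not code from WordPress.org or either plugin; the function names are hypothetical, and the header URLs and version numbers are constructed placeholders.

```python
import re

# Header fields read from the comment block at the top of a plugin's main file.
FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI", "Version")
# A change in any of these means the publisher or identity changed, not just the release.
IDENTITY_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI")

def parse_header(source: str) -> dict:
    """Extract header fields from the first 8 KiB of a plugin's main PHP file."""
    head, found = source[:8192], {}
    for field in FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            # Drop a trailing comment terminator or PHP close tag, then whitespace.
            found[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return found

def identity_changes(installed: str, candidate: str) -> dict:
    """Map each identity field that differs to its (installed, candidate) values."""
    old, new = parse_header(installed), parse_header(candidate)
    return {f: (old.get(f), new.get(f)) for f in IDENTITY_FIELDS if old.get(f) != new.get(f)}

def should_hold_update(installed: str, candidate: str) -> bool:
    """Hold the update for human review when the plugin's identity changed."""
    return bool(identity_changes(installed, candidate))

# Constructed sample headers (names from the discussion; URLs and versions are placeholders).
INSTALLED = """<?php
/**
 * Plugin Name: Advanced Custom Fields
 * Plugin URI: https://vendor.example/plugin
 * Version: 1.0.0
 * Author: WP Engine
 * Author URI: https://vendor.example
 */
"""
CANDIDATE = INSTALLED.replace("Advanced Custom", "Secure Custom").replace(
    "Author: WP Engine", "Author: WordPress.org").replace(
    "vendor.example", "directory.example").replace("1.0.0", "1.0.1")
ROUTINE = INSTALLED.replace("1.0.0", "1.0.1")  # same publisher, new version only

if __name__ == "__main__":
    for name, update in (("candidate", CANDIDATE), ("routine", ROUTINE)):
        print(name, "HOLD" if should_hold_update(INSTALLED, update) else "ok",
              identity_changes(INSTALLED, update))
```

A version-only bump passes, while a change of name or author is held for review instead of being applied automatically.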

Licensing, “Freeloading,” and Trademarks

  • One side frames the host as “freeloading” on GPL software and not contributing enough relative to its size.
  • Others counter that:
    • GPL explicitly allows commercial use without mandatory contributions.
    • The host contributes code, plugins, developer time, and sponsorships, just not at the level leadership demands.
  • Trademark complaints (use of “WP” / “WordPress” and marketing copy) are seen by many as pretext to extract revenue or compliance, especially because some policies were reportedly changed only recently.

Governance, PR, and Leadership Behavior

  • Heavy criticism of WordPress leadership’s public behavior: confrontational social media posts, direct participation in HN threads, and apparent disregard for legal/PR advice.
  • Some compare the style to other high-profile tech CEOs, calling it erratic, ego-driven, or “post-economic.”
  • A minority defends leadership for at least “showing personality” and pushing back against perceived corporate exploitation.

Impact on Users, Developers, and Ecosystem

  • Multiple commenters mention canceling ACF subscriptions, moving projects off WordPress, or reevaluating WordPress as a strategic platform.
  • Agencies and businesses heavily invested in WordPress (especially non-expert shops) may find migration difficult, but some clients are already asking to leave.
  • Many fear long-term damage to WordPress’s reputation and plugin ecosystem; some call this “radioactive” and compare it to other OSS-community schisms (Elastic, Terraform, Redis, Drupal).
  • Suggestions include: a community fork of WordPress, multi-vendor governance/foundation, or simply abandoning WordPress for more modern CMSs—even if current alternatives have their own downsides.