14 Oct 2024

How Did Automattic Employee Know in Advance of Takeover of Advanced Custom Fields if It Was Done by WordPress Security Team?

On Saturday, Matt Mullenweg announced a takeover of WP Engine’s Advanced Custom Fields plugin. That isn’t really surprising. As we wrote recently, Matt Mullenweg can hold plugin developers hostage. Matt Mullenweg claimed this was done by the WordPress security team:

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.

An Automattic employee has a different story to tell. James Giroux, who seems to be providing Matt Mullenweg’s views in more detail than he does, wrote this on Saturday:

Up front, I just want to be clear that I work at Automattic and had previous knowledge that this work was being undertaken and began writing this post before the official launch. If you haven’t yet read the official post, I suggest you do.

How would he know that? He isn’t listed as being a member of the WordPress security team or any other WordPress team. He says he “is a Technical Account Manager at WordPress VIP, where he works closely with enterprise-level customers to optimize their WordPress experiences.” His knowledge raises the question of Automattic’s involvement in the takeover.

As we wrote in our explainer of the various different Matt Mullenweg entities, WordPress at this point could reasonably be considered an arm of Automattic. How the WordPress security team plays into that is largely a mystery. There is almost no information on them. Other similar CMS developers provide basic information like who is on the team. Here is that for Drupal and Joomla. That doesn’t exist for WordPress. Instead, you get rather vague information. Only one person has posted on the team’s blog in the past two years. They are an Automattic employee.

Someone claiming to be on the security team claims they were not aware of this. They are not listed as being on the security team. Is that because they are not on the team, or is it because that information is not being properly shown? We don’t know. You should be able to determine if someone is on the team.

So is the security team an arm of Automattic and they did the takeover or was this something actually done by Automattic and then Matt Mullenweg claimed it was the security team?

We should note that the description of the plugin located in the plugin’s main file now reads, “Secure Custom Fields is a fork of the Advanced Custom Fields plugin, which will be maintained by WordPress.org, for security and functionality updates.” So not Automattic, so again, how would an Automattic employee know?

The blurred lines continue in this situation. Going back to Matt Mullenweg’s post, he referenced what he claimed were “WP Engine’s legal attacks”:

Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks; we do not anticipate this happening for other plugins.

Notably, the defendants in WP Engine’s lawsuit are Automattic and him. The WordPress project is not a defendant in the lawsuit. James Giroux also pushed this false line, claiming that WordPress.org was sued:

WPE/SL has sued Automattic, WordPress.org and Matt Mullenweg, not the other way around.

Matt Mullenweg appears to use WordPress.org as a codeword or euphemism for his apparent personal ownership of the WordPress website, but the lawsuit doesn’t list WordPress.org as a defendant.

Here is James Giroux’s defense of what happened here:

Regardless of whether you agree with the ban on WP Engine / Silver Lake or not, it exists. The result of that ban is that folks affiliated with WPE/SL (employees and contractors, IMO) no longer have access to the infrastructure of WordPress.org. They cannot log in, update, or remove their existing plugins and themes. The ACF team have also provided an alternate way for people and teams using ACF to access ongoing updates.

While this is not the first time a ban has occurred, this is the first time it has happened where the scale of the plugin in question requires a more nuanced approach. For example, as a stop-gap, the WordPress security team recently rolled out an update to patch a vulnerability on behalf of the WPE/SL team. This worked to solve an immediate problem but it does not resolve the issue in the long term.

It goes without saying that yes, this could be fixed if WordPress.org lifted the ban on WPE/SL. However, as I have previously stated, the volume is going to continue to rise and WPE/SL is going to continue to feel the pressure to negotiate in good faith as the levers available to the Project Lead are exercised.

The Project Lead seems to refer to the Project Lead of WordPress, which would be Matt Mullenweg. But the company he runs, Automattic, has put forward a timeline of negotiations that shows they were the ones conducting negotiations with WP Engine, not WordPress. So WordPress has nothing to do with that. That isn’t surprising, since the negotiations were actually over a WooCommerce “Hosting Partner Program”. After the negotiations ended, Matt Mullenweg started an extortion campaign against WP Engine in his role as the CEO of Automattic. So again, WordPress has nothing to do with that.

Later in his post, James Giroux brought up the security team again:

The WordPress security team is also within its rights as described in Point 18 of the Plugin Directory guidelines to assume maintenance going forward.

So was this done by the security team or Automattic? Whatever the answer, this seems like more evidence for WP Engine’s legal claims.
