Did Automattic commit open source theft?
The below was originally published in The Pragmatic Engineer. To get timely analysis on the tech industry like this, on a weekly basis: sign up to The Pragmatic Engineer Newsletter. If you are into podcasts, check out The Pragmatic Engineer Podcast.
Imagine Apple decided Spotify was a big enough business threat that it had to take unfair measures to limit Spotify’s growth on the App Store. Now imagine that Spotify sued Apple for these unfair practices. In response, Apple would then:
- Lock Spotify out of its developer ecosystem, making it impossible for Spotify to update their app on the App Store
- Declare “something must be done” because Spotify can no longer provide necessary updates on the App Store
- Silently transfer ownership of the Spotify app to itself (Apple) on the App Store.
- Modify the code so it removed ways to upgrade from free to paid Spotify features in this free app.
- Spotify’s former users on the App Store are now Apple’s users. The only Spotify users left are those that use Spotify’s app outside of the App Store, on other platforms.
- When questioned about fairness: claim that the App Store team acts independently of Apple!
Of course, this would never happen, right? All this would appear anticompetitive, not to mention legally dubious. And yet, substitute Apple with Automattic, App Store with WordPress.org and Spotify with one of the most popular WordPress plugins, and Automattic’s CEO is accused of orchestrating events similar to the above: taking ownership of a plugin called Advanced Custom Fields (ACF), which is built by Automattic’s largest competitor, WP Engine.
This event is shameful and unprecedented in the history of open source on the web.
Corporate conflict recap
Automattic is the creator of the open source WordPress content management system (CMS), and WordPress powers an incredible 43% of webpages and 65% of CMSes. WordPress is popular for several reasons: its permissive GPL license, robust themes, lots of customization options, a strong brand, heavy development investment – and not least, for having been around for 20 years.
Automattic is the VC-funded company behind WordPress, the largest ongoing contributor to the project, as well as the company that controls the commercial WordPress trademark. WP Engine is the challenger for the most popular managed WordPress hosting service – generating likely around $400M/year in revenue (as per Automattic), versus Automattic’s circa $500M/year, as per Automattic’s CEO, in a now-edited blog post. Automattic raised $980M in venture funding and was valued at $7.5B in 2021. WP Engine raised $250M in private equity funding in 2018 from Silver Lake Partners.
Automattic and WP Engine are in full-blown corporate conflict, with Automattic launching a series of attacks in the past two weeks including:
- Insult / response: Public insults from Automattic to which WP Engine responded with a cease-and-desist
- Cease-and-desists / comply: A cease-and-desist from Automattic claiming trademark infringement – to which WP Engine seems to have responded by updating trademark usage to be fair usage
- Block / workaround: the WordPress Foundation (WordPress.org) blocking WP Engine from accessing the WordPress.org plugin directory – to which WP Engine responded by developing its own workaround so as not to depend on the WordPress.org plugin directory.
- Counter sue: WP Engine filed its lawsuit against Automattic, referring to “a case about abuse of power, extortion, and greed.” Some of the accusations include Automattic hiding the fact that the WordPress trademark was secretly moved back to be controlled by Automattic, and claiming that Automattic’s actions have caused economic harm for both WP Engine and the WordPress community.
- Blocked from WordPress.com: even though WP Engine’s lawsuit is against Automattic and its CEO, WordPress.org bans anyone affiliated with WP Engine from accessing the site and updating plugins. The WordPress.org plugin directory is how the majority of WordPress sites update their plugins.
The WordPress Foundation and Automattic are fully intertwined, and the WordPress Foundation seems to be representing Automattic’s business interests. Automattic founder and CEO Matt Mullenweg recently confirmed that he personally owns WordPress.org. Because of this intertwined nature, in the rest of the article I will refer to Automattic as the “actor,” including when actions are by WordPress.org, or the WordPress Foundation. From a business perspective, current events are driven by Automattic’s interests.
Open source theft?
On 13 October, Automattic CEO and WordPress Foundation owner, Matt Mullenweg, announced the “forking” of Advanced Custom Fields in the WordPress Slack. The response was universally negative.
The announcement began:
“On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.”
The ACF plugin is the most-installed plugin made by WP Engine, and the 28th most popular WordPress plugin overall. Automattic claims that the change was a “fork.” But this description is misleading: Automattic did fork the plugin, which it has the right to do, but it also replaced the original in the plugin directory and is silently migrating 2M+ ACF customers onto this fork, now called Secure Custom Fields. In reality, it’s hardly “just” a fork:
- URL unchanged: The URL of this project still points to ‘advanced-custom-fields’
- Reviews stay in place: All existing reviews remain as if nothing changed. Reviews that point out the heist are being actively removed
- All users silently migrated: more than 2 million customers that installed this plugin over the last decade – thanks to hard work by WP Engine – now belong to the new owner.
Going back to the example with Apple and Spotify, it’s as though Apple “commandeered” Spotify’s app with all users, while locking Spotify out of its ecosystem.
Automattic also claimed in its cease-and-desist that “WP Engine brings almost zero aspect of WordPress to the world.” And yet, Automattic has commandeered two million sites that use WP Engine’s contribution to WordPress: a wildly successful plugin maintained for more than a decade. That is hardly “almost zero!”
Automattic’s actions also echo a supply chain attack in some ways. In a plugin directory, it’s considered a supply chain attack if an actor silently takes over a plugin and ships functional changes without disclosure, which is exactly what happened in this case. Automattic didn’t merely take ownership of the ACF plugin: it shipped business logic changes which customers were not notified about. As a result, hundreds of sites were broken. Here’s one such story:
“Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.
EDIT: I confirm our ACF plugins on sites are all switched to Secure Custom Fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our clients’ sites). Let’s see what comes next…
EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.”
There are other examples of how the silent change broke production sites. Such breakages suggest Automattic did not do proper testing for a plugin used by millions of sites. Automattic’s actions aim to reduce WP Engine’s revenue, as shown in the announcement by Matt Mullenweg which contains the phrase “to remove commercial upsells.” WP Engine generates significant revenue from its ACF Pro plugin.
Is WP Engine the only enterprise-ready WordPress hosting provider left?
All WordPress providers that use the WordPress.org plugin directory were part of what can be considered a supply chain attack, facilitated by none other than Automattic itself. There is a notable exception: WP Engine. It’s one of the few managed providers that doesn’t use the WordPress.org plugin directory for plugin updates, due to having been cut off a few weeks ago! As a result, WP Engine customers did not see the silent takeover of the ACF plugin.
This incident is a nightmare scenario for companies serious about supply chain security. Automattic has shown it’s ready to take over plugins as it pleases. It has also shown that it rolls out quiet changes with little to no testing. This would make it irresponsible for enterprises and government organizations to rely on the WordPress.org plugin directory.
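The check a supply-chain-conscious operator would want here: the ACF slug kept its URL while the plugin name and owner behind it changed, so pinning each installed plugin’s header identity per slug and diffing it on every update turns a silent swap into a visible alert. The code below is an added example, not code from this article or from WordPress, Automattic or WP Engine; the pin file, the two sample PHP headers and their version strings are constructed for illustration.

```python
"""Detect a silently replaced WordPress plugin by pinning its header identity."""
import re

# WordPress plugin headers are 'Key: Value' lines in the main PHP file's top
# comment block, optionally prefixed with ' * '. Only identity fields are read.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Plugin URI|Author|Version)\s*:\s*(.+?)\s*$", re.M
)


def parse_header(php_source: str) -> dict:
    """Return the identity-bearing header fields of a plugin's main PHP file."""
    return dict(HEADER_RE.findall(php_source))


def check_plugin(slug: str, php_source: str, pins: dict) -> list:
    """Compare a plugin's current header with the identity pinned for its slug.

    Returns (field, pinned, current) for every field that drifted; an empty
    list means the code under this slug is still what was vetted. Version is
    deliberately not pinned, so a normal update is not reported as drift.
    """
    current = parse_header(php_source)
    return [
        (field, pinned, current.get(field))
        for field, pinned in pins.get(slug, {}).items()
        if current.get(field) != pinned
    ]


# Constructed pin, recorded when the plugin was first vetted for the fleet.
PINS = {
    "advanced-custom-fields": {
        "Plugin Name": "Advanced Custom Fields",
        "Author": "WP Engine",
    }
}

# Constructed sample headers; both are served under the same, unchanged slug.
BEFORE = "<?php\n/*\nPlugin Name: Advanced Custom Fields\nAuthor: WP Engine\nVersion: 1.0.0\n*/"
AFTER = "<?php\n/*\nPlugin Name: Secure Custom Fields\nAuthor: WordPress.org\nVersion: 1.0.1\n*/"

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        # 'before' yields []; 'after' lists the two drifted identity fields.
        print(label, check_plugin("advanced-custom-fields", src, PINS))
```

Run against each plugin directory after an update cycle, a non-empty result is the signal to hold the rollout and read the diff, regardless of what the directory listing claims.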
Amusingly, in its war against WP Engine, Automattic might have created the single best advertisement for its chief rival. WP Engine now has proof it’s immune to unauthorized plugin takeover. And it wasn’t just the ACF plugin that can no longer be updated through the WordPress plugin directory. Packages like Nitropack and several others have also been locked out from submitting updates there: except for customers on WP Engine!
What next?
Two weeks ago, I speculated about how this conflict could end. However, I never imagined that Automattic would go as far as to use the WordPress plugin manager to commandeer another company’s plugin, and take 2 million of its users for itself.
Automattic has shown that it does not care how much it damages itself or the broader WordPress ecosystem, and that it will use the WordPress Foundation to advance its agenda. Some things could happen as a result:
- Enterprise and government customers wary of migrating to WordPress. Commandeering of a widely used WordPress plugin is unprecedented. Given that other CMSes do not have this problem, those options are a safer choice from a security perspective, and to avoid potential drama.
- WordPress competitors benefit. Competitors like Webflow, Wix, Ghost, and many others, will surely take advantage of these events to remind prospective customers they do not engage in ethically questionable behavior.
- WP Engine attempts to grow enterprise business. WP Engine emerges from these events with its reputation largely intact. If anything, WP Engine proved it remains enterprise-ready by not engaging in public taunts, and by operating a plugin ecosystem where the ACF plugin is not silently replaced. WP Engine will surely use this to make inroads at enterprises.
- Automattic looks increasingly unpredictable. Automattic’s recent actions have not been particularly rational, so it’s increasingly hard to predict what the company will do next. Every unexpected move will make it harder to close enterprise or government customers.
- Nothing changes for most WordPress sites. The vast majority of existing WordPress users and customers won’t care much about these events. Migrating away from a solution like WordPress is complex and expensive, and WordPress running on 40%+ of all websites is unlikely to change, however this conflict goes. This is also probably why Automattic is comfortable publicly escalating the conflict.
Sadly, it seems that Automattic has thrown away unwritten but valuable ethics in an effort to hit WP Engine where it hurts. But leveraging a supposedly neutral platform (the WordPress plugin manager) should not be the way to win in business – at least not in open source. Think about how Microsoft owns the similarly neutral package manager npm: what would it do to the software ecosystem if Microsoft “commandeered” a popular package of one of its competitors, to try and hurt them? If this unfathomable event were to happen, trust in the npm package system would plummet, as would its usage – and, given that Microsoft is a large player itself, antitrust regulators would also surely get involved and could proceed with penalties.
WP Engine will surely mount a legal defense, and might not have to do anything except behave in a civilized manner, in order to keep winning market share from Automattic.
I hope the combatants in this dispute calm down and stop fighting in public. Every punch landed surely hurts the rival; but more and more of these hits land on bystanders as well. And the longer this drama drags on, the more neutral spectators walk away, with the intention of never coming back – to WordPress as a whole.
Regardless of what happens, Automattic will forever be associated with being the first to cross an ethical red line in open source web software: commandeering another team’s actively maintained plugin, using a nonprofit foundation to orchestrate a premeditated attack, and ignoring the ethics of open source. All in the name of trying to harm its biggest competitor.
Automattic: it’s time to play fair.
I have zero affiliation with Automattic, WP Engine, WordPress, or any other companies mentioned in this article. For more details on the steps I take to stay unbiased in my analysis, see my ethics statement.
This was an excerpt from The Pulse #111. The full issue additionally covers:
- Industry pulse. Sudden layoffs at Meta, Spotify confirms work-from-anywhere, US mandates “click-to-cancel,” a historic SpaceX booster catch – and more.
- OpenAI’s impossible business projections. According to internal documents, OpenAI expects to generate $100B in revenue in 5 years, which is 25x more than it currently makes. This would mean OpenAI brings in more money than NVIDIA or Tesla!
- Top AI research scientists earn more than engineers. Few companies can compete with the compensation which AI startups pay ML engineers. Still, research scientists at these startups can make roughly double what the highest-paid ML engineers earn. It’s an interesting new dynamic.
Related analysis on open source business model challenges from The Pragmatic Engineer:
- Elasticsearch unexpectedly goes open source again: Elastic was forced by AWS to change the permissive license of Elasticsearch to be restrictive. Three years later, this is being reversed. Could we see more such cases by open source businesses?
- Commercial open source companies in trouble? Redis Labs changed the formerly permissive open source Redis license to a restrictive one, with the goal to have cloud providers pay when they host Redis. As a response, cloud providers started the Valkey project, which could become the “new and still permissive Redis.” HashiCorp is facing similar challenges with Terraform / OpenTofu.
- Pressure on commercial open source to make more money: a divisive open source license change at HashiCorp, tension between monetization and serving free users at Insomnia, and the fall of open source Rome Tools
- The end of 0% interest rates: what it means for tech startups and the industry: many of these open source challenges are – surprisingly! – connected with interest rate changes. The end of free money puts more pressure on commercial open source to focus on profits, not just growth.
Additional independent analysis on other publications:
- Open source royalty and mad kings and Automattic is doing open source dirty by David Heinemeier Hansson (DHH), the creator of Ruby on Rails
- Is Matt Mullenweg defending WordPress or sabotaging it? by Mathew Ingram, author at The Torment Nexus
- ‘The Community Is In Chaos’ by 404Media
Subscribe to my weekly newsletter to get articles like this in your inbox. It’s a pretty good read – and the #1 tech newsletter on Substack.