I’ve written a few times about challenges with plugins on WordPress.org. Eleven years ago, as a comparative newcomer to WordPress, I wrote “Draining the swamp,” about a difficulty with an abandoned plugin. Later, I wrote “The Changelog Is A Lie” after a user usurped a plugin, hollowed it out, and replaced it with something else. I never thought we’d be in the situation that we are today, where WordPress.org has undermined the trust in the WordPress.org plugin repository. As they first said in Black Christmas, the call is coming from inside the house.
It’s beyond the scope of this post to fully review the dispute between Matt Mullenweg and WP Engine (see this article in The Verge for a good summary as of October 4). The latest development is that Mullenweg has usurped the free version of Advanced Custom Fields on the WordPress.org repository. The official announcement implies that the ACF team abandoned the plugin. This is inaccurate at best: Mullenweg banned the WP Engine developers from the WordPress.org repository, and blocked WP Engine-hosted sites from accessing it. Under the circumstances, switching the updating mechanism away from WordPress.org was the only responsible course of action available.
It’s a neat trick. You ban a developer from the repository, then announce that you’ve found a security issue, don’t let them release a patch for that issue, and then usurp the plugin because they haven’t fixed the issue. A tweet from WordPress claims justification under Guideline 18 of the plugin guidelines. It’s difficult to see how that guideline justifies this action. The developer hasn’t abandoned the plugin. The security issue wasn’t serious, and it’s been fixed. Put another way, if this is justifiable under Guideline 18, then there is no limiting principle.