In the wake of WordPress.org’s controversial takeover of WP Engine’s Advanced Custom Fields plugin, developers are pulling their plugins from the official repository, opting to take control of their distribution amid growing concerns that WordPress.org is no longer a secure place to host plugins.
The team behind Paid Memberships Pro (PMP) has closed their plugin on WordPress.org, opting to self-host the free version instead. PMP co-founder Jason Coleman announced that today’s release of version 3.3 marks the first update of the core PMP plugin served through the company’s own license server.
In a post on the PMP blog, Coleman said the company had been serving its premium plugins from its own license server for years and would now handle downloads and updates for its free core plugin. The company plans to self-host its other plugins soon as well, except for a few that are co-maintained with other developers.
On X, Coleman said the move had been planned for over a year but was expedited due to “recent events.” When asked about potentially losing users funneled from WordPress.org, he replied, “Short-term loss, long-term gain. We’ve stopped trying to have the best membership plugin for WordPress. Now, we’re focused on building the best membership platform, period.”
Jake Jackson, creator of Gravity PDF, is also now self-hosting his plugin directly from GravityPDF.com. Announcing his decision to leave WordPress.org, Jackson claimed WordPress co-founder Matt Mullenweg had “weaponized” WordPress.org by appropriating ACF, setting a “dangerous precedent, threatening the platform’s integrity and security.”
Gravity PDF, which has been active for 12 years, has over 50,000 active installs and holds a 4.9-star rating in the WordPress.org repository.
In another act of resistance against Mullenweg, who owns WordPress.org and has accused WP Engine of violating WordPress trademarks, Very Good Plugins founder Jack Arturo has filed a cease and desist letter against Automattic for unauthorized use of the WP Fusion trademark.
Arturo’s letter demands that WordPress.com immediately stop hosting and distributing his plugin, WP Fusion Lite, which WordPress.com offers via a mirror of the WordPress.org repository.
“The plugin you are hosting creates a likelihood of confusion, mistake, or deception regarding the source, sponsorship, or affiliation of the WP Fusion brand, which could damage the reputation and goodwill associated with my brand,” the letter states. “Please be advised that I will vigorously defend my trademark rights to the fullest extent of the law.”
Jack told The Repository he’s yet to receive a response from Automattic.
For some developers, the decision to leave the WordPress.org repository has been made for them as bans continue to be handed out to long-time contributors to the WordPress project.
Scott Kingsley Clark, the lead developer of Pods, was banned from WordPress.org yesterday, leaving the future of the content development framework in doubt. He said the ban and the recent addition of a contentious checkbox to WordPress.org requiring users to confirm they are not affiliated with WP Engine had put Pods at risk.
“… since we’ve used the security best-practice of having release confirmations enabled on the Pods plugins on .org since they added that feature. To confirm a release, you must log into WordPress.org,” Clark said on X.
“So this was an attack on not just me but also on the Pods project as it means we can’t do releases.”
Anticipating this lockout, Clark had already asked a long-time Pods contributor to take over Pods’ WordPress.org listing so normal release processes could continue. But Clark said, “Nothing is safe here, unsure if his account will be locked or if Pods will be closed.”
Clark’s ban comes after he announced on October 14 via the Make WordPress Core blog that he had quit contributing to WordPress and would no longer lead the development of the Fields API. In response, Mullenweg asked if Clark wanted his accounts deactivated, to which Clark replied: “I intend on continuing to develop Pods, but you own WordPress.org, so you can decide that. Without access, I won’t be able to provide updates for Pods.”
Brian Gardner, an OG premium WordPress themes pioneer and creator of StudioPress, is removing his block themes Powder and Powder Zero from the WordPress.org repository. Garder, who’s a WordPress advocate at WP Engine, has been banned from accessing WordPress.org along with other WP Engine contributors. Support and updates for his themes are now provided via the Powder website.
New tools and mirrors emerge as developers seek alternatives
The feud between Automattic and WP Engine has also spurred the creation of new tools and mirrors, offering alternatives to WordPress.org’s plugin repository.
Akshat Choudhary, CEO of WP Remote and founder of BlogVault and MalCare, recently launched Morpheus, an open source mirror that allows sites to update plugins and themes without relying on WordPress.org. “The aim is to ease community concerns and prevent rash decisions about losing access to WordPress repository updates,” Choudhary said.
Last week, Sarah Savage and Alex Sirora, the team behind AspirePress, launched AspireSync, a tool for bulk downloading plugins and themes from WordPress.org. Savage and Sirora are also building AspireCloud, their own mirror of the WordPress repository.
Other projects included in a mirrors, forks and lightbulbs list published by the WP Community Collective this week include WordPress Packagist, which has mirrored WordPress.org as a Composer repository since 2013, and WenPai.org, a Chinese-language mirror that launched in July.
In addition, developers are creating tools to decentralize plugin and theme management. Jeff Matson is working on Wormhole Sync and Wormhole API, which sync and merge plugins and themes from external sources, bypassing WordPress.org. Jesse Nickles has updated his RepoMan tool, enabling users to install plugins directly from GitHub and block WordPress.org updates.
Even long-standing projects like GitHub Updater, maintained by Andy Fragen since 2013, are feeling the effects of tension among plugin developers. The WordPress Plugin Review Team inadvertently introduced an ill-timed restriction on Git Updater headers this week, affecting Fragen’s plugin. The team partly reverted the change, ensuring that GitHub Updater remains unaffected, while continuing to explore alternative solutions to address third-party updates as part of their work on the Plugin Check plugin.
Image credit: Justin Morgan on Unsplash.
