ACF Plugin Forked to ‘Secure Custom Fields’ Plugin

Yesterday, WordPress co-founder Matt Mullenweg announced the forking of the Advanced Custom Fields (ACF) plugin into a new plugin called Secure Custom Fields.

In the announcement, he stated: “On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.”

Point 18 of Plugin Directory Guidelines

The post went on to explain, “This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch. Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”

SCF Plugin Changelog

The ACF plugin is popular among web developers for its capabilities in customizing edit screens and managing custom field data. However, it has become embroiled in a dispute between Automattic and WP Engine, its owner. Following WP Engine’s ban, the ACF team was blocked from accessing WordPress dot org on October 03, 2024.

Next, Automattic tweeted about a vulnerability in the plugin. The tweet was later deleted. In response, the ACF team released ACF 6.3.8, a routine security release, stating, “WP Engine remains blocked from accessing our plugins on the .org plugin repository and therefore this update has been shipped to WP Engine’s repository and to the ACF website.”

The ACF team also provided a copy of this update to the WordPress.org Security team, which posted it to the plugin repository.

On October 9, a mandatory affiliation checkbox was added to the WordPress.org login. Users could access their accounts only after confirming, “I am not affiliated with WP Engine in any way, financially or otherwise.”

WP Engine Reacts

WP Engine tweeted: “We have been made aware that the Advanced Custom Fields plugin on the WordPress directory has been taken over by WordPress dot org. A plugin under active development has never been unilaterally and forcibly taken away from its creator without consent in the 21 year history of WordPress… This essential community promise has been violated, and we ask everyone to consider the ethics of such an action, and the new precedent that has been set.”  

They added: “We were saddened and appalled by Matt Mullenweg’s actions this morning appropriating the Advanced Custom Fields plugin that our ACF team has been actively developing for the WordPress community since 2011.”

In response, WordPress.org noted that this is not the first occurrence of such an incident: “This has happened several times before, and in line with the guidelines you agreed to by being in the directory. Best of luck with your version. We’re looking forward to making ours amazing for our users, using the best GPL code available.”

In a blog post on the ACF website, the team shared, “The change to our published distribution, and under our ‘slug’ which uniquely identifies the ACF plugin and code that our users trust in the WordPress.org plugin repository, is inconsistent with open source values and principles.  The change made by Mullenweg is maliciously being used to update millions of existing installations of ACF with code that is unapproved and untrusted by the Advanced Custom Fields team.”

“Advanced Custom Fields is a sophisticated plugin with over 200,000 lines of code, which we continually develop, enhance, support and invest in to meet the needs of our users across WordPress. We’ve made 15+ releases over the past two years, since joining WP Engine, and added significant new functionality to the free plugin as well as continually improving performance and our security and testing practices to meet the ‘enterprise grade’ that our users deserve.”

Iain Poulson

The post concludes, “Mullenweg’s actions are extraordinarily concerning and pose the grave risk of upending and irreparably harming the entire WordPress ecosystem.  His attempt to unilaterally take control of this open platform that we and so many other plugin developers and contributors have relied on, in the spirit of sharing plugins for all, provides further evidence of his serious abuse of trust, manifold conflicts of interest, and breach of the promises of openness and integrity in the community.”

Impact of the Fork 

This development does not affect WP Engine, Flywheel hosting, or ACF PRO customers. Free plugin users can choose to install Secure Custom Fields from the plugin directory or the ACF 6.3.8 version from advancedcustomfields.com. For sites with auto-updates enabled through WordPress.org, the update will automatically transition them from Advanced Custom Fields to Secure Custom Fields.

The WordPress community is no stranger to forking; for instance, WordPress itself was forked from the b2/cafelog project, and ClassicPress was forked in response to the introduction of Gutenberg. However, the forking of the ACF plugin has sent shockwaves through the community, raising ethical questions about the decision.

Interestingly, the Securecustomfields.com domain currently redirects to the ACF website, as highlighted by Kellie Peterson on X.

The community has expressed both support for and criticism of the fork. The previous reviews of the ACF plugin are still visible under the Secure Custom Fields plugin. Following the announcement, several members posted both positive and negative reviews about the plugin in the repository, while others took to X.

SCF Reviews from Plugin Repository

Colin Stewart tweeted: “In light of today’s news, since I mentioned in my previous post that I’m a member of the WordPress Security Team before anyone asks me: No, I was not aware.” Justin Sainton also tweeted along the same lines: “I do not love it. (Speaking independently, as a member of the Plugin Review Team)”

Several people also pointed out that ACF’s logos are still present in the new plugin and that WP Engine logos remain in the assets folder. Others referred to the post published by the Plugin Review Team, Forked Premium Plugins Are Not Permitted.

The creator of Ruby on Rails, David Heinemeier Hansson, published Open source royalty and mad kings. WP And Legal Stuff published ACF>SCF ‘fork’ and legal risk.

Tim Nash, a WordPress security consultant, has published an advisory about the ACF changes, while James Giroux published ACF Gets A Fork By WordPress.org where he says “While emotions are high, this move highlights the importance of maintaining the security and integrity of WordPress’s ecosystem. Forking under the GPL is not unprecedented, and this action reinforces the need for WP Engine/Silver Lake to negotiate in good faith.”

Other Forks

In a blog post titled Forking is Beautiful, Matt mentioned two recent WordPress fork attempts – FreeWP & AspirePress.

About Vinny Green’s FreeWP, Matt said: “We strongly encourage anyone who disagrees with the direction WordPress is headed in to join up with Vinny and create an amazing fork of WordPress. Viva FreeWP!”

In response, Vinny took to X to clarify: “I love how I never said I was going to fork the project and only wanted to support those who did. Matt is incredible at only hearing the things he wants to hear. Thanks for the free promotion, I guess. We in the biz called that earned media.”

The FAQ section in the FreeWP website has more details about the project: “To the best of our knowledge, it is a website that starts with “freewp” and ends with “.com”. Any further details are at the discretion of the individual who manages it.”

“What’s FreeWP then? Besides a more pleasant depiction of the domain? Its burgeoning project that is dedicated to the following mission: Coming soon. And not a fork.”

So you guessed its status! But you can sign up now to get updates.

AspirePress, on the other hand, is a loosely collected group of volunteers that offer their support to the WordPress platform and it “exists to be a community of individuals focused on helping WordPress become the platform we all aspire for it to be.”

They are building a mirror of WP.org and tweeted: “In case we haven’t been crystal clear, we have not forked WordPress. Rumors to the contrary are exaggerations.”

12 Comments

    • “Yesterday, WordPress co-founder Matt Mullenweg announced the forking of the Advanced Custom Fields (ACF) plugin into a new plugin called Secure Custom Fields.”

      That’s not what happened. Nothing was “forked”. He just renamed the plugin on WordPress.org.

      • It is really shocking, taking over the entire repo, renaming it (except for that stubborn slug) and even keeping all the reviews. The checkbox on login is eyebrow-raising but this is a straight up hijack. Total disregard for the users.

    • Thanks for this confirmation that WordPress.org is now an entirely ethics-free endeavour. My relationship with WordPress is now over and my sites will be redeveloped using other platforms.

    • This is theft. It is wrong. It is an assault on the millions of ACF users. It is a hostile takeover; NOT a fork. It is vengeful, and mean spirited. MM has lost all of my respect, and this will affect the contributions of the entire community; not just WP Engine.

      Perhaps WP Engine will fork WordPress; create its own repo; then provide lucrative benefits to all plugin providers to abandon WordPress.org and place their plugins in a new repo. Touche!

      Perhaps WP Engine will contact the Class Action Lawsuit lawyers, and on behalf of the ACF community who has been harmed by these wrongful actions, file a Class Action suit against Automattic, MM and WordPress.org.

      When the Mad King goes nuclear against millions of users he is now impacting the entire ecosystem. Shame on you MM…

    • We need to stop this aggression, Matt behaves like Putin – taking whatever he thinks is his. No regard and respect to the law. This will end very bad for him. Bad leadership, bad leader!

    • As if there isn’t enough pressure on me from new platforms that want to steal business from me, but now the platform I use is embroiled in a pissing match by an ego-driven manchild. Can someone stop this guy? He’s going to burn this place down with his behavior.

    • This is an embarrassment for MM and a slap in the face to WordPress and the wider open-source community. His attempts at justification are insulting. He should just own it with a statement like ‘yes, this is a corporate power play, deal with it or get out’.

    • Whf, time to get away from WordPress shit, what other CMS should I use similar to this shit?

    • GPL allows it, so it’s ethical?

      This is comparable to when Woo forked another e-commerce plugin then hired away its developers. I doubt this fork will move forward nearly as well as ACF because it was not really forked to improve things as in the spirit of the GPL. It was forked to punish a competitor of the regrettably named WordPress.com.

      I hate to criticize but nearly all of this has been ugly behavior by someone who otherwise has been rational and polite. Please reconsider your tactics.

    • Just had my review of Secure Custom Fields deleted by a moderator who said it was a review of Matt and that I could review Matt on social media. Since I’m not on social media and apparently am not allowed to use Matt’s name in a plugin review, I’ll post it here.

      “This was a highly successful and useful plugin that helped make WordPress more than a blog by making it easy to add custom fields and post types.

      I cannot recommend it because it is no longer controlled by its owners. WordPress.org, under the leadership of Automattic’s CEO, has renamed the plugin and taken it over entirely. They did not fork it and make a new plugin on WordPress.org.

      They are doing this to punish a competitor of Automattic, plain and simple. Go to Advanced Custom Fields website to get the real thing. The free version is there and they provide a separate plugin for automatically updating it from their server.

      It is sad to see how Matt Mullenweg has behaved and I hope he turns this around. He’s done a great job for two decades up until this point.”

      Hopefully this comment will not also be censored (Matt controls this blog too) because if WordPress is not free and open and the community cannot say their opinion on a plugin, then you can all go to hell and I will go to Texas.

    • It’s sad to see Mr. Mullenweg turning into a sort of Elon Musk-type character.

    • Thanks for this confirmation that WordPress.org is now an entirely ethics-free endeavour.

  • The topic ‘ACF Plugin Forked to ‘Secure Custom Fields’ Plugin’ is closed to new replies.
