
ACF Plugin Forked to ‘Secure Custom Fields’ Plugin

Yesterday, WordPress co-founder Matt Mullenweg announced the forking of the Advanced Custom Fields (ACF) plugin into a new plugin called Secure Custom Fields.

In the announcement, he stated: “On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.”

Point 18 of Plugin Directory Guidelines

The post went on to explain, “This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch. Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”

SCF Plugin Changelog

The ACF plugin is popular among web developers for its capabilities in customizing edit screens and managing custom field data. However, it has become embroiled in a dispute between Automattic and WP Engine, its owner. Following WP Engine’s ban, the ACF team was blocked from accessing WordPress dot org on October 03, 2024.

Next, Automattic tweeted about a vulnerability in the plugin. The tweet was later deleted. In response, the ACF team released ACF 6.3.8, a routine security release, stating, “WP Engine remains blocked from accessing our plugins on the .org plugin repository and therefore this update has been shipped to WP Engine’s repository and to the ACF website.”

The ACF team also provided a copy of this update to the WordPress.org Security team, which posted it to the plugin repository.

On October 9, a mandatory affiliation checkbox was added to the WordPress.org login. Users could access their accounts only after confirming, “I am not affiliated with WP Engine in any way, financially or otherwise.”

WP Engine Reacts

WP Engine tweeted: “We have been made aware that the Advanced Custom Fields plugin on the WordPress directory has been taken over by WordPress dot org. A plugin under active development has never been unilaterally and forcibly taken away from its creator without consent in the 21 year history of WordPress… This essential community promise has been violated, and we ask everyone to consider the ethics of such an action, and the new precedent that has been set.”  

They added: “We were saddened and appalled by Matt Mullenweg’s actions this morning appropriating the Advanced Custom Fields plugin that our ACF team has been actively developing for the WordPress community since 2011.”

In response, WordPress.org noted that this is not the first occurrence of such an incident: “This has happened several times before, and in line with the guidelines you agreed to by being in the directory. Best of luck with your version. We’re looking forward to making ours amazing for our users, using the best GPL code available.”

In a blog post on the ACF website, the team shared, “The change to our published distribution, and under our ‘slug’ which uniquely identifies the ACF plugin and code that our users trust in the WordPress.org plugin repository, is inconsistent with open source values and principles.  The change made by Mullenweg is maliciously being used to update millions of existing installations of ACF with code that is unapproved and untrusted by the Advanced Custom Fields team.”

“Advanced Custom Fields is a sophisticated plugin with over 200,000 lines of code, which we continually develop, enhance, support and invest in to meet the needs of our users across WordPress. We’ve made 15+ releases over the past two years, since joining WP Engine, and added significant new functionality to the free plugin as well as continually improving performance and our security and testing practices to meet the ‘enterprise grade’ that our users deserve.”

Iain Poulson

The post concludes, “Mullenweg’s actions are extraordinarily concerning and pose the grave risk of upending and irreparably harming the entire WordPress ecosystem.  His attempt to unilaterally take control of this open platform that we and so many other plugin developers and contributors have relied on, in the spirit of sharing plugins for all, provides further evidence of his serious abuse of trust, manifold conflicts of interest, and breach of the promises of openness and integrity in the community.”

Impact of the Fork 

This development does not affect WP Engine, Flywheel hosting, or ACF PRO customers. Free plugin users can choose to install Secure Custom Fields from the plugin directory or the ACF 6.3.8 version from advancedcustomfields.com. For sites with auto-updates enabled through WordPress.org, the update will automatically transition them from Advanced Custom Fields to Secure Custom Fields.

The WordPress community is no stranger to forking; for instance, WordPress itself was forked from the b2/cafelog project, and ClassicPress was forked in response to the introduction of Gutenberg. However, the forking of the ACF plugin has sent shockwaves through the community, raising ethical questions about the decision.

Interestingly, the Securecustomfields.com domain currently redirects to the ACF website, as highlighted by Kellie Peterson on X.

The community has expressed both support for and criticism of the fork. The previous reviews of the ACF plugin are still visible under the Secure Custom Fields plugin. Following the announcement, several members posted both positive and negative reviews of the plugin in the repository, while others took to X.

SCF Reviews from Plugin Repository

Colin Stewart tweeted: “In light of today’s news, since I mentioned in my previous post that I’m a member of the WordPress Security Team before anyone asks me: No, I was not aware.” Justin Sainton also tweeted along the same lines: “I do not love it. (Speaking independently, as a member of the Plugin Review Team)”

Several people also pointed out that ACF’s logos are still present in the new plugin and that WP Engine logos remain in the assets folder, while others referred to the Plugin Review Team’s post, “Forked Premium Plugins Are Not Permitted.”

The creator of Ruby on Rails, David Heinemeier Hansson, published “Open source royalty and mad kings.” WP And Legal Stuff published “ACF>SCF ‘fork’ and legal risk.”

Tim Nash, a WordPress security consultant, has published an advisory about the ACF changes, while James Giroux published “ACF Gets A Fork By WordPress.org,” where he says, “While emotions are high, this move highlights the importance of maintaining the security and integrity of WordPress’s ecosystem. Forking under the GPL is not unprecedented, and this action reinforces the need for WP Engine/Silver Lake to negotiate in good faith.”

Other Forks

In a blog post titled “Forking is Beautiful,” Matt mentioned two recent WordPress fork attempts: FreeWP and AspirePress.

About Vinny Green’s FreeWP, Matt said: “We strongly encourage anyone who disagrees with the direction WordPress is headed in to join up with Vinny and create an amazing fork of WordPress. Viva FreeWP!”

In response, Vinny took to X to clarify: “I love how I never said I was going to fork the project and only wanted to support those who did. Matt is incredible at only hearing the things he wants to hear. Thanks for the free promotion, I guess. We in the biz called that earned media.”

The FAQ section on the FreeWP website has more details about the project: “To the best of our knowledge, it is a website that starts with “freewp” and ends with “.com”. Any further details are at the discretion of the individual who manages it.”

“What’s FreeWP then? Besides a more pleasant depiction of the domain? Its burgeoning project that is dedicated to the following mission: Coming soon. And not a fork.”

So you guessed its status! But you can sign up now to get updates.

AspirePress, on the other hand, is a loosely collected group of volunteers that offer their support to the WordPress platform and it “exists to be a community of individuals focused on helping WordPress become the platform we all aspire for it to be.”

They are building a mirror of WordPress.org and tweeted: “In case we haven’t been crystal clear, we have not forked WordPress. Rumors to the contrary are exaggerations.”