Introduction

The ongoing conflict between organizations using the Advanced Custom Fields (ACF) plug-in for WordPress, WP Engine (WPE) [2], and Matt Mullenweg [2] [3] [6], the founder of WordPress [2] [3], has sparked significant debate within the open-source community [5]. This dispute centers around the forking of ACF into a new version called Secure Custom Fields (SCF), driven by security concerns and legal actions.

Description

Organizations using the Advanced Custom Fields (ACF) plug-in for WordPress are currently embroiled in a significant dispute involving WP Engine (WPE) and Matt Mullenweg [2], the founder of WordPress [2] [3]. On October 12, 2024 [5], Mullenweg announced the forking of ACF [2] [5] [6], resulting in a new version called Secure Custom Fields (SCF) [2] [5]. This decision aimed to eliminate commercial upsells and address a security issue within ACF’s code [4] [5] [6], which Mullenweg described as insecure and a dereliction of duty to customers [6]. The move was prompted by ongoing legal actions from WPE, which necessitated the transition. The WordPress.org team has invoked point 18 of the plugin directory guidelines, permitting changes to a plugin without the developer’s consent under certain conditions [5], to facilitate this fork.

As a result, millions of users will automatically transition from ACF to SCF, including those with automatic plugin updates enabled [3]. SCF aims to ensure compliance with the WordPress Plugin Guidelines, which allow for the removal or modification of plugins for public safety reasons [6], and to address a security issue related to the PHP $_REQUEST superglobal [4], although the specific nature of the vulnerability has not been disclosed. The development team is working to remove all references to “acf” from the plugin to avoid further legal complications [1]. Developers are being sought to maintain and enhance SCF [3], which will be offered as a non-commercial plugin [6].

Mullenweg has criticized WPE for profiting from open-source software while contributing little back to the community [2]. He has accused WPE of providing a modified version of WordPress that he considers inferior and has claimed that his fork of ACF is a solution to security issues that he alleges WPE has not addressed [2]. Mullenweg has also demanded a trademark license from WPE to use the WordPress name and has restricted WPE’s access to WordPress.org resources [2]. Furthermore, WordPress has criticized WPE for not adequately informing users about the security vulnerability and stated that they had privately notified WPE about the issue without receiving a response [4].

In response, WPE has asserted that Mullenweg’s actions violate open-source principles and characterized the fork as a troubling precedent [2]. They contend that a plugin has never before been forcibly taken from its creator without consent, and they have dismissed Mullenweg’s security claims, highlighting their ongoing development efforts for ACF [2]. WPE’s ACF team has expressed concerns that the forced transition to SCF introduces risks, as users may receive unapproved updates [2]. They have advised users to download the latest ACF version directly from them to ensure they receive trusted updates [2].

The conflict has raised concerns about user confusion and the potential need for migration efforts, as automatic updates could lead to unintended transitions to SCF [2]. Experts warn that users should carefully evaluate their plugins and update sources to mitigate risks associated with the changes [2]. In a further escalation, WPE has filed a lawsuit against Automattic and Mullenweg, citing “abuse of power, extortion, and greed” [2]. The forking has sparked ethical debates within the open-source community, highlighting the complexities surrounding plugin forking and the decisions users now face between remaining with ACF or moving to SCF through automatic updates [5].

Conclusion

The forking of ACF into SCF has significant implications for users, developers, and the broader open-source community [1] [2] [3] [5] [6]. Users must carefully assess their plugin update settings to avoid unintended transitions and potential security risks. The legal and ethical debates surrounding this issue underscore the complexities of open-source software management and the need for clear guidelines and communication. As the situation evolves, stakeholders must remain vigilant and informed to navigate the challenges and opportunities presented by this dispute.
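The advice above to review plugin update settings can be made concrete. The following is an added example, not code from the page or from any party to the dispute: a must-use plugin that holds back background updates for named plugins by hooking the core `auto_update_plugin` filter, so that a replacement published under the same slug on WordPress.org cannot be installed without an administrator's explicit action. The plugin basenames are assumptions (the usual ones for the free and Pro builds of ACF); verify yours with `wp plugin list --fields=name,file` or on the Plugins screen before relying on them.

```php
<?php
/**
 * Added example (not from the page or from any party to the dispute):
 * hold back automatic updates for specific plugins so that a package
 * offered through the WordPress.org update channel is not applied in the
 * background. Place this file in wp-content/mu-plugins/ so it loads early.
 *
 * Assumption: these basenames match the installed ACF builds on your site.
 */

// Plugins whose background updates are held back, keyed by plugin basename.
const PINNED_PLUGINS = [
    'advanced-custom-fields/acf.php'     => true, // assumed basename, free build
    'advanced-custom-fields-pro/acf.php' => true, // assumed basename, Pro build
];

/**
 * WordPress consults the auto_update_plugin filter before applying each
 * background plugin update; returning false leaves the installed version alone.
 * $item is the update object from the update_plugins transient.
 */
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && isset( PINNED_PLUGINS[ $item->plugin ] ) ) {
        // Record the held-back update so the change in the update channel is visible for review.
        error_log( sprintf(
            'auto-update held for %s (offered version %s)',
            $item->plugin,
            $item->new_version ?? 'unknown'
        ) );
        return false;
    }
    return $update;
}, 10, 2 );
```

This only suppresses background updates; an administrator can still update the plugin manually after confirming where the package comes from, which is the point. Logging the held-back offer gives the site owner a record of when the update channel started offering a different package. The blunter alternative of setting `AUTOMATIC_UPDATER_DISABLED` in wp-config.php also stops core and theme updates, which is usually not what you want.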

References

[1] https://eric.mann.blog/wordpress-the-drama-continues/
[2] https://www.darkreading.com/application-security/wp-engine-accuses-wordpress-forcibily-taking-over-plug-in
[3] https://gigazine.net/gsc_news/en/20241015-wordpress-acf-plugin-fork/
[4] https://thehackernews.com/2024/10/wordpress-plugin-jetpack-patches-major.html
[5] https://softdiscover.com/news/wordpress-takes-over-acf-a-bold-move-or-an-abuse-of-power/
[6] https://finance.yahoo.com/news/latest-move-against-wp-engine-210403629.html