
WordPress.org Takes Control of ACF, Sparking Community Outrage

The Advanced Custom Fields logo set against a dark blue background.

WordPress.org has taken over the free version of Advanced Custom Fields (ACF) plugin in a move WordPress co-founder Matt Mullenweg has justified for security reasons, prompting backlash.

WordPress.org has taken over the free version of WP Engine’s popular Advanced Custom Fields (ACF) plugin in a move WordPress co-founder Matt Mullenweg has justified for security reasons, prompting widespread backlash from the WordPress community, open source advocates, and tech founders.

Mullenweg announced on Saturday that WordPress.org had “forked” ACF, renaming it Secure Custom Fields. Posting on behalf of the WordPress Security Team, he cited point 18 of the plugin repository guidelines, which state that WordPress.org reserves the right to make changes to plugins without developer consent in the interest of public safety.

“Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins,” Mullenweg said.

Forking a plugin allows developers to create a new version by copying its source code, typically with modifications. The SCF plugin has been updated to remove ACF’s commercial upsells and to fix a minor security issue linked to a vulnerability patched last week.

The ACF team responded on X, claiming “A plugin under active development has never been unilaterally and forcibly taken away from its creator without consent in the 21 year history of WordPress.”

On the ACF blog, Product Manager Iain Poulson said Mullenweg’s actions were “inconsistent with open source values and principles.”

“His attempt to unilaterally take control of this open platform that we and so many other plugin developers and contributors have relied on, in the spirit of sharing plugins for all, provides further evidence of his serious abuse of trust, manifold conflicts of interest, and breach of the promises of openness and integrity in the community,” Poulson said.

On X, WordPress.org posted that plugin takeovers had happened before, adding, “Best of luck with your version. We’re looking forward to making ours amazing for our users, using the best GPL code available.”

ACF Pro users are not affected by the takeover. Since October 3, the ACF team has been urging users to update to a new version that uses an alternative update mechanism not controlled by WordPress.org.

The takeover is the latest salvo in Mullenweg’s ongoing war with WP Engine. It comes after the hosting company was blocked from accessing WordPress.org and its resources, the introduction of a checkbox requiring anyone logging into WordPress.org to confirm they are not affiliated with WP Engine, and Automattic’s public disclosure of a vulnerability in ACF. WP Engine is suing Automattic and Mullenweg, claiming abuse of power, attempted extortion, and leveraging trademark law for anti-competitive purposes. 

The takeover wasn’t entirely unexpected. On September 28, Mullenweg asked contributors in Making WordPress Slack whether ACF Pro should be brought into WordPress, signaling his interest in merging the plugin into core. On October 5, he asked his followers on X about the best alternatives to ACF, hinting, “I suspect there are going to be millions of sites moving away from it in the coming weeks.”

Banning WP Engine from accessing WordPress.org allowed Mullenweg to engineer the takeover, first by cutting off the ACF team’s ability to maintain the plugin and then by preventing them from patching a vulnerability, allowing Mullenweg to invoke point 18 of the plugin guidelines.

On X, security team member Colin Stewart confirmed that he didn’t know the takeover was happening. It’s understood the wider WordPress Security Team, including team rep John Blackbourn, was not consulted ahead of Saturday’s announcement.

Fork or hijacking?

While Mullenweg has described ACF’s takeover as a “fork,” others have labeled it a hijacking and even a supply chain attack.

The SCF plugin has taken over ACF’s slug in the WordPress.org repository, meaning users who search for “ACF” land on the SCF page. It also means users who had auto-updates enabled for ACF on their websites unknowingly had SCF installed over the top of it on Saturday. On Hacker News, Mullenweg said SCF was downloaded 225,000 times in the 24 hours after it went live.
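One defensive check suggested by the auto-update behaviour described above, written as an added example and not code from WordPress.org, WP Engine or the article: a must-use plugin that refuses background auto-updates for a pinned slug and logs when the code installed under that slug stops identifying itself by the expected plugin name. The slug `advanced-custom-fields`, the main file `advanced-custom-fields/acf.php` and the expected name are assumptions; verify them against your own install.

```php
<?php
/**
 * Plugin Name: Pin Plugin Updates (added example, not part of the article)
 * Description: Blocks background auto-updates for pinned slugs and flags a changed plugin name.
 */

// Assumed slug => main-file pairs; confirm against your install before relying on them.
const PINNED_PLUGINS = [
    'advanced-custom-fields' => 'advanced-custom-fields/acf.php',
];

// Expected "Plugin Name:" header values, recorded while the plugin was known-good (assumed).
const EXPECTED_NAMES = [
    'advanced-custom-fields' => 'Advanced Custom Fields',
];

// 1. Refuse background auto-updates for pinned slugs, whatever the per-plugin toggle says.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && array_key_exists($item->slug, PINNED_PLUGINS)) {
        return false;
    }
    return $update;
}, 10, 2);

// 2. After any plugin upgrade, compare the installed header name with the expected one
//    and log a warning if the code behind the slug no longer identifies as the same plugin.
add_action('upgrader_process_complete', function ($upgrader, $hook_extra) {
    if (($hook_extra['type'] ?? '') !== 'plugin') {
        return;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    foreach (PINNED_PLUGINS as $slug => $file) {
        $path = WP_PLUGIN_DIR . '/' . $file;
        if (!file_exists($path)) {
            continue; // plugin not installed under the pinned path; nothing to compare
        }
        $data = get_plugin_data($path, false, false);
        $name = $data['Name'] ?? '';
        if ($name !== EXPECTED_NAMES[$slug]) {
            error_log(sprintf(
                '[pin-plugin] slug "%s" now reports plugin name "%s" (expected "%s")',
                $slug, $name, EXPECTED_NAMES[$slug]
            ));
        }
    }
}, 10, 2);
```

The filter only affects background auto-updates; an administrator clicking "Update" in the dashboard still installs whatever the repository serves for that slug, which is why the post-upgrade header check is kept separately.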

In addition to using the same slug and keeping ACF’s 11+ years of ratings and reviews in the repository, the SCF plugin still includes mentions of “ACF” and uses ACF’s branding and logos, potentially violating WP Engine’s trademarks. According to lawyer and WordPress commentator Richard Best, the hosting company has trademark registrations pending for “Advanced Custom Fields” and “ACF,” and both have legal protection in the interim. A link to the “Getting Started guide” within the plugin also still points to advancedcustomfields.com.

Loyal ACF users have posted dozens of one-star reviews for the new SCF plugin, which, according to some, are being deleted. Curiously, someone may have given the ACF team a heads-up—the domain securecustomfields.com redirects to the ACF website.

The impacts of the update on users aren’t yet clear, though several agency owners have reported concerns about broken functionality after the auto-update to SCF and having to complete unscheduled maintenance on hundreds of client sites over the weekend.

Mullenweg cops criticism from tech community

While many long-time business owners in the WordPress community are keeping their heads down for fear of retaliation from Mullenweg for speaking out, others outside the community aren’t holding back.

In his latest video, YouTuber Theo Brown, whose two-hour-long interview with Mullenweg on September 29 is referenced multiple times in WP Engine’s lawsuit, appeals to Mullenweg to “put out a big formal apology, shut the f!@# up, and wait it out.”

“[This] is actually unprecedented in the history of open-source software. I’ve never seen the platform that hosts a plugin like this maliciously take over something that was being maintained properly and in good faith by its original authors purely out of spite,” said Brown.

“This is unfathomable and I am far from the only person saying this; it’s basically universally agreed that this was an absolute s!@# show.”

Appealing directly to Mullenweg, Brown said, “Any further comms that is in the form of anything other than a formal apology is doing nothing other than hurting the community you spent over 20 years building.”

Ruby on Rails’ David Heinemeier Hansson, who has also created open source software, weighed in again yesterday, describing Mullenweg’s actions as “unhinged” and “a seemingly never-ending series of dramatic overreaches and breaches of open source norms.”

“For a dispute that started with a claim of ‘trademark confusion,’ there’s an incredible irony in the fact that Automattic is now hijacking users looking for ACF onto their own plugin,” Hansson said.

“Using an open source project like WordPress as leverage in this contract dispute, and weaponizing its plugin registry, is an endangerment of an open source peace that has reigned decades, with peace-time dividends for all. Not since the SCO-Linux nonsense of the early 2000s have we faced such a potential explosion in fear, doubt, and uncertainty in the open source realm on basic matters everyone thought they could take for granted.

“Please don’t make me cheer for a private-equity operator like Silver Lake, Matt. Don’t make me wish for them to file an emergency injunction to stop the expropriation of ACF.”

Other founders who’ve shared their critical takes on X include Kit founder and CEO Nathan Barry, SavvyCal founder Derrick Reimer, Fathom Analytics co-founder Jack Ellis, and The Pragmatic Engineer’s Gergely Orosz.

Meanwhile, there’s talk on Reddit about concerns that code could be pushed to WordPress core to intentionally break sites using ACF, and WPTuts’ Paul Charlton has raised concerns about the potential for more top plugins to be forcibly taken over and merged into WordPress core.
