ACF Plugin Forked to ‘Secure Custom Fields’ Plugin – WP Tavern
Yesterday, WordPress co-founder Matt Mullenweg announced the forking of the Superior Customized Fields (ACF) plugin into a brand new plugin known as Secure Custom Fields.
Within the announcement, he said: “On behalf of the WordPress security team, I’m asserting that we’re invoking point 18 of the plugin directory guidelines and are forking Superior Customized Fields (ACF) into a brand new plugin, Safe Customized Fields. SCF has been up to date to take away industrial upsells and repair a safety downside.”
The publish went on to clarify, “This replace is as minimal as attainable to repair the safety challenge. Going ahead, Safe Customized Fields is now a non-commercial plugin, and if any builders wish to get entangled in sustaining and bettering it, please get in contact. Related conditions have occurred earlier than, however not at this scale. It is a uncommon and strange scenario introduced on by WP Engine’s authorized assaults, we don’t anticipate this occurring for different plugins.”
The ACF plugin is common amongst internet builders for its capabilities in customizing edit screens and managing customized discipline information. Nevertheless, it has turn into embroiled in a dispute between Automattic and WP Engine, its proprietor. Following WP Engine’s ban, the ACF staff was blocked from accessing WordPress dot org on October 03, 2024.
Subsequent, Automattic tweeted a couple of vulnerability within the plugin. The tweet was later deleted. In response, the ACF staff launched ACF 6.3.8, a routine safety launch stating, “WP Engine stays blocked from accessing our plugins on the .org plugin repository and due to this fact this replace has been shipped to WP Engine’s repository and to the ACF web site.”, they mentioned.
The ACF staff additionally supplied a duplicate of this replace to the WordPress.org Safety staff, which posted it to the plugin repository.
On October 9, a mandatory affiliation checkbox was added to the WordPress.org login. Customers may entry their accounts solely after confirming, “I’m not affiliated with WP Engine in any means, financially or in any other case.”
WP Engine Reacts
WP Engine tweeted: “Now we have been made conscious that the Superior Customized Fields plugin on the WordPress listing has been taken over by WordPress dot org. A plugin underneath lively improvement has by no means been unilaterally and forcibly taken away from its creator with out consent within the 21 yr historical past of WordPress… This important group promise has been violated, and we ask everybody to contemplate the ethics of such an motion, and the brand new precedent that has been set.”
They added: “We had been saddened and appalled by Matt Mullenweg’s actions this morning appropriating the Superior Customized Fields plugin that our ACF staff has been actively growing for the WordPress group since 2011.”
In response, WordPress.org noted that this isn’t the primary incidence of such an incident: ”This has occurred a number of occasions earlier than, and in step with the guidelines you agreed to by being in the directory. Better of luck along with your model. We’re trying ahead to creating ours superb for our customers, utilizing one of the best GPL code out there.”
In a blog post on the ACF web site, the staff shared, “The change to our revealed distribution, and underneath our ‘slug’ which uniquely identifies the ACF plugin and code that our customers belief within the WordPress.org plugin repository, is inconsistent with open supply values and rules. The change made by Mullenweg is maliciously getting used to replace thousands and thousands of present installations of ACF with code that’s unapproved and untrusted by the Superior Customized Fields staff.”
Superior Customized Fields is a classy plugin with over 200,000 strains of code, which we regularly develop, improve, help and spend money on to fulfill the wants of our customers throughout WordPress. We’ve made 15+ releases over the previous two years, since becoming a member of WP Engine, and added important new performance to the free plugin in addition to regularly bettering efficiency and our safety and testing practices to fulfill the ‘enterprise grade’ that our customers deserve.”
Iain Poulson
The publish concludes, “Mullenweg’s actions are terribly regarding and pose the grave danger of upending and irreparably harming all the WordPress ecosystem. His try and unilaterally take management of this open platform that we and so many different plugin builders and contributors have relied on, within the spirit of sharing plugins for all, supplies additional proof of his severe abuse of belief, manifold conflicts of curiosity, and breach of the guarantees of openness and integrity locally.”
Influence of the Fork
This improvement doesn’t have an effect on WP Engine, Flywheel internet hosting, or ACF PRO prospects. Free plugin customers can select to put in Secure Custom Fields from the plugin directory or the ACF 6.3.8 model from advancedcustomfields.com. For websites with auto-updates enabled by way of WordPress.org, the replace will routinely transition them from Superior Customized Fields to Safe Customized Fields.
The WordPress group isn’t any stranger to forking; as an example, WordPress itself was forked from the b2/cafelog challenge, and ClassicPress was forked in response to the introduction of Gutenberg. Nevertheless, the forking of the ACF plugin has despatched shockwaves by way of the group, elevating moral questions in regards to the determination.
Apparently, the Securecustomfields.com area presently redirects to the ACF web site, as highlighted by Kellie Peterson on X.
The group has expressed their help and criticisms about this forking. The earlier evaluations of the ACF plugin are nonetheless seen underneath the Secure Custom Fields plugin. Following the announcement, a number of members posted each optimistic and destructive evaluations in regards to the plugin within the repository whereas others took to X.
Colin Stewart tweeted: “In gentle of at the moment’s information, since I discussed in my earlier publish that I’m a member of the WordPress Safety Workforce earlier than anybody asks me: No, I used to be not conscious.” Justin Sainton additionally tweeted alongside the identical strains: “I don’t like it. (Talking independently, as a member of the Plugin Overview Workforce)”
A number of individuals additionally identified that ACF’s logos are nonetheless there within the new plugin, whereas WP Engine logos are nonetheless within the belongings folder, whereas others referred to the publish revealed by the Plugin Overview Workforce Forked Premium Plugins Are Not Permitted.
The creator of Ruby on Rails, David Heinemeier Hansson, revealed Open source royalty and mad kings. WP And Authorized Stuff revealed ACF>SCF ‘fork’ and legal risk.
Tim Nash, a WordPress safety guide, has revealed an advisory about the ACF changes, whereas James Giroux revealed ACF Gets A Fork By WordPress.org the place he says “Whereas feelings are excessive, this transfer highlights the significance of sustaining the safety and integrity of WordPress’s ecosystem. Forking underneath the GPL is just not unprecedented, and this motion reinforces the necessity for WP Engine/Silver Lake to barter in good religion.”
Different Forks
In a weblog publish titled Forking is Beautiful, Matt talked about two current WordPress fork makes an attempt – FreeWP & AspirePress.
About Vinny Inexperienced’s FreeWP, Matt mentioned: “We strongly encourage anybody who disagrees with the route WordPress is headed in to hitch up with Vinny and create an incredible fork of WordPress. Viva FreeWP!”
In response, Vinny took to X to clarify: “I really like how I by no means mentioned I used to be going to fork the challenge and solely needed to help those that did. Matt is unimaginable at solely listening to the issues he needs to listen to. Thanks for the free promotion, I assume. We within the biz known as that earned media.”
The FAQ section within the FreeWP web site has extra particulars in regards to the challenge: “To one of the best of our data, it’s a web site that begins with “freewp” and ends with “.com”. Any additional particulars are on the discretion of the person who manages it.”
“What’s FreeWP then? Apart from a extra nice depiction of the area? Its burgeoning challenge that’s devoted to the next mission: Coming quickly. And never a fork.”
So that you guessed its standing! However you possibly can join now to get updates.
AspirePress, however, is a loosely collected group of volunteers that supply their help to the WordPress platform and it “exists to be a group of people centered on serving to WordPress turn into the platform all of us aspire for it to be.”
They’re constructing a mirror of WP .org and tweeted: “In case we now have’t been crystal clear, we haven’t forked WordPress. Rumors on the contrary are exaggerations.”