LoginMatt Mullenweg and WordPress Hijack the Advanced Custom Fields Plugin
A bit of background, for those not steeped in the world of WordPress development: there exists a plugin called Advanced Custom Fields (ACF) which allows developers to create near-endless customization options for end clients in the standard page and post editor. It is hard to explain in a single paragraph β the WordPress.com guide is a good overview β but its utility is so singular as to be an essential component for many WordPress developers.
ACF was created by Elliot Condon who, in 2021, sold it to Delicious Brains. At this point, it was used on millions of websites, a few of which I built. I consider it near-irreplaceable for some specific and tricky development tasks. A year later, the entire Delicious Brains plugin catalogue was sold to WPEngine.
On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.
[β¦]
Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engineβs legal attacks, we do not anticipate this happening for other plugins.
This is an awfully casual way of announcing WordPress is hijacking one of the most popular third-party plugins in the directory. Mullenweg cites policy for doing so β WordPress can βmake changes to a plugin, without developer consent, in the interest of public safetyβ β but the latter paragraph I quoted above makes clear the actual motive here. The βsecurity problemβ triggering this extraordinary action is a real but modest change to expand a patch from a previous update. But WordPress has removed the ability for WPEngine to make money off its own plugin β and if users have automatic plugin updates turned on, their ACF installation will be overwritten with WordPressβ unauthorized copy.
Iain Poulson, of ACF:
The change to our published distribution, and under our βslugβ which uniquely identifies the ACF plugin and code that our users trust in the WordPress.org plugin repository, is inconsistent with open source values and principles.Β The change made by Mullenweg is maliciously being used to update millions of existing installations of ACF with code that is unapproved and untrusted by the Advanced Custom Fields team.
It is nearly impossible to get me to feel sympathetic for anything touched by private equity, but Mullenweg has done just that. He really is burning all goodwill for reasons I cannot quite understand. I do understand the message he is sending, though: Mullenweg is prepared to use the webβs most popular CMS and any third-party contributions as his personal weapon. Your carefully developed plugin is not safe in the WordPress ecosystem if you dare cross him or Automattic.
