Automattic cloned WP Engine’s paid ACF Premium plugin and is distributing it for free. Many in the WordPress community disapprove of this action, expressing concerns that it undermines the plugin and theme ecosystem.
Advanced Custom Fields Plugin
Advanced Custom Fields (ACF) is a WordPress plugin that’s popular with WordPress website developers because it enables them to create custom fields that WordPress publishers and authors can use.
Custom fields allows developers to take full control of the editing screens to add things like a form for building structured data specific for a kind of WordPress page like Schema.org markup for ecommerce, news, legal or medical context. A custom field can be used to give article authors a place to enter the author name or a featured quote.
Website developers and use ACF to enable authors to add author bios, featured quotes, or article metadata like publication date, modification data or links to sources. For example, a field for a featured quote can be used so that authors can input what the featured quote says and it’ll appear in the article using all the predefined styling. All the author needs to do is fill in the form and hit the submit button.
ACF was developed by a company named Delicious Brains which was acquired by WP Engine in 2022 which assumed responsibility for developing and updating the free and premium versions.
WordPress Freemium Ecosystem
ACF is popular because it built trust and authoritativeness as a solid plugin through the use of the freemium WordPress business model. Plugin and theme developers use the freemium business model to offer a free version of their software and a premium version that offers additional functionality. Offering a highly functional and useful free version increases the popularity and goodwill of a plugin or theme with basic users and the more advanced users are able to try the functionality of the free version then choose the premium version for the additional features. It can take years to build that goodwill, trust and authoritativeness with users.
The developers of plugins like Yoast and Wordfence spend thousands of hours developing and promoting their free plugins, which are then installed on millions of websites. They put all that effort into the free versions to upsell their premium products.
Timeline: Automattic Forks ACF
In the context of WordPress plugins and themes, the term “forking” refers to the creation of an independent version of an existing WordPress plugin or theme using the source code of the original version to create a different version. Forking is made possible with open source licenses. All plugins and themes that are derivatives of WordPress must be developed with an open source license.
Forking of a theme or plugin sometimes happens when a developer abandons their project and an interested party decides to continue developing their version of the software, a “forked” version of the original.
October 3, 2024 Automattic Releases Independent Updates
Automattic locked ACF plugin out of the WordPress.org servers, preventing ACF customers from updating their versions of the plugin directly from WordPress.org servers, forcing WP Engine to create a workaround on October 3rd.
WP Engine announced:
“On October 3, we released new versions of our widely used plugins, featuring independent update capabilities and updates delivered directly from WP Engine.
While WP Engine and Flywheel customers are already protected by the WP Engine update system and don’t need to take any action, community members are encouraged to download these versions of our free, open-source plugins and updates directly from the ACF and NitroPack websites to ensure they receive updates directly from us.
If you’re running v6.3.2 or earlier of ACF, or have been forcibly switched to “Secure Custom Fields” without your consent, you can install ACF 6.3.8 directly from the ACF website, or follow these instructions to fix the issue.
These efforts support our customers and plugin users and seek to protect the community at large.”
Screenshot Of ACF Plugin Changelog Showing Lockout Workaround
On October 5th Automattic notified WP Engine of a vulnerability in the ACF plugin and announced it on a now deleted post on X (formerly Twitter).
Screenshot Of Post On X By Automattic
October 7th: WP Engine Fixes ACF Vulnerability
On October 7th, WP Engine fixed the plugin vulnerability, as noted in their changelog.
Screenshot Of ACF Changelog About Security Patch
October 12, 2024: Automattic Forks ACF
But then, on October 12th, Automattic forked WP Engine’s ACF plugin, renaming it Secure Custom Forms (SCF) and replaced the ACF plugin in the official WordPress plugin respository with their fork, using the same URL formerly used by the ACF plugin. Matt Mullenweg posted an announcement on WordPress.org citing security concerns as the reason for forking ACF but later in the announcement also citing WP Engine’s lawsuit seeking relief from Mullenweg’s actions.
Mullenweg wrote:
“On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.
…This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”