To me this is indistinguishable from an account takeover attack executed by an insider. I doubt any prosecutor would be interested, but to my eyes WordPress.org has violated the CFAA by accessing WordPress instances outside the bounds of their authorization. They were authorized to modify WordPress instances in ways ACF prescribed, not in ways of their own choosing.
I'm not saying I'd like to see Mullenweg in chains, I wouldn't. But WP.org's escalating legal exposure is really concerning. I feel like we're at risk of losing a cornerstone of the web. People are talking about a different open source CMS eating their lunch, but I think the more likely scenario is that people move to Square Space, Wix, Facebook, et cetera, and open source content management becomes niche.
IMO it's also notable that Mullenweg is in this state of mind and also has access to Tumblr data, with a history of allegedly doxxing the relationships between anonymous user blogs based on non-public information [0]. One doesn't need to agree with the moderation decision, or take sides on the political context around it, to understand that there is a tremendous amount of centralized power here, that norms are going out the window, and that an entire ecosystem is at risk.
In hindsight this should've been all the warning anyone needed.
In the future, when a BDFL telegraphs that they're willing to abuse their powers like this, we need to fork immediately. Open source is more important than any single project or any single BDFL. We can't allow open source to appear risky or unreliable relative to proprietary software, subject to the whims of volatile personalities.
Open source is kind of like libraries - an institution for the collective good people managed to erect in the past that would be neigh impossible to replicate today. Imagine convincing companies in any other industry to collaborate openly and freely with their competitors merely because it's good for society as a whole. You'd be labeled a socialist and laughed out of the room.
Companies don't, as a rule, do this in software either. They make projects open source or contribute to open source projects because it's good for them. This is just as true in other industries. This is how every industry standard and protocol or similar works. It is beneficial to the participating companies and does not threaten them.
It's not that they don't benefit from collaborating, it's that they don't benefit as much as they could by demanding a royalty or licensing fee. Why shouldn't they? Everyone expects to be paid for their services. They're leaving money on the table for the benefit of the public at large.
Most of the "open" standards from other industries that I'm familiar with require a license, and certainly aren't open to participation by anyone and everyone. Let alone allowing you to modify and redistribute them.
But in software we've created a culture with different expectations. And I don't think we should take that for granted.
I doubt the case will make it to trial. I think they'll be settling in the next few weeks. But I did double check, and you're right of course, the complaint does allege they violated the CFAA when they cut off access from WP.org infrastructure.
At the heart of this - if you consider it generously - is a principle that we can possibly all sign up to, namely that "large commercial entities" should (should from a moral, not legal standpoint) "pay back" to the open source software that makes them money.
The principle however has been totally undermined by MM's actions, which have been completely out of line. His behaviour has been abhorrent. I've been shocked (possibly naively) that a single individual could have such huge power over an open source project that they could literally turn it off (referring here to the update mechanism that WPEngine was using).
I've been even more shocked and appalled by this plugin takeover. ACF is a central piece of pretty much all WP developers' / agencies toolkit. Those of us who have been in this game a long time remember WP before it, and the breath of fresh air that it was to finally be able to define complex relationships between posts and provide our users with a GUI that actually worked well for complicated sites. ACF have pushed and supported this technology for years and years - firstly under the expertise of Elliot Condon, now under the aegis of WPEngine. I know some of the developer team at ACF personally - they're excellent people, making brilliant code, and most of them are putting huge efforts into WP as an open source project even aside from their efforts in maintaining and extending ACF.
The forking of a plugin is one thing. A fair way to do this would be to fork it, and start from zero installs. Automattic could have done that, promoted the hell out of "SCF" and got users in a way that was at least slightly (?) fair.
Simply switching the name and keeping the slug - and thus the 2+million sites - should be thought of as theft. It's outrageous, it's totally petty, and I so far haven't seen a single person being supportive of this (probably?) unilateral action by one - apparently increasingly unhinged - individual.
The wider problem of course is the effect this has on the vibrant WP ecosystem which as someone else in this thread has pointed out is a critical (erstwhile) open cornerstone of the web.
I am still hoping that this will subside into history and it'll all sort but it has left me and many WP devs I know with a pretty bitter taste.
The irony of this move is that his main argument to keep people on his side over this has been that WP Engine has not been contributing. He's been saying over and over that he's doing this because they're not giving back.
Now, when he's already failed to bring the community on board with his attacks, he decides that his next move is to make a big show of stealing something that had he done nothing many people would not have realized was a WP Engine property, with the net effect of reminding people that WP Engine has been responsible for maintaining what is widely considered to be the most essential plugin in the ecosystem.
But that doesn't count as giving back because... reasons.
> Now, when he's already failed to bring the community on board with his attacks, he decides that his next move is to make a big show of stealing something that had he done nothing many people would not have realized was a WP Engine property, with the net effect of reminding people that WP Engine has been responsible for maintaining what is widely considered to be the most essential plugin in the ecosystem.
> But that doesn't count as giving back because... reasons.
I haven't used WordPress in years, but I've seen recent comments saying that WP Engine has been using ACF to market their hosting packages, even giving customers a "4 month trial" — not something a hosting provider really wants to see.
1. Free software is an ideological battleground, and as long as you abide by the license you're fine. Most GNU packages.
2. Open Source without a single backing entity is a meritocracy (or tries, sometimes a little too hard) and you can help improve it for everyone. Like the Kernel.
3. Open Source from a single backing entity is an insurance policy against that company failing or overcharging - at least in principle - if that works is often up to adoption, see the state of various Hashicorp products and their forks. You'll also never get your PR merged if it isn't critical, you aren't a customer or the PR misaligns with the company's strategy. I've even seen this happen on an Apache project, so that's not a guarantee of being group 1 or 2.
Matt has always pretended he belongs to group 1 with incidentally aligned commercial interest, but it turns out WordPress is group 3 with a server dependency twist. He wouldn't even approve a config constant to change the default update/catalog endpoints.
This is particularly bananas as ACF is basically table stakes for doing anything beyond blogging. I’d assume most websites that make actual money are thoroughly dependent on it.
To twist the knife on a personal spat, Mullenweg just blew up uncountable businesses on a double-holiday weekend. At this point, seriously, fuck that guy.
> This is particularly bananas as ACF is basically table stakes for doing anything beyond blogging.
Not sure about this.
I'd assume most Wordpress sites that make actual money are dependent on WooCommerce and Easy Digital Downloads, and maybe Gravity Forms/WP Forms for member subscriptions.
None of these are reliant on ACF, and there's any number of WP plugins like this that do the whole job of some website niche or other.
(I've been doing bespoke WP builds for at least a decade -- first one probably more like 14 years ago actually -- and I've not used ACF a single time. There has always been an alternative, and for a developer it's a bad choice.)
Either way: I don't think ACF's popularity is the major factor here. It's that it's an outright abuse.
The word "gaslighting" gets overused but it applies quite well to what ACF free plugin users are experiencing here.
As to "blew up": I am not sure how many money-making ACF users this has affected, because they tend to use ACF Pro, which is a separate download.
What appears to have been removed from ACF to make this shady SCF nonsense is the upsell marketing. Not sure what other breakage there would/could have been. I have seen people say things have broken but I suspect they are relatively minor issues caused by the actual ACF security patch which is also shipped here... because they haven't changed much.
Though if Secure Custom Fields is getting the blame for the breakage, that's kismet, karma, whatever you want to call it.
Fair enough. My info might be a little out of date from my web agency chop shop days, but I do recall that for essentially any substantial site it was assumed from day 1 that it would involve an ACF install. Probably integrated it into… fifty(?) websites over the years. I don’t recall the value prop of Pro, and I actually don’t think I ever touched it myself.
Biggest value prop of Pro (for me, anyway) was the Repeater field, which lets you add a collection field.
I don't think GP's distinction of "websites that make money" == "online stores" is accurate or meaningful. I use ACF on every website, my clients are money-making businesses. Only a couple of them are running WooCommerce (and those are running ACF as well).
Nothing about running a business on WordPress makes WooCommerce and ACF mutually exclusive.
Counterpoint. Just have a look how many times ACF is mentioned (for example) in this thread [0]. ACF is massively popular. The fact you've never used it, for as long as you've been involved, is extraordinarily rare. I'm really surprised to hear you say that (but good for you if you've got the time and chops to never resort to it! That's awesome).
Looking at the code, it's not clear to me how much has broken because of the fork, and how much has broken because of the "secure context" security patch that ACF have apparently also applied in their own version.
That is, I think some of these things might have broken even with the real ACF.
The main change appears to be that if a developer has used a built-in wordpress function as a filter hook (rather than a user-defined one), that has been blocked. (This has never been a good idea, anyway; developers should not do it.) Also a filtered version of the POST variables has been passed to the callback. These are both seemingly to stop CSRF attacks.
This patch was necessary; it prevents CSRF and potentially other nasties.
I don't mean to excuse any of the other bullshit; I'm just saying that if there are "breakages" here, they are likely to do with the necessary patch that is hidden inside the gaslighting.
The official wp announcement of this said “we don’t plan on doing this to other plugins.” lol. anyone think they pinky promise? More like: build on Wordpress and unless you kiss the ring some guy named Matt will disappear your business.
Wow, this is a big deal. Matt Mullenweg taking over ACF like that? Not cool. It's not just about messing with years of hard work, but think about all those WordPress sites now running code the ACF team didn't approve. Kinda scary when you think about it. Hope this doesn't become a trend in the open-source world.
WP engine never modified WordPress. They took stock Wordpress and edited a configuration file to disable revisions. They didn’t actually change any code.
I thought they'd also modified revisions to have a limit, instead of unlimited. Even when 'enabled', it's not how the rest of the wp installs would behave (iirc). Likely there was some code change there to enable that restriction.
Matt might pontificate about "bastardizing and messing with" WordPress, but this is what he is actually referring to:
A. Single. Configuration. Option.
A. Changed. Default.
Post revisions are a configuration option in the admin panel. They are enabled by default. Some hosting providers (and I expect WPE is not the only one) set it to disabled by default.
That's it.
This is not remotely comparable.
Even without the ACF situation, Matt's description of WPE bastardizing the fundamental offering of WordPress is asinine at best, actively deceptive at worst (and that's where we seem to be, so far).
After all this drama, it feels like WordPress has reached its peak and is now starting its decline. Of course, it will take years, and the process may be volatile, but the overall trend will likely be downward.
AFAIK there is just no other free and open source CMS with a similarly mature ecosystem, which could replace WordPress. So many websites, companies and agencies are built on WordPress, it would take a decade to move away.
Creating an open registry would be nice, or even for developers to be able to host their own repos for others to install plugins from (à la Linux package managers), to avoid such centralisation.
Ideally, those repos would be hosted by each party, and then hosting providers would be able to host their own mirrors containing many packages for all the installs, giving a similar experience to what is now offered by Mr. Mullenweg's WP.org.
Wait, and the IRS is happy with all that? With an individual using company resources for what would appear to be "personal" activity outside the company? Same with the foundation?
He said that they're all his and he moves workers between them in a comment here. WP Engine mentions the tax exempt status of the foundation in their lawsuit.
The WordPress Foundation doesn't own WordPress.org. As far as I can tell it basically only owns the WordPress trademark, which it immediately turned around and gave away to Automattic in an exclusive license for unclear consideration.
WordPress.org, and therefore the entire plugin repository, is owned by just Matt and maintained by a division within Automattic. The .org-ness of it was just a smokescreen all along.
The challenge is that this drama seems to be unmasking the reality that for the past decade or more, Matt has grown used to referring to Automattic, WP.com, WP.org, and the WPF interchangably and synonymously.
Concerning is not just the things he's said, but what he has done that go along with this. Self-dealing? Improper tax accounting?
In the Reddit megathread on the recent drama, someone posted a summary of the IRS responses to inurement by the Board of Directors of a non-profit. It isn't pretty! [1]
If there is insider inurement, the IRS fine is directed to the Board of Directors (each one of them, however many) for 25% of the value of the benefit. If they do not pay in a timely manner, the bill is 200% of the inurement. Matt is the ultimate insider, "giving" the valuable trademarks to the foundation and then getting to use them for free, while leaning on other companies to pay millions. So the insider inurement is in the millions of dollars, per year, for years. Those two unknown board members of the WordPress Foundation? I hope they have great tax lawyers!
When the drama first started, I thought @photomatt’s plan might be to build ACF directly into WordPress (and maybe get rid of Gutenburg). I’m not sure if taking control of the plug-in is a step in that direction or if he probably could have incorporated ACF without taking over the plug-in. What’s the endgame?
This would be the same as Google replacing Spotify with Youtube Music on Play Store and pushing Youtube Music in its place on all Android devices. Its insane.
Even worse: It would be Google taking Spotify‘s app and renaming it YouTube Music. That’s what Matt did. They didn’t develop a new plugin and put it in place of ACF. They just took the existing one and pretend it’s theirs. It’s horrifying. How am I supposed to trust a system that’s governed by a single person that thinks this is okay?
Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.
EDIT: I confirm our ACF plugins on sites are all switched to secure custom fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our client's sites). Let's see what comes next...
EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.
This should be the top comment. It's already scary for a package manager to take control of a community package, even more so when sites auto-update to new code... but to break existing sites by completely changing the code that is provided in an auto-update is beyond the pale.
Not a lawyer, but I imagine many consultancies will be talking to lawyers about this one; there are entire sections of law about interfering with other companies' contracts with each other. At minimum it's an appalling breach of trust.
I’d love to hear how he justifies taking away this engineers’ Sunday? I doubt this person is the only person working this weekend due to Matt’s theft of ACF
> I’d love to hear how he justifies taking away this engineers’ Sunday?
His posts on slack [1] show that he sees it as "either with us or against us", and he's willing to harm users to force them to choose a side instead of staying neutral. He probably hopes that people will blame WP Engine for it.
I think his real goal is tortious interference. Hurting devs who use ACF is just a bonus.
(community member, not affiliated with WP, WPE, or A8C)
I can confirm this has been escalated internally in the WP slack.
I can also provide this context which I found concerning, given the way this was taken over and rolled out on a Saturday afternoon, of which I have also been dragged into now as a fellow site maintainer.
- Matt Mullenweg
"in a few days we'll have a Github where people can get involved, and we can also set up proper build systems, etc"
So its all in flux obviously. I let them know the same thing, that I find this as a malicious supply chain attack that is affecting the community.
Install the official free plugin from the advanced custom fields website and remove the SCF version. You won’t need to change any existing code then, and future updates will come from the plugin dev for ACF.
That's where the Sunday goes. I am trying to create an FTP script to mass update all wp-content plugins for this single package. It was on my mind but I was not expecting to have something bizarre happening from WordPress for one of the most crucial plugins in WordPress' existence.
We use the wp-cli with cron jobs such as indexing when we post with API or database-related things. Even with wp-cli we must login to SSH individually. And this doesn't give us the wp-cli option since it is 3rd party zip file. We possibly can get the file, extract, and delete the old plugin with cli, and then enable the last updated plugin with with cli again with a script. Either way, we must create a script or suck it up, go into each wp individually, and take care of it from the backend...
I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.
If it's a bug, our bad and we'll fix ASAP. If it's a bug, it's a very rare one. There have been 225k downloads of the SCF plugin in the past 24 hours, implying a lot of updates. I would estimate at least 60% of the sites with auto-upgrade on and using .org for updates have done so already. https://wordpress.org/plugins/advanced-custom-fields/advance...
That said, I'm happy to pay system2 whatever he thinks his time was "spent" on a Sunday is worth. Just let me know an amount and where to send. You can contact me here: https://ma.tt/contact/ .
Matt, you say that you've had no other reports and this is the only claim on the Internet.
That's not true. You have users on the support forums reporting issues with SCF.
"this has caused an incident requiring unschedule maintenance on a weekend. I use this plugin on a couple hundred sites I help maintain, so this has been a very bad experience "
How did the sites auto-update to have this plug-in removed/replaced? Are your sites set up to just automatically take push updates from WordPress central command or something and auto-modify themselves?!
Wordpress has a (highly effective) auto-updates mechanism for security patches.
It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.
(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)
The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.
IDK if WordPress plugins respect SEMVER, but shouldn't this auto-update thingy update only patch versions, or minor versions at most? Idk, breaking changes like these is definitely not something you want your CMS to do overnight when you won't notice until you receive complaints that your site is broken
I don't know off-hand what the rule is for plugin updates, actually; I'd have to look it up.
As far as WordPress itself is concerned, the updater definitely does not auto-push updates to major WP versions by default [0], and they continue to patch older versions for a long time.
But at any rate, whether the plugin updates respect SEMVER or not, Matt/WP.org pushed this bullshit out as the most minor of minor version number changes over the previous ACF version: 6.3.6.2.
WP and/or A8C took over the existing plugin, so that sites that have auto-update on were automatically bumped to the SCF version instead of the historical ACF which obviously had a different team of maintainers
We use ACF with WP Code auto insert. ACF has prepend and append (in presentation tab) and this can be used to wrap the value with classes or other tags such as IDs, JS or others. When the ACF name changed, the prepend and append broke because prepend/append text showing must be configured in functions.php like this:
Whatever they did, it didn't work. Maybe we are over-custimizing it but it is not unheard of to use ACF with multiple other plugins such as WP Code and custom scripts.
Strongly recommend installing the genuine ACF from www.advancedcustomfields.com - the WP Engine and ACF teams have provided timely updates (even fixed Automattic’s spurious security issue in less than a day) and have uploaded a permanent fix to MM’s malicious hack of ACF to create SCF.
The initial release of SCF only applied security fixes, changed the plugin name and removed upsells. I don't think there is any change that might cause the issue you are having.
If you can share the problem you are experiencing on Making WordPress Slack (#secure-custom-fields channel), I'm sure relevant people would love to help out ASAP.
I work at Automattic and I can get you in touch with people from WordPress.org if that's easier. You can email me at batuhan@a8c.com.
If there are any bugs, regressions or any issues with the fork, it's in the interest of everyone to quickly find and resolve them, so I'm sure your help would be appreciated.
So you guys don't get sued any further for essentially hijacking a distribution channel and pushing an unauthorized version?
If I were an employee of A8C I wouldn't be touching this code with a ten foot pole - employees can still be found guilty of criminal wrongdoing even if their employer told them to do something.
The whole thing is https://plugins.trac.wordpress.org/changeset/3167679/advance... it's very close to functionality wise right now to ACF. Not identical, already. While I am not a lawyer it almost certainly violates the ACF trademark as the code and reviews contains a lot of reference to ACF and the Advanced Custom Fields trademark which is literally the project slug. Some suspect a request for emergency injunction might follow next week. And most certainly it also violates community trust very, very big time.
This on top of the "swear fealty" checkbox on login which caused multiple high profile contributors to leave and now shut the accessibility team down https://i.imgur.com/0jCZnlm.png
They added a checkbox to the wordpress.org login page https://login.wordpress.org/ stating "I am not affiliated with WP Engine in any way, financially or otherwise.", you can't login to the site without checking it.
I am sorry to say this but: be gone wordpress. always getting hacked, if you get featured somewhere your website will always go down, regardless if you are on shared hosting or a hetzner dedi. it is just too complex, it wants to do it all and sometimes it works.. until it doesnt.
if you still want to use it and like the design options just install the "Export to Static" plugin and build your website locally then create a static copy and upload it...
While all of this is very bad, I still dislike the post. „Since 2011“, for example. The plugin was sold two times in the last two years and ended up in the hands of WPEngine in the end. Since then, it has been a bumpy road with ACF, even before this (hugely unsettling!) incident.
I don't know what you mean by "bumpy road". ACF has been solid for years, and has received excellent care and updates since moving to Delicious Brains and then WP Engine.
My opinion as well as many as my peers is that ACF could have been rolled into core or bought by Matt long long before it was acquired by WPE, which most of us found as a good thing, being that its a critical plugin and gained long term support.
Plugins have bumps, that's part of the growth, and some of the changes ACF have made as of recent years, even the ones I disagree with, seem well intentioned and not malicious. I can't say the same for what is happening right now.
To me this is indistinguishable from an account takeover attack executed by an insider. I doubt any prosecutor would be interested, but to my eyes WordPress.org has violated the CFAA by accessing WordPress instances outside the bounds of their authorization. They were authorized to modify WordPress instances in ways ACF prescribed, not in ways of their own choosing.
I'm not saying I'd like to see Mullenweg in chains, I wouldn't. But WP.org's escalating legal exposure is really concerning. I feel like we're at risk of losing a cornerstone of the web. People are talking about a different open source CMS eating their lunch, but I think the more likely scenario is that people move to Square Space, Wix, Facebook, et cetera, and open source content management becomes niche.
IMO it's also notable that Mullenweg is in this state of mind and also has access to Tumblr data, with a history of allegedly doxxing the relationships between anonymous user blogs based on non-public information [0]. One doesn't need to agree with the moderation decision, or take sides on the political context around it, to understand that there is a tremendous amount of centralized power here, that norms are going out the window, and that an entire ecosystem is at risk.
[0] https://techcrunch.com/2024/02/22/tumblr-ceo-publicly-spars-...
In hindsight this should've been all the warning anyone needed.
In the future, when a BDFL telegraphs that they're willing to abuse their powers like this, we need to fork immediately. Open source is more important than any single project or any single BDFL. We can't allow open source to appear risky or unreliable relative to proprietary software, subject to the whims of volatile personalities.
Open source is kind of like libraries - an institution for the collective good people managed to erect in the past that would be neigh impossible to replicate today. Imagine convincing companies in any other industry to collaborate openly and freely with their competitors merely because it's good for society as a whole. You'd be labeled a socialist and laughed out of the room.
If we lose it, it's probably gone for good.
Companies don't, as a rule, do this in software either. They make projects open source or contribute to open source projects because it's good for them. This is just as true in other industries. This is how every industry standard and protocol or similar works. It is beneficial to the participating companies and does not threaten them.
It's not that they don't benefit from collaborating, it's that they don't benefit as much as they could by demanding a royalty or licensing fee. Why shouldn't they? Everyone expects to be paid for their services. They're leaving money on the table for the benefit of the public at large.
Most of the "open" standards from other industries that I'm familiar with require a license, and certainly aren't open to participation by anyone and everyone. Let alone allowing you to modify and redistribute them.
But in software we've created a culture with different expectations. And I don't think we should take that for granted.
Well, they're literally getting sued with one of the counts being computer fraud so it's going to end up in front of a judge at some point.
I doubt the case will make it to trial. I think they'll be settling in the next few weeks. But I did double check, and you're right of course, the complaint does allege they violated the CFAA when they cut off access from WP.org infrastructure.
people will move to drupal
Long time WordPress agency owner here.
At the heart of this - if you consider it generously - is a principle that we can possibly all sign up to, namely that "large commercial entities" should (should from a moral, not legal standpoint) "pay back" to the open source software that makes them money.
The principle however has been totally undermined by MM's actions, which have been completely out of line. His behaviour has been abhorrent. I've been shocked (possibly naively) that a single individual could have such huge power over an open source project that they could literally turn it off (referring here to the update mechanism that WPEngine was using).
I've been even more shocked and appalled by this plugin takeover. ACF is a central piece of pretty much all WP developers' / agencies toolkit. Those of us who have been in this game a long time remember WP before it, and the breath of fresh air that it was to finally be able to define complex relationships between posts and provide our users with a GUI that actually worked well for complicated sites. ACF have pushed and supported this technology for years and years - firstly under the expertise of Elliot Condon, now under the aegis of WPEngine. I know some of the developer team at ACF personally - they're excellent people, making brilliant code, and most of them are putting huge efforts into WP as an open source project even aside from their efforts in maintaining and extending ACF.
The forking of a plugin is one thing. A fair way to do this would be to fork it, and start from zero installs. Automattic could have done that, promoted the hell out of "SCF" and got users in a way that was at least slightly (?) fair.
Simply switching the name and keeping the slug - and thus the 2+million sites - should be thought of as theft. It's outrageous, it's totally petty, and I so far haven't seen a single person being supportive of this (probably?) unilateral action by one - apparently increasingly unhinged - individual.
The wider problem of course is the effect this has on the vibrant WP ecosystem which as someone else in this thread has pointed out is a critical (erstwhile) open cornerstone of the web.
I am still hoping that this will subside into history and it'll all sort but it has left me and many WP devs I know with a pretty bitter taste.
The irony of this move is that his main argument to keep people on his side over this has been that WP Engine has not been contributing. He's been saying over and over that he's doing this because they're not giving back.
Now, when he's already failed to bring the community on board with his attacks, he decides that his next move is to make a big show of stealing something that had he done nothing many people would not have realized was a WP Engine property, with the net effect of reminding people that WP Engine has been responsible for maintaining what is widely considered to be the most essential plugin in the ecosystem.
But that doesn't count as giving back because... reasons.
> Now, when he's already failed to bring the community on board with his attacks, he decides that his next move is to make a big show of stealing something that had he done nothing many people would not have realized was a WP Engine property, with the net effect of reminding people that WP Engine has been responsible for maintaining what is widely considered to be the most essential plugin in the ecosystem.
> But that doesn't count as giving back because... reasons.
I haven't used WordPress in years, but I've seen recent comments saying that WP Engine has been using ACF to market their hosting packages, even giving customers a "4 month trial" — not something a hosting provider really wants to see.
> Simply switching the name and keeping the slug - and thus the 2+million sites - should be thought of as theft.
He probably is trying to make a point what WPEngine is doing (based on his own perspective)
This is the same person that plasters the 4 freedoms of free software on his about page like they're the core of his personal credo.
https://wordpress.org/about/
There are certain implied rules to FOSS:
1. Free software is an ideological battleground, and as long as you abide by the license you're fine. Most GNU packages.
2. Open Source without a single backing entity is a meritocracy (or tries, sometimes a little too hard) and you can help improve it for everyone. Like the Kernel.
3. Open Source from a single backing entity is an insurance policy against that company failing or overcharging - at least in principle - if that works is often up to adoption, see the state of various Hashicorp products and their forks. You'll also never get your PR merged if it isn't critical, you aren't a customer or the PR misaligns with the company's strategy. I've even seen this happen on an Apache project, so that's not a guarantee of being group 1 or 2.
Matt has always pretended he belongs to group 1 with incidentally aligned commercial interest, but it turns out WordPress is group 3 with a server dependency twist. He wouldn't even approve a config constant to change the default update/catalog endpoints.
This is particularly bananas as ACF is basically table stakes for doing anything beyond blogging. I’d assume most websites that make actual money are thoroughly dependent on it.
To twist the knife on a personal spat, Mullenweg just blew up uncountable businesses on a double-holiday weekend. At this point, seriously, fuck that guy.
> This is particularly bananas as ACF is basically table stakes for doing anything beyond blogging.
Not sure about this.
I'd assume most Wordpress sites that make actual money are dependent on WooCommerce and Easy Digital Downloads, and maybe Gravity Forms/WP Forms for member subscriptions.
None of these are reliant on ACF, and there's any number of WP plugins like this that do the whole job of some website niche or other.
(I've been doing bespoke WP builds for at least a decade -- first one probably more like 14 years ago actually -- and I've not used ACF a single time. There has always been an alternative, and for a developer it's a bad choice.)
Either way: I don't think ACF's popularity is the major factor here. It's that it's an outright abuse.
The word "gaslighting" gets overused but it applies quite well to what ACF free plugin users are experiencing here.
As to "blew up": I am not sure how many money-making ACF users this has affected, because they tend to use ACF Pro, which is a separate download.
What appears to have been removed from ACF to make this shady SCF nonsense is the upsell marketing. Not sure what other breakage there would/could have been. I have seen people say things have broken but I suspect they are relatively minor issues caused by the actual ACF security patch which is also shipped here... because they haven't changed much.
Though if Secure Custom Fields is getting the blame for the breakage, that's kismet, karma, whatever you want to call it.
I used to be at a website vendor house where we managed/built about 120 midsize websites (over awhile).
All of them used ACF for custom article types, testimonial types, carousels, and other random one-off “content-types”
Not trying to debate against you, just adding that wordpress usage is so wide
Fair enough. My info might be a little out of date from my web agency chop shop days, but I do recall that for essentially any substantial site it was assumed from day 1 that it would involve an ACF install. Probably integrated it into… fifty(?) websites over the years. I don’t recall the value prop of Pro, and I actually don’t think I ever touched it myself.
Biggest value prop of Pro (for me, anyway) was the Repeater field, which lets you add a collection field.
I don't think GP's distinction of "websites that make money" == "online stores" is accurate or meaningful. I use ACF on every website, my clients are money-making businesses. Only a couple of them are running WooCommerce (and those are running ACF as well).
Nothing about running a business on WordPress makes WooCommerce and ACF mutually exclusive.
Counterpoint. Just have a look how many times ACF is mentioned (for example) in this thread [0]. ACF is massively popular. The fact you've never used it, for as long as you've been involved, is extraordinarily rare. I'm really surprised to hear you say that (but good for you if you've got the time and chops to never resort to it! That's awesome).
https://www.reddit.com/r/Wordpress/comments/1cc0aor/what_are...
I might be wrong, but as best I can tell from some quick searching, ACF is the most mentioned.
They replaced ACF with a forked version so the functionality is still there. That doesn't excuse it but the situation is not so dire for users.
There are examples of things breaking in this very comment section [1].
Given how widely used ACF is, it wouldn't be surprising to learn that a lot of weekends were ruined by the "fork".
[1] https://news.ycombinator.com/item?id=41830709
Looking at the code, it's not clear to me how much has broken because of the fork, and how much has broken because of the "secure context" security patch that ACF have apparently also applied in their own version.
That is, I think some of these things might have broken even with the real ACF.
The main change appears to be that if a developer has used a built-in wordpress function as a filter hook (rather than a user-defined one), that has been blocked. (This has never been a good idea, anyway; developers should not do it.) Also a filtered version of the POST variables has been passed to the callback. These are both seemingly to stop CSRF attacks.
This patch was necessary; it prevents CSRF and potentially other nasties.
I don't mean to excuse any of the other bullshit; I'm just saying that if there are "breakages" here, they are likely to do with the necessary patch that is hidden inside the gaslighting.
Asking for a friend... What's the migration path to a different plugin look like? Seamless? Better be duckin seamless
You don't need to migrate from ACF to a different plugin, you can still access ACF and received future updates indepedent of wordpress.org. See https://www.advancedcustomfields.com/blog/installing-and-upg...
https://dorve.com/blog/ux-news-articles-archive/wp-forks-acf...
The official wp announcement of this said “we don’t plan on doing this to other plugins.” lol. anyone think they pinky promise? More like: build on Wordpress and unless you kiss the ring some guy named Matt will disappear your business.
https://x.com/WordPress/status/1845180576531468375
> Hey @WordPress. Are there any further plugins that we can expect to be forked?
> There are no others we're aware of at this time, but you are welcome to suggest some.
I thought that was satire, but they actually asked for suggestions…
Wow, this is a big deal. Matt Mullenweg taking over ACF like that? Not cool. It's not just about messing with years of hard work, but think about all those WordPress sites now running code the ACF team didn't approve. Kinda scary when you think about it. Hope this doesn't become a trend in the open-source world.
It needs to stop here.
And this is different from WP Engine modifying Wordpress exactly how?
Well, we can start with the fact that WP Engine hasn’t taken over any domain previously owned by Wordpress
WP engine never modified WordPress. They took stock Wordpress and edited a configuration file to disable revisions. They didn’t actually change any code.
I thought they'd also modified revisions to have a limit, instead of unlimited. Even when 'enabled', it's not how the rest of the wp installs would behave (iirc). Likely there was some code change there to enable that restriction.
No. They add the below to wp-config.php:
define ('WP_POST_REVISIONS', 3);
They use the parts of wordpress that are specifically built in to make modifications, as any other site maintainer would hosting their own install.
You are mistaken.
WP Engine modified their own WordPress installations.
WordPress.org modified third party WordPress installations.
Um, no: WP Engine changed a variable in wp-config
Let's be really, really clear here.
Matt might pontificate about "bastardizing and messing with" WordPress, but this is what he is actually referring to:
A. Single. Configuration. Option.
A. Changed. Default.
Post revisions are a configuration option in the admin panel. They are enabled by default. Some hosting providers (and I expect WPE is not the only one) set it to disabled by default.
That's it.
This is not remotely comparable.
Even without the ACF situation, Matt's description of WPE bastardizing the fundamental offering of WordPress is asinine at best, actively deceptive at worst (and that's where we seem to be, so far).
After all this drama, it feels like WordPress has reached its peak and is now starting its decline. Of course, it will take years, and the process may be volatile, but the overall trend will likely be downward.
AFAIK there is just no other free and open source CMS with a similarly mature ecosystem, which could replace WordPress. So many websites, companies and agencies are built on WordPress, it would take a decade to move away.
The only possibility I can think of is a fork.
Discussions:
(160 points, 23 hours ago, 174 comments) https://news.ycombinator.com/item?id=41821336
(383 points, 23 hours ago, 188 comments) https://news.ycombinator.com/item?id=41821400
I guess the only way forward for now is forking WordPress and creating a new plugin registry.
This should be rather easy, because all WordPress plugins are GPL-licensed because of the Copyleft.
I don't care about the current dispute, but wordpress.org can't be trusted any more.
Creating an open registry would be nice, or even for developers to be able to host their own repos for others to install plugins from (à la Linux package managers), to avoid such centralisation.
Ideally, those repos would be hosted by each party, and then hosting providers would be able to host their own mirrors containing many packages for all the installs, giving a similar experience to what is now offered by Mr. Mullenweg's WP.org.
Not a single serious developer would release a plugin or theme on wordpress.org after this.
It is insane how Matt once again seem totally unable to understand the difference between Autoamattic and the WordPress Foudnation.
There isn't an actual difference. He uses both of them as he sees fit.
Wait, and the IRS is happy with all that? With an individual using company resources for what would appear to be "personal" activity outside the company? Same with the foundation?
He said that they're all his and he moves workers between them in a comment here. WP Engine mentions the tax exempt status of the foundation in their lawsuit.
The WordPress Foundation doesn't own WordPress.org. As far as I can tell it basically only owns the WordPress trademark, which it immediately turned around and gave away to Automattic in an exclusive license for unclear consideration.
WordPress.org, and therefore the entire plugin repository, is owned by just Matt and maintained by a division within Automattic. The .org-ness of it was just a smokescreen all along.
The challenge is that this drama seems to be unmasking the reality that for the past decade or more, Matt has grown used to referring to Automattic, WP.com, WP.org, and the WPF interchangably and synonymously.
Concerning is not just the things he's said, but what he has done that go along with this. Self-dealing? Improper tax accounting?
In the Reddit megathread on the recent drama, someone posted a summary of the IRS responses to inurement by the Board of Directors of a non-profit. It isn't pretty! [1]
If there is insider inurement, the IRS fine is directed to the Board of Directors (each one of them, however many) for 25% of the value of the benefit. If they do not pay in a timely manner, the bill is 200% of the inurement. Matt is the ultimate insider, "giving" the valuable trademarks to the foundation and then getting to use them for free, while leaning on other companies to pay millions. So the insider inurement is in the millions of dollars, per year, for years. Those two unknown board members of the WordPress Foundation? I hope they have great tax lawyers!
[1] https://www.mercadien.com/resource/steep-penalties-for-exces...
When the drama first started, I thought @photomatt’s plan might be to build ACF directly into WordPress (and maybe get rid of Gutenburg). I’m not sure if taking control of the plug-in is a step in that direction or if he probably could have incorporated ACF without taking over the plug-in. What’s the endgame?
This would be the same as Google replacing Spotify with Youtube Music on Play Store and pushing Youtube Music in its place on all Android devices. Its insane.
Even worse: It would be Google taking Spotify‘s app and renaming it YouTube Music. That’s what Matt did. They didn’t develop a new plugin and put it in place of ACF. They just took the existing one and pretend it’s theirs. It’s horrifying. How am I supposed to trust a system that’s governed by a single person that thinks this is okay?
Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.
EDIT: I confirm our ACF plugins on sites are all switched to secure custom fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our client's sites). Let's see what comes next...
EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.
This should be the top comment. It's already scary for a package manager to take control of a community package, even more so when sites auto-update to new code... but to break existing sites by completely changing the code that is provided in an auto-update is beyond the pale.
Not a lawyer, but I imagine many consultancies will be talking to lawyers about this one; there are entire sections of law about interfering with other companies' contracts with each other. At minimum it's an appalling breach of trust.
“Advanced Tortious Interference”
"Secure Tortious Interference"
Photomatt aka Matt mullenweg hangs out on HN.
I’d love to hear how he justifies taking away this engineers’ Sunday? I doubt this person is the only person working this weekend due to Matt’s theft of ACF
> I’d love to hear how he justifies taking away this engineers’ Sunday?
His posts on slack [1] show that he sees it as "either with us or against us", and he's willing to harm users to force them to choose a side instead of staying neutral. He probably hopes that people will blame WP Engine for it.
I think his real goal is tortious interference. Hurting devs who use ACF is just a bonus.
[1] https://threadreaderapp.com/thread/1843963052183433331.html
(community member, not affiliated with WP, WPE, or A8C)
I can confirm this has been escalated internally in the WP slack.
I can also provide this context which I found concerning, given the way this was taken over and rolled out on a Saturday afternoon, of which I have also been dragged into now as a fellow site maintainer.
- Matt Mullenweg "in a few days we'll have a Github where people can get involved, and we can also set up proper build systems, etc"
So its all in flux obviously. I let them know the same thing, that I find this as a malicious supply chain attack that is affecting the community.
Install the official free plugin from the advanced custom fields website and remove the SCF version. You won’t need to change any existing code then, and future updates will come from the plugin dev for ACF.
That's where the Sunday goes. I am trying to create an FTP script to mass update all wp-content plugins for this single package. It was on my mind but I was not expecting to have something bizarre happening from WordPress for one of the most crucial plugins in WordPress' existence.
Have you ever looked into wp-cli? It was made for this kind of task.
We use the wp-cli with cron jobs such as indexing when we post with API or database-related things. Even with wp-cli we must login to SSH individually. And this doesn't give us the wp-cli option since it is 3rd party zip file. We possibly can get the file, extract, and delete the old plugin with cli, and then enable the last updated plugin with with cli again with a script. Either way, we must create a script or suck it up, go into each wp individually, and take care of it from the backend...
As an agency dev, this is the shit they don't think about. In my case, all that would have to be billed or go through pro-bono approval process.
"Just update it!" Until it all goes to shit, and we have to triage the whole mess.
Sorry you are dealing with this, I have spent the better part of the weekend trying to get them to understand this was inevitable.
Devs: "Don't deploy on Fridays" A8C/Matt: "We will deploy on SATURDAYS"
I've been monitoring the SCF forums as well on WPorg, and there have been no reports of issues since moving to SCF.
It would be fantastic if people could open a topic there or a thread on Slack if they face any issues.
https://wordpress.org/support/plugin/advanced-custom-fields/
pass the bill to matt when you finish fixing those broken wp.
I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.
If it's a bug, our bad and we'll fix ASAP. If it's a bug, it's a very rare one. There have been 225k downloads of the SCF plugin in the past 24 hours, implying a lot of updates. I would estimate at least 60% of the sites with auto-upgrade on and using .org for updates have done so already. https://wordpress.org/plugins/advanced-custom-fields/advance...
That said, I'm happy to pay system2 whatever he thinks his time was "spent" on a Sunday is worth. Just let me know an amount and where to send. You can contact me here: https://ma.tt/contact/ .
Matt, you say that you've had no other reports and this is the only claim on the Internet.
That's not true. You have users on the support forums reporting issues with SCF.
"this has caused an incident requiring unschedule maintenance on a weekend. I use this plugin on a couple hundred sites I help maintain, so this has been a very bad experience "
https://wordpress.org/support/topic/plugin-hijacked-on-weeke...
He will reply that go has just “contributed their fair share of man-hours” /s
Can't wait for Matt to jump in and blame this on you.
this is my nightmare
How did the sites auto-update to have this plug-in removed/replaced? Are your sites set up to just automatically take push updates from WordPress central command or something and auto-modify themselves?!
Wordpress has a (highly effective) auto-updates mechanism for security patches.
It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.
(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)
The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.
And in fact, very little has changed.
IDK if WordPress plugins respect SEMVER, but shouldn't this auto-update thingy update only patch versions, or minor versions at most? Idk, breaking changes like these is definitely not something you want your CMS to do overnight when you won't notice until you receive complaints that your site is broken
Yeah.
I don't know off-hand what the rule is for plugin updates, actually; I'd have to look it up.
As far as WordPress itself is concerned, the updater definitely does not auto-push updates to major WP versions by default [0], and they continue to patch older versions for a long time.
But at any rate, whether the plugin updates respect SEMVER or not, Matt/WP.org pushed this bullshit out as the most minor of minor version number changes over the previous ACF version: 6.3.6.2.
https://wordpress.org/plugins/advanced-custom-fields/advance... (scroll down to the bottom and you can download the previous version to diff it)
So as far as the poor benighted plugin updater is concerned, it's just a change to the display name, which is inconsequential.
[0] WP Engine do, ironically, on a pretty short timescale!
WP and/or A8C took over the existing plugin, so that sites that have auto-update on were automatically bumped to the SCF version instead of the historical ACF which obviously had a different team of maintainers
> it broke our snippets because we are using prepend and append texts to wrap our field values
Did they also rename filters and functions? I thought it was only the name and mentions of ACF in the docs. What did you rely on?
We use ACF with WP Code auto insert. ACF has prepend and append (in presentation tab) and this can be used to wrap the value with classes or other tags such as IDs, JS or others. When the ACF name changed, the prepend and append broke because prepend/append text showing must be configured in functions.php like this:
add_filter('acf/format_value/name=mysnippet1', 'mysnippet1acf', 20, 3);
function mysnippet1acf ($value, $post_id, $field) {
}Long story short, if you are using ACF with advanced features, including logic and presentation, this hostile takeover breaks it.
Doesn't even matter if you use prepend/append for the fields, our logic-based ACF fields are also broken.
Right, but why did that break? As far as I can tell that part hasn't been touched in the hostile takeover.
https://plugins.trac.wordpress.org/browser/advanced-custom-f...
It's still $this->add_field_filter( 'acf/format_value', array( $this, 'format_value' ), 10, 4 );
The file was last changed 7 weeks ago by deliciousbrains/wpengine and specifically the filter part is the same on their github.
Whatever they did, it didn't work. Maybe we are over-custimizing it but it is not unheard of to use ACF with multiple other plugins such as WP Code and custom scripts.
Strongly recommend installing the genuine ACF from www.advancedcustomfields.com - the WP Engine and ACF teams have provided timely updates (even fixed Automattic’s spurious security issue in less than a day) and have uploaded a permanent fix to MM’s malicious hack of ACF to create SCF.
The initial release of SCF only applied security fixes, changed the plugin name and removed upsells. I don't think there is any change that might cause the issue you are having.
If you can share the problem you are experiencing on Making WordPress Slack (#secure-custom-fields channel), I'm sure relevant people would love to help out ASAP.
I work at Automattic and I can get you in touch with people from WordPress.org if that's easier. You can email me at batuhan@a8c.com.
If there are any bugs, regressions or any issues with the fork, it's in the interest of everyone to quickly find and resolve them, so I'm sure your help would be appreciated.
So you guys don't get sued any further for essentially hijacking a distribution channel and pushing an unauthorized version?
If I were an employee of A8C I wouldn't be touching this code with a ten foot pole - employees can still be found guilty of criminal wrongdoing even if their employer told them to do something.
As someone who doesn’t use it, were those features removed into the patch?
If they’re actively breaking people’s sites I’d hope they can get an emergency injunction ASAP, and maybe someone can start a CFAA investigation.
I don't see how Mullenweg could escape lawsuits on this one.
Hang on, the ACF plugin has been replaced by a different plugin, published by a different party? And install on every Wordpress installation?!?
The whole thing is https://plugins.trac.wordpress.org/changeset/3167679/advance... it's very close to functionality wise right now to ACF. Not identical, already. While I am not a lawyer it almost certainly violates the ACF trademark as the code and reviews contains a lot of reference to ACF and the Advanced Custom Fields trademark which is literally the project slug. Some suspect a request for emergency injunction might follow next week. And most certainly it also violates community trust very, very big time.
This on top of the "swear fealty" checkbox on login which caused multiple high profile contributors to leave and now shut the accessibility team down https://i.imgur.com/0jCZnlm.png
Excuse me for being OOTL: what "WP Engine checkbox"?
They added a checkbox to the wordpress.org login page https://login.wordpress.org/ stating "I am not affiliated with WP Engine in any way, financially or otherwise.", you can't login to the site without checking it.
And very importantly: no one knows what that checkbox means and what are the consequences of checking it.
Matt also bans anyone who asks about it.
And Matt has refused to clarify when asked about it.
Including in the (rather common!) context of developers who maintain sites hosted on WPE.
You must agree on sign up that you're not affiliated with WP Engine. WP has been having a spat with WP engine.
That's correct. But not if you were using ACF Pro.
More discussion: https://news.ycombinator.com/item?id=41821400
https://news.ycombinator.com/item?id=41821336
I am sorry to say this but: be gone wordpress. always getting hacked, if you get featured somewhere your website will always go down, regardless if you are on shared hosting or a hetzner dedi. it is just too complex, it wants to do it all and sometimes it works.. until it doesnt.
if you still want to use it and like the design options just install the "Export to Static" plugin and build your website locally then create a static copy and upload it...
"Advanced Custom Fields" developer accuses Matt Mullenweg of taking over, without consent, their WordPress plugin.
While all of this is very bad, I still dislike the post. „Since 2011“, for example. The plugin was sold two times in the last two years and ended up in the hands of WPEngine in the end. Since then, it has been a bumpy road with ACF, even before this (hugely unsettling!) incident.
I don't know what you mean by "bumpy road". ACF has been solid for years, and has received excellent care and updates since moving to Delicious Brains and then WP Engine.
My opinion as well as many as my peers is that ACF could have been rolled into core or bought by Matt long long before it was acquired by WPE, which most of us found as a good thing, being that its a critical plugin and gained long term support.
Plugins have bumps, that's part of the growth, and some of the changes ACF have made as of recent years, even the ones I disagree with, seem well intentioned and not malicious. I can't say the same for what is happening right now.
There's been nothing "bumpy" about ACF. It has been solidly supported, developed and documented for years.