Organizations using WordPress plug-in Advanced Custom Fields (ACF) are in the middle of an ugly and very public dispute between WP Engine (WPE), the maker of the plug-in, and Matt Mullenweg, the founder of the open source content management system.
At stake is how users of the plug-in receive security fixes and other updates going forward after Mullenweg announced his decision over the weekend to fork ACF into a new version called Secure Content Fields (SCF). He also cut off WPE’s access to WordPress.org’s update servers.
Forced Changes
Following the fork, sites that use free versions of ACF and also have auto-updates from WordPress.org enabled will automatically get switched to SCF and receive future updates for the plug-in through WordPress.org. Sites owners that want to remain on ACF and receive updates via WPE need to install an alternate update mechanism that the vendor has released.
Meanwhile, customers of the paid ACF version will continue to receive updates directly from WPE and need to do nothing differently.
Mullenweg is the founder of WordPress and CEO of Automattic, the owner of WordPress.com, which hosts a commercial version of the content management system, just like WP Engine does. In recent weeks, Mullenweg has launched a series of scathing attacks on WP Engine, a company he has described as profiting enormously off the open source software model while returning very little back to the community.
Bitter and Escalating Battle
“What WP Engine gives you is not WordPress, it’s something that they’ve chopped up, hacked, butchered to look like WordPress, but actually they’re giving you a cheap knock-off and charging you more for it,” Mullenweg asserted in a September blog post. “This is one of the many reasons they are a cancer to WordPress, and it’s important to remember that unchecked, cancer will spread.” Mullenweg described his decision to fork ACF into a new plug-in as a move to “remove commercial upsells and fix a security problem” that WP Engine allegedly has failed to fix.
Mullenweg recently claimed that WPE needed a trademark license to continue selling services under the WordPress name and demanded 8% of the company’s revenue on a monthly basis for the right to use the name. In September, he banned WPE from accessing WordPress.org resources, citing the need for the company to have a trademark license.
WPE’s ACF team, for its part, characterized Mullenweg’s decision as violating open source guidelines and setting a troubling precedent. The company has dismissed Mullenweg’s claims about the plug-in’s security. “A plugin under active development has never been unilaterally and forcibly taken away from its creator without content in the 21 year history of WordPress,” the ACF team posted on social media site X.
In a blog post, Ian Poulson, product manager for ACF, pointed to over 15 releases and significant new functionality the ACF team has made to the free version of the plug-in over the past two years, in addition to improvements to the paid version. Mullenweg’s decision to fork ACF is “inconsistent with open source values and principles,” he noted.
“The change made by Mullenweg is maliciously being used to update millions of existing installations of ACF with code that is unapproved and untrusted by the Advanced Custom Fields team,” Poulson wrote. Organizations using a free version of ACF must download version 6.3.8 from Advanced Custom Fields if they wish to continue receiving ACF-approved updates, he noted.
Earlier this month, WPE filed a lawsuit citing “abuse of power, extortion, and greed” against Automattic and Mullenweg. WPE has also sent a cease-and-desist letter to Automattic over the same issue.
User Confusion?
Stephen Kowski, field chief technology officer for SlashNext Email Security, says the dispute between WordPress and WP Engine over the Advanced Custom Fields plug-in reveals tensions in open source software management that could signal the start of a messier ongoing conflict.
“This conflict could result in user confusion and potential migration work, as automatic updates may lead to unknowing transitions to the new Secure Custom Fields plug-in,” he notes. “Users may ultimately need to do further due diligence taking into account security and migration resources if needed, in order to choose between WP Engine’s original ACF plug-in and WordPress’ forked version, Secure Custom Fields.”
Kowski perceives Mullenweg’s decision as having a twofold impact. The newly forked Secure Custom Fields plug-in addresses a security issue that WP Engine has already patched and therefore is unlikely to be of any benefit for users. “On the other hand, the update process may introduce new risks if users are not aware of the changes or do not properly transition to the new plug-in,” he says. “Users should exercise caution and carefully evaluate the plug-ins they use to ensure they are getting updates from trusted sources.”