WordPress recently announced a new chapter for one of its most popular plugins, Advanced Custom Fields (ACF), with a forked version called Secure Custom Fields (SCF). The fork, led by WordPress co-founder Matt Mullenweg, marks a significant development for plugin users and web developers alike. Let’s break down what happened, why it matters, and what you need to know if you’re using ACF on your site.

What Happened?
The WordPress security team, represented by Mullenweg, shared that Secure Custom Fields (SCF) was created to address a security vulnerability in ACF. The forked plugin, SCF, has been stripped of its commercial upsells, making it a fully non-commercial option on the WordPress Plugin Directory. Mullenweg explained:

“This update is as minimal as possible to fix the security issue.”

The fork comes amid a larger legal dispute involving ACF’s current owner, WP Engine. Due to the conflict, ACF was removed from the WordPress Plugin Directory, prompting this unprecedented move.

What’s the Issue Between WordPress and WP Engine?
Advanced Custom Fields, acquired by WP Engine, is a highly popular plugin among developers for customizing WordPress edit screens. However, after WP Engine’s ban from the WordPress Plugin Directory, the plugin’s future on the platform was jeopardized. WordPress.org cited “legal issues” with WP Engine, prompting the security team to step in.

WP Engine responded strongly, claiming that the move was a breach of community trust. In a tweet, WP Engine stated:

“A plugin under active development has never been unilaterally and forcibly taken away from its creator without consent in the 21-year history of WordPress.”

WordPress, however, argued that the fork aligns with open-source guidelines, noting that similar situations have occurred, though not at this scale. It also reminded WP Engine that by hosting ACF on WordPress.org, the company had agreed to these guidelines.

Impact on ACF Users
For ACF users, here’s the essential takeaway: you now have two options.

1. Secure Custom Fields (SCF) is available on WordPress.org and will auto-update for users with automatic updates enabled.

2. Advanced Custom Fields (ACF), including its latest update (version 6.3.8), remains available on WP Engine’s own site and the ACF website.

If you’re using ACF PRO or have a WP Engine or Flywheel hosting plan, this fork doesn’t impact your services.

Community Reactions and Concerns
The WordPress community has been buzzing with mixed opinions on the fork. Some users appreciate the commitment to security, while others express concern over WordPress’s decision to fork without consulting WP Engine. Prominent figures like Colin Stewart and Justin Sainton shared their reservations publicly, noting the need for open dialogue around such moves.

The incident also sheds light on the complexities of GPL (General Public License) rules, which permit forking within open-source parameters. This debate isn’t new to the WordPress world; past forks like ClassicPress and the original WordPress fork from b2/cafelog highlight the long-standing challenges of balancing community values with business interests.

Key Takeaways for Plugin Users and Developers
1. Security First: The SCF fork addresses a security vulnerability that could impact ACF users. Updating to SCF or installing the latest ACF version from WP Engine’s repository are both ways to ensure your site’s security.

2. Open-Source Ethics Debate: WordPress’s decision raises questions about governance, creator rights, and the extent of WordPress.org’s authority over plugins on its platform.

3. Forking Is Not New: Forking has been part of the WordPress ecosystem for years, but this is one of the most significant forks in recent memory, given ACF’s popularity and WP Engine’s active involvement.

4. Community Discourse: This decision has prompted widespread discussion across developer forums and social media, with many calling for a clearer path to resolve such disputes in the future.

5. What to Watch: The evolution of Secure Custom Fields and WP Engine’s ongoing response will be important for WordPress developers and users alike.

Where to Go from Here?
If you’re an ACF user, decide whether to stick with the ACF updates provided by WP Engine or switch to SCF for a security-focused, non-commercial alternative. Both plugins remain rooted in the open-source values of WordPress, but the debate surrounding this fork serves as a reminder of the complex dynamics in the open-source community.

Keep an eye on updates from WordPress and WP Engine as this story unfolds, and stay tuned for community insights and recommendations.

Aaron Fernandes

Aaron Fernandes is a web developer, designer, and WordPress expert with over 11 years of experience.