ACF Plugin Controversy Sparks Debate in WordPress Community

Last Updated on December 11th, 2024

Remember when the co-founder of WordPress, Matt Mullenweg, called WP Engine “a cancer to WordPress”? That bold statement earlier this year sent shockwaves through the WordPress community, but it was just the start of an ongoing saga.

The dispute continued, with Mullenweg announcing that WordPress.org would ‘fork’ the Advanced Custom Fields (ACF) plugin, which is currently owned by WP Engine.

WordPress.org defended the move, stating it was necessary to remove commercial upsells and address a security issue. However, WP Engine, ACF’s parent company, criticized the action, arguing that it undermined the spirit of open-source collaboration.

Meanwhile, the WordPress community is abuzz, filled with concerns about plugin governance and the future of developer autonomy.

Read on to uncover the full story behind this decision, the community’s diverse reactions, and its far-reaching implications for the WordPress ecosystem.

ACF Controversy: What Sparked the Debate?

The Advanced Custom Fields (ACF) plugin, a staple for countless WordPress developers, has become the subject of heated controversy. The plugin is essential for custom fields and metadata and is used by over 2 million websites.

However, a controversy erupted when WordPress.org announced its decision to take over the plugin from WP Engine, its current owner, and subsequently rebranded it as Secure Custom Fields (SCF).


Posting on behalf of the WordPress Security Team, WordPress co-founder Matt Mullenweg said,

“On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.”

Mullenweg went on to say that the update was designed to address the security issue with minimal disruption. He emphasized that Secure Custom Fields will continue as a non-commercial plugin and encouraged developers to get involved in its maintenance and future improvements. 

He also assured the community that this is an unusual case caused by WP Engine’s legal actions and that it is unlikely to happen with other plugins. The move automatically switched millions of users from ACF to SCF, removing premium features and commercial elements.

WP Engine’s Reaction to the Fork

WP Engine voiced their disapproval through a tweet on X, stating that in WordPress’s 21-year history, no plugin under active development has ever been forcibly taken from its creator without consent.

In response, WordPress said this was not the first time such an incident had occurred, writing, “This has happened several times before, and in line with the guidelines you agreed to by being in the directory. Best of luck with your version. We’re looking forward to making ours amazing for our users, using the best GPL code available.”

Iain Poulson, Product Manager for Advanced Custom Fields, shared a blog post on the ACF website and expressed deep disappointment and strong criticism of WordPress’s decision to fork its plugin. He called it a violation of open-source principles and trust. 

He highlighted that ACF has over 200,000 lines of code and has been actively developed since 2011. He also emphasized their recent updates, including 15+ releases in two years, improving functionality, security, and performance. 

He further accused Matt Mullenweg of misusing WordPress.org to push unapproved updates to millions of ACF installations with code that was neither authorized nor trusted by the original ACF team.

The post concluded by expressing serious concerns, stating: “Mullenweg’s actions are extraordinarily concerning and pose the grave risk of upending and irreparably harming the entire WordPress ecosystem.  His attempt to unilaterally take control of this open platform that we and so many other plugin developers and contributors have relied on, in the spirit of sharing plugins for all, provides further evidence of his serious abuse of trust, manifold conflicts of interest, and breach of the promises of openness and integrity in the community.”

Where Did All this Begin?

The controversy stems from a trademark lawsuit involving WP Engine, Automattic (parent company of WordPress), and Matt Mullenweg, which has since escalated. Following WP Engine’s ban from WordPress.org on September 25, 2024, the company was forced to develop its own independent update system for plugins, themes, and WordPress core. This ban also led to the ACF team losing access to WordPress.org.

Shortly after, Automattic highlighted a vulnerability in the ACF plugin in a now-deleted tweet. Here’s a timeline of how it all happened:

  1. October 3, 2024: WP Engine announces that updates for its popular Advanced Custom Fields (ACF) plugin will no longer be available via WordPress.org, instead redirecting users to ACF’s own website for updates.
  2. October 4, 2024: Automattic’s security team identifies a vulnerability in the ACF plugin. Instead of notifying ACF’s technical team, the disclosure is sent directly to WP Engine’s CEO.
  3. October 5, 2024: Automattic, in a now-deleted tweet, discloses the ACF vulnerability and gives WP Engine 30 days to issue a fix before public disclosure. John Blackbourn, WordPress Core Security Team Lead, criticizes Automattic for breaching ethical guidelines in handling the disclosure.
  4. October 12, 2024: Matt Mullenweg announces the forking of ACF into Secure Custom Fields (SCF) during a public address. The stated reasons include removing commercial upsells and addressing the recently reported vulnerability.

In response, the ACF team released a security update, ACF 6.3.8, through WP Engine’s repository and their own website while also providing the update to the WordPress.org Security team. 

ACF Controversy: Is It Really a Fork?

The way WordPress.org handled the Advanced Custom Fields (ACF) plugin has raised numerous questions. Many are questioning if this truly qualifies as a ‘fork’ in the traditional sense of open-source development.

Typically, a fork refers to creating an alternative version of a project while allowing the original to remain intact and giving users the freedom to choose. However, the situation with ACF deviates from this standard because:

  • Complete Replacement: Instead of coexisting, the original ACF plugin was completely replaced with the Secure Custom Fields (SCF) plugin, effectively removing the original from the WordPress repository.
  • Retention of User Base and Reviews: SCF retained ACF’s repository slug, user reviews, and branding, using the goodwill and trust ACF had built over time.
  • Lack of Transparency: Many users and developers were unaware of the update until after it occurred. This raised concerns about how the transition was managed.
  • Trademark Complications: WP Engine, the owner of ACF, has pending trademark applications for “Advanced Custom Fields” and “ACF.” Despite this, SCF continues to use elements of ACF’s branding, which could lead to potential legal conflicts.

These factors have led many users to argue that this is not a “fork” but a hostile takeover, hijacking, and supply chain attack. Critics believe that such actions can undermine the trust developers place in WordPress.org as a safe space for innovation.

Understanding the ACF Plugin Transition

Customers using WP Engine or Flywheel hosting, as well as those who have purchased ACF PRO, will not experience any direct changes. ACF PRO users will still have access to their premium features, updates, and support directly from ACF’s official platform (advancedcustomfields.com).

Free users of the ACF plugin now have two options:

  • Install Secure Custom Fields (SCF): Available directly in the WordPress plugin directory, SCF will receive updates and support from the WordPress ecosystem.
  • Download the Latest ACF Version: Users who want to continue using the genuine ACF plugin (rather than transitioning to SCF) must manually download the latest ACF version from its official source: advancedcustomfields.com. This ensures they have access to future updates and security patches.

If auto-updates are enabled, you will be transitioned to SCF without needing to manually change anything. However, users will lose the option to upgrade to ACF PRO later unless they reinstall the original ACF plugin from advancedcustomfields.com.

ACF Controversy: Community Reactions

The ACF plugin controversy has led to intense discussions within the community, with people expressing various opinions on platforms like Reddit and Twitter.

Many developers and users are criticizing Automattic’s forking of ACF into SCF, calling it a corporate overreach that is against the values of open source. Users have flooded the SCF page on WordPress.org with one-star reviews and harsh comments. 

Reports indicate that WordPress.org has deleted reviews, further raising questions about transparency in how this change is being handled. Another point to note is that the domain securecustomfields.com is currently redirecting to the ACF website.

Some users have pointed out that the SCF plugin still contains elements of ACF’s original branding, including the ACF logo in the WordPress menu and WP Engine logos within the assets folder. Such practices may infringe upon trademark rights and mislead users about the plugin’s origin and affiliation.

In his blog, lawyer and WordPress commentator Richard Best stated: “WP Engine has registrations pending, but the marks still have legal protection in the interim.”

A Reddit thread, which referred to the entire situation as a “hostile takeover,” has drawn significant attention and debate. 

Trust in the ecosystem is a big question right now. People are questioning, “If this can happen to ACF today, what’s stopping it from happening to other plugins down the line?” It’s got developers wondering if their work is really safe and whether WordPress can still be trusted to protect contributions and play fair.

On top of that, there’s a lot of concern about what this means for plugin authors. Moves like this could discourage independent developers from creating new plugins and slow down innovation. Some developers have already removed their plugins from the WordPress.org repository. This includes the BE Media from Production plugin.

And then there’s the open-source angle. Many people feel that this goes against the core values of open source. It seems like corporate interests are being put ahead of what the community actually needs, leaving people worried about what this means for the future of WordPress.

Another Reddit user was asking questions about SCF and how it relates to ACF, specifically wondering if the two are now the same plugin. This kind of question shows how unclear the transition has been and how it’s leaving people unsure about what’s actually changed and what to expect moving forward.

However, a few users think this was the right move. A Reddit comment under this thread called the move a return to community-driven development and an improvement over WP Engine’s commercial approach. Another user on X called ‘ACF forking’ a fair response to what WP Engine did.

The overwhelming sentiment has been negative, with many viewing the move as unethical and akin to theft. Some argue that even if the acquisition was necessary, its execution was flawed.

What’s Next for ACF and the WordPress Ecosystem?

The future of Advanced Custom Fields (ACF) and its WordPress.org fork, Secure Custom Fields (SCF), remains uncertain. WP Engine remains committed to developing ACF independently, while WordPress.org plans to continue supporting SCF as a free, community-driven alternative.

This division leaves developers and users facing a critical decision: which version to trust and adopt moving forward?

For many developers, this move sets a troubling precedent, raising concerns about how much control WordPress.org can exert over third-party contributions. Users, too, have been left in a state of uncertainty. 

Ultimately, how WP Engine, Automattic, and WordPress.org navigate this situation will shape the future of both ACF and the broader WordPress ecosystem. For now, the community watches closely, awaiting clarity and resolution.

At WPLift, we are committed to keeping you informed. We’re closely tracking all updates on this story, so be sure to check out our articles to stay up-to-date.