WordPress forks popular WP Engine plugin 'Advanced Custom Fields' without permission, developer claims plugin was 'taken without consent'



Matt Mullenweg, the creator of WordPress, has sharply criticized WP Engine, a hosting service specializing in WordPress, and has blocked access from WP Engine. Following this dispute, Mullenweg announced that he has forked the very popular WP Engine plugin, Advanced Custom Fields (ACF).

Secure Custom Fields – WordPress News
https://wordpress.org/news/2024/10/secure-custom-fields/



On October 12, 2024 local time, Mullenweg announced that he would fork ACF into a new plugin called 'Secure Custom Fields.'

Mullenweg cited the fact that ACF updates are now done directly from the WP Engine website as the reason for forking ACF into Secure Custom Fields. This was an issue that arose when WordPress blocked access from WP Engine, and ACF announced the change on October 3, 2024.

Therefore, WordPress has announced that if you use the WordPress.org update service, updating your plugin will switch you from ACF to Secure Custom Fields. This process will also automatically switch your plugin from ACF to Secure Custom Fields for websites that automatically update their plugins via WordPress.org.

Mullenweg explained that Secure Custom Fields is 'the smallest possible change to fix security issues.' In addition, with the switch from ACF to Secure Custom Fields, the plugin becomes non-commercial, so WordPress is looking for developers who want to maintain and improve it.

Mullenweg explained that similar incidents have occurred in the past, but never on this scale. 'This is a rare and unusual situation caused by WP Engine's legal attack, and we don't expect this to happen with other plugins,' he said.

However, the ACF development team has published a blog post claiming that 'the ACF plugin was plagiarized by Mr. Mullenweg.'

ACF | ACF Plugin no longer available on WordPress.org
https://www.advancedcustomfields.com/blog/acf-plugin-no-longer-available-on-wordpress-org/



ACF is a sophisticated plugin with over 200,000 lines of code that has been developed for WordPress users since 2011. Since being acquired by WP Engine, ACF has been released more than 15 times in the past two years, and new features have been added continuously.

The ACF plugin was forked by WordPress.org without the developer's consent, the developer claims. 'In the 21-year history of WordPress, we have never seen a plugin in development unilaterally removed without the author's consent,' the ACF development team said, criticizing WordPress' unilateral action.




The development team criticized Mullenweg, saying, 'Mullenweg's actions are deeply concerning and pose a significant risk of upending the entire WordPress ecosystem and causing irreparable damage. Mullenweg is attempting to unilaterally control this open platform that we and many other plugin developers and contributors have built in the spirit of sharing our plugins with others. His attempt represents a serious abuse of trust, multiple conflicts of interest, and a breach of the promise of openness and honesty in the community.'

In response to ACF's criticism, WordPress said, 'This has happened before and is consistent with the guidelines you agree to by joining the directory. We wish you the best of luck with your version. We look forward to creating a great version for our users using the best GPL code available.' The company maintained that it was a legitimate fork that followed the guidelines.




The justification WordPress cited for the fork is the WordPress Plugin Guidelines, which state that 'WordPress reserves the right to maintain the Plugin Directory for as long as possible.' These guidelines state the rights WordPress has to ensure the quality of plugins and the safety of plugin users, and that WordPress reserves the right to 'make changes to plugins without the developer's consent in the interest of public safety.'

David Heinemeier Hansson, a developer of Basecamp and HEY, likened WordPress's block on access from WP Engine and the unilateral fork of ACF to this scenario: 'Meta filed a legal battle with Microsoft (owner of GitHub and npm), and Microsoft completely banned access to repositories used by Meta employees from GitHub, and then took over Meta's React repository and forked it into its own project.' He further stated, 'It is never acceptable to weaponize an open source code registry, and the registry must remain a neutral area,' arguing that this issue is not just about WordPress and WP Engine, but could affect the entire open source project.

In response to Hansson's claims, Mullenweg said, 'Hansson claims to be an open source expert, but his toxic personality and inability to scale his team has meant that he has invented some great ideas worth about $5 trillion (about 750 trillion yen), but most of that value has been stolen by others.' He added, 'It's amazing that someone as smart as Hansson would be fooled by WP Engine's boring tactics and divert the conversation to 'GPL code' and fork issues instead of trademarks.'

In response, Hansson said, 'I'm proud to say that companies like Shopify, GitHub, Gusto, Zendesk, Instacart, Procore, Doximity, and Coinbase have all achieved billion-dollar valuations using Rails. It's incredibly satisfying to see this much value being created in a web application framework that I've been evolving and maintaining for the past 20 years. It's a wonderful honor to see my life's work come true.' He said he has no regrets about his work so far.

Software developer Gavin Anderegg also commented, 'Taking over a popular plugin is crazy, and I don't see how it's different from a supply chain attack.' 'The hijacking was caused by WordPress.org itself, which blocked access from WP Engine. WordPress just happened to discover a minor vulnerability in ACF, and ACF can't update the plugin because it's blocked from WordPress. This is why WordPress is trying to take over the ACF plugin.'

in Software, Posted by logu_ii