The recent announcement by Matt Mullenweg, co-founder of WordPress, regarding the forking of the Advanced Custom Fields (ACF) plugin into a new entity known as Secure Custom Fields (SCF) has sparked significant conversation within the WordPress community. This decision, driven by security concerns and a commitment to maintaining the integrity of the platform, has raised important questions about the ethics of such actions and their implications for the open-source ecosystem.
In his announcement, Mullenweg stated that the decision to fork ACF was taken by the WordPress security team in accordance with the plugin directory guidelines. He emphasized that Secure Custom Fields would be a non-commercial plugin, designed specifically to address a security issue and eliminate commercial upsells that users found problematic. This move was positioned as a necessary step to protect users and ensure the safety of their data.
The backdrop to this decision is a legal dispute involving WP Engine, the owner of ACF, which has led to significant tensions between the two parties. WP Engine was banned from accessing WordPress.org resources following their legal actions against Automattic, the parent company of WordPress. This situation escalated to the point where the ACF team was unable to push updates or address vulnerabilities effectively.
Responses to this fork have been polarized. Many in the WordPress community have expressed support for Mullenweg’s decision, highlighting the importance of security in a platform that millions rely on daily. Others, however, have criticized the move as unprecedented and potentially harmful to the collaborative spirit of open-source development. WP Engine, in particular, characterized the action as a violation of community trust, arguing that the unilaterally taken control of a plugin under active development sets a troubling precedent.
The implications of this fork extend beyond just the ACF plugin. The community is watching closely to see how this situation unfolds and what it means for the future of WordPress and its ecosystem. For instance, security consultant Tim Nash suggested that while the forking of plugins is not new, the circumstances surrounding this fork underscore the need for WP Engine and Automattic to engage in good-faith negotiations to avoid such drastic measures in the future.
Interestingly, the Secure Custom Fields domain currently redirects to the ACF website, which has raised eyebrows among those observing this situation. This is indicative of the ongoing complexities as both parties navigate their respective interests and responsibilities within the WordPress community.
The forking of ACF is not an isolated incident. The WordPress ecosystem has seen other forks in its history, including ClassicPress, which emerged as a response to the introduction of the Gutenberg editor. However, the scale and visibility of the ACF situation are unprecedented, leading many to question the ethical implications of such actions.
As discussions continue, various community members have taken to social media to voice their opinions. For instance, developer Colin Stewart shared his surprise at the decision, noting that he was not informed as a member of the WordPress Security Team. Others echoed similar sentiments, emphasizing the need for transparency and communication within the community.
The community’s reaction has been further complicated by the mixed reviews appearing on the newly created Secure Custom Fields plugin page. While some users have praised the move for prioritizing security, others have expressed concerns about the integrity of the new plugin and its implications for existing installations of ACF.
In light of this upheaval, users now face a choice between continuing with the original ACF plugin, which is still available on the ACF website, or transitioning to Secure Custom Fields through the WordPress plugin directory. For many, this decision will depend on their trust in the respective teams behind these plugins and their commitment to security and ongoing support.
As the dust settles, the WordPress community is left to grapple with the ramifications of this decision. The ACF fork serves as a reminder of the delicate balance between security, collaboration, and the principles of open-source development. How this situation will ultimately influence the future of WordPress remains to be seen, but one thing is clear: the community is engaged and watching closely.
