Automattic cloned WP Engine’s paid ACF Premium plugin and is distributing it for free. Many in the WordPress community disapprove of this action, expressing concerns that it undermines the plugin and theme ecosystem.
Advanced Custom Fields Plugin
Advanced Custom Fields (ACF) is a WordPress plugin that’s popular with WordPress website developers because it enables them to create custom fields that WordPress publishers and authors can use.
Custom fields allow developers to take full control of the editing screens to add things like a form for building structured data specific to a kind of WordPress page, like Schema.org markup for ecommerce, news, legal or medical contexts. A custom field can be used to give article authors a place to enter the author name or a featured quote.
Website developers use ACF to enable authors to add author bios, featured quotes, or article metadata like publication date, modification data or links to sources. For example, a field for a featured quote can be used so that authors can input what the featured quote says and it’ll appear in the article using all the predefined styling. All the author needs to do is fill in the form and hit the submit button.
ACF was developed by a company named Delicious Brains, which was acquired in 2022 by WP Engine, which then assumed responsibility for developing and updating the free and premium versions.
WordPress Freemium Ecosystem
ACF is popular because it built trust and authoritativeness as a solid plugin through the use of the freemium WordPress business model. Plugin and theme developers use the freemium business model to offer a free version of their software and a premium version that offers additional functionality. Offering a highly functional and useful free version increases the popularity and goodwill of a plugin or theme with basic users and the more advanced users are able to try the functionality of the free version then choose the premium version for the additional features. It can take years to build that goodwill, trust and authoritativeness with users.
The developers of plugins like Yoast and Wordfence spend thousands of hours developing and promoting their free plugins, which are then installed on millions of websites. They put all that effort into the free versions to upsell their premium products.
Timeline: Automattic Forks ACF
In the context of WordPress plugins and themes, the term “forking” refers to the creation of an independent version of an existing WordPress plugin or theme using the source code of the original version to create a different version. Forking is made possible with open source licenses. All plugins and themes that are derivatives of WordPress must be developed with an open source license.
Forking of a theme or plugin sometimes happens when a developer abandons their project and an interested party decides to continue developing their version of the software, a “forked” version of the original.
October 3, 2024: Automattic Releases Independent Updates
Automattic locked the ACF plugin out of the WordPress.org servers, preventing ACF customers from updating their versions of the plugin directly from WordPress.org servers and forcing WP Engine to create a workaround on October 3rd.
WP Engine announced:
“On October 3, we released new versions of our widely used plugins, featuring independent update capabilities and updates delivered directly from WP Engine.
While WP Engine and Flywheel customers are already protected by the WP Engine update system and don’t need to take any action, community members are encouraged to download these versions of our free, open-source plugins and updates directly from the ACF and NitroPack websites to ensure they receive updates directly from us.
If you’re running v6.3.2 or earlier of ACF, or have been forcibly switched to “Secure Custom Fields” without your consent, you can install ACF 6.3.8 directly from the ACF website, or follow these instructions to fix the issue.
These efforts support our customers and plugin users and seek to protect the community at large.”
Screenshot Of ACF Plugin Changelog Showing Lockout Workaround
On October 5th, Automattic notified WP Engine of a vulnerability in the ACF plugin and announced it in a now-deleted post on X (formerly Twitter).
Screenshot Of Post On X By Automattic
October 7th: WP Engine Fixes ACF Vulnerability
On October 7th, WP Engine fixed the plugin vulnerability, as noted in their changelog.
Screenshot Of ACF Changelog About Security Patch
October 12, 2024: Automattic Forks ACF
But then, on October 12th, Automattic forked WP Engine’s ACF plugin, renamed it Secure Custom Fields (SCF) and replaced the ACF plugin in the official WordPress plugin repository with their fork, using the same URL formerly used by the ACF plugin. Matt Mullenweg posted an announcement on WordPress.org citing security concerns as the reason for forking ACF, but later in the announcement he also cited WP Engine’s lawsuit seeking relief from Mullenweg’s actions.
Mullenweg wrote:
“On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.
…This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.”
Automattic Forks Premium Version Of ACF
Social media was buzzing over the weekend because it was noticed that a new version of ACF was published on WordPress.org using a new URL (/secure-custom-fields/), marked as a beta version. David McCan of WebTNG downloaded the plugin, took a look at the code and confirmed that the new version is a fork of the paid version of ACF. He notes that the WP Engine copyright information was removed, remarking that this may be a problem. He also noted that the code that checks whether the software is paid for and licensed has been removed.
Viewing the code, he says:
“We go to the version for secure custom fields. You see the file name is still the same ACF dot PHP, But this one. The header information says secure custom fields. It says the author is wordpress.org. There is no copyright notice in here of WP Engine’s code, which is probably a problem.
So by removing the license check and update from WP Engine, this seems like a classic case of an old plugin which is now being hosted in the WordPress plugin directory. So I’m wondering if this is even a legal fork. I’m not an expert in software licensing law, but my understanding is you need to preserve the original copyright notices when you fork a plugin. It’s one of the requirements.”
Developer Response In Facebook Group
Whether making the pro version of the plugin freely available for download is legal is something for the courts to decide. What Automattic may not have considered is that there is an impact on competitors like Meta Box Pro, who offer similar functionality to ACF. Current users of Meta Box Pro may be incentivized to not renew their current license because they can now get similar premium features for free from WordPress.org.
Someone posted this concern in the private Dynamic WordPress group (posted here, group membership required to view), writing that they had purchased a lifetime license ($699) for Meta Box prior to Mullenweg’s dispute with WP Engine. They wrote that they feel like they made a mistake by purchasing a license for Meta Box, noting that they don’t agree with “stealing” ACF, and expressed that this will cause Meta Box to lose users. A yearly subscription to Meta Box starts at $149/year.
One of the Facebook group members remarked that no, they didn’t make a bad decision by purchasing a license for Meta Box, saying that Matt Mullenweg was the one that made the poor decision. Another group member expressed that he regarded Mullenweg as an unreliable steward of the ACF fork and wouldn’t trust his fork, ACF, on any of the websites he develops.
Other developers agreed that SCF is not trustworthy enough for use on a live website, noting that many sites are having issues with Secure Custom Fields. Someone else noted that this may end poorly for Meta Box within a year from now as SCF becomes more stable. Some members said they’re glad to have Meta Box and are glad to be uninvolved with the WordPress versus WP Engine drama.
Response On WordPress Subreddit
The response from the WordPress community on Reddit was similarly disapproving.
Members of the WordPress subreddit expressed disapproval; nobody was celebrating Mullenweg’s move.
One member posted:
“It’s crazy because they literally are suing someone else for hosting nulled plugins, and that guy had his bank accounts frozen. They are doing the same thing now over at WordPress.”
Someone else shared:
“Oh wow, so this is actually Matt putting the premium/pro version of ACF with all of its features that are normally behind their paywall, up for people to download and use for free on wordpress.org while calling it Secure Custom Forms Pro or whatever, completely out of spite?
This is worse than I thought it was from just seeing the title of this thread, much worse.”
Another post that’s representative of how people feel about WordPress.org distributing a premium plugin for free:
“If he wanted to shoot WordPress in the other foot, this was the perfect move.”
Whether this move will impact ACF’s competitors and the greater premium WordPress ecosystem remains to be seen. One thing is certain: most people on social media appear to disapprove of Matt Mullenweg forking a premium WordPress plugin, and, legal or not, it’s perceived as crossing a line typically associated with software piracy.