In a surprise announcement, WordPress co-founder Matt Mullenweg revealed a new fork of the popular Advanced Custom Fields (ACF) plugin, named Secure Custom Fields (SCF), in response to an ongoing legal dispute with WP Engine, ACF’s parent company. The new fork, which addresses a security issue in ACF and removes commercial upsells, marks a unique moment in the WordPress community as WordPress.org assumes control of a third-party plugin’s development and distribution.
The decision to fork ACF stems from a legal and security dispute involving WP Engine, which has been barred from accessing the WordPress.org platform. The ban means WP Engine and its affiliated developers cannot directly update plugins in the repository, an issue that arose recently when a security vulnerability was found in ACF. To address the vulnerability while bypassing WP Engine’s involvement, WordPress opted to fork ACF and create SCF, a non-commercial variant of the plugin designed to maintain ACF’s core functionality without the upsells that WP Engine had included.
“This update is as minimal as possible to fix the security issue,” Mullenweg stated in the official announcement. He encouraged developers to join the effort to maintain SCF as a secure, non-commercial alternative to ACF. Although this move is highly unusual, WordPress’s Plugin Directory guidelines allow the organization to take over plugin maintenance in specific situations, including security concerns.
WP Engine responded with sharp criticism, accusing WordPress.org of violating open-source principles by appropriating ACF. The company asserted that it had been actively developing ACF since acquiring it and was blindsided by the forced fork. In a series of public statements, WP Engine highlighted that no prior action in WordPress’s 21-year history had involved taking a plugin from its creator without consent, arguing that the move sets a dangerous precedent.
“This essential community promise has been violated,” WP Engine declared, urging the WordPress community to reflect on the ethical implications of WordPress’s decision. In contrast, WordPress maintains that the fork was necessary to resolve an immediate security risk affecting over two million users of ACF.
The forking of ACF has sent ripples through the WordPress ecosystem. Reactions have been mixed, with some supporting the need for secure software management and others alarmed at the precedent of WordPress.org intervening in third-party plugins. Security team members voiced varying levels of support and concern, emphasizing the broader implications for plugin developers. Colin Stewart, a member of the WordPress Security Team, tweeted that he was unaware of the decision before the announcement, adding fuel to the debate.
Prominent voices in the WordPress community, including security consultant Tim Nash, have echoed concerns about transparency and communication between WordPress and its ecosystem’s stakeholders. As SCF officially rolls out, plugin developers are questioning whether WordPress could take similar actions with other plugins in the future. Although Mullenweg clarified that this action is “rare and unusual,” the move underscores a shifting power dynamic that WP Engine describes as a violation of the open-source ethos.
For ACF’s millions of users, the fork represents both a choice and a challenge. Users can continue with SCF from the WordPress repository, receiving critical updates and security patches, or opt to install ACF 6.3.8, the latest version from WP Engine’s repository. However, users who rely on automatic updates will be moved to SCF unless they manage their updates manually. WP Engine reassured its customers that this change would not impact ACF PRO users, who receive their updates directly from the company’s servers.
While forking has a long history in open-source projects, as evidenced by WordPress itself, the scale and nature of ACF’s forking are unprecedented within the WordPress community. By creating SCF, WordPress emphasizes security and independence from commercial interests, a stance that has triggered widespread debate. Some community members see this as a necessary move to protect user security, while others worry about WordPress’s expanded role in overseeing and controlling plugin development.
As both SCF and ACF continue independently, the community will likely keep a close eye on the evolution of this dispute, watching for potential impacts on WordPress governance, plugin development practices, and the boundaries of open-source collaboration.