To me this is indistinguishable from an account takeover attack executed by an insider. I doubt any prosecutor would be interested, but to my eyes WordPress.org has violated the CFAA by accessing WordPress instances outside the bounds of their authorization. They were authorized to modify WordPress instances in ways ACF prescribed, not in ways of their own choosing.
I'm not saying I'd like to see Mullenweg in chains, I wouldn't. But WP.org's escalating legal exposure is really concerning. I feel like we're at risk of losing a cornerstone of the web. People are talking about a different open source CMS eating their lunch, but I think the more likely scenario is that people move to Squarespace, Wix, Facebook, et cetera, and open source content management becomes niche.
Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.
EDIT: I confirm our ACF plugins on sites are all switched to Secure Custom Fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our client's sites). Let's see what comes next...
EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.
This should be the top comment. It's already scary for a package manager to take control of a community package, even more so when sites auto-update to new code... but to break existing sites by completely changing the code that is provided in an auto-update is beyond the pale.
Not a lawyer, but I imagine many consultancies will be talking to lawyers about this one; there are entire sections of law about interfering with other companies' contracts with each other. At minimum it's an appalling breach of trust.
(community member, not affiliated with WP, WPE, or A8C)
I can confirm this has been escalated internally in the WP slack.
I can also provide this context which I found concerning, given the way this was taken over and rolled out on a Saturday afternoon, which I have also been dragged into now as a fellow site maintainer.
> "in a few days we'll have a Github where people can get involved, and we can also set up proper build systems, etc" - Matt Mullenweg
So it's all in flux obviously. I let them know the same thing, that I find this to be a malicious supply chain attack that is affecting the community.
I’d love to hear how he justifies taking away this engineer’s Sunday. I doubt this person is the only person working this weekend due to Matt’s theft of ACF.
Install the official free plugin from the Advanced Custom Fields website and remove the SCF version. You won’t need to change any existing code then, and future updates will come from the plugin dev for ACF.
How did the sites auto-update to have this plug-in removed/replaced? Are your sites set up to just automatically take push updates from WordPress central command or something and auto-modify themselves?!
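For the auto-update question above and the advice to reinstall from the vendor's own site, here is an added example (not code from the thread, from ACF or from SCF): a small must-use plugin that refuses unattended updates for one pinned slug and raises a dashboard notice when the plugin header on disk no longer matches the identity you expect. It assumes the upstream file layout `advanced-custom-fields/acf.php` and the expected header values in the constants; adjust those to your install.

```php
<?php
/**
 * Plugin Name: Pin ACF (added example for this thread, not part of ACF or SCF)
 *
 * Drop into wp-content/mu-plugins/. Two defensive controls for the
 * same-slug takeover discussed in the thread:
 *  1. block automatic updates for the pinned slug only, so new code under
 *     the same slug is not installed without a human reviewing it;
 *  2. compare the installed plugin header with the expected identity and
 *     surface an admin notice (and a log line) when it drifts.
 *
 * Assumed values: file path of the plugin main file and the expected
 * Name/Author header strings. Verify them against your own install.
 */

define( 'PINACF_SLUG', 'advanced-custom-fields' );               // plugin slug in the .org repo
define( 'PINACF_FILE', 'advanced-custom-fields/acf.php' );       // assumed main file (upstream layout)
define( 'PINACF_EXPECTED_NAME', 'Advanced Custom Fields' );      // assumed expected header Name
define( 'PINACF_EXPECTED_AUTHOR', 'WP Engine' );                 // assumed substring of header Author

// 1. Refuse unattended updates for the pinned slug; every other plugin is untouched.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && $item->slug === PINACF_SLUG ) {
        return false;
    }
    return $update;
}, 10, 2 );

// 2. Read the header of the plugin actually on disk and report any mismatch.
// Returns null when the identity matches, otherwise a human-readable reason.
function pinacf_drift() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $path = WP_PLUGIN_DIR . '/' . PINACF_FILE;
    if ( ! file_exists( $path ) ) {
        return 'pinned plugin file missing: ' . PINACF_FILE;
    }
    // markup=false, translate=false: compare raw header strings, not rendered HTML.
    $data = get_plugin_data( $path, false, false );
    if ( $data['Name'] !== PINACF_EXPECTED_NAME ) {
        return sprintf( 'plugin Name changed: expected "%s", found "%s"',
            PINACF_EXPECTED_NAME, $data['Name'] );
    }
    if ( strpos( $data['Author'], PINACF_EXPECTED_AUTHOR ) === false ) {
        return sprintf( 'plugin Author changed: found "%s"', $data['Author'] );
    }
    return null;
}

add_action( 'admin_notices', function () {
    $drift = pinacf_drift();
    if ( $drift !== null ) {
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $drift ) );
        error_log( 'pin-acf: ' . $drift );
    }
} );
```

Blocking the auto-update only stops the unattended path; a manual "Update now" in the dashboard still installs whatever the repo serves under that slug, which is why the header check is there as well.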
At the heart of this - if you consider it generously - is a principle that we can possibly all sign up to, namely that "large commercial entities" should (should from a moral, not legal standpoint) "pay back" to the open source software that makes them money.
The principle however has been totally undermined by MM's actions, which have been completely out of line. His behaviour has been abhorrent. I've been shocked (possibly naively) that a single individual could have such huge power over an open source project that they could literally turn it off (referring here to the update mechanism that WPEngine was using).
I've been even more shocked and appalled by this plugin takeover. ACF is a central piece of pretty much all WP developers' / agencies' toolkit. Those of us who have been in this game a long time remember WP before it, and the breath of fresh air that it was to finally be able to define complex relationships between posts and provide our users with a GUI that actually worked well for complicated sites. ACF have pushed and supported this technology for years and years - firstly under the expertise of Elliot Condon, now under the aegis of WPEngine. I know some of the developer team at ACF personally - they're excellent people, making brilliant code, and most of them are putting huge efforts into WP as an open source project even aside from their efforts in maintaining and extending ACF.
The forking of a plugin is one thing. A fair way to do this would be to fork it, and start from zero installs. Automattic could have done that, promoted the hell out of "SCF" and got users in a way that was at least slightly (?) fair.
Simply switching the name and keeping the slug - and thus the 2+million sites - should be thought of as theft. It's outrageous, it's totally petty, and I so far haven't seen a single person being supportive of this (probably?) unilateral action by one - apparently increasingly unhinged - individual.
The wider problem of course is the effect this has on the vibrant WP ecosystem which as someone else in this thread has pointed out is a critical (erstwhile) open cornerstone of the web.
I am still hoping that this will subside into history and it'll all sort but it has left me and many WP devs I know with a pretty bitter taste.
The irony of this move is that his main argument to keep people on his side over this has been that WP Engine has not been contributing. He's been saying over and over that he's doing this because they're not giving back.
Now, when he's already failed to bring the community on board with his attacks, he decides that his next move is to make a big show of stealing something that had he done nothing many people would not have realized was a WP Engine property, with the net effect of reminding people that WP Engine has been responsible for maintaining what is widely considered to be the most essential plugin in the ecosystem.
But that doesn't count as giving back because... reasons.
A reasonable standard for the plugin infrastructure would be to charge and allow free access to people with sufficient contribution history.
So Matt’s company which has sufficient contribution history would get free access and WP engine could either pay for access, contribute more to WordPress, or make their own plug-in infrastructure.
> "large commercial entities" should (should from a moral, not legal standpoint) "pay back" to the open source software that makes them money.
> ...
> I know some of the developer team at ACF personally - they're excellent people, making brilliant code, and most of them are putting huge efforts into WP as an open source project even aside from their efforts in maintaining and extending ACF.
The ACF team writing that open source ACF code are on WP Engine's payroll.
The official WP announcement of this said “we don’t plan on doing this to other plugins.” lol. Anyone think they pinky promise? More like: build on WordPress and unless you kiss the ring some guy named Matt will disappear your business.
Exactly. He also ends his post with a "separate" boast about poaching one of WPE's engineers. It's so obvious that this is just a giant FU to WPE and nothing else.
Wow, this is a big deal. Matt Mullenweg taking over ACF like that? Not cool. It's not just about messing with years of hard work, but think about all those WordPress sites now running code the ACF team didn't approve. Kinda scary when you think about it. Hope this doesn't become a trend in the open-source world.
This is particularly bananas as ACF is basically table stakes for doing anything beyond blogging. I’d assume most websites that make actual money are thoroughly dependent on it.
To twist the knife on a personal spat, Mullenweg just blew up uncountable businesses on a double-holiday weekend. At this point, seriously, fuck that guy.
> This is particularly bananas as ACF is basically table stakes for doing anything beyond blogging.
Not sure about this.
I'd assume most Wordpress sites that make actual money are dependent on WooCommerce and Easy Digital Downloads, and maybe Gravity Forms/WP Forms for member subscriptions.
None of these are reliant on ACF, and there's any number of WP plugins like this that do the whole job of some website niche or other.
(I've been doing bespoke WP builds for at least a decade -- first one probably more like 14 years ago actually -- and I've not used ACF a single time. There has always been an alternative, and for a developer it's a bad choice.)
Either way: I don't think ACF's popularity is the major factor here. It's that it's an outright abuse.
The word "gaslighting" gets overused but it applies quite well to what ACF free plugin users are experiencing here.
As to "blew up": I am not sure how many money-making ACF users this has affected, because they tend to use ACF Pro, which is a separate download.
What appears to have been removed from ACF to make this shady SCF nonsense is the upsell marketing. Not sure what other breakage there would/could have been. I have seen people say things have broken but I suspect they are relatively minor issues caused by the actual ACF security patch which is also shipped here... because they haven't changed much.
Though if Secure Custom Fields is getting the blame for the breakage, that's kismet, karma, whatever you want to call it.
The whole thing is https://plugins.trac.wordpress.org/changeset/3167679/advance... it's very close functionality-wise right now to ACF. Not identical, already. While I am not a lawyer, it almost certainly violates the ACF trademark, as the code and reviews contain a lot of references to ACF and the Advanced Custom Fields trademark, which is literally the project slug. Some suspect a request for an emergency injunction might follow next week. And most certainly it also violates community trust very, very big time.
This on top of the "swear fealty" checkbox on login which caused multiple high profile contributors to leave and now shut the accessibility team down https://i.imgur.com/0jCZnlm.png
After all this drama, it feels like WordPress has reached its peak and is now starting its decline. Of course, it will take years, and the process may be volatile, but the overall trend will likely be downward.
AFAIK there is just no other free and open source CMS with a similarly mature ecosystem, which could replace WordPress. So many websites, companies and agencies are built on WordPress, it would take a decade to move away.
This would be the same as Google replacing Spotify with YouTube Music on Play Store and pushing YouTube Music in its place on all Android devices. It's insane.
The challenge is that this drama seems to be unmasking the reality that for the past decade or more, Matt has grown used to referring to Automattic, WP.com, WP.org, and the WPF interchangeably and synonymously.
Concerning is not just the things he's said, but what he has done that goes along with this. Self-dealing? Improper tax accounting?
The WordPress Foundation doesn't own WordPress.org. As far as I can tell it basically only owns the WordPress trademark, which it immediately turned around and gave away to Automattic in an exclusive license for unclear consideration.
WordPress.org, and therefore the entire plugin repository, is owned by just Matt and maintained by a division within Automattic. The .org-ness of it was just a smokescreen all along.
When the drama first started, I thought @photomatt’s plan might be to build ACF directly into WordPress (and maybe get rid of Gutenberg). I’m not sure if taking control of the plug-in is a step in that direction or if he probably could have incorporated ACF without taking over the plug-in. What’s the endgame?
I received an email from ACF urging me to update my installs. While I appreciate the gesture, I see they mentioned Matt Mullenweg without specifying who he is or what he did. Now, I'm a HN reader, but it could be wise to give more context to their many users who are probably clueless about the whole drama.
foosantos|1 year ago
It would be fantastic if people could open a topic there or a thread on Slack if they face any issues.
luckylion|1 year ago
Did they also rename filters and functions? I thought it was only the name and mentions of ACF in the docs. What did you rely on?
gg-plz|1 year ago
If they’re actively breaking people’s sites I’d hope they can get an emergency injunction ASAP, and maybe someone can start a CFAA investigation.
hello_moto|1 year ago
He is probably trying to make a point about what WPEngine is doing (based on his own perspective).
mikeyinternews|1 year ago
https://wordpress.org/news/2024/10/secure-custom-fields/
gg-plz|1 year ago
> Hey @WordPress. Are there any further plugins that we can expect to be forked?
> There are no others we're aware of at this time, but you are welcome to suggest some.
gnabgib|1 year ago
(160 points, 23 hours ago, 174 comments) https://news.ycombinator.com/item?id=41821336
(383 points, 23 hours ago, 188 comments) https://news.ycombinator.com/item?id=41821400
andix|1 year ago
The only possibility I can think of is a fork.
andix|1 year ago
This should be rather easy, because all WordPress plugins are GPL-licensed because of copyleft.
I don't care about the current dispute, but wordpress.org can't be trusted any more.
ChrisArchitect|1 year ago
https://news.ycombinator.com/item?id=41821336