WP forks ACF to create SCF, a controversial plugin

Created on: Oct 12th, 2024 - Last Modified: Oct 14th, 2024 - Category: News, UX Rants and Stuff, Web Design

All of us involved in WordPress TRAC received an email from Matt Mullenweg informing us that WordPress.org (and by extension, Automattic) is forking ACF (Advanced Custom Fields) to create a new plugin called SCF (Secure Custom Fields), which will serve as its replacement. But what does this mean, and why is it significant? We’ll explain below, as this is the latest chapter in the ongoing fight between WordPress and WPEngine.

Matt Mullenweg’s Slack Message

The original message by Matt Mullenweg announcing ACF’s forking

If you follow the link in the message, this is the content (only the part that matters). I kept all links so those interested can expand on each of the subjects, just like the original message does.

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.

On October 3rd, the ACF team announced ACF plugin updates will come directly from their website. This was also communicated via a support notice in the WordPress.org support forum on Oct 5th.  Sites that followed the ACF team’s instructions on “How to update ACF” will continue to get updates directly from WP Engine.  On October 1st, 2024, WP Engine also deployed its own solution for updates and installations for plugins and themes across their customers’ sites in place of WordPress.org’s update service.

Sites that continue to use WordPress.org’s update service and have not chosen to switch to ACF updates from WP Engine can click to update to switch to Secure Custom Fields. Where sites have chosen to have plugin auto-updates from WordPress.org enabled, this update process will auto-switch them from Advanced Custom Fields to Secure Custom Fields.

This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

ACF forking… what does it mean?

Before anything else, some readers may not know what forking is or how it works. A fork in software development refers to creating a copy of the source code from an existing software project and using it as the basis for independent development. Forking allows developers to modify the code and create a new version of the software that can evolve separately from the original project.

How Forking Works in the Context of GPL (General Public License)

In the case of software licensed under the GPL, like WordPress, forking is explicitly permitted. The GPL encourages collaboration and sharing by requiring any derivative work (including forks) to be distributed under the same license. Here’s how it works:

  1. Copy the Code: Developers can take the source code of WordPress (or any GPL-licensed project) and copy it.
  2. Modify the Code: They are free to modify the code to add new features, fix bugs, or customize it for their specific needs.
  3. Redistribute: If they choose to redistribute the modified version (whether free or paid), they must do so under the same GPL license. This means that users of the modified version must also have access to the source code and the freedom to modify and redistribute it.
  4. Attribution and Compliance: Forked projects must provide attribution to the original project and comply with other terms of the GPL, such as making the source code available to users.

Forking in WordPress

WordPress, as open-source software under the GPLv2 license, has seen several forks over the years. Some of the notable examples include:

  • ClassicPress: A fork of WordPress that was created in response to WordPress’s introduction of the block editor (Gutenberg). ClassicPress aims to maintain a more traditional user interface.
  • WordPress MU: A fork that was later merged into the core WordPress project, allowing multiple websites to be run from a single installation.

But this is not all: WordPress itself is a fork. It originated from a project called b2/cafelog, an open-source blogging platform developed by Michel Valdrighi. In 2003, when b2/cafelog’s development stalled, Matt Mullenweg and Mike Little decided to fork it and continue its development, leading to the creation of WordPress.

The decision to fork b2/cafelog marked the beginning of what would become one of the most popular content management systems in the world, evolving far beyond its blogging roots into a full-featured CMS. The GPL license of b2/cafelog allowed this kind of forking, which aligns with the open-source philosophy of freely sharing and modifying software.

In short, forking ACF to build SCF is not an issue in itself; in fact, it’s a healthy move for any open-source community like WordPress.

However, given the current situation, it would be naive to think there are no ulterior motives behind this forking. For those unaware, Advanced Custom Fields (ACF) is owned by WP Engine—the same WP Engine currently in a legal battle with Matt Mullenweg.

Advanced Custom Fields History

First, let’s do a quick recap of Advanced Custom Fields (ACF) history to provide some context.

Advanced Custom Fields (ACF) was first developed by Elliot Condon in 2011. It started as a simple way to add custom fields to WordPress, allowing users to easily extend content types beyond the default title and body fields. Over time, ACF grew into one of the most popular WordPress plugins due to its flexibility and ease of use.

Key Milestones in ACF’s History:

  • 2011 – ACF Launch: Elliot Condon released ACF as a free plugin on the WordPress.org repository. It quickly gained popularity for enabling users to create custom fields and meta boxes without needing deep development knowledge.
  • 2012 – ACF Pro: In response to user demand for more advanced features, Elliot released ACF Pro, a premium version of the plugin with features such as:
      • Repeater Fields: Allowing users to create dynamic, repeatable fields.
      • Flexible Content Fields: Enabling more flexible content layouts.
      • Gallery Fields: Making it easy to manage image galleries.
  • 2015 – Continued Growth: ACF became essential for WordPress developers, with thousands of active installations and widespread use in custom WordPress themes and plugins.
  • 2018 – Gutenberg Compatibility: With the introduction of WordPress’s block editor, Gutenberg, ACF adapted to maintain compatibility, allowing developers to continue using ACF alongside the new editing experience.
  • 2022 – Acquisition by WP Engine: WP Engine, a leading managed WordPress hosting provider, acquired ACF along with other plugins like WP Migrate and Custom Post Type UI. The acquisition was seen as part of WP Engine’s strategy to expand its ecosystem by providing essential tools for developers.

Controversy Around ACF

ACF has not been without controversy. As it grew, support—once excellent and personally provided by Elliot Condon—became less available, eventually limited to a forum and a few usage examples that didn’t fully address the needs of less experienced users.

Another point of criticism was ACF Theme Code PRO, a plugin that generates the necessary code to integrate custom fields into themes. Many saw this as a feature that should have been part of ACF itself, but for reasons unknown, Elliot refused to include it.

The plugin’s cost also raised eyebrows—it was expensive for what it did and required a yearly subscription. To put it in perspective, at one point it was priced nearly the same as ACF itself.

There’s a theory that Elliot was behind this plugin to earn extra revenue, but I doubt it. Here’s why: while it’s been said that Elliot and the developers of ACF Theme Code PRO are from the same city and likely connected, even if it’s true, it seems more like a favor between friends. If Elliot had been purely profit-driven, he wouldn’t have offered lifetime access to ACF PRO for unlimited sites at just $99 before selling to WP Engine. For context, this very site uses that deal.

After WP Engine acquired ACF, they introduced significant features like support for custom post types (CPTs)—a major addition requiring substantial effort. Yet, the seemingly simple “code creation” feature, which would only take a few days to develop from scratch, still hasn’t been added.

Now, the controversy has shifted from ACF itself to its fork: SCF (Secure Custom Fields). Let’s explore this further.

First SCF Analysis: Similarities and Differences

First, I want to thank Marcelo Pedra from AMPM Web Hosting for his code analysis and screen captures. If you ever need reliable hosting at an affordable price, I highly recommend him.

Please note that since he is based in Argentina and speaks Spanish, the screen captures are in Spanish. However, they’re easy to follow, and I’ll explain what they show.

Change Log

In a controversial move, Secure Custom Fields has removed ACF’s entire change log, which is somewhat understandable. However, it also retained ACF’s review history. Additionally, take note of the browser’s URL: yes, you’re not mistaken—it still clearly says “advanced custom fields.”

Screen capture of SCF's Change log

I’m pretty sure this screen alone will stir up some turmoil, but we’ll see.

ACF PRO Upgrade Removed

Now take a look at these lines: they’re almost identical. However, the option to upgrade to ACF PRO has been removed from the code. This makes sense since Secure Custom Fields is only meant to replace the features of the free version of Advanced Custom Fields, not the PRO version. So, having an upgrade option to ACF wouldn’t align with the intention behind this fork.

Code comparison between ACF and SCF that shows the upgrade option to ACF PRO has been removed

Additionally, all references to WP Engine were removed as well, which was to be expected.

SCF removed all associations with WP Engine

Security fixes

One of the stated reasons for the ACF fork was security concerns, which were addressed in the SCF version. So, it’s true that Secure Custom Fields is indeed more… secure.

However, as shown in the image below, WP Engine attempted to prevent this, as highlighted in the screenshot. They even acknowledged Automattic’s help. The following is from the ACF PRO update details. Needless to say, it didn’t do much to stop the fork.

Code comparison displaying security measures to strengthen SCF
Capture of the update screen for ACF PRO version 6.3.8

And ACF PRO is gone


SCF essentially removes ACF Pro from the equation, almost as if it never existed. This raises the question: are we going to see an SCF Pro integrated into WordPress core?

While I wouldn’t mind seeing that (especially since I have a lifetime subscription to ACF, so it’s not a big deal for me), I can imagine this would be quite a shock for many others—potentially affecting millions of users.

In short…

There will be plenty of opinions on this move, both for and against it. For now, the only objective points I can make are:

  • Automattic essentially took ACF’s code and removed references to WP Engine and ACF Pro, which is concerning.
  • However, they also added security features that ACF didn’t have.
  • SCF appears to be positioned as the final, definitive replacement for ACF.

Advanced Custom Fields Answer

As I was writing this post, ACF posted on X, see below:

And to add even more drama to the WordPress vs WP Engine debate, someone registered the domain securecustomfields.com a few days before SCF even existed and pointed it to the Advanced Custom Fields website. This seems to support what many people (including Matt Mullenweg) have claimed: that there are WP Engine “moles” inside Automattic and/or WordPress TRAC.

October 13 Update

WP Engine reached out to its customers with the following email:

We are reaching out promptly and directly to inform you of Matt Mullenweg’s (CEO of Automattic and owner of WordPress.org) unprecedented and appalling actions on Oct 12th to forcibly appropriate the Advanced Custom Fields (ACF) plugin and .org listing. The potential impact of Mr. Mullenweg’s improper action is that millions of existing installations of ACF will be updated with code that is unapproved and untrusted by the experts on the ACF team at WP Engine. We want to highlight how you can immediately reduce your exposure and risk now, and ensure you are using the genuine ACF. If your website is hosted on WP Engine or Flywheel or you are an ACF PRO customer – you are not impacted and do not need to take any action. You will continue to get the latest updates, securely from the experts on the ACF team.

If you have a website that is NOT managed on WP Engine or Flywheel AND are using the free version of ACF you must perform a one-time download of the 6.3.8 version via advancedcustomfields.com in order to get genuine ACF updates and remain safe in the future. After this one-time download you will be able to safely update as usual via the WP Admin panel.

If your site has already updated to the modified “Secure Custom Fields” plugin, you can also follow the process above to get back to a genuine version of ACF, and should not experience any loss of configuration or data doing so before there is further change to the ACF code.

The WordPress community has trusted ACF for over a decade and the expert stewards of ACF will continue to support and enhance the capabilities that our users love and trust. If you have any questions our technical support team is standing by to support you. On behalf of our entire team, we are grateful for the continued opportunity to serve your customers, your business and team.

For a more in-depth overview of what has happened with the free ACF plugin and WordPress.org, you can read this post here.

The WP Engine Security team
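Since both messages describe updates that can swap the code behind the same plugin entry, it helps to check which plugin a given site is actually running. The following is an added example, not code from WordPress.org, Automattic or WP Engine: it reads the standard WordPress plugin header from the plugin directory and labels the install as ACF or SCF. The directory name `advanced-custom-fields`, the file name `plugin.php` and the sample version numbers are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

FIELDS = ("Plugin Name", "Version", "Author", "Update URI")
# WordPress reads plugin metadata from a comment block near the top of a
# top-level PHP file in the plugin directory; only the first 8 KB is scanned.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(" + "|".join(map(re.escape, FIELDS)) + r"):(.*)$",
    re.MULTILINE | re.IGNORECASE,
)
CANONICAL = {f.lower(): f for f in FIELDS}

def read_plugin_headers(plugin_dir):
    """Header fields of the first top-level PHP file that declares a Plugin Name."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        fields = {}
        for key, value in HEADER_RE.findall(head):
            fields.setdefault(CANONICAL[key.lower()], value.replace("*/", "").strip())
        if "Plugin Name" in fields:
            return fields
    return {}

def classify(plugin_dir):
    """Return ("ACF" | "SCF" | "unknown", headers) for the code in plugin_dir."""
    fields = read_plugin_headers(plugin_dir)
    name = fields.get("Plugin Name", "").lower()
    if "secure custom fields" in name:
        return "SCF", fields
    if "advanced custom fields" in name:
        return "ACF", fields
    return "unknown", fields

def make_sample(root, site, name, version):
    """Constructed sample install; slug, file name and versions are illustrative."""
    d = Path(root) / site / "wp-content" / "plugins" / "advanced-custom-fields"
    d.mkdir(parents=True)
    (d / "plugin.php").write_text(
        f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return d

def demo():
    with tempfile.TemporaryDirectory() as root:
        dirs = {"site-a": make_sample(root, "site-a", "Advanced Custom Fields", "0.0.1"),
                "site-b": make_sample(root, "site-b", "Secure Custom Fields", "0.0.2")}
        return {site: classify(d) for site, d in dirs.items()}

if __name__ == "__main__":
    for site, (label, fields) in demo().items():
        print(site, label, fields.get("Version"))
```

Run `classify()` against each site's real plugin directory before and after an update window; a label that changes without a deliberate decision on your side is the event worth investigating.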

Frequently Asked Questions About Secure Custom Fields

After just a few hours, there are already many questions about this move. I’ll answer them as they come up, but keep in mind that this is still very new, and things are likely to evolve quickly.

Is SCF replacing ACF completely?

No. You can still use the free version of ACF, or switch to SCF, which offers the same features.

Is it safe to replace ACF with SCF?

Yes. SCF is essentially the same code as ACF, just without the ACF PRO references.

What if I use ACF PRO? Can I use it with SCF?

Yes, SCF is a direct replacement for ACF, so you can continue using ACF PRO with it. In fact, much of what you’re seeing on this page uses SCF alongside ACF PRO.

Will I be able to download ACF from the WordPress repository?

It seems unlikely. As shown in one of the first images in this article, Automattic has replaced the Advanced Custom Fields plugin page with Secure Custom Fields. However, it’s still too early to say for sure.

Is there an alternative way to download ACF?

Yes. WP Engine users can update ACF Free and Pro using the WPE updater plugin. More details here.

Is Secure Custom Fields as safe as Automattic claims?

Yes. The security issues were patched, and WP Engine has acknowledged this.

Will this change affect me as a user in terms of features, usability, legality, or anything else?

Not really. There are ethical concerns being raised by developers, but for end users, this change doesn’t make much of a difference.

Is SCF being added to WordPress core as originally promised?

No. For now, it functions as a plugin, just like ACF.
