Secure Custom Fields by WordPress.org

156 points posted 18 hours ago
by ValentineC

180 Comments

akira2501

17 hours ago

> This update is as minimal as possible to fix the security issue.

> This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

So.. is this fixing a security issue.. or is this because of WP Engine?

> and are forking Advanced Custom Fields (ACF) into a new plugin

And stealing their place in the plugin store. A fork generally implies that you are going to set off on your own, and not inhabit the dead flesh of the project you just killed.

Matt Mullenweg is the biggest child I have ever seen in operation.

throw16180339

16 hours ago

> So.. is this fixing a security issue.. or is this because of WP Engine?

AFAIK, here's the timeline.

1. Automattic announced that there was a security issue in ACF.

2. WP Engine fixes it immediately.

3. Automattic bans the WP Engine developers from Wordpress.org, so they can't deploy the fix. This places millions of users at risk, but that's how they roll.

4. Automattic forks ACF, removes the commercial upgrade, and renames it.

claudiulodro

17 hours ago

> So.. is this fixing a security issue.. or is this because of WP Engine?

It's fixing a security issue WP Engine cannot fix because they are banned from wordpress.org.

Sebguer

17 hours ago

*Has fixed, but can't post the fixed version to wordpress.org, to be clear

mthoms

15 hours ago

Not just "stealing their place in the plugin store" but also blatantly committing trademark violations. https://imgur.com/a/D7YHn4e

Pot... Kettle... Something, something.

CharlesW

17 hours ago

So WordPress-the-org — which is effectively Matt, as far as I can tell — just Sherlocked a developer's plug-in using the developer's own code, ostensibly as retribution for a security issue that the developer had already fixed. https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

What am I missing?

sureIy

17 hours ago

> Sherlocked

The verb you're looking for is stole

Sherlocking is when a Walmart is built next to a cornershop. Here the dude tore open the corner shop while claiming to be a victim.

CharlesW

16 hours ago

When I posted, I was under the impression that ACF was open source. But the GitHub repo doesn’t list one, so if it’s not open source…WTF.

sureIy

16 hours ago

Forking isn't the issue. Here they just took the whole ID/address from which existing installations will continue to be updated. This is theft. I have no doubt it will be added to the lawsuit.

While technically they own the platform and can do whatever they want, there is clearly ill intent here and it'll be used against them.

danillonunes

16 hours ago

I think being GPL is a requirement to host plugins in wp.org, so yes, that free version available there is (was?) open source.

ValentineC

16 hours ago

> When I posted, I was under the impression that ACF was open source. But the GitHub repo doesn’t list one, so if it’s not open source…WTF.

Isn't it here?

https://github.com/AdvancedCustomFields/acf

If you mean the licence, it's in readme.txt:

https://github.com/AdvancedCustomFields/acf/blob/master/read...

forrestthewoods

16 hours ago

Clearly AdvancedCustomFields should have filed a trademark to prohibit Wordpress from fully stealing it.

GPL code, trademarked branding. If you want to fork then you have to actually fork.

Oh the irony.

snapetom

16 hours ago

Or, more blatant and accurate, Sherlocking is when Apple literally named their search product "Sherlock" when a popular third party shareware app named "Watson" already existed.

user

14 hours ago

[deleted]

user

17 hours ago

[deleted]

photomatt

17 hours ago

This release fixes a separate security vulnerability from the original update.

DanielLestrange

6 hours ago

Unfortunately you have no proof of that, because the only relevant changes are actually neither introducing fixes, nor ever changing the plugin core code in a way that fixes security issues. The only thing done is removing a LOT of references, links, and instructions that would remind users of WP Engine, as well as all compatibility with the PRO features.

Then, you added a few irrelevant changes that to the inexperienced eye look like security fixes https://plugins.trac.wordpress.org/changeset?old_path=%2Fadv...

However, these are no fixes. You just introduce a new variable that you never use, and re-assign the same contents of that new variable back to $_REQUEST.

Unless you show proof of a security fix - which you could have pushed to users WITHOUT renaming the plugin, WITHOUT removing original, non-security related code, and WITHOUT breaking compatibility with the PRO features - you have LIED and STOLEN code in the name of WP.ORG

This will hopefully be recognized by WP Engine and if god wills, remove you from the equation once and for all legally speaking.

NeonNautilus

16 hours ago

Can anyone else prove this security vulnerability actually existed?

mirzap

16 hours ago

It doesn't matter. Matt didn't have the right to hijack ACF.

jnwatson

16 hours ago

I'm not on Matt's side, but anyone has the right to fork a GPL project and call it something else.

mirzap

15 hours ago

This is not a fork. He stole the original project plugin space, its reviews, download statistics, SEO traffic, etc. It has nothing to do with GPL.

ankleturtle

15 hours ago

Wow. I will never contribute anything to WordPress again.

ImPostingOnHN

15 hours ago

That isn't what happened here.

user

14 hours ago

[deleted]

ankleturtle

15 hours ago

You are abusing the community for your own gain. Stop!

bigiain

6 hours ago

So far as I can tell, when Matt talks about "the WordPress Community", he means:

- Matt
- the people who didn't quit Automattic last week
- _maybe_ the WP core developers who don't work at Automattic, so long as they keep their criticisms to themselves

And the community of people who _use_ WordPress to run their websites, and the people who help them to do that, and the 3rd party plugin and theme developers who make WP work for so many different kinds of websites - can all go and get fucked.

geerlingguy

15 hours ago

What is he gaining at this point?

bigiain

6 hours ago

Avoiding the embarrassment of backing down and admitting he is wrong.

Apparently that's worth burning down his life's work and legacy for.

user

15 hours ago

[deleted]

ankleturtle

13 hours ago

Harm of WP Engine.

kuschku

10 hours ago

Harming WPEngine is not even beneficial to Wordpress anymore.

With the level of revenge Matt is applying you'd think WPEngine murdered his dog or something.

It just makes no sense.

acherion

12 hours ago

At the cost of also harming WP. Well done Matt. clap clap (these are sarcastic claps)

minimaxir

11 hours ago

There's a reason mutually-assured destruction is abbreviated MAD.

youngtaff

12 hours ago

Matt… stop being a dick…

gg-plz

16 hours ago

The maintainers [1] and the Wordpress project’s core security team lead [2] said that the fix was already published, despite your blocking them from publishing it directly and irresponsibly disclosing the issue out of spite [3].

Was that not true?

[1] https://x.com/wp_acf/status/1843376378210857441

[2] https://x.com/johnbillion/status/1843750679141331039

[3] https://x.com/johnbillion/status/1842627564453454049

gg-plz

16 hours ago

Sorry, I misread, disregard. I’d delete the comment but HN won’t let me.

Kye

16 hours ago

Related: the main developer on the Fields API proposal is calling it quits on involvement with WordPress.

https://github.com/sc0ttkclark/wordpress-fields-api

I'm not entirely sure what it is but it has over 350 stars and quite a few forks so it's probably important.

taikahessu

16 hours ago

Now-resigned maintainer Scott is also lead dev of Pods, an awesome ACF-like plugin.

Lines have been crossed by stealing other people's code, which is what happened in the case of ACF to SCF, IMHO.

RobotToaster

17 hours ago

Wordpress banned forks from the plugin directory a while ago, so they're doing what they ban everyone else from doing. https://make.wordpress.org/plugins/2021/02/16/reminder-forke...

sureIy

17 hours ago

Rules are for thee, not for me

batuhanicoz

17 hours ago

ACF isn’t a premium plugin (linked post only concerns those).

The linked post also might not reflect the current policies. This update was a security update and was done due to the unique circumstances around the original publisher.

throw16180339

16 hours ago

There are a lot of other employers that won't make you lie for them.

batuhanicoz

16 hours ago

If you point to any lies told by me, I would love to correct them.

No one has told me to come here and defend anyone. I work at a part of Automattic that is isolated from anything WordPress — I don’t have to be here.

I am defending values I believe in. I am trying to make sure correct information is out there.

You are free to not believe that of course.

DonnieBurger

16 hours ago

If Microsoft took over an existing GitHub repo, would those values be the same?

throw16180339

16 hours ago

The correct information is that your employer created the security problem as part of their shakedown attempt. They then banned the WP Engine developers from Wordpress so that they couldn't update the plugin. Now they've forked the plugin, removed the commercial upgrade, and renamed it.

I'm not sure where values come into it. I'd be ashamed to work there.

dmvdoug

16 hours ago

What values are those, exactly?

bombcar

15 hours ago

US dollar values deposited into the accounts every paycheck, I assume.

bigiain

6 hours ago

"It is difficult to get a man to understand something, when his salary depends upon his not understanding it." -- Upton Sinclair (probably, may be apocryphal)

throw16180339

14 hours ago

Automattic is an open source company, albeit one controlled by a melodrama villain.

albedoa

8 hours ago

Seven hours have passed without you being able to name one (1) of those values. Such integrity!

labster

5 hours ago

Some people have better things to do with their life than win internet arguments, man.

CrimsonRain

14 hours ago

Your values are doing open source dirty.

user

16 hours ago

[deleted]

Sebguer

16 hours ago

The mental gymnastics you keep doing to defend your boss are impressive, and I'm sure will reflect well on your next perf cycle!

rasso

16 hours ago

Exactly. ACF is free and open source. ACF Pro is not. Secure Custom Fields is based on the free version (ACF, without "Pro").

maxloh

5 hours ago

Because WordPress is licensed under the GPL, all plugins must be licensed under GPL-compatible licenses. This applies to ACF Pro as well.

luckylion

15 hours ago

It still uses trademarks from ACF, those are obviously not "open source", which also has been Matt's & wordpress.org's stance since forever: the _code_ is GPL, but the assets are not.

If you "fork" the assets, you're not covered by GPL.

Obviously it's nonsense to discriminate between the free version of a freemium plugin and a commercial plugin and this is simply a stupid way to lash out.

xenago

16 hours ago

Spamming nonsense isn't a good look...

bullenweg

17 hours ago

If anyone from Automattic is reading this and would like to confidentially leak any internal information about this behaviour from Matt, please email admin@bullenweg.com and I will publish it on bullenweg.com.

ivanmontillam

17 hours ago

This is excellent!

Is there a repo of this website?

It would be good to have for preservation purposes.

photomatt

17 hours ago

It actually is an excellent website, and the repo is here: https://github.com/bullenweg/bullenweg.github.io

bullenweg

17 hours ago

I have been unable to convince Jason Bahl to share the ~threats~ ~coercion~ terms you used to convince him to join Automattic. Your contribution via GitHub of the terms that you used to ~coerce~ persuade him into defecting would be appreciated.

onnimonni

15 hours ago

Matt, you probably don't remember me but we met briefly at WordCamp Vienna 8 years ago. I was hugely inspired by you for many years and still was until a few weeks ago.

It's not too late to stop this madness.

mthoms

15 hours ago

People are concerned about you, my dude. Very concerned. From one human being to another - please consider taking a step back to get some perspective.

discostrings

17 hours ago

Blog post on wordpress.org concerning this: https://wordpress.org/news/2024/10/secure-custom-fields/

righthand

17 hours ago

> There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.

Anything to prop up their position and throw the company they are attacking under the bus. What a jerk.

None4U

16 hours ago

Which, by the way, previously ended with "We expect others will defect as well." before the post was edited

righthand

15 hours ago

Not surprised. What scum.

user

8 hours ago

[deleted]

0cf8612b2e1e

17 hours ago

> This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

Yeah, that is not how trust works.

smarx007

17 hours ago

> This update is as minimal as possible to fix the security issue.

What is the actual issue? CVE number?

jorams

17 hours ago

The diff contains two (identical) changes that aren't just ripping out upgrade notices for the pro version: Two functions that stop callbacks from accessing $_POST now also stop them from accessing $_REQUEST, which also contains everything in $_POST. Also confirmed by WP Engine's update notice[1].

I honestly don't see why anyone would treat this as a security issue. Everything involved is PHP code that can do whatever it wants, not in any kind of sandbox.

Edit: And even if it were this update doesn't fix the problem. POST variables can still be accessed:

    filter_input(INPUT_POST, 'name');

[1]: https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

Sebguer

17 hours ago

Details haven't been made public yet: https://www.cve.org/CVERecord?id=CVE-2024-9529

Though, Automattic posted publicly that there was a vulnerability shortly after filing the CVE, while simultaneously blocking WPEngine from being able to push a fix to it because they'd cut off access to wp.org

FireBeyond

9 hours ago

I wonder how many Automattic resources Matt threw at ACF to find a vulnerability to catalyze this situation?

ImPostingOnHN

8 hours ago

Same, I was imagining Gavin Belsom and his warehouse full of Hooli employees scouring over the Pied Piper demo.

Similarly, this is all to resolve the personal grudge of an exceedingly rich dude who wants even more money.

mananaysiempre

17 hours ago

I can’t find the actual number because Automattic’s tweet[1] announcing it has been deleted, but it’s the one mentioned in the ACF 6.3.8 release notes[2]. The authors of ACF can’t upload that version to wordpress.org themselves because Matt banned them from there before making the announcement.

ETA: Matt says[3] it’s a different vulnerability. Anybody willing to break out the almighty diff?

[1] Discussed at the time: https://news.ycombinator.com/item?id=41752289

[2] https://www.advancedcustomfields.com/blog/acf-6-3-8-security...

[3] https://news.ycombinator.com/item?id=41821829

kristofferR

17 hours ago

I think they mean that it's developed by WP Engine and that's the security issue.

righthand

17 hours ago

If anyone is interested in the extended controversy surrounding Wordpress, there is a site that has been tracking everything.[0]

[0] https://bullenweg.com

kristofferR

17 hours ago

Wow, I hadn't heard about the nosebleed incident. Absurd, even if he ain't snorting coke, it's deeply weird to continue an interview while profusely bleeding as if nothing is happening.

shermantanktop

15 hours ago

I have no stake in any of this but some people have nosebleeds without anything nefarious or bad going on. This guy doesn’t need any help looking bad, suggesting that his nosebleed is important is stupid.

kristofferR

15 hours ago

It's not the nosebleed in itself, it's the ignoring of the blood streaming down the face during a video interview that is the most curious. And it wouldn't be as relevant if the subject hadn't acted increasingly erratic and self-destructive in the same time period.

It's not "important", it's just deeply weird, because it tracks.

corobo

13 hours ago

Him being in the middle of a mad coke bender would explain so much. I'm accepting this as canon until we find out WP Engine slept with his wife or something

delichon

17 hours ago

As a builder of a small specialized CMS for which WordPress is a large generalized competitor, thanks Matt. Refugees welcome.

ivanmontillam

17 hours ago

I'm rooting for this to happen. Best of luck to the new king of the market.

DonnieBurger

17 hours ago

I'm interested. Please do share.

delichon

16 hours ago

Thanks but I'm going for pseudonymity on this account. Just a few dozen clients.

DonnieBurger

16 hours ago

Perhaps you should edit out "refugees welcome" then.

user

16 hours ago

[deleted]

notamy

17 hours ago

Good lord, why?? That’s such a petty move and is just doing further damage to the WordPress ecosystem.

dylan604

17 hours ago

scorched earth is always so successful

sureIy

17 hours ago

This gets better by the day.

I'm so rooting for WPE and I hope the judge will lay it heavy.

sgdfhijfgsdfgds

17 hours ago

OK so:

1) WordPress clearly lacks functionality like ACF that belongs in core

2) Many developers clearly like ACF

3) Many do not (it's messy in the DB, if you ask me)

4) Core functionality that was if not API-compatible, at least API-familiar with ACF would be welcomed by many

5) Creating a new plugin that did this, that was transitioned into core (like other functionality has been), would be a good plan

6) Commandeering the slug for a decade-old commercial plugin like this, to replace it with a fork, is so obviously fucking bad form that it's still hard to believe it is happening even given all the other whatthefuckery that has been happening.

ETA: 7) "Secure Custom Fields"? Really? The difference is what?

What the fuck, Matt?

ETA: personally I understand many of the frustrations with WP Engine's positioning. I have experienced exactly the trademark confusion issues that the lawsuit has been about, where clients have assumed WP Engine is WordPress itself. I don't use them after some iffy customer service and technical issues early on. But this is absurd behaviour.

Sebguer

17 hours ago

The fucked thing is that per the article, they're not even dedicating any resources to maintain it going forward, they've just made this one fix and are throwing it to other people to maintain if they want:

> Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

photomatt

17 hours ago

We have taken on stewardship of this code going forward, and will dedicate engineers to it. Probably more than Silver Lake does.

ceejayoz

16 hours ago

So, the ACF plugin is a useful contribution to the WordPress ecosystem? Significant enough to warrant bringing it in-house now? Is work on it included in your assessment of what WPE contributes?

Sebguer

16 hours ago

Why don't you mention this in the post at all?

user

16 hours ago

[deleted]

xenago

17 hours ago

So, wordpress is being burnt to the ground by Matt. Just great. :/

mattbee

17 hours ago

I can't even follow what's going on here, and I used to be an expert in software licensing drama. All I see is a bunch of unilateral actions driven by Matt Mullenweg that break so many implicit promises of how a free software steward should behave.

Wordpress sites quite often seem to be a hodge-podge of plugins, each with their own UI and conventions, and (as a host) I'm never an expert in any one of them. Has one of the site designers used a plugin that has offended Matt? Or that might offend him in the near future? How do I even audit for that?

I don't need much of a push to move my position on this. Before: "eh, use Wordpress if it's cheaper" Now: "please don't, that decision will probably cost me".

Scaevolus

15 hours ago

Theoretically WPE might be a bad actor-- perhaps even more than any commercial competitor naturally is-- but they're smart enough to not smear it around with absurd moves like this that radiate a lack of professionalism or ability to predict reactions.

mirzap

17 hours ago

Pathetic. Matt banned one of the most popular WordPress plugins. Then, he forked the code and hosted it on WP.org, which is against the Terms of Service. He also hosted it in the plugin directory on the same path as ACF, stealing its SEO traffic. Wow!

Matt's state of mind is clearly not good. If I were an investor in WordPress, I would start thinking about cutting my losses. WordPress will not recover from this self-inflicted destruction.

*Update* Oh, it's worse than that. He just renamed the ACF to SCF and claimed all the installations and reviews from ACF. I still can't believe this happened. This can't be legal!

photomatt

16 hours ago

Have you read the GPL?

Sebguer

16 hours ago

Eventually you are going to have to confront that the distance between 'technical correctness' and 'moral correctness' is vaster than you apparently think it is.

DonnieBurger

16 hours ago

Parent does not mention GPL, nor is this a GPL issue. It's about the takeover of an existing plugin and its reviews/installs.

ankleturtle

13 hours ago

I am not a lawyer, but I am really curious if this would amount to tortious interference.

user

14 hours ago

[deleted]

rpgbr

14 hours ago

The problem isn’t GPL or code, it’s a trademark and trust issue.

user

16 hours ago

[deleted]

kristofferR

15 hours ago

What kind of response is that? Does that mean you approve of sites like GPLDL then?

cendyne

16 hours ago

It is as if Wordpress [1] is asserting that the original author is a danger to public safety. Their terms read: ...

To that end, we reserve the following rights: ... to make changes to a plugin, without developer consent, in the interest of public safety.

[1]: https://x.com/WordPress/status/1845179613783142426

butz

17 hours ago

ProcessWire CMS (https://processwire.com/) is a neat alternative if one requires a quite complex set of custom fields on a website.

johnchristopher

12 hours ago

So, is the next step to capture wp-migrate (or another prominent WPEngine plugin) or to update the core to degrade ACF pro ?

getcrunk

15 hours ago

Posted this in the other thread:

A lot of the comments seem to call out Matt (right or wrong). But that’s the easy thing to do.

No one dares address the systemic issue of for profit corporations exploitatively (ab)using open source software.

There is a social contract that people should contribute back, and while it’s largely unenforceable, as it should be, when it’s happening on a systemic level something has to be done. And we are all complicit if we don’t at least say that much and spare some good will towards the guy actively in that fight, at least superficially.

*The following is a response to some replies on the other thread that clarifies my points*

Matt being a poor steward of GPL is by definition not a systemic issue … unless your claim is that many people in positions like his do what he does, which is in turn caused by invariant factors?

The systemic issue is companies the world over not giving their fair share back in terms of contributing to foss.

I might agree with most of your points, I’m just trying to get people to realize there’s the local issue of Matt/wp and then there’s this global issue of companies building businesses off foss and not giving back.

throw16180339

14 hours ago

> A lot of the comments seem to call out Matt (right or wrong). But that’s the easy thing to do.

It's also productive. If there's enough of an uproar, then the board will remove him. They're pretty much the only people who can stop him.

> There is a social contract that people should contribute back, and while it’s largely unenforceable, as it should be, when it’s happening on a systemic level something has to be done. And we are all complicit if we don’t at least say that much and spare some good will towards the guy actively in that fight at least superficially

You don't speak for me. Contributions to my OSS projects are appreciated, but all I ask is that users comply with the license terms.

If you feel that contributions are an unwritten obligation, he's made them much harder to ask for. Everyone else who asks for them in the future will be tarred with the same brush.

Matt is burning down the WordPress ecosystem because his shakedown attempt failed. He's prevented at least 2.5 million users from receiving security updates. He's earned my contempt, not my goodwill.

> I might agree with most of your points, I’m just trying to get people to realize there’s the local issue of Matt/wp and then there’s this global issue of companies building businesses off foss and not giving back.

Drew said it best. (https://drewdevault.com/2021/01/20/FOSS-is-to-surrender-your...) If you want to require contributions, pick an appropriate license.

mmsnowsniff

15 hours ago

I don't know how much goodwill we owe somebody currently being sued for extortion and who lied to a community about ownership of a trademark for over a decade in an attempt to take a whole community hostage when he feels like it's time to cash in. The writing was on the wall when he sold user intellectual property from WordPress.com and Tumblr to OpenAI. Was that fighting for open source?

geerlingguy

15 hours ago

A number of people have dealt with the maker/taker issue, for example Dries, the founder and BDFL of the Drupal project: https://dri.es/solving-the-maker-taker-problem

I think we're pretty far removed from the original issue of WP Engine and WordPress and people are just trying to deal with the fallout from Matt's nuke-the-entire-ecosystem approach he's elected to take.

getcrunk

6 hours ago

Hey Jeff! :)))))

That was a great article from Drupal. It’s a great idea and really goes a long way to help, but we still need more.

This only addresses FOSS projects that are hosted as an offering. It wouldn’t address how, for example, the PGP guy basically went broke, or just the general amount of pressure maintainers of “critical” FOSS packages are under and are spread so thin that it’s always a triage fire and there’s never any room to “level up” with rewrites or full code base audits. And a lot of it comes at a huge personal cost, but it just so happens the people often in those shoes end up being super noble.

Maybe this is a cynical take, but year after year it really does seem the software we rely on for modern life is just a house of cards where most cards are solo devs or a handful each doing the task of Atlas because the world's corporations just don’t give back!

My words will ring true in 10-20 years when most of these people kick the bucket or retire and all we have left will be google’s next android| fuchsia and windows server.

butz

17 hours ago

I wonder what will happen to old websites I built with ACF and did not touch for years? Are they vulnerable now, as owners cannot get updates for ACF?

martin_a

16 hours ago

I had to log in to several sites and make sure that the plugins would not auto-update. This is pretty much like a rogue actor taking over a plugin.

johnchristopher

12 hours ago

The slug hasn't changed so it will receive updates (from SCF repository, now under the control of Automattic).

If you used ACF pro then the plug-in is downloaded from ACF website.

But.

The obvious next move is to put code in the core that would degrade ACF pro.

user

16 hours ago

[deleted]

chx

15 hours ago

According to https://make.wordpress.org/plugins/2021/02/16/reminder-forke... this is piracy.

Let's look at newer documentation:

https://developer.wordpress.org/plugins/wordpress-org/detail...

> The use of trademarks or other projects as the sole or initial term of a plugin slug is prohibited unless proof of legal ownership/representation can be confirmed

The plugin is at https://wordpress.org/plugins/advanced-custom-fields and advanced custom fields filed for trademark last December https://trademarks.justia.com/983/21/advanced-custom-9832116...

Also

https://developer.wordpress.org/plugins/wordpress-org/plugin...

> We also don’t accept 100% copies of other people’s work

There's a clause which looks applicable https://developer.wordpress.org/plugins/wordpress-org/plugin...

> What happens to a plugin if the plugin owner gets blocked?

however the page says "Last Updated: 12 October 2024" and https://github.com/WordPress/developer-plugins-handbook/blob... (permalink at the time of writing this) doesn't have this section. So it really looks like someone manually edited the page on wordpress.org without editing the source. Now, who has such permissions and has the motive to do this?

geerlingguy

14 hours ago

I feel so bad for all the Wordpress devs and shops right now. This is not the kind of community turmoil I'd want to deal with leading up to holidays/new years!

It makes Drupal 8/Backdrop seem like a pleasant and wonderful experience, in comparison.

chx

14 hours ago

I don't think there was any bad blood between Drupal 8 and Backdrop, was there? It was forked in 2013 and look https://www.drupal.org/u/jenlampton Jen was still doing BADCamps and went to DrupalCons and all that. My memory is fuzzy a little but I do remember we were making huge progress on migrate at BADCamp 2014 and I do not remember a single tense moment with Jen or Nate. Or was that 2013? But even if it was, that was after the fork. Nate also went to DrupalCons look https://www.drupal.org/u/quicksketch

In short, I know I considered Backdrop futile but I don't think there was any significant controversy or is my memory failing me? http://www.drupal4hu.com/node/380 here's my post from the time.

Truth be told, there was significantly more controversy between me and the rest of the Drupal community than between Backdrop and Drupal. You can not imagine how much I regret that.

geerlingguy

12 hours ago

True; I'm just thinking back to the absolute worst drama I can think of in Drupal land, it all pales in comparison. Most of it was misunderstandings that were subsequently sorted, or like Backdrop just a friendly fork with community connections still intact.

chx

12 hours ago

I'm glad but slightly surprised neither Crell nor me counts as worst drama for you. Good? I guess.

geerlingguy

9 hours ago

Well, both instances were painful but in my mind mostly affected a few core groups of devs, and a lot of the community was oblivious to anything going on. The Drupal 8 migration and subsequent forking of D7 into Backdrop caused a lot more consternation with smaller agencies especially.

I mostly did Drupal stuff with local and regional camps at the time, I was hired at Acquia slightly after, so I remember a lot of pain back then, especially as Wordpress and Drupal were often considered in the same meetings when building small local sites for nonprofits, small businesses, etc.

Nowadays it seems Drupal isn't part of the conversation unless there's a C-suite at the place building the website, it's moved upmarket quite a bit.

mthoms

15 hours ago

Good catches. Also note that "ACF" is trademarked by WPEngine and is used throughout the source code and reviews.

martin_a

16 hours ago

Just stealing plugins right now? Or is this some kind of "eye for an eye" situation?

I'm really turned down from the whole ecosystem by this total shitshow. Seems like everything could be pulled from under running sites if some clown decides he doesn't like it anymore.

At this point I just hope that WP Engine wins whatever lawsuit happens and Matt Mullenweg (and everybody who was involved besides him) has to pack his things and leave everything WP-related forever.

partiallypro

17 hours ago

This is one of the sleaziest things I've ever seen. I fear a hard fork of WordPress is now inevitable and unfortunately, it's possibly going to kill the platform, all over one man's ego. How can I now sell my clients on using WordPress for mission critical things if on a whim the owner of WordPress can break my site or lock out my security updates, just because I chose the "wrong" host or plugin? I don't see how the Board can sit by and let this all unfold like this, it's practically business suicide.

mnau

14 hours ago

TBF WordPress was also created by two men and one of them was Matt. Of course it only achieved its success through the efforts of countless others, but it's not just some person. Shame it came to this.

We had hard forks of very popular systems before, e.g. xfree86 turned into x.org, LibreOffice vs OpenOffice.org, Hudson to Jenkins and others and basically everyone switched (nearly) overnight.

The fork will likely have a much better governance structure to avoid precisely this problem, at least that seems to be the pattern.

wkirby

17 hours ago

We no longer do custom WordPress work --- it turned out to never be worth the hassle --- but when we did, our company used ACF extensively. High quality plugin with responsive support and very fair licensing terms.

This --- to me --- smacks of complete bullshit.

xenago

17 hours ago

Forking it is whatever, but to take over their namespace and thus break trust across the ecosystem is a dealbreaker. All devs will have to move.

luckylion

17 hours ago

It is complete bullshit, but calling ACF high quality is also pretty out there.

It's one of those giants in WP that is stuck in the past, arguably much like a lot of core.

bigiain

6 hours ago

It's certainly "high quality" in the sense of "it solves a huge number of requirements that WP core doesn't, in a way that's better than alternative plugins". It's a high quality WP Admin user experience. Just don't try looking too deeply into the database mess it creates.

For WordPress _users_, as in the people who log into the WordPress dashboard to run their website, 'stuck in the past' is often an advantage and not a bad thing. You'll be able to find blog posts and tutorials and YouTube videos showing you how to use it, unlike the "new shiny" for which there's no easily found example or support.

luckylion

4 hours ago

I'm not arguing against its usefulness, not at all. The sites I work on use it as well (and abuse, you really shouldn't do complex things with it), though we're looking into replacing it with something custom because the dev experience is bad and the performance isn't great. But for the average small to medium site, it's great, especially because of what you mention: the standard use cases are super well documented by a million people having gone through them before you.

I wouldn't call it high quality though. 200k LOC even for the free version (I use pro), no OOP, global variables, bugs get no attention unless they're major. It was amazing when it first came out, but it has fallen behind even compared to core + other plugins (and the WP average is a very low bar).

It clearly belongs in core, just like 90% of Yoast's (or AIOSEO's, Rank Math's) functionality, Redirection and permalinks, and they should have focused on getting that done instead of Gutenberg. But also clearly this isn't the way to bring it into core.

wkirby

16 hours ago

To be fair we haven’t worked with WP in 4 years; our experience with ACF was always positive.

rasso

15 hours ago

4 years ago it was still great. I had one contact with WPE support since they bought the plugin last year or so and it was the most frustrating support interaction I ever had. It felt like I was writing with an AI that was prompted to drive me crazy so that I would leave them alone.

asmor

16 hours ago

I thought there weren't any hinges left for Matt to unhinge. He dug for that minor vulnerability to be able to justify that takeover.

Who can ever trust this guy and his company, ever again?

yard2010

4 hours ago

This is a human being, making a mistake, only to be bullied by literally the whole internet?

Never have I ever witnessed a lynching with any positive consequence whatsoever in my entire life.

Empathy all the way. We all make mistakes. Stay kind and positive.

jrflowers

15 hours ago

This whole saga is surreal because I thought myself to be constitutionally incapable of rooting for a private equity firm to win a fight, but this is like watching a guy violently strain to shit his pants while yelling “Look what they made me do!”

Also the guy is in a hot tub with all of his friends and employees

user

17 hours ago

[deleted]

stefanos82

18 hours ago

The URL though says "advanced-custom-fields"; Matt...I can't find the words to comment; I just shake my head -_-

unsnap_biceps

17 hours ago

If you look at the reviews, they took over the advanced-custom-fields plugin and modified the owner to be Wordpress.org and renamed it to Secure Custom Fields.

What a terrible look

They also modified it by ripping out the pro features, so if people update their ACF Plugin and they had pro features enabled, it'll just break their install

https://plugins.trac.wordpress.org/changeset/3167679/advance...

Scaevolus

15 hours ago

So they forked some open source software and "hacked it up" to remove notices from the original creators? Fascinating.

cyral

15 hours ago

Yup, removing post revisions, which I think is a single line change, is hacking it up when WP Engine does it, but this is totally okay apparently.

joe_hills

17 hours ago

What a choice, and what poor timing.

Companies that make breaking changes on holiday weekends aren’t going to earn much goodwill from developers.

photomatt

17 hours ago

Nothing has broken. Perhaps WP Engine should have considered that before suing us.

clessg

16 hours ago

I'd normally never say something like this, but: seek therapy, man. Seriously. This is not normal. It will end badly for so many people, including yourself. It may not be too late.

maxbond

16 hours ago

I've vouched this comment. I don't think we should be flagging this comment; it's not particularly out of line, and there's a significant interest in the community seeing Mullenweg's comments.

sccxy

16 hours ago

You are a disgrace to the open source community.

I hope the lawsuit serves as a lesson to you.

taikahessu

15 hours ago

Business is war, I get it. But you chose to make innocent bystanders' (your users') lives difficult and you crossed a line by stealing code with an excuse that everyone sees through. This looks more and more like a personal vendetta.

throw16180339

16 hours ago

There won't be a Wordpress community left if you continue as you have. What does the board think of your actions?

mmsnowsniff

15 hours ago

Can't wait for Matt to read this in a deposition. At this point, the dude seems to be intent on running up the highest tab possible.

navigate8310

16 hours ago

What a 5 year old kid you are Matt. Good that the community can now see through it.

yard2010

4 hours ago

There must be a timeline in which this is de-escalated, compromises are being made and everyone's happy.

From your perspective, what does it look like? What could be done to go the opposite way and keep going?

Also, I'm surprised to see people only siding with WP Engine here. Usually the discussions here are much more balanced. What do you think could be the reason for it?

Kye

16 hours ago

Guy who started a fight tells target to stop hitting themselves

bombcar

15 hours ago

These are clearly the actions of someone who is sure they'll win the lawsuit.

(not)

wongogue

16 hours ago

Please proceed, governor.

user

16 hours ago

[deleted]

NeonNautilus

16 hours ago

I don't think punishing people for suing you typically plays well in court. Especially not if you, you know, publicly announce that's what you're doing.

user

17 hours ago

[deleted]

jorams

17 hours ago

The pro version of the plugin is a separate install, this just rips out the upgrade notices.

skhr0680

16 hours ago

AFAIK the free version never included “pro features” in the first place

trog

15 hours ago

If you were an insider deliberately trying to tank WordPress, it is hard for me to imagine anything you could do that would be more effective than this.

JBiserkov

6 hours ago

Perhaps he shorted the Automattic stock... no, wait, Automattic is privately held... make it make sense!