ACF has been hijacked

221 points, posted 15 hours ago by GavinAnderegg

66 Comments

whalesalad

12 hours ago

I was heavily involved with WordPress from about 2006 to 2012. I made it do things it was never designed to do before a lot of plugins like this existed. It was garbage then and it’s still garbage now. I stopped using it primarily because I saw what a cluster fuck the internals were and how out of control the plugin upsell ecosystem became. There were inklings of this behavior from the supreme leader too, like believing theme sales were antithetical to the entire point of WP. So I jumped ship with a real bad taste in my mouth and never looked back. I’ve tried it a handful of times over the years and it still looks like the same turd with a few more layers of polish. Still won’t scale out of the box without caching plugins.

The irony of this entire situation is Matt didn’t even make WordPress. It was forked from a blogging engine called b2. How’s that expression go? You either die a hero, or live long enough to see yourself become the villain.

yard2010

12 hours ago

// (so much for) code is poetry

cranium

13 hours ago

What an ego trip... now I'll definitely stop considering WordPress, even if it perfectly fills the use-case (mine or client's).

I know it was frustrating for Automattic to see WPEngine as a leecher, but to be this hostile and volatile does not inspire confidence. What if you had a WP instance hosted by Automattic and said something the leadership does not approve? Will you get banned with no way of recovering your website? (Ghost had a similar story.)

kcrwfrd_

13 hours ago

What’s the story with Ghost?

ookblah

13 hours ago

he must be having a legit mental breakdown. i do not understand any of these decisions done so haphazardly with no regard to users or their current situation, even if that was the direction they were moving. basically, telegraphing that he will personally go out and fuck up your day if you cross him. pettiness to the nth degree right here.

Analemma_

13 hours ago

At first we were saying it as a joke, but I am increasingly seriously wondering just how many famous people in the Valley are in various stages of stimulant psychosis, considering how widespread the joking-not-joking talk is about liberally using Adderall etc. to maximize "the grind".

purple-leafy

13 hours ago

Don’t casually suggest “mental breakdown” for people and situations you do not know or have first party insight to.

First, blaming things on “mental breakdowns” is incredibly lazy and shallow and belittles the struggle that people with mental illness have.

Did you ever stop to think that maybe this guy is just greedy, or an incompetent CEO?

Ey7NFZ3P0nzAe

8 hours ago

Well, an essential part of psychiatric diagnosis is often to notice the presence of a noticeable before/after change. Psychosis and mania are valid hypotheses that would make a CEO take a surprising decision.

I don't see how that belittles the struggle of patients. Having a company and being bipolar is far from life on easy mode.

Greed and incompetence are also valid hypotheses, although they don't necessarily need an abrupt change in behavior.

ookblah

12 hours ago

he could be all of them? i'm basing this off the fact that he was able to run and build it up to what it is today, then suddenly going off the rails. more of me grasping at an explanation than a declaration of truth heh.

baggy_trough

13 hours ago

Yes but I think it’s more likely he is having a mental breakdown.

williamstein

5 hours ago

Matt said in his keynote that he had a kidney stone a few weeks ago, which is evidently extremely painful. Perhaps that physical trauma triggered something.

gwerbret

13 hours ago

Aside: each and every post about Wordpress on HN over the past couple of days has been downweighted basically to oblivion (I expect this one to vanish from anywhere near the front page very soon). Is there a reason for this? The topic is rapidly evolving and is relevant to the HN community.

awb

13 hours ago

Check out “how are stories ranked” in the FAQ: https://news.ycombinator.com/newsfaq.html

Overheated discussions get demoted. I think the idea is that the comments should support discussion of the content, but not usurp it.

suzzer99

12 hours ago

> How are stories ranked?

> The basic algorithm divides points by a power of the time since a story was submitted. Comments in threads are ranked the same way.

> Other factors affecting rank include user flags, anti-abuse software, software which demotes overheated discussions, account or site weighting, and moderator action.

It could also be moderator action.

My most viral submission suddenly dropped from the top story to page 8, despite having far more points than anything else on that page, and only being a few hours old. I suspect this happened because it was a negative post about Amazon. The comments were not overheated. Most posters agreed with my sentiment.

akrotkov

13 hours ago

I believe the comment-to-upvote ratio is triggering an automated down-weighting on most of them.

yellow_lead

12 hours ago

When the comment to upvote ratio is too high, posts are down weighted to prevent flamewars, apparently.

hyperbrainer

13 hours ago

Do note that there are barely any comments on any. So, maybe that is a factor.

ars

13 hours ago

There's no such thing as downvoting a post on HN, only a comment.

There's flagging a post, but that would show up next to the post - do you have any examples?

gwerbret

12 hours ago

Moderators can downweight posts to drop their rankings. Here are 3 examples:

https://news.social-protocols.org/stats?id=41791369

https://news.social-protocols.org/stats?id=41815614

https://news.social-protocols.org/stats?id=41821336

Note the orange line indicating rank, which in every case shows a very sudden and precipitous drop in the rank of each post.

Fej

12 hours ago

Those threads appear to be stoking the drama more than anything. HN's stated goal is to satisfy intellectual curiosity, and even if the post topic itself is of interest, if the discussion isn't substantive then the system is probably working as intended (regardless of whether it's the flamewar detector or a manual downweight).

Zak

12 hours ago

Moderators can reduce the position of a post on the front page.

binary_slinger

13 hours ago

> If you use WordPress for a living, I recommend strongly that you consider changing platforms.

I initially thought this as well. There are alternatives but unless those alternatives are 100% API compatible with WP plugins and themes nothing is going to happen. WordPress users and devs will continue to use WP. Business as usual. Matt knows this.

cwalv

13 hours ago

I don't know much about WordPress, but it's pretty amazing to me how much staying power it's had. It seemed crusty, bloated and not long for this world 10 years ago to me.

butterfly42069

13 hours ago

Every day that goes by I'm more satisfied with my decision a week ago to migrate everything I have/am building off of WordPress.

Matt, if you read this...

:(

input_sh

12 hours ago

From WordPress to what?

butterfly42069

12 hours ago

Only a week in, but at the moment I'm building out things with HUGO and experiments are going very well.

Decided to seek out the absolute antithesis of WordPress after this experience, and don't wish to be dependent on people's whims so much anymore.

I recognise the limitations of SSGs, but I think these are overcomeable, and the benefits (Speed, CI) seem massive.

I am open to hearing other suggestions people may have though.

SansGuidon

9 hours ago

It's maybe an issue with me but I've been on blogotext where I would post stuff, then on Hugo but the tooling was taking most of my energy and the version upgrade path was a blocker for my themes, plugins, etc. I was clueless how to solve those pains without coding and opening issues. Then I tried zola but it was buggy, and I had to learn Rust to fix one basic issue which took days of rewriting code review after review. And having yet to set up a pipeline and fight to make that work, just too much for me. Then I went to WordPress and didn't have to mess with trying to make the blogging system adapt to my needs with code, it was just flexible enough with a nice WYSIWYG editor and admin panel and plugins. No mess with ci/cd build times, manual upgrades and reading language specs and opening issues to make things work. Those things were not needed to just blog.

Today I'm still on WordPress and none of the SSG feel simple enough to me.

Git, markdown, build pipelines... Code editor. It's all fun for work and collaboration with devs but just out of interest for blogging. Also they mostly generate invalid HTML and lack features or have custom templates. And next upgrade could break everything.

I prefer something that is helping me focus on blogging for long term without upgrade maintenance cost and without fearing platform dies. But yeah WordPress is not perfect and I'm considering maybe to glue a few tools together in the long run and make my edits in pure txt or HTML for which no existing SSG or WordPress are needed.

parkcedar

12 hours ago

Interested to hear your experience with HUGO- I’ve done a lot of development in Go and keen to give this a crack.

butterfly42069

12 hours ago

Flawless, it's really easy to wrap your head around (especially if you grok Go).

I would recommend spinning up the most basic site from scratch to give it a try, takes minutes tops and it's got a built-in dev server to see your site.

It pretty much all rapidly clicked into place from there. The idea of adding content as markdown is so easy and appealing, and the flow is so logical. The build times make me smile. Everything feels so rapid and under my control.

mastazi

13 hours ago

I hope Matt can get better but in the meantime, the community needs to fork. In the same way that LibreOffice forked from OpenOffice. Otherwise the blogosphere is just going to adopt one of the competing platforms and many of them (at least many of the "user friendly" ones) are not open source.

yellow_lead

12 hours ago

As much as the community may want a fork, I suspect it's not going to pick up much momentum unless it's created by a larger company with skin in the game, i.e. WPEngine.

thih9

12 hours ago

WPEngine starting a foundation and successfully forking Wordpress would have been an appropriate plot twist.

mastazi

12 hours ago

I agree and that is also my fear. That would mean that people will just move to something proprietary like Squarespace or Wix. This type of shift has happened many times before in tech so I consider it likely.

tasuki

12 hours ago

WordPress is pretty terrible. Perhaps the community can start using something better? Drupal or something. Something slightly less spaghetti...

Perhaps this is all for the good of humanity.

mastazi

10 hours ago

I get where you're coming from but I find it more likely that most people will just move to Squarespace, Wix etc. - away from open source and towards proprietary platforms.

hyperbrainer

13 hours ago

What kind of lawyer would let this happen in the middle of a lawsuit? I know lawyers do not control their clients, but this is ineffable. Even common sense should know better.

yellow_lead

12 hours ago

"What lawyer? I'm the CEO, I can do anything I want."

bigiain

13 hours ago

"If they’re willing to do this, I wouldn’t trust any plugins hosted on WordPress.org."

Yep yep yep.

Jesus Fuck Matt, put down the crackpipe and open the window. You are _totally_ out of control here.

I am 100% going to start another much more urgent discussion at work on Monday about how we remove all risk of relying on anything from Automattic, wordpress.org, or The WordPress foundation. This will include opening a discussion with WPEngine (where we host about two dozen internal and customer sites) about what their short/medium/long-term plans are and what sort of guarantee they are planning to provide about updates and security fixes to the plugins and themes we rely on. It will include an internal discussion of whether we owe it to all our clients running WP to inform them of this stupid stupid drama and the risks it represents and what we are doing to mitigate them. It will also include a very serious discussion about a million dollar government RFQ we submitted last month for a project that has a plan to use WP for the public facing website component.

outsomnia

12 hours ago

You have been and continue to trust Automattic for the core code.

If for example, Automattic instead had said they will bundle the plugin functionality with the core, there are many historical cases of that, unpleasant as it is for the third party usually... results are identical, right?

bigiain

11 hours ago

> continue to trust Automattic for the core code

That is absolutely no longer true.

Which is very very sad.

outsomnia

10 hours ago

This plugin can only operate on top of the core code, whoever distributes the plugin to you. It means you have to decide to either bin the whole ecosystem, or use the core and plugin from the same people.

It's also open to the plugin people to distribute the core themselves, but since they don't have a history of working on it, why would you imagine for core maintenance, you can trust a smaller private equity-funded group that historically leeches on the core project, more than the originating project for the core?

ds

13 hours ago

I talked at length with theo about this here if anyone wants a catch up from the very start https://youtu.be/u-KCKEWMt-Q?t=774

Cliffnotes- This is an absolutely insane situation but Matt has come out looking insanely bad imo.

hakanderyal

12 hours ago

As the saying goes, half the internet runs on WordPress. Aside from a nuclear incident like an auto upgrade that permanently breaks all of the sites, it'll continue to be used.

Maybe Matt is counting on this?

butterfly42069

11 hours ago

I think he's massively underestimated the ingenuity of developers who wish to not have work undone on the whims of a tyrant.

If there's one thing we don't like it's FUD on the future of something we want to have completed/easily maintainable.

balls187

12 hours ago

I’m sure this was covered in a comment on another thread—how is Mullenweg’s behavior different than other OSS projects wanting compensation when their work is monetized, especially from large well funded companies?

CiPHPerCoder

12 hours ago

I'd been staying out of this conflict, partly because I'm not really in the know on WP Engine's behavior behind-the-scenes and, as weird as Mullenweg's plays have been, I don't like to comment on things I'm not fully read into.

But, this touches on a particular hobby horse of mine. It involves some old conflicts too, but I don't want to ruminate on them.

From about 2016 to 2019, I was heavily involved with trying to remedy what I considered an existential threat to the Internet: WordPress's auto-updater.

https://core.trac.wordpress.org/ticket/25052 + https://core.trac.wordpress.org/ticket/39309

If that sounds alarming, consider the enormity of WordPress's market share. Millions of websites. W3Techs estimates it powers about 43% of websites whose server-side stack is detectable. At the time, it was a mere 33%.

https://w3techs.com/technologies/overview/content_management

For the longest time, the auto-updater would pull an update file from WordPress.org, and then install it. There was no code-signing of any form until I got involved. So if you pop one server, you get access to potentially millions.

Now imagine all of those webservers conscripted into a DDoS botnet.

Thus, existential threat to the Internet.

Eventually, we solved the immediate risk and then got into discussing the long tail of getting theme and plugin updates signed too.

https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-...

https://core.trac.wordpress.org/ticket/49200

You can read my ideas to solve this problem for WordPress (and the PHP ecosystem at large) here: https://gossamer.tools

Here's the part that delves into old drama: Mullenweg was so uncooperative that I wrote a critical piece called #StopMullware (a pun on "malware") due to his resistance to even commit to solving the damn problem. On my end, I reimplemented all of libsodium in pure PHP (and supported all the way back to 5.2.4 just to cater to WordPress's obsession with backwards compatibility to the lowest common denominator), and just needed them to be willing to review and accept patches. Even though I was shouldering as much of the work as I logically could, that wasn't enough for Matt. After he responded to my criticism, I took it down, since he committed in writing to actually solving the problem. (You can read his response at https://medium.com/@photomatt/wordpress-and-update-signing-5... if you care to.)

The reason I'm bringing this old conflict up isn't to reopen old wounds. It's that this specific tactic that Mullenweg employed would have been mitigated by solving the supply chain risk that I was so incandescent about in 2016.

(If you read my proposals from that era, you'll notice that I cared a lot about the developers controlling their keys, not WordPress.)

I don't keep up-to-date on Internet drama, so maybe someone already raised this point elsewhere. I just find it remarkable that the unappreciated work for WordPress/PHP I did over the years is relevant to Mullenweg's current clusterfuck. Incredible.

Since my knowledge on the background noise that preceded this public conflict is pretty much nil, I have no reason to believe WP Engine hold any sort of moral high ground. And I don't really care either way.

Rather, I'd like to extend an open invitation: If anyone is serious about leading the community to fork off WordPress, as I've heard in recent weeks, I'm happy to talk at length about my ideas for security enhancements and technical debt collection. If nothing else comes of this, I'd like to minimize the amount of pain experienced by the community built around WordPress, even if its leadership is frustrating and selfish.

rafark

2 hours ago

Very interesting. I’ve been writing code for a while but if I’m honest I have no idea how code signing works. Any good resource on how it works especially in php?
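
The update-signing idea discussed in the two comments above, shown as an added example (not code from this thread, WordPress, or Gossamer): the developer signs the package with an Ed25519 key they control, and the updater installs only what verifies against the public key pinned for that plugin. The function names, the `example-plugin` slug and the pinned-key array are hypothetical, how the updater learns the developer's key is assumed to be solved elsewhere, and the code uses PHP's bundled sodium extension (PHP 7.2+).

```php
<?php
declare(strict_types=1);

/** Developer side: detached Ed25519 signature over the exact package bytes. */
function sign_package(string $packageBytes, string $secretKey): string
{
    return sodium_crypto_sign_detached($packageBytes, $secretKey);
}

/**
 * Updater side: accept the package only if the signature verifies against
 * the public key pinned for this plugin slug. Fails closed on anything odd.
 */
function verify_update(string $slug, string $packageBytes, string $signature, array $pinnedKeys): bool
{
    $publicKey = $pinnedKeys[$slug] ?? null;
    if (!is_string($publicKey) || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false; // no usable pinned key for this plugin
    }
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature (sodium would throw on a bad length)
    }
    return sodium_crypto_sign_verify_detached($signature, $packageBytes, $publicKey);
}

// --- Constructed demo data: throwaway keys and fake package contents ---
$devKeypair = sodium_crypto_sign_keypair();               // held by the plugin developer
$devSecret  = sodium_crypto_sign_secretkey($devKeypair);
$devPublic  = sodium_crypto_sign_publickey($devKeypair);

$otherKeypair = sodium_crypto_sign_keypair();             // any key that is not the developer's
$otherSecret  = sodium_crypto_sign_secretkey($otherKeypair);

$pinned = ['example-plugin' => $devPublic];               // what the site trusts for this slug

$original = "<?php /* example-plugin 1.2.3, constructed sample */";
$replaced = "<?php /* different code served under the same slug */";

$cases = [
    'developer release'                    => [$original, sign_package($original, $devSecret)],
    'swapped package, original signature'  => [$replaced, sign_package($original, $devSecret)],
    'swapped package, signed by other key' => [$replaced, sign_package($replaced, $otherSecret)],
    'truncated signature'                  => [$original, 'short'],
];

foreach ($cases as $label => [$bytes, $sig]) {
    $ok = verify_update('example-plugin', $bytes, $sig, $pinned);
    printf("%-40s %s\n", $label, $ok ? 'install' : 'REJECT');
}
```

Only the first case installs; a package replaced on the distribution server is rejected whether it carries the old signature or a fresh one from a key the site never pinned.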

niobe

12 hours ago

And we get yet another case study in how ego destroys value

outsomnia

12 hours ago

GPL does not make any representations about private equity being able to extract value from the work.

analcryptok

12 hours ago

Currently, there are lots of applications that bring winnings in the form of prizes, so always be careful, sometimes applications like that should not be installed immediately.

outsomnia

12 hours ago

Sorry, this is a GPL plugin to stuff already maintained by Automattic?

It's not like users aren't already updating to whatever Automattic want to give them, in the core, if that's the case? Automattic producing the same plugin and delivering it the same as the core doesn't sound like much of a change, since users already trusted Automattic for the core either way...

usea

12 hours ago

If the delivery service that transported my vendor's goods to me, suddenly started substituting their own product instead, I would sue them. I think my vendor would be pissed too, especially if the main difference is that their monetization was torn out.

This behavior would land people in jail in a more serious industry.

outsomnia

8 hours ago

No... core volunteers who provide work to you for free, which you have been consuming successfully, have now extended the domain of their works to also encompass something on top you previously got from elsewhere.

The plugin you previously used was always completely dependent on the work of the core volunteers; you were always consuming their work and nothing changed about that. It just also already includes the optional plugin now.

Why would anyone end up in jail when everything is GPL2+?

prettymuchnoone

12 hours ago

Well yes, but it's like going to buy a bottle of Coke and finding out it's now Koke (but actually Pepsi inside)...it's iffy

outsomnia

12 hours ago

Users of the plugin already have a trust and consumption relationship with Automattic for the core.

It's more like mcdonalds replacing Coke with McCola with your mcdonalds meal - you were already trusting mcdonalds for the food. But even that is a stretch since both are GPL2 and there's no current sign the plugin Automattic provide differs from the WP Engine one.

GPL is on both sides, nothing stops WP Engine doing the same and providing their own flavour of core with their plugin, if that's what people want. Of course that costs more than private equity just using Automattic's core for free.

dabinat

12 hours ago

I feel like the dodgy part isn’t the forking. Any open source project can be forked at any time by anyone. The dodgy part is them automatically switching existing users to their fork.

To use your McDonald’s analogy, it’s like specifically ordering a Coke and McD’s secretly switching it to a McCoke without you noticing.

outsomnia

10 hours ago

As I wrote elsewhere, this is no different from a project deciding to incorporate a third party's functionality into the core. Either way whoever provides the plugin, you trust the provider to provide the core, if you now think they are going to do bad things, there is nothing they can do in the plugin that they couldn't do in the core without all this drama.

It seems the "perceptual framing" that is being engineered about this, that Automattic and its leader should be cancelled, is not about technical issues.

pavlov

11 hours ago

If you were buying Coke at a store owned by Pepsi, it almost seems inevitable.

I’m not saying it’s right, but it’s just the kind of thing that one expects from American corporations.