(160 points, 23 hours ago, 174 comments) https://news.ycombinator.com/item?id=41821336
(383 points, 23 hours ago, 188 comments) https://news.ycombinator.com/item?id=41821400
EDIT: I confirm our ACF plugins on sites are all switched to secure custom fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our client's sites). Let's see what comes next...
EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.
This on top of the "swear fealty" checkbox on login which caused multiple high profile contributors to leave and now shut the accessibility team down https://i.imgur.com/0jCZnlm.png
> Hey @WordPress. Are there any further plugins that we can expect to be forked?
> There are no others we're aware of at this time, but you are welcome to suggest some.
I'm not saying I'd like to see Mullenweg in chains, I wouldn't. But WP.org's escalating legal exposure is really concerning. I feel like we're at risk of losing a cornerstone of the web. People are talking about a different open source CMS eating their lunch, but I think the more likely scenario is that people move to Square Space, Wix, Facebook, et cetera, and open source content management becomes niche.
To twist the knife on a personal spat, Mullenweg just blew up uncountable businesses on a double-holiday weekend. At this point, seriously, fuck that guy.
Not a lawyer, but I imagine many consultancies will be talking to lawyers about this one; there are entire sections of law about interfering with other companies' contracts with each other. At minimum it's an appalling breach of trust.
[0] https://techcrunch.com/2024/02/22/tumblr-ceo-publicly-spars-...
I’d love to hear how he justifies taking away this engineers’ Sunday? I doubt this person is the only person working this weekend due to Matt’s theft of ACF
Did they also rename filters and functions? I thought it was only the name and mentions of ACF in the docs. What did you rely on?
At the heart of this - if you consider it generously - is a principle that we can possibly all sign up to, namely that "large commercial entities" should (should from a moral, not legal standpoint) "pay back" to the open source software that makes them money.
The principle however has been totally undermined by MM's actions, which have been completely out of line. His behaviour has been abhorrent. I've been shocked (possibly naively) that a single individual could have such huge power over an open source project that they could literally turn it off (referring here to the update mechanism that WPEngine was using).
I've been even more shocked and appalled by this plugin takeover. ACF is a central piece of pretty much all WP developers' / agencies toolkit. Those of us who have been in this game a long time remember WP before it, and the breath of fresh air that it was to finally be able to define complex relationships between posts and provide our users with a GUI that actually worked well for complicated sites. ACF have pushed and supported this technology for years and years - firstly under the expertise of Elliot Condon, now under the aegis of WPEngine. I know some of the developer team at ACF personally - they're excellent people, making brilliant code, and most of them are putting huge efforts into WP as an open source project even aside from their efforts in maintaining and extending ACF.
The forking of a plugin is one thing. A fair way to do this would be to fork it, and start from zero installs. Automattic could have done that, promoted the hell out of "SCF" and got users in a way that was at least slightly (?) fair.
Simply switching the name and keeping the slug - and thus the 2+million sites - should be thought of as theft. It's outrageous, it's totally petty, and I so far haven't seen a single person being supportive of this (probably?) unilateral action by one - apparently increasingly unhinged - individual.
The wider problem of course is the effect this has on the vibrant WP ecosystem which as someone else in this thread has pointed out is a critical (erstwhile) open cornerstone of the web.
I am still hoping that this will subside into history and it'll all sort but it has left me and many WP devs I know with a pretty bitter taste.
He probably is trying to make a point what WPEngine is doing (based on his own perspective)
Given how widely used ACF is, it wouldn't be surprising to learn that a lot of weekends were ruined by the "fork".
Not sure about this.
I'd assume most Wordpress sites that make actual money are dependent on WooCommerce and Easy Digital Downloads, and maybe Gravity Forms/WP Forms for member subscriptions.
None of these are reliant on ACF, and there's any number of WP plugins like this that do the whole job of some website niche or other.
(I've been doing bespoke WP builds for at least a decade -- first one probably more like 14 years ago actually -- and I've not used ACF a single time. There has always been an alternative, and for a developer it's a bad choice.)
Either way: I don't think ACF's popularity is the major factor here. It's that it's an outright abuse.
The word "gaslighting" gets overused but it applies quite well to what ACF free plugin users are experiencing here.
As to "blew up": I am not sure how many money-making ACF users this has affected, because they tend to use ACF Pro, which is a separate download.
What appears to have been removed from ACF to make this shady SCF nonsense is the upsell marketing. Not sure what other breakage there would/could have been. I have seen people say things have broken but I suspect they are relatively minor issues caused by the actual ACF security patch which is also shipped here... because they haven't changed much.
Though if Secure Custom Fields is getting the blame for the breakage, that's kismet, karma, whatever you want to call it.
I can confirm this has been escalated internally in the WP slack.
I can also provide this context which I found concerning, given the way this was taken over and rolled out on a Saturday afternoon, of which I have also been dragged into now as a fellow site maintainer.
- Matt Mullenweg "in a few days we'll have a Github where people can get involved, and we can also set up proper build systems, etc"
So its all in flux obviously. I let them know the same thing, that I find this as a malicious supply chain attack that is affecting the community.
His posts on slack [1] show that he sees it as "either with us or against us", and he's willing to harm users to force them to choose a side instead of staying neutral. He probably hopes that people will blame WP Engine for it.
I think his real goal is tortious interference. Hurting devs who use ACF is just a bonus.
[1] https://threadreaderapp.com/thread/1843963052183433331.html
In the future, when a BDFL telegraphs that they're willing to abuse their powers like this, we need to fork immediately. Open source is more important than any single project or any single BDFL. We can't allow open source to appear risky or unreliable relative to proprietary software, subject to the whims of volatile personalities.
Open source is kind of like libraries - an institution for the collective good people managed to erect in the past that would be neigh impossible to replicate today. Imagine convincing companies in any other industry to collaborate openly and freely with their competitors merely because it's good for society as a whole. You'd be labeled a socialist and laughed out of the room.
If we lose it, it's probably gone for good.
It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.
(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)
The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.
And in fact, very little has changed.
There are certain implied rules to FOSS:
1. Free software is an ideological battleground, and as long as you abide by the license you're fine. Most GNU packages.
2. Open Source without a single backing entity is a meritocracy (or tries, sometimes a little too hard) and you can help improve it for everyone. Like the Kernel.
3. Open Source from a single backing entity is an insurance policy against that company failing or overcharging - at least in principle - if that works is often up to adoption, see the state of various Hashicorp products and their forks. You'll also never get your PR merged if it isn't critical, you aren't a customer or the PR misaligns with the company's strategy. I've even seen this happen on an Apache project, so that's not a guarantee of being group 1 or 2.
Matt has always pretended he belongs to group 1 with incidentally aligned commercial interest, but it turns out WordPress is group 3 with a server dependency twist. He wouldn't even approve a config constant to change the default update/catalog endpoints.
add_filter('acf/format_value/name=mysnippet1', 'mysnippet1acf', 20, 3);
function mysnippet1acf ($value, $post_id, $field) {
if(!empty($value)){
$value = trim($field['prepend'].''.$value.''.$field['append']);
}else{
$value='';
}
return $value;
}Long story short, if you are using ACF with advanced features, including logic and presentation, this hostile takeover breaks it.
Doesn't even matter if you use prepend/append for the fields, our logic-based ACF fields are also broken.
Plugins have bumps, that's part of the growth, and some of the changes ACF have made as of recent years, even the ones I disagree with, seem well intentioned and not malicious. I can't say the same for what is happening right now.
That is, I think some of these things might have broken even with the real ACF.
The main change appears to be that if a developer has used a built-in wordpress function as a filter hook (rather than a user-defined one), that has been blocked. (This has never been a good idea, anyway; developers should not do it.) Also a filtered version of the POST variables has been passed to the callback. These are both seemingly to stop CSRF attacks.
This patch was necessary; it prevents CSRF and potentially other nasties.
I don't mean to excuse any of the other bullshit; I'm just saying that if there are "breakages" here, they are likely to do with the necessary patch that is hidden inside the gaslighting.
This should be rather easy, because all WordPress plugins are GPL-licensed because of the Copyleft.
I don't care about the current dispute, but wordpress.org can't be trusted any more.
Matt might pontificate about "bastardizing and messing with" WordPress, but this is what he is actually referring to:
A. Single. Configuration. Option.
A. Changed. Default.
Post revisions are a configuration option in the admin panel. They are enabled by default. Some hosting providers (and I expect WPE is not the only one) set it to disabled by default.
That's it.
This is not remotely comparable.
Even without the ACF situation, Matt's description of WPE bastardizing the fundamental offering of WordPress is asinine at best, actively deceptive at worst (and that's where we seem to be, so far).
Concerning is not just the things he's said, but what he has done that go along with this. Self-dealing? Improper tax accounting?
The only possibility I can think of is a fork.
https://plugins.trac.wordpress.org/browser/advanced-custom-f...
It's still $this->add_field_filter( 'acf/format_value', array( $this, 'format_value' ), 10, 4 );
The file was last changed 7 weeks ago by deliciousbrains/wpengine and specifically the filter part is the same on their github.
I don't think GP's distinction of "websites that make money" == "online stores" is accurate or meaningful. I use ACF on every website, my clients are money-making businesses. Only a couple of them are running WooCommerce (and those are running ACF as well).
Nothing about running a business on WordPress makes WooCommerce and ACF mutually exclusive.
Now, when he's already failed to bring the community on board with his attacks, he decides that his next move is to make a big show of stealing something that had he done nothing many people would not have realized was a WP Engine property, with the net effect of reminding people that WP Engine has been responsible for maintaining what is widely considered to be the most essential plugin in the ecosystem.
But that doesn't count as giving back because... reasons.
WordPress.org, and therefore the entire plugin repository, is owned by just Matt and maintained by a division within Automattic. The .org-ness of it was just a smokescreen all along.
If there is insider inurement, the IRS fine is directed to the Board of Directors (each one of them, however many) for 25% of the value of the benefit. If they do not pay in a timely manner, the bill is 200% of the inurement. Matt is the ultimate insider, "giving" the valuable trademarks to the foundation and then getting to use them for free, while leaning on other companies to pay millions. So the insider inurement is in the millions of dollars, per year, for years. Those two unknown board members of the WordPress Foundation? I hope they have great tax lawyers!
[1] https://www.mercadien.com/resource/steep-penalties-for-exces...
> But that doesn't count as giving back because... reasons.
I haven't used WordPress in years, but I've seen recent comments saying that WP Engine has been using ACF to market their hosting packages, even giving customers a "4 month trial" — not something a hosting provider really wants to see.
Ideally, those repos would be hosted by each party, and then hosting providers would be able to host their own mirrors containing many packages for all the installs, giving a similar experience to what is now offered by Mr. Mullenweg's WP.org.
I don't know off-hand what the rule is for plugin updates, actually; I'd have to look it up.
As far as WordPress itself is concerned, the updater definitely does not auto-push updates to major WP versions by default [0], and they continue to patch older versions for a long time.
But at any rate, whether the plugin updates respect SEMVER or not, Matt/WP.org pushed this bullshit out as the most minor of minor version number changes over the previous ACF version: 6.3.6.2.
https://wordpress.org/plugins/advanced-custom-fields/advance... (scroll down to the bottom and you can download the previous version to diff it)
So as far as the poor benighted plugin updater is concerned, it's just a change to the display name, which is inconsequential.
[0] WP Engine do, ironically, on a pretty short timescale!
Most of the "open" standards from other industries that I'm familiar with require a license, and certainly aren't open to participation by anyone and everyone. Let alone allowing you to modify and redistribute them.
But in software we've created a culture with different expectations. And I don't think we should take that for granted.
If you can share the problem you are experiencing on Making WordPress Slack (#secure-custom-fields channel), I'm sure relevant people would love to help out ASAP.
I work at Automattic and I can get you in touch with people from WordPress.org if that's easier. You can email me at batuhan@a8c.com.
If there are any bugs, regressions or any issues with the fork, it's in the interest of everyone to quickly find and resolve them, so I'm sure your help would be appreciated.
"Just update it!" Until it all goes to shit, and we have to triage the whole mess.
Sorry you are dealing with this, I have spent the better part of the weekend trying to get them to understand this was inevitable.
Devs: "Don't deploy on Fridays" A8C/Matt: "We will deploy on SATURDAYS"
https://www.reddit.com/r/Wordpress/comments/1cc0aor/what_are...
I might be wrong, but as best I can tell from some quick searching, ACF is the most mentioned.
If I were an employee of A8C I wouldn't be touching this code with a ten foot pole - employees can still be found guilty of criminal wrongdoing even if their employer told them to do something.
If it's a bug, our bad and we'll fix ASAP. If it's a bug, it's a very rare one. There have been 225k downloads of the SCF plugin in the past 24 hours, implying a lot of updates. I would estimate at least 60% of the sites with auto-upgrade on and using .org for updates have done so already. https://wordpress.org/plugins/advanced-custom-fields/advance...
That said, I'm happy to pay system2 whatever he thinks his time was "spent" on a Sunday is worth. Just let me know an amount and where to send. You can contact me here: https://ma.tt/contact/ .
That's not true. You have users on the support forums reporting issues with SCF.
"this has caused an incident requiring unschedule maintenance on a weekend. I use this plugin on a couple hundred sites I help maintain, so this has been a very bad experience "
https://wordpress.org/support/topic/plugin-hijacked-on-weeke...
All of them used ACF for custom article types, testimonial types, carousels, and other random one-off “content-types”
Not trying to debate against you, just adding that wordpress usage is so wide
The security trade offs for this would not be worth it, IMO, considering WPs auto-updating features.
...
I know some of the developer team at ACF personally - they're excellent people, making brilliant code, and most of them are putting huge efforts into WP as an open source project even aside from their efforts in maintaining and extending ACF.
The ACF team wiring that open source ACF code are on WP Engine's payroll.
I would keep an eye on PayloadCMS or Ghost. Those, among others, are the future, IMO.
See this video at the 3:49 mark - https://youtu.be/qFlORU3NGX0?si=_AHQIT4V7LKvecBH&t=229
Update ACF and stay secure against this latest threat. https://www.advancedcustomfields.com/blog/installing-and-upg...
A while back, I bought a lifetime "Pro" license for ACF. It worked great for years. The last few times I tried ACF though, the admin experience felt degraded. My impression was their early customers had become an afterthought.
Looking forward to trying SCF. I have higher hopes for the plugin now.
Would prevent the issue above.
But destroying trust in Wordpress? Absolutely
The erratic and bizarre behavior of the BDFL that runs WordPress and Automattic has proven himself untrustworthy and is causing massive damage to the WordPress ecosystem.
So Matt’s company which has sufficient contribution history would get free access and WP engine could either pay for access, contribute more to WordPress, or make their own plug-in infrastructure.
It’s not rocket science to learn another CMS, but many people are deeply invested into Wordpress and it would take a lot of money and effort to switch.
Even if the popularity of Wordpress decreases now, Wordpress (or a compatible fork) are going to be relevant for at least another decade.
The Wordpress license GPL/Copyleft makes forks rather easy.
I would estimate a proper fork could be done by 3 developers within two weeks, but whoever is doing it, should get some backing by a company (probably also easy) and some legal consulting.
But anything can happen. If 12 weeks passes and the suit is ongoing, then I'll be happy to admit I was wrong.
I'm pretty sure Matt has been dropped by one law firm, he's also had the chef lawyer for Automattic accept a buyout which I think is fair to assume this drama is the reason. Automattic's current in house lawyer commented on here that lawyers can't control their clients. Which I think is fair to assume that Matt is ignoring legal advice. Matt already knows this lawsuit is going to cost millions. And he's pouring petrol on it.
When you roll out an auto-updates mechanism you're saying to the people who enable it "you can trust us to do the right thing with your project while you are elsewhere -- this is a risk but it's one we manage for your benefit".
If you roll out a change for purely political/commercial reasons that are ultimately not your end user's concern -- we're not a party to that lawsuit -- then you're undermining the trust in that mechanism entirely.
It was a stupid, arrogant, underhanded thing to do.
Yeah, you didn’t produce any “technical” issues other than now maintaining a plugin that isn’t yours to start with, gathering thousands of positive reviews that aren’t yours, and selling it as a security fix which you didn’t fix.
I don’t understand how you can even show your face in public. You and your fellow matticians are a shame to the entire open source community.
Don't gaslight us. You've been removing negative reviews.
No, you just act and screw everyone else.
There's no justification for this whatsoever - it was your actions which meant that the ACF team couldn't manage the plugin on dotorg, and the issue you fixed was unbelievably minor.
IF you even had a point in the beginning, you've fatally undermined it. Hell, WPE's motion for a preliminary injunction even now notes that your actions here have potentially fallen into CFAA territory - https://storage.courtlistener.com/recap/gov.uscourts.cand.43...
Given you've been banning dissenters from Slack, I wonder "why" people might not be reporting issues where you can see them?