[HN Gopher] ACF Plugin no longer available on WordPress.org
___________________________________________________________________
ACF Plugin no longer available on WordPress.org
Author : michaelcampbell
Score : 143 points
Date : 2024-10-13 15:44 UTC (6 hours ago)
(HTM) web link (www.advancedcustomfields.com)
(TXT) w3m dump (www.advancedcustomfields.com)
| michaelcampbell wrote:
| "Advanced Custom Fields" developer accuses Matt Mullenweg of
| taking over, without consent, their WordPress plugin.
| denislour wrote:
| Wow, this is a big deal. Matt Mullenweg taking over ACF like
| that? Not cool. It's not just about messing with years of hard
| work, but think about all those WordPress sites now running code
| the ACF team didn't approve. Kinda scary when you think about it.
| Hope this doesn't become a trend in the open-source world.
| mrinfinitiesx wrote:
| It needs to stop here.
| TiredOfLife wrote:
| And this is different from WP Engine modifying Wordpress
| exactly how?
| mingus88 wrote:
| Well, we can start with the fact that WP Engine hasn't taken
| over any domain previously owned by Wordpress
| odo1242 wrote:
| WP engine never modified WordPress. They took stock Wordpress
| and edited a configuration file to disable revisions. They
| didn't actually change any code.
| mgkimsal wrote:
| I thought they'd also modified revisions to have a limit,
| instead of unlimited. Even when 'enabled', it's not how the
| rest of the wp installs would behave (iirc). Likely there
| was some code change there to enable that restriction.
| odo1242 wrote:
| No. They add the below to wp-config.php:
|
| define ('WP_POST_REVISIONS', 3);
| mldevv wrote:
| They use the parts of wordpress that are specifically
| built in to make modifications, as any other site
| maintainer would hosting their own install.
|
| You are mistaken.
| dmje wrote:
| Um, no: WP Engine changed a variable in wp-config
| FireBeyond wrote:
| Let's be really, really clear here.
|
| Matt might pontificate about "bastardizing and messing with"
| WordPress, but this is what he is actually referring to:
|
| A. Single. Configuration. Option.
|
| A. Changed. Default.
|
| Post revisions are a configuration option in the admin panel.
| They are enabled by default. Some hosting providers (and I
| expect WPE is not the only one) set it to disabled by
| default.
|
| That's it.
|
| This is not remotely comparable.
|
| Even without the ACF situation, Matt's description of WPE
| bastardizing the fundamental offering of WordPress is asinine
| at best, actively deceptive at worst (and that's where we
| seem to be, so far).
| gnabgib wrote:
| Discussions:
|
| (160 points, 23 hours ago, 174 comments)
| https://news.ycombinator.com/item?id=41821336
|
| (383 points, 23 hours ago, 188 comments)
| https://news.ycombinator.com/item?id=41821400
| chris_wot wrote:
| Hang on, the ACF plugin has been replaced by a different plugin,
| published by a different party? And installed on every WordPress
| installation?!?
| marpstar wrote:
| That's correct. But not if you were using ACF Pro.
| chx wrote:
| The whole thing is
| https://plugins.trac.wordpress.org/changeset/3167679/advance...
| it's very close to functionality wise right now to ACF. Not
| identical, already. While I am not a lawyer it almost certainly
| violates the ACF trademark as the code and reviews contain a
| lot of reference to ACF and the Advanced Custom Fields
| trademark which is literally the project slug. Some suspect a
| request for emergency injunction might follow next week. And
| most certainly it also violates community trust very, very big
| time.
|
| This on top of the "swear fealty" checkbox on login which
| caused multiple high profile contributors to leave and now shut
| the accessibility team down https://i.imgur.com/0jCZnlm.png
| TavsiE9s wrote:
| Excuse me for being OOTL: what "WP Engine checkbox"?
| Crosseye_Jack wrote:
| They added a checkbox to the wordpress.org login page
| https://login.wordpress.org/ stating "I am not affiliated
| with WP Engine in any way, financially or otherwise.", you
| can't log in to the site without checking it.
| chx wrote:
| And very importantly: no one knows what that checkbox
| means and what are the consequences of checking it.
| jeltz wrote:
| And Matt has refused to clarify when asked about it.
| throw16180339 wrote:
| Matt also bans anyone who asks about it.
| anakaine wrote:
| You must agree on sign up that you're not affiliated with
| WP Engine. WP has been having a spat with WP engine.
| system2 wrote:
| Oh god, this gave me a minor heart attack. We are using over 20
| ACF fields for 150+ sites. I thought it was completely out of the
| WordPress ecosystem. I am glad they have the zip download and
| continuing auto updates.
|
| EDIT: I confirm our ACF plugins on sites are all switched to
| secure custom fields. This is so shady, it broke our snippets
| because we are using prepend and append texts to wrap our field
| values. Now they are all broken and we have to update all our
| sites (also our client's sites). Let's see what comes next...
|
| EDIT2: There goes my Sunday. I received our first ticket
| regarding broken homepage widgets. I have to sit down and update
| every site one by one. Thank you Matt Mullenweg for ruining my
| Sunday plans.
| gg-plz wrote:
| As someone who doesn't use it, were those features removed into
| the patch?
|
| If they're actively breaking people's sites I'd hope they can
| get an emergency injunction ASAP, and maybe someone can start a
| CFAA investigation.
| yawnxyz wrote:
| this is my nightmare
| btown wrote:
| This should be the top comment. It's already scary for a
| package manager to take control of a community package, even
| more so when sites auto-update to new code... but to _break
| existing sites_ by completely changing the code that is
| provided in an auto-update is beyond the pale.
|
| Not a lawyer, but I imagine many consultancies will be talking
| to lawyers about this one; there are entire sections of law
| about interfering with other companies' contracts with each
| other. At minimum it's an appalling breach of trust.
| didgeoridoo wrote:
| "Advanced Tortious Interference"
| Cyberdog wrote:
| How did the sites auto-update to have this plug-in
| removed/replaced? Are your sites set up to just automatically
| take push updates from WordPress central command or something
| and auto-modify themselves?!
| sgdfhijfgsdfgds wrote:
| Wordpress has a (highly effective) auto-updates mechanism for
| security patches.
|
| It was extended a couple of years ago to automatically apply
| plugin updates for you if you opted in, and I think automatic
| plugin updates may now be the default.
|
| (This is on balance a good thing; almost all WP
| vulnerabilities are outdated plugins, and until this
| mechanism was prevalent, WordPress occasionally had to live-
| patch existing installations of third party plugins in the
| case of severe vulnerabilities.)
|
| The reason this nasty little takeover worked is that they
| (Matt, whoever helped) have stolen ACF's slug (advanced-
| custom-fields). So as far as the updater is concerned, it's
| just another plugin update to the same code base.
|
| And in fact, very little has changed.
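
Added example, not part of the thread and not code from WordPress or ACF: because the updater keys on the slug, a site owner can check which plugin actually sits in the `advanced-custom-fields` directory by reading its plugin header. The Python sketch below parses the header comment from the first 8 KiB of each top-level PHP file (where WordPress looks for it) and flags sites whose plugin name differs from the expected one; the file name `acf.php`, the sample headers and the site layout are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

SLUG = "advanced-custom-fields"            # plugin directory name (the slug)
HEADER_FIELDS = ("Plugin Name", "Version", "Author")


def read_plugin_headers(php_file):
    """Parse plugin header fields from the first 8 KiB of a PHP file."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    text = text.replace("\r", "\n")
    headers = {}
    for field in HEADER_FIELDS:
        pattern = r"^(?:[ \t]*<\?php)?[ \t/*#@]*" + re.escape(field) + r":(.*)$"
        m = re.search(pattern, text, re.M | re.I)
        if m:
            # Drop a trailing "*/" or "?>" that shares the line with the value.
            headers[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return headers


def plugin_identity(wp_root, slug):
    """Return the headers of the plugin under wp-content/plugins/<slug>, or None."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    if not plugin_dir.is_dir():
        return None
    # The main file is whichever top-level PHP file carries a Plugin Name header.
    for php in sorted(plugin_dir.glob("*.php")):
        headers = read_plugin_headers(php)
        if headers.get("Plugin Name"):
            return headers
    return None


def audit(sites, slug, expected_name):
    """Map each site root to 'ok', 'missing' or 'replaced: <plugin name>'."""
    report = {}
    for root in sites:
        ident = plugin_identity(root, slug)
        if ident is None:
            report[str(root)] = "missing"
        elif ident["Plugin Name"].lower() == expected_name.lower():
            report[str(root)] = "ok"
        else:
            report[str(root)] = "replaced: " + ident["Plugin Name"]
    return report


def build_demo_sites(base):
    """Create two constructed site trees (sample headers only, no real plugin code)."""
    template = "<?php\n/**\n * Plugin Name: {name}\n * Version: 0.0.0-sample\n * Author: Constructed Sample\n */\n"
    names = {"site-a": "Advanced Custom Fields", "site-b": "Secure Custom Fields"}
    roots = []
    for site, name in names.items():
        plugin_dir = Path(base) / site / "wp-content" / "plugins" / SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "acf.php").write_text(template.format(name=name))
        roots.append(Path(base) / site)
    return roots


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        results = audit(build_demo_sites(tmp), SLUG, "Advanced Custom Fields")
        for site, status in results.items():
            print(site, status)
```
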
| mldevv wrote:
| WP and/or A8C took over the existing plugin, so that sites
| that have auto-update on were automatically bumped to the SCF
| version instead of the historical ACF which obviously had a
| different team of maintainers
| n3storm wrote:
| pass the bill to matt when you finish fixing those broken wp.
| znpy wrote:
| He will reply that go has just "contributed their fair share
| of man-hours" /s
| Atotalnoob wrote:
| Photomatt aka Matt Mullenweg hangs out on HN.
|
| I'd love to hear how he justifies taking away this engineer's
| Sunday? I doubt this person is the only person working this
| weekend due to Matt's theft of ACF
| usea wrote:
| > I'd love to hear how he justifies taking away this
| engineer's Sunday?
|
| His posts on slack [1] show that he sees it as "either with
| us or against us", and he's willing to harm users to force
| them to choose a side instead of staying neutral. He probably
| hopes that people will blame WP Engine for it.
|
| I think his real goal is tortious interference. Hurting devs
| who use ACF is just a bonus.
|
| [1]
| https://threadreaderapp.com/thread/1843963052183433331.html
| luckylion wrote:
| > it broke our snippets because we are using prepend and append
| texts to wrap our field values
|
| Did they also rename filters and functions? I thought it was
| only the name and mentions of ACF in the docs. What did you
| rely on?
| system2 wrote:
| We use ACF with WP Code auto insert. ACF has prepend and
| append (in presentation tab) and this can be used to wrap the
| value with classes or other tags such as IDs, JS or others.
| When the ACF name changed, the prepend and append broke
| because prepend/append text showing must be configured in
| functions.php like this:
|
|     add_filter('acf/format_value/name=mysnippet1', 'mysnippet1acf', 20, 3);
|
|     // Wrap a non-empty field value in the field's prepend/append text.
|     function mysnippet1acf($value, $post_id, $field) {
|         if (!empty($value)) {
|             $value = trim($field['prepend'] . '' . $value . '' . $field['append']);
|         } else {
|             $value = '';
|         }
|         return $value;
|     }
|
| Long story short, if you are using ACF with advanced
| features, including logic and presentation, this hostile
| takeover breaks it.
|
| Doesn't even matter if you use prepend/append for the fields,
| our logic-based ACF fields are also broken.
| jnd10 wrote:
| Install the official free plugin from the advanced custom
| fields website and remove the SCF version. You won't need to
| change any existing code then, and future updates will come
| from the plugin dev for ACF.
| system2 wrote:
| That's where the Sunday goes. I am trying to create an FTP
| script to mass update all wp-content plugins for this single
| package. It was on my mind but I was not expecting to have
| something bizarre happening from WordPress for one of the
| most crucial plugins in WordPress' existence.
| mldevv wrote:
| (community member, not affiliated with WP, WPE, or A8C)
|
| I can confirm this has been escalated internally in the WP
| slack.
|
| I can also provide this context which I found concerning, given
| the way this was taken over and rolled out on a Saturday
| afternoon, of which I have also been dragged into now as a
| fellow site maintainer.
|
| - Matt Mullenweg "in a few days we'll have a Github where
| people can get involved, and we can also set up proper build
| systems, etc"
|
| So it's all in flux obviously. I let them know the same thing,
| that I find this as a malicious supply chain attack that is
| affecting the community.
| yidhsvc wrote:
| The official wp announcement of this said "we don't plan on doing
| this to other plugins." lol. anyone think they pinky promise?
| More like: build on Wordpress and unless you kiss the ring some
| guy named Matt will disappear your business.
| gg-plz wrote:
| https://x.com/WordPress/status/1845180576531468375
|
| > Hey @WordPress. Are there any further plugins that we can
| expect to be forked?
|
| > There are no others we're aware of at this time, but you are
| welcome to suggest some.
| aliasxneo wrote:
| I thought that was satire, but they actually asked for
| suggestions...
| maxbond wrote:
| To me this is indistinguishable from an account takeover attack
| executed by an insider. I doubt any prosecutor would be
| interested, but to my eyes WordPress.org has violated the CFAA by
| accessing WordPress instances outside the bounds of their
| authorization. They were authorized to modify WordPress instances
| in ways ACF prescribed, not in ways of their own choosing.
|
| I'm not saying I'd like to see Mullenweg in chains, I wouldn't.
| But WP.org's escalating legal exposure is really concerning. I
| feel like we're at risk of losing a cornerstone of the web.
| People are talking about a different open source CMS eating their
| lunch, but I think the more likely scenario is that people move
| to Square Space, Wix, Facebook, et cetera, and open source
| content management becomes niche.
| btown wrote:
| IMO it's also notable that Mullenweg is in this state of mind
| and also has access to Tumblr data, with a history of allegedly
| doxxing the relationships between anonymous user blogs based on
| non-public information [0]. One doesn't need to agree with the
| moderation decision, or take sides on the political context
| around it, to understand that there is a tremendous amount of
| centralized power here, that norms are going out the window,
| and that an entire ecosystem is at risk.
|
| [0] https://techcrunch.com/2024/02/22/tumblr-ceo-publicly-
| spars-...
| maxbond wrote:
| In hindsight this should've been all the warning anyone
| needed.
|
| In the future, when a BDFL telegraphs that they're willing to
| abuse their powers like this, we need to fork immediately.
| Open source is more important than any single project or any
| single BDFL. We can't allow open source to appear risky or
| unreliable relative to proprietary software, subject to the
| whims of volatile personalities.
|
| Open source is kind of like libraries - an institution for
| the collective good people managed to erect in the past that
| would be nigh impossible to replicate today. Imagine
| convincing companies in any other industry to collaborate
| openly and freely with their competitors merely because it's
| good for society as a whole. You'd be labeled a socialist and
| laughed out of the room.
|
| If we lose it, it's probably gone for good.
| didgeoridoo wrote:
| This is particularly bananas as ACF is basically table stakes for
| doing anything beyond blogging. I'd assume most websites that
| make actual money are thoroughly dependent on it.
|
| To twist the knife on a personal spat, Mullenweg just blew up
| uncountable businesses on a double-holiday weekend. At this
| point, seriously, fuck that guy.
| wmf wrote:
| They replaced ACF with a forked version so the functionality is
| still there. That doesn't excuse it but the situation is not so
| dire for users.
| GenerocUsername wrote:
| Asking for a friend... What's the migration path to a
| different plugin look like? Seamless? Better be duckin
| seamless
| mattrad wrote:
| You don't need to migrate from ACF to a different plugin,
| you can still access ACF and receive future updates
| independent of wordpress.org. See
| https://www.advancedcustomfields.com/blog/installing-and-
| upg...
| wmf wrote:
| https://dorve.com/blog/ux-news-articles-archive/wp-forks-
| acf...
| noapologies wrote:
| There are examples of things breaking in this very comment
| section [1].
|
| Given how widely used ACF is, it wouldn't be surprising to
| learn that a lot of weekends were ruined by the "fork".
|
| [1] https://news.ycombinator.com/item?id=41830709
| sgdfhijfgsdfgds wrote:
| Looking at the code, it's not clear to me how much has
| broken because of the fork, and how much has broken because
| of the "secure context" security patch that ACF have
| apparently also applied in their own version.
|
| That is, I think some of these things might have broken
| even with the _real_ ACF.
|
| The main change appears to be that if a developer has used
| a built-in wordpress function as a filter hook (rather than
| a user-defined one), that has been blocked. (This has never
| been a good idea, anyway; developers should not do it.)
| Also a filtered version of the POST variables has been
| passed to the callback. These are both seemingly to stop
| CSRF attacks.
|
| This patch was necessary; it prevents CSRF and potentially
| other nasties.
|
| I don't mean to excuse any of the other bullshit; I'm just
| saying that if there are "breakages" here, they are likely
| to do with the necessary patch that is hidden inside the
| gaslighting.
| sgdfhijfgsdfgds wrote:
| > This is particularly bananas as ACF is basically table stakes
| for doing anything beyond blogging.
|
| Not sure about this.
|
| I'd assume most Wordpress sites that make _actual money_ are
| dependent on WooCommerce and Easy Digital Downloads, and maybe
| Gravity Forms /WP Forms for member subscriptions.
|
| None of these are reliant on ACF, and there's any number of WP
| plugins like this that do the whole job of some website niche
| or other.
|
| (I've been doing bespoke WP builds for at least a decade --
| first one probably more like 14 years ago actually -- and I've
| not used ACF a single time. There has always been an
| alternative, and for a developer it's a bad choice.)
|
| Either way: I don't think ACF's popularity is the major factor
| here. It's that it's an _outright abuse_.
|
| The word "gaslighting" gets overused but it applies quite well
| to what ACF free plugin users are experiencing here.
|
| As to "blew up": I am not sure how many money-making ACF users
| this has affected, because they tend to use ACF Pro, which is a
| separate download.
|
| What appears to have been removed from ACF to make this shady
| SCF nonsense is the upsell marketing. Not sure what other
| breakage there would/could have been. I have seen people say
| things have broken but I suspect they are relatively minor
| issues caused by the actual ACF security patch which is also
| shipped here... because they haven't changed much.
|
| Though if Secure Custom Fields is getting the blame for the
| breakage, that's kismet, karma, whatever you want to call it.
| didgeoridoo wrote:
| Fair enough. My info might be a little out of date from my
| web agency chop shop days, but I do recall that for
| essentially any substantial site it was assumed from day 1
| that it would involve an ACF install. Probably integrated it
| into... fifty(?) websites over the years. I don't recall the
| value prop of Pro, and I actually don't think I ever touched
| it myself.
| sourcecodeplz wrote:
| I am sorry to say this but: be gone wordpress. always getting
| hacked, if you get featured somewhere your website will always go
| down, regardless if you are on shared hosting or a hetzner dedi.
| it is just too complex, it wants to do it all and sometimes it
| works.. until it doesn't.
|
| if you still want to use it and like the design options just
| install the "Export to Static" plugin and build your website
| locally then create a static copy and upload it...
| rossant wrote:
| I don't see how Mullenweg could escape lawsuits on this one.
| jeltz wrote:
| It is insane how Matt once again seems totally unable to
| understand the difference between Automattic and the WordPress
| Foundation.
| FireBeyond wrote:
| The challenge is that this drama seems to be unmasking the
| reality that for the past decade or more, Matt has grown used
| to referring to Automattic, WP.com, WP.org, and the WPF
| interchangeably and synonymously.
|
| Concerning is not just the things he's said, but what he has
| done that go along with this. Self-dealing? Improper tax
| accounting?
| guluarte wrote:
| Not a single serious developer would release a plugin or theme on
| wordpress.org after this.
| rasso wrote:
| While all of this is very bad, I still dislike the post. "Since
| 2011", for example. The plugin was sold two times in the last two
| years and ended up in the hands of WPEngine in the end. Since
| then, it has been a bumpy road with ACF, even before this (hugely
| unsettling!) incident.
| mattrad wrote:
| I don't know what you mean by "bumpy road". ACF has been solid
| for years, and has received excellent care and updates since
| moving to Delicious Brains and then WP Engine.
| dmje wrote:
| There's been nothing "bumpy" about ACF. It has been solidly
| supported, developed and documented for years.
| mldevv wrote:
| My opinion as well as many of my peers is that ACF could have
| been rolled into core or bought by Matt long long before it was
| acquired by WPE, which most of us found as a good thing, being
| that it's a critical plugin and gained long term support.
|
| Plugins have bumps, that's part of the growth, and some of the
| changes ACF have made as of recent years, even the ones I
| disagree with, seem well intentioned and not malicious. I can't
| say the same for what is happening right now.
| ChrisArchitect wrote:
| More discussion: https://news.ycombinator.com/item?id=41821400
|
| https://news.ycombinator.com/item?id=41821336
| dmje wrote:
| Long time WordPress agency owner here.
|
| At the heart of this - if you consider it generously - is a
| principle that we can possibly all sign up to, namely that "large
| commercial entities" should (should from a moral, not legal
| standpoint) "pay back" to the open source software that makes
| them money.
|
| The principle however has been totally undermined by MM's
| actions, which have been completely out of line. His behaviour
| has been abhorrent. I've been shocked (possibly naively) that a
| single individual could have such huge power over an open source
| project that they could literally turn it off (referring here to
| the update mechanism that WPEngine was using).
|
| I've been even more shocked and appalled by this plugin takeover.
| ACF is a central piece of pretty much all WP developers' /
| agencies' toolkit. Those of us who have been in this game a long
| time remember WP before it, and the breath of fresh air that it
| was to finally be able to define complex relationships between
| posts and provide our users with a GUI that actually worked well
| for complicated sites. ACF have pushed and supported this
| technology for years and years - firstly under the expertise of
| Elliot Condon, now under the aegis of WPEngine. I know some of
| the developer team at ACF personally - they're excellent people,
| making brilliant code, and most of them are putting huge efforts
| into WP as an open source project even aside from their efforts
| in maintaining and extending ACF.
|
| The forking of a plugin is one thing. A fair way to do this would
| be to fork it, and start from zero installs. Automattic could
| have done that, promoted the hell out of "SCF" and got users in a
| way that was at least slightly (?) fair.
|
| Simply switching the name and keeping the slug - and thus the
| 2+million sites - should be thought of as theft. It's outrageous,
| it's totally petty, and I so far haven't seen a single person
| being supportive of this (probably?) unilateral action by one -
| apparently increasingly unhinged - individual.
|
| The wider problem of course is the effect this has on the vibrant
| WP ecosystem which as someone else in this thread has pointed out
| is a critical (erstwhile) open cornerstone of the web.
|
| I am still hoping that this will subside into history and it'll
| all sort but it has left me and many WP devs I know with a pretty
| bitter taste.
| hello_moto wrote:
| > Simply switching the name and keeping the slug - and thus the
| 2+million sites - should be thought of as theft.
|
| He probably is trying to make a point what WPEngine is doing
| (based on his own perspective)
| asmor wrote:
| This is the same person that plasters the 4 freedoms of free
| software on his about page like they're the core of his
| personal credo.
|
| https://wordpress.org/about/
|
| There are certain implied rules to FOSS:
|
| 1. Free software is an ideological battleground, and as long
| as you abide by the license you're fine. Most GNU packages.
|
| 2. Open Source without a single backing entity is a
| meritocracy (or tries, sometimes a little too hard) and you
| can help improve it for everyone. Like the Kernel.
|
| 3. Open Source from a single backing entity is an insurance
| policy against that company failing or overcharging - at
| least in principle - if that works is often up to adoption,
| see the state of various Hashicorp products and their forks.
| You'll also never get your PR merged if it isn't critical,
| you aren't a customer or the PR misaligns with the company's
| strategy. I've even seen this happen on an Apache project, so
| that's not a guarantee of being group 1 or 2.
|
| Matt has always pretended he belongs to group 1 with
| incidentally aligned commercial interest, but it turns out
| WordPress is group 3 with a server dependency twist. He
| wouldn't even approve a config constant to change the default
| update/catalog endpoints.
| osbulbul wrote:
| After all this drama, it feels like WordPress has reached its
| peak and is now starting its decline. Of course, it will take
| years, and the process may be volatile, but the overall trend
| will likely be downward.
| andix wrote:
| AFAIK there is just no other free and open source CMS with a
| similarly mature ecosystem, which could replace WordPress. So
| many websites, companies and agencies are built on WordPress,
| it would take a decade to move away.
|
| The only possibility I can think of is a fork.
| kyriakos wrote:
| This would be the same as Google replacing Spotify with Youtube
| Music on Play Store and pushing Youtube Music in its place on all
| Android devices. It's insane.
| andix wrote:
| I guess the only way forward for now is forking WordPress and
| creating a new plugin registry.
|
| This should be rather easy, because all WordPress plugins are
| GPL-licensed because of the Copyleft.
|
| I don't care about the current dispute, but wordpress.org can't
| be trusted any more.
___________________________________________________________________
(page generated 2024-10-13 22:01 UTC)