Automattic receives backlash for cloning premium plugin
Automattic has cloned WP Engine’s paid ACF Premium plugin and is distributing it for free. Many in the WordPress community disapprove of this action and express concerns that it undermines the plugin and theme ecosystem.
Advanced custom fields plugin
Advanced Custom Fields (ACF) is a WordPress plugin popular among WordPress website developers because it allows them to create custom fields that WordPress publishers and authors can use.
Custom fields allow developers to take full control of the editing screens and, for example, add a form that creates structured data, such as Schema.org markup, for a specific type of WordPress page in an e-commerce, news, legal or medical context. A custom field can be used to allow article authors to enter the author’s name or a highlighted quote.
Website developers use ACF to allow authors to add author bios, highlighted citations, or article metadata such as publication date, modification dates, or links to sources. For example, a highlighted quote field lets authors enter the text of the quote, which then appears in the article with all the predefined styles. All the author needs to do is fill out the form and click the “Submit” button.
ACF was developed by a company called Delicious Brains. WP Engine acquired it in 2022 and took responsibility for developing and updating the free and premium versions.
WordPress freemium ecosystem
ACF is popular because, as a solid plugin, it has built trust and authority by using the freemium WordPress business model. Plugin and theme developers use the freemium business model to offer a free version of their software and a premium version with additional features. Offering a highly functional and useful free version increases the popularity and reputation of a plugin or theme among basic users, and more advanced users can try out the functionality of the free version and then opt for the premium version for the additional features. It can take years to build this goodwill, trust and authority with users.
Plugin developers like Yoast and Wordfence spend thousands of hours developing and promoting their free plugins, which are then installed on millions of websites. They put all this effort into the free versions in order to upsell their premium products.
Timeline: Automattic Forks ACF
In the context of WordPress plugins and themes, the term “forking” refers to creating an independent version of an existing WordPress plugin or theme using the original version’s source code to create another version. Forking is made possible by open source licenses. All plugins and themes derived from WordPress must be developed with an open source license.
Forking a theme or plugin sometimes happens when a developer abandons their project and an interested party decides to further develop their version of the software, a “forked” version of the original.
October 3, 2024: Automattic releases independent updates
Automattic banned the ACF plugin from WordPress.org servers, preventing ACF customers from updating their versions of the plugin directly from WordPress.org servers and forcing WP Engine to create and issue a workaround on October 3rd.
WP Engine announced:
“On October 3rd, we released new versions of our widely used plugins, providing independent update functionality and updates delivered directly from WP Engine.
While WP Engine and Flywheel customers are already protected by the WP Engine update system and do not need to take any action, community members are encouraged to download these versions of our free, open source plugins and updates directly from the ACF and NitroPack websites to ensure you receive updates directly from us.
If you are using version 6.3.2 or earlier of ACF, or have been forced to use Secure Custom Fields without your consent, you can install ACF 6.3.8 directly from the ACF website or follow these instructions to resolve the issue.
These efforts support our customers and plugin users and are aimed at protecting the community at large.”
Screenshot of the ACF plugin changelog showing the blocking workaround
On October 5, Automattic notified WP Engine of a vulnerability in the ACF plugin and disclosed it in a now-deleted post on X (formerly Twitter).
Screenshot of the post on X by Automattic
October 7: WP Engine fixes ACF vulnerability
On October 7th, WP Engine fixed the plugin vulnerability, as noted in their changelog.
Screenshot of the ACF security patch changelog
October 12, 2024: Automattic Forks ACF
But then on October 12th, Automattic forked WP Engine’s ACF plugin, renamed it Secure Custom Fields (SCF), and replaced the ACF plugin with their fork in the official WordPress plugin repository, using the same URL that was previously used by the ACF plugin. Matt Mullenweg posted an announcement on WordPress.org citing security concerns as the reason for the ACF fork, but later in the announcement also cited WP Engine’s lawsuit seeking compensation for Mullenweg’s actions.
Mullenweg wrote:
“On behalf of the WordPress security team, I announce that we are invoking Point 18 of the Plugin Directory Guidelines and converting Advanced Custom Fields (ACF) to a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security issue.
…This is a rare and unusual situation brought about by WP Engine’s legal attacks. We don’t expect this to happen with other plugins.”
Automattic Forks Premium version of ACF
There was a lot of buzz on social media over the weekend after it was announced that a new version of ACF had been released on WordPress.org under a new URL (/secure-custom-fields/), marked as a beta version. WebTNG’s David McCan downloaded the plugin, took a look at the code, and confirmed that the new version is a fork of the paid version of ACF. He points out that WP Engine’s copyright information has been removed and notes that this could be a problem. He also noted that the code that checks whether the software is paid for and licensed has been removed.
Looking at the code he says:
“We’re going to the secure custom fields version. You see, the file name is still the same ACF dot PHP, but this. The header information says “secure custom fields”. It says the author is wordpress.org. There is no copyright notice for the WP Engine code here, which is probably a problem.
So removing license checking and updating from the WP engine seems to be a classic case of an old plugin now hosted in the WordPress plugin directory. So I’m wondering if this is even a legal fork. I’m not an expert in software licensing law, but I understand that you must retain the original copyright notices when forking a plugin. That’s one of the requirements.”
Reaction from developers in a Facebook group
The courts must decide whether it is legal to make the pro version of the plugin available for free download. What Automattic may not have taken into account is that there are implications for competitors like Meta Box Pro, which offer similar functionality to ACF. Current Meta Box Pro users may have an incentive not to renew their current license since they can now get similar premium features for free from WordPress.org.
Someone posted this concern in the private Dynamic WordPress group (posted here, group membership required to view) and wrote that they had purchased a lifetime license ($699) for Meta Box prior to Mullenweg’s dispute with WP Engine. They wrote that they felt they had made a mistake in purchasing a license for Meta Box, pointed out that they disagreed with “stealing” from ACF, and said that this would lead to Meta Box losing users. An annual subscription to Meta Box starts at $149/year.
One of the Facebook group members replied that no, they had not made a bad decision by purchasing a license for Meta Box, saying that Matt Mullenweg was the one who made the bad decision. Another group member said that he viewed Mullenweg as an unreliable steward of the ACF fork and would not trust his fork of ACF on any of the websites he developed.
Other developers agreed that SCF was not trustworthy enough to use on a live website and pointed out that many websites had issues with Secure Custom Fields. Someone else noted that this could end badly for Meta Box in a year as SCF becomes more stable. Some members said they were happy to have Meta Box and were happy not to be caught up in the WordPress vs WP Engine drama.
Reaction on the WordPress subreddit
The reaction from the WordPress community on Reddit was similarly negative.
Members of the WordPress subreddit voiced their disapproval, and no one celebrated Mullenweg’s move.
A member posted the following:
“It’s crazy because they’re literally suing someone else for hosting invalid plugins and this guy’s bank accounts have been frozen. They’re now doing the same thing with WordPress.”
Someone else shared this:
“Oh wow, so that’s actually Matt making the premium/pro version of ACF, with all of its features that are usually behind their paywall, available for people to download and use for free on wordpress.org while he calls it Secure Custom Forms Pro or “Secure Custom Forms Pro” Whatever, completely out of spite?
This is worse than I thought, just looking at the title of this thread, much worse.”
Another post representative of how people feel about WordPress.org distributing a premium plugin for free:
“If he wanted to kill WordPress, this was the perfect move.”
Whether this move will impact ACF’s competitors and the larger premium WordPress ecosystem remains to be seen. One thing is for sure: most people on social media don’t seem to like that Matt Mullenweg has forked a premium WordPress plugin, and whether legal or not, it is perceived as crossing a line usually associated with software piracy.