A deep dive into SCF forking of ACF

And so the WordPress vs WP Engine drama continues, this time with a quite groundbreaking move by WordPress and Automattic.

Recently, Matt Mullenweg announced that WordPress.org, and by extension Automattic, is forking Advanced Custom Fields (ACF) to create a new plugin called Secure Custom Fields (SCF). This decision is part of an ongoing dispute between WordPress and WP Engine.

Key Announcement by Matt Mullenweg

Matt Mullenweg’s announcement, sent through the WordPress TRAC system, stated that SCF will replace ACF on WordPress.org, removing commercial upsells and addressing security concerns. The full announcement, including relevant links and context, is available here.

In summary:

• SCF will fix security issues and remove commercial aspects of ACF.
• Users relying on WordPress.org for updates will automatically switch to SCF unless they opt to update ACF via WP Engine.
• If auto-updates are enabled, ACF will be replaced by SCF on affected sites.

What Does Forking Mean?

In software, forking refers to creating a copy of an existing project’s source code and modifying it for independent development. Forking is allowed under the GPL (General Public License), which governs WordPress and ACF. The main steps involved in a fork are:

1. Copy the Code: Developers can copy the GPL-licensed code.
2. Modify the Code: Developers can alter the code to introduce new features or fixes.
3. Redistribute: If developers redistribute the modified code, they must do so under the same GPL license.
4. Attribution: Forks must provide credit to the original project and comply with other terms, such as making the source code available to users.

But this is not all: WordPress itself is a fork. It originated from a project called b2/cafelog, an open-source blogging platform developed by Michel Valdrighi. In 2003, when b2/cafelog’s development stalled, Matt Mullenweg and Mike Little decided to fork it and continue its development, leading to the creation of WordPress.

In short, forking ACF to build SSF is not an issue in itself; in fact, it’s a healthy move for any open-source community like WordPress.

However, given the current situation, it would be naive to think there are no ulterior motives behind this forking. For those unaware, Advanced Custom Fields (ACF) is owned by WP Engine—the same WP Engine currently in a legal battle with Matt Mullenweg.

ACF Forking Context

ACF (Advanced Custom Fields), originally developed by Elliot Condon in 2011, allows users to easily add custom fields to WordPress. Over time, ACF became widely used due to its flexibility and ease of use. However, after WP Engine acquired ACF in 2020, issues emerged between WP Engine and the WordPress core team.

ACF Plugin Details

Important Milestones for ACF:

• 2011: ACF launched as a free plugin on WordPress.org.
• 2012: ACF Pro was released, featuring advanced tools like Repeater Fields, Flexible Content Fields, and Gallery Fields.
• 2020: ACF was acquired by WP Engine, along with other key plugins like WP Migrate and Custom Post Type UI.

ACF Pro became a paid version, while the free version continued to offer powerful features for developers.

Controversy Around ACF

ACF has not been without controversy. As it grew, support—once excellent and personally provided by Elliot Condon—became less available, eventually limited to a forum and a few usage examples that didn’t fully address the needs of less experienced users.

Another point of criticism was ACF Theme Code PRO, a plugin that generates the necessary code to integrate custom fields into themes. Many saw this as a feature that should have been part of ACF itself, but for reasons unknown, Elliot refused to include it.

The plugin’s cost also raised eyebrows—it was expensive for what it did and required a yearly subscription. To put it in perspective, at one point it was priced nearly the same as ACF itself.

There’s a theory that Elliot was behind this plugin to earn extra revenue, but I doubt it. Here’s why: while it’s been said that Elliot and the developers of ACF Theme Code PRO are from the same city and likely connected, even if it’s true, it seems more like a favor between friends. If Elliot had been purely profit-driven, he wouldn’t have offered lifetime access to ACF PRO for unlimited sites at just $99 before selling to WP Engine. For context, this very site uses that deal.

After WP Engine acquired ACF, they introduced significant features like support for custom post types (CPTs)—a major addition requiring substantial effort. Yet, the seemingly simple “code creation” feature, which would only take a few days to develop from scratch, still hasn’t been added.

Now, the controversy has shifted from ACF itself to its fork: SCF (Secure Custom Fields). Let’s explore this further.

Code Analysis of SCF vs. ACF

Thanks to Marcelo Pedra from AMPM Web Hosting, we have an in-depth analysis of the SCF code, comparing it to the original ACF plugin. Below are the key findings:

1. Change Log Removal

SCF has removed ACF’s full change log while retaining the review history. This presents some concerns about transparency, as SCF’s URL still reads “advanced custom fields” in some cases.

Here is the relevant section of the code where the change log was removed:

This has been a point of contention, as some developers feel that removing the changelog undermines transparency, while others argue it was necessary to avoid confusion.

2. ACF Pro Upgrade Option Removed

Another significant change in SCF is the removal of the option to upgrade to ACF Pro. This is logical since SCF is a fork of the free version of ACF, and SCF is not intended to include the paid features offered by ACF Pro. The relevant code is shown here:

All references to WP Engine have also been stripped from SCF, which aligns with the plugin’s goal of becoming a standalone, non-commercial solution.

3. Security Fixes

One of the core reasons for the fork was to address security vulnerabilities in ACF. SCF introduces several security patches that were previously unaddressed by WP Engine. The following snippet highlights a key security fix:

And ACF PRO is gone

SCF essentially removes ACF Pro from the equation, almost as if it never existed. This raises the question: are we going to see an SCF Pro integrated into WordPress core?

While I wouldn’t mind seeing that (especially since I have a lifetime subscription to ACF, so it’s not a big deal for me), I can imagine this would be quite a shock for many others—potentially affecting millions of users.

Technical Comparison: ACF vs. SCF

Key Differences:

• Pro Features: SCF lacks ACF’s Pro features like Repeater Fields and Flexible Content Fields.
• Security: SCF introduces security patches not present in ACF.
• References to WP Engine: All WP Engine references have been removed from SCF.
• Upgrade Path: SCF does not offer an upgrade path to ACF Pro, keeping it a non-commercial plugin.

Controversy: WP Engine vs. WordPress

The legal conflict between WP Engine and Matt Mullenweg adds complexity to the situation. Some believe this fork is more about business rivalry than technical improvements. For example, WP Engine introduced its own plugin update service, bypassing WordPress.org, which escalated tensions.

There’s also speculation that WP Engine may have “insiders” within WordPress TRAC. To add fuel to the fire, someone registered the domain securecustomfields.com and pointed it to ACF’s website, implying WP Engine was aware of the fork before it happened.

ACF Response

ACF responded to the forking announcement by emphasizing that their free and Pro versions would continue to be available via WP Engine’s update service. However, many developers are questioning whether they should continue to rely on ACF or switch to SCF for long-term security and stability.

For those who want to dig deeper, here are some key resources:

• WordPress Security Policy
• ACF Plugin
• SCF FAQs and Updates