Blog · October 14, 2024

The ACF Plugin Update Controversy: What You Need to Know

The WordPress community was recently shaken by the surprising removal of the Advanced Custom Fields (ACF) plugin from the WordPress.org repository. This change, initiated by Matt Mullenweg, has raised concerns among developers and users about the future of the platform and the integrity of the open-source ecosystem.

What happened?

Advanced Custom Fields, one of the most popular and widely used plugins for WordPress, was replaced without warning by a modified version called "Secure Custom Fields" (SCF). This change was made without the consent of the ACF team, which has actively developed and maintained the plugin since 2011. Users who rely on the free version of ACF in the WordPress.org repository now receive updates containing code that differs from the code they originally trusted.

WP Engine, the company that owns ACF, has confirmed that PRO customers or those using WP Engine hosting are not affected. Users of the free version, however, must manually download version 6.3.8 from the official ACF website in order to continue receiving authentic updates.

Why does this matter?

The WordPress ecosystem is built on trust and collaboration. Developers provide plugins, themes, and code for the platform, relying on the integrity of the WordPress community. Mullenweg's decision was described by many as a "hostile takeover," raising concerns about security and governance.

For users who update their plugins via WordPress.org, replacing ACF with SCF may feel like a breach of trust. Some developers even call this a kind of "supply chain attack," since users unwittingly install a new plugin that they may neither want nor trust.

Impact on developers

For developers, especially those who have built custom solutions around ACF, this change is particularly concerning. ACF is a core plugin for many websites, and the unexpected replacement could lead to compatibility issues, functional failures, and confusion among clients who do not understand these changes.

Many in the WordPress community have expressed frustration, and some are questioning whether they can still trust the platform. There are also fears that similar incidents could occur with other plugins.

What should you do?

If your website uses the free version of ACF and you want to continue receiving authentic updates, you should take the following steps:

  1. Download ACF 6.3.8: Visit the official Advanced Custom Fields website and download the latest version.
  2. Disable automatic updates for SCF: Make sure automatic updates for the SCF plugin are disabled if it has already been installed on your website.
  3. Manual updates: Going forward, perform manual updates of ACF via the official website to avoid unwanted changes from the WordPress.org repository.
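To confirm which plugin actually sits on disk before and after following these steps, the script below is an added example (not code from this post, from ACF or from SCF). It parses the plugin header comment from the first 8 KB of the main file, as WordPress does, and reports whether the directory still holds the plugin you expect. The directory name `advanced-custom-fields`, the file name `acf.php` and the sample header values are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

HEADER_BYTES = 8192  # WordPress looks for plugin headers only in the first 8 KB
FIELDS = ("Plugin Name", "Version", "Author")

def read_plugin_headers(php_file):
    """Parse the header comment fields at the top of a plugin's PHP file."""
    with open(php_file, "rb") as fh:
        head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    head = head.replace("\r\n", "\n").replace("\r", "\n")
    found = {}
    for field in FIELDS:
        m = re.search(r"^(?:[ \t]*<\?php)?[ \t/*#@]*" + re.escape(field) + r":(.*)$",
                      head, re.M | re.I)
        if m:  # drop a trailing "*/" or "?>" that shares the line with the value
            found[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return found

def audit(plugins_root, slug="advanced-custom-fields",
          expected="Advanced Custom Fields"):
    """Return (status, headers); status is 'absent', 'expected' or 'replaced'."""
    target = Path(plugins_root) / slug
    files = sorted(target.glob("*.php")) if target.is_dir() else []
    for php in files:  # the main plugin file sits at the top level of the directory
        headers = read_plugin_headers(php)
        if "Plugin Name" in headers:
            same = headers["Plugin Name"].lower() == expected.lower()
            return ("expected" if same else "replaced"), headers
    return "absent", None

def make_site(root, plugin_name, version):
    """Build a constructed plugins tree; the header text is sample data."""
    plugin_dir = Path(root) / "advanced-custom-fields"
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "acf.php").write_text(
        "<?php\n/**\n * Plugin Name: %s\n * Version: %s\n */\n" % (plugin_name, version))
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site_a = make_site(Path(tmp) / "a", "Advanced Custom Fields", "6.3.8")
        site_b = make_site(Path(tmp) / "b", "Secure Custom Fields", "0.0.0-sample")
        for site in (site_a, site_b):
            print(site.name, *audit(site))
```

On a real site, pass the path to `wp-content/plugins` to `audit()`; a `replaced` result means the directory name no longer matches the plugin it contains.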

What's next?

This situation has heightened awareness of the governance and security aspects of WordPress. Although this incident rightly raises concerns, WordPress remains a powerful and flexible platform for web developers. By acting proactively and making informed decisions, you can ensure that your projects remain stable and secure.

Conclusion

Although this incident caused quite a stir in the community, there is no reason to panic. With a few simple measures, you can ensure that your website and those of your clients continue to function smoothly. The WordPress community is strong and resilient, and these challenges will ultimately lead us to even better solutions.