Secure Custom Fields by WordPress.org

What Changed with ACF / “Secure Custom Fields”

  • WordPress.org took control of the advanced-custom-fields plugin entry, changed the owner to WordPress.org, renamed it “Secure Custom Fields” (SCF), and removed commercial/pro upgrade hooks.
  • The slug/URL, install base, ratings, and reviews remain the same, so existing sites will receive SCF updates under the old ACF identifier.
  • Some say the pro edition has always been a separate plugin, so only upsell/upgrade prompts were removed; others argue this still breaks expectations and potentially some setups.

Security Vulnerability and Patch Debate

  • WordPress.org claims an urgent security issue justified intervening and pushing a minimal fix.
  • A reserved CVE is referenced, but full details are not public; one link suggests the original maintainers had already shipped a security release.
  • Diff analysis shows small changes around blocking access to $_REQUEST/$_POST in callbacks. Several commenters argue this is either:
    • a legitimate but partial/brittle hardening step, or
    • not a meaningful fix and mainly a pretext for the takeover.
  • Both the timeline and the question of which vulnerability is being fixed are described as unclear and disputed.

GPL, Trademarks, and Directory Policy

  • Many accept that GPL allows forking the free ACF code; the controversy is about hijacking the existing listing rather than publishing a separate fork.
  • Commenters point to plugin guidelines forbidding “100% copies” and trademark-like slugs without proof of rights, and note that ACF and “ACF” have pending trademark applications.
  • Others argue ACF (the free plugin) is not “premium” and that policies may have been selectively reinterpreted or edited after the fact.

Legal and Ethical Concerns

  • Multiple comments mention potential “tortious interference” and trademark issues due to redirecting traffic, installs, and goodwill away from the commercial owner of ACF.
  • Several see this as retaliation tied to an ongoing legal dispute between WordPress leadership and the hosting company that owns ACF, rather than a neutral security intervention.

Impact on Developers and Users

  • Developers report disabling auto-updates on client sites to avoid SCF updates they no longer trust.
  • Some fear future hostile takeovers of other plugins, degradation of ACF Pro compatibility, or use of core to disadvantage competitors.
  • A number of long‑time WordPress agencies and plugin authors say this breaks the implicit trust that the plugin directory is neutral and stable.
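
Because the listing kept its slug while its name and owner changed, a site that pins only the slug cannot see the change. The sketch below is an added example, not code from WordPress.org, ACF, or the discussion: it records the plugin-header identity at review time and flags drift before updates are re-enabled. The header contents, versions, author strings, and function names are constructed for illustration.

```python
import re

# Identity fields WordPress reads from the header comment of a plugin's main file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Author|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I
)

def parse_plugin_header(php_source):
    """Return the header fields (lower-cased keys) declared in the main plugin file."""
    head = php_source[:8192]  # the header block sits at the top of the file
    return {m.group(1).lower(): m.group(2) for m in HEADER_RE.finditer(head)}

def identity_drift(slug, pinned, php_source, fields=("plugin name", "author")):
    """List (field, pinned, observed) for identity fields that changed under one slug."""
    expected = pinned.get(slug)
    if expected is None:
        return [("slug", None, slug)]  # never reviewed: hold updates until pinned
    seen = parse_plugin_header(php_source)
    return [(f, expected.get(f), seen.get(f))
            for f in fields if expected.get(f) != seen.get(f)]

# Constructed sample headers (values are illustrative, not copied from either plugin).
BEFORE = """<?php
/**
 * Plugin Name: Advanced Custom Fields
 * Version: 1.0.0
 * Author: Original Maintainer (constructed)
 */
"""
AFTER = """<?php
/**
 * Plugin Name: Secure Custom Fields
 * Version: 1.0.1
 * Author: WordPress.org
 */
"""

# Identity recorded when the plugin was last reviewed, keyed by directory slug.
PINNED = {"advanced-custom-fields": parse_plugin_header(BEFORE)}

if __name__ == "__main__":
    for field, old, new in identity_drift("advanced-custom-fields", PINNED, AFTER):
        print(f"advanced-custom-fields: {field} changed: {old!r} -> {new!r}")
```

Run against a staged copy of the update rather than the live site, so a flagged change can be reviewed before it is installed.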

Community Trust, Governance, and Fork Talk

  • Many describe this as “one of the sleaziest things” they have seen in open source governance and worry it could trigger a serious WordPress fork.
  • Several note key community members stepping back from core initiatives and fields APIs in protest.
  • Some argue the root issue is systemic: commercial entities building on FOSS without “giving back,” but most replies focus on the immediate damage from unilateral actions by WordPress leadership.

Alternatives and Exit Discussions

  • A few commenters mention moving away from WordPress entirely, citing smaller CMSs or frameworks (e.g., ProcessWire, custom systems).
  • There is visible sympathy for competitors and alternative CMS ecosystems, with some explicitly welcoming “refugees” from WordPress.