ACF Plugin no longer available on WordPress.org

Overview of the ACF → SCF Takeover

  • WordPress.org replaced the Advanced Custom Fields (ACF) plugin on the official repo with a fork (“Secure Custom Fields”, SCF) under the same slug, so auto‑updates delivered SCF as if it were a normal ACF update.
  • The fork is described as nearly identical but with security fixes, branding/upsell changes, and references to ACF removed. Critics call this an unauthorized takeover and trademark misuse; defenders frame it as a necessary security intervention.
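
One way a site operator could catch this kind of swap before it deploys, shown as an added example (not code from WordPress.org, ACF, or SCF): compare the identity fields in the plugin's main-file header comment before and after an update, and hold the update if anything other than the version changed. The sample headers, author names, URLs, and version numbers below are constructed for illustration. Only the two plugin names come from the text above.

```python
import re

# Identity fields read from the header comment of a plugin's main PHP file.
IDENTITY_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI")

def parse_plugin_header(source):
    """Return header fields found in the first 8 KiB of a plugin main file."""
    head = source[:8192]
    fields = {}
    for name in IDENTITY_FIELDS + ("Version",):
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", head, re.M | re.I)
        if m:
            # Drop a trailing comment terminator, then surrounding whitespace.
            fields[name] = re.sub(r"\s*(?:\*/|\?>).*$", "", m.group(1)).strip()
    return fields

def identity_drift(before, after):
    """Map each identity field that changed to its (old, new) values."""
    old, new = parse_plugin_header(before), parse_plugin_header(after)
    return {f: (old.get(f), new.get(f))
            for f in IDENTITY_FIELDS if old.get(f) != new.get(f)}

# Constructed sample: main file installed under the slug before the update.
BEFORE = """<?php
/**
 * Plugin Name: Advanced Custom Fields
 * Plugin URI: https://vendor-a.example/
 * Author: Example Vendor A
 * Version: 1.0.0
 */
"""

# Constructed sample: main file delivered under the same slug by the update.
AFTER = """<?php
/**
 * Plugin Name: Secure Custom Fields
 * Plugin URI: https://registry.example/
 * Author: Example Registry Team
 * Version: 1.0.1
 */
"""

if __name__ == "__main__":
    for field, (old, new) in identity_drift(BEFORE, AFTER).items():
        print(f"HOLD UPDATE: {field} changed from {old!r} to {new!r}")
```

A routine release that only bumps the version produces an empty result, so the check stays quiet on normal updates.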

Impact on Sites and Developers

  • Many users rely heavily on ACF (sometimes 100+ sites, dozens of fields per site). Some report broken layouts, snippets, and logic (e.g., filters around acf/format_value) after the forced update, costing hours of emergency weekend work.
  • Others say they have seen no technical regressions and that issues may stem from the underlying ACF security patch itself, not the fork.
  • Agencies highlight real operational costs (triage, client communications, billing/pro‑bono decisions) and say this confirms fears about deploying before weekends/holidays.

Security, Legality, and Ethics

  • Some call this indistinguishable from an insider supply‑chain / account‑takeover attack, arguing WordPress.org exceeded its authorization under the auto‑update trust model.
  • Multiple comments mention possible trademark infringement, tortious interference, and Computer Fraud and Abuse Act (CFAA) exposure, noting related allegations already appear in ongoing litigation involving WordPress.org infrastructure.
  • Others argue the move is likely legal under GPL but still a severe breach of community norms and moral expectations.

Governance and Trust in WordPress.org

  • Commenters are alarmed that one central authority can unilaterally seize a plugin’s slug and push code to millions of sites.
  • The distinction between the open‑source project, the commercial company, and the associated foundation is seen as blurred; some raise concerns about self‑dealing and nonprofit inurement.
  • The mandatory “not affiliated with WP Engine” login checkbox and reports of bans and review deletions deepen mistrust.

Ecosystem, Precedent, and Calls for Forks

  • Many say this will deter serious developers from using the official plugin repo and erodes trust in WordPress as critical web infrastructure.
  • Suggestions include: forking WordPress, creating a new plugin registry, distributed or signed plugin sources, or moving to other CMSs.
  • Some note the official statement that there are “no plans” to do this again, but commenters treat this as an unreliable assurance.