Oh god, this gave me a minor heart attack. We are using over 20 ACF fields for 150+ sites. I thought it was completely out of the WordPress ecosystem. I am glad they have the zip download and continuing auto updates.
EDIT: I confirm our ACF plugins on sites are all switched to secure custom fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our client's sites). Let's see what comes next...
EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.
This should be the top comment. It's already scary for a package manager to take control of a community package, even more so when sites auto-update to new code... but to break existing sites by completely changing the code that is provided in an auto-update is beyond the pale.
Not a lawyer, but I imagine many consultancies will be talking to lawyers about this one; there are entire sections of law about interfering with other companies' contracts with each other. At minimum it's an appalling breach of trust.
(community member, not affiliated with WP, WPE, or A8C)
I can confirm this has been escalated internally in the WP slack.
I can also provide this context which I found concerning, given the way this was taken over and rolled out on a Saturday afternoon, of which I have also been dragged into now as a fellow site maintainer.
- Matt Mullenweg
"in a few days we'll have a Github where people can get involved, and we can also set up proper build systems, etc"
So its all in flux obviously. I let them know the same thing, that I find this as a malicious supply chain attack that is affecting the community.
I’d love to hear how he justifies taking away this engineers’ Sunday? I doubt this person is the only person working this weekend due to Matt’s theft of ACF
> I’d love to hear how he justifies taking away this engineers’ Sunday?
His posts on slack [1] show that he sees it as "either with us or against us", and he's willing to harm users to force them to choose a side instead of staying neutral. He probably hopes that people will blame WP Engine for it.
I think his real goal is tortious interference. Hurting devs who use ACF is just a bonus.
Install the official free plugin from the advanced custom fields website and remove the SCF version. You won’t need to change any existing code then, and future updates will come from the plugin dev for ACF.
That's where the Sunday goes. I am trying to create an FTP script to mass update all wp-content plugins for this single package. It was on my mind but I was not expecting to have something bizarre happening from WordPress for one of the most crucial plugins in WordPress' existence.
We use the wp-cli with cron jobs such as indexing when we post with API or database-related things. Even with wp-cli we must login to SSH individually. And this doesn't give us the wp-cli option since it is 3rd party zip file. We possibly can get the file, extract, and delete the old plugin with cli, and then enable the last updated plugin with with cli again with a script. Either way, we must create a script or suck it up, go into each wp individually, and take care of it from the backend...
No one should risk an unknown entity taking illegal control of a key plugin on their site. I can't imagine anyone wanting WP.org to weaponize more plugins on their site.
Are you being sarcastic or a jerk?
No issues? At least 50 deleted reviews spoke for themselves!
Yeah, you didn’t produce any “technical” issues other than now maintaining a plugin that isn’t yours to start with, gathering thousands of positive reviews that aren’t yours, and selling it as a security fix which you didn’t fix.
I don’t understand how you can even show your face in public.
You and your fellow matticians are a shame to the entire open source community.
How did the sites auto-update to have this plug-in removed/replaced? Are your sites set up to just automatically take push updates from WordPress central command or something and auto-modify themselves?!
Wordpress has a (highly effective) auto-updates mechanism for security patches.
It was extended a couple of years ago to automatically apply plugin updates for you if you opted in, and I think automatic plugin updates may now be the default.
(This is on balance a good thing; almost all WP vulnerabilities are outdated plugins, and until this mechanism was prevalent, WordPress occasionally had to live-patch existing installations of third party plugins in the case of severe vulnerabilities.)
The reason this nasty little takeover worked is that they (Matt, whoever helped) have stolen ACF's slug (advanced-custom-fields). So as far as the updater is concerned, it's just another plugin update to the same code base.
IDK if WordPress plugins respect SEMVER, but shouldn't this auto-update thingy update only patch versions, or minor versions at most? Idk, breaking changes like these is definitely not something you want your CMS to do overnight when you won't notice until you receive complaints that your site is broken
Right. And actually this small detail is emblematic of the whole problem.
When you roll out an auto-updates mechanism you're saying to the people who enable it "you can trust us to do the right thing with your project while you are elsewhere -- this is a risk but it's one we manage for your benefit".
If you roll out a change for purely political/commercial reasons that are ultimately not your end user's concern -- we're not a party to that lawsuit -- then you're undermining the trust in that mechanism entirely.
It was a stupid, arrogant, underhanded thing to do.
I don't know off-hand what the rule is for plugin updates, actually; I'd have to look it up.
As far as WordPress itself is concerned, the updater definitely does not auto-push updates to major WP versions by default [0], and they continue to patch older versions for a long time.
But at any rate, whether the plugin updates respect SEMVER or not, Matt/WP.org pushed this bullshit out as the most minor of minor version number changes over the previous ACF version: 6.3.6.2.
WP and/or A8C took over the existing plugin, so that sites that have auto-update on were automatically bumped to the SCF version instead of the historical ACF which obviously had a different team of maintainers
I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.
If it's a bug, our bad and we'll fix ASAP. If it's a bug, it's a very rare one. There have been 225k downloads of the SCF plugin in the past 24 hours, implying a lot of updates. I would estimate at least 60% of the sites with auto-upgrade on and using .org for updates have done so already. https://wordpress.org/plugins/advanced-custom-fields/advance...
That said, I'm happy to pay system2 whatever he thinks his time was "spent" on a Sunday is worth. Just let me know an amount and where to send. You can contact me here: https://ma.tt/contact/ .
Matt, you say that you've had no other reports and this is the only claim on the Internet.
That's not true. You have users on the support forums reporting issues with SCF.
"this has caused an incident requiring unschedule maintenance on a weekend. I use this plugin on a couple hundred sites I help maintain, so this has been a very bad experience "
There's no justification for this whatsoever - it was your actions which meant that the ACF team couldn't manage the plugin on dotorg, and the issue you fixed was unbelievably minor.
IF you even had a point in the beginning, you've fatally undermined it. Hell, WPE's motion for a preliminary injunction even now notes that your actions here have potentially fallen into CFAA territory - https://storage.courtlistener.com/recap/gov.uscourts.cand.43...
Given you've been banning dissenters from Slack, I wonder "why" people might not be reporting issues where you can see them?
> I don't think anything about our update could cause the issues he describes and we've had no other reports, this is the only claim on the internet, and doesn't include enough technical details to tell if it's an actual bug or not.
Don't gaslight us. You've been removing negative reviews.
Thanks for improving on ACF. The plugin went downhill after the creator stepped away, IMO.
A while back, I bought a lifetime "Pro" license for ACF. It worked great for years. The last few times I tried ACF though, the admin experience felt degraded. My impression was their early customers had become an afterthought.
Looking forward to trying SCF. I have higher hopes for the plugin now.
We use ACF with WP Code auto insert. ACF has prepend and append (in presentation tab) and this can be used to wrap the value with classes or other tags such as IDs, JS or others. When the ACF name changed, the prepend and append broke because prepend/append text showing must be configured in functions.php like this:
Whatever they did, it didn't work. Maybe we are over-custimizing it but it is not unheard of to use ACF with multiple other plugins such as WP Code and custom scripts.
Strongly recommend installing the genuine ACF from www.advancedcustomfields.com - the WP Engine and ACF teams have provided timely updates (even fixed Automattic’s spurious security issue in less than a day) and have uploaded a permanent fix to MM’s malicious hack of ACF to create SCF.
The initial release of SCF only applied security fixes, changed the plugin name and removed upsells. I don't think there is any change that might cause the issue you are having.
If you can share the problem you are experiencing on Making WordPress Slack (#secure-custom-fields channel), I'm sure relevant people would love to help out ASAP.
I work at Automattic and I can get you in touch with people from WordPress.org if that's easier. You can email me at batuhan@a8c.com.
If there are any bugs, regressions or any issues with the fork, it's in the interest of everyone to quickly find and resolve them, so I'm sure your help would be appreciated.
So you guys don't get sued any further for essentially hijacking a distribution channel and pushing an unauthorized version?
If I were an employee of A8C I wouldn't be touching this code with a ten foot pole - employees can still be found guilty of criminal wrongdoing even if their employer told them to do something.
EDIT: I confirm our ACF plugins on sites are all switched to secure custom fields. This is so shady, it broke our snippets because we are using prepend and append texts to wrap our field values. Now they are all broken and we have to update all our sites (also our client's sites). Let's see what comes next...
EDIT2: There goes my Sunday. I received our first ticket regarding broken homepage widgets. I have to sit down and update every site one by one. Thank you Matt Mullenweg for ruining my Sunday plans.