WP Engine is not WordPress

This is from 2010.


Edit, lol, mybb removing the word ****. Remove the dot after the w in the url :D

Here is an article dated at the same time:


WordPress has been here, it started with the whole GPL debacle. That had swings, but sentiment turned WordPress's way, and to an extent rightly so. I say "to an extent" due to multiple arguments. GPL should not be exploited. Everyone should be bound to the same license. This now, however, is more severe.

It is also a toxic discussion. WordPress wants their users and contributors to pick a side which is why they made a vague agreement tick to their .org login. As they did with the "Automattic Alignment". People are being grouped, and there is no in-between.

The problem is, most users and contributors don't know where this is heading to. Way too much uncertainty without knowing what WordPress wants to achieve.

There are some big names backing Matt.

The WordPress license can't change without the contributors all being in consensus.


It is worth noting when "contributors" are added to the copyright text ;)
 
From a recent interview, an interesting snip:


Auren Hoffman (26:40.62)

Okay, interesting. Now what, and now that you're kind of in the midst of this like PR craziness and stuff like that, you know, we always ask on this program, if there are conspiracy theories that people believe, are you more apt to believe in conspiracy theories now?

Matt (26:59.408)

I have seen some really amazing dark PR stuff, so I've never been in the center of a misinformation campaign.

Auren Hoffman (27:10.114)

Yeah, there's a lot of people who are good at this dark arts of PR.

Matt (27:13.804)

And I've seen like Twitter accounts with 20,000 followers with no posts. Suddenly become active and start posting memes about me and stuff like that.

Auren Hoffman (27:19.406)

Uh-huh. Interesting. They're, they have these like dormant things that they've been waiting for a while to, that's smart, sleeper, sleeper cell Twitter, Twitter accounts.

Matt (27:27.483)

My goodness.

I think they're spending probably 100 to 150 grand a month on Crisis Dark PR itself.

They are doing it all by themselves.
 
Just posted:


We have been made aware that the Advanced Custom Fields plugin on the WordPress directory has been taken over by WordPress dot org. A plugin under active development has never been unilaterally and forcibly taken away from its creator without consent in the 21 year history of WordPress.

Yeah, this happened.


Secure Custom Fields


On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.

On October 3rd, the ACF team announced ACF plugin updates will come directly from their website. This was also communicated via a support notice in the WordPress.org support forum on Oct 5th. Sites that followed the ACF team’s instructions on “How to update ACF” will continue to get updates directly from WP Engine. On October 1st, 2024, WP Engine also deployed its own solution for updates and installations for plugins and themes across their customers’ sites in place of WordPress.org’s update service.

Sites that continue to use WordPress.org’s update service and have not chosen to switch to ACF updates from WP Engine can click to update to switch to Secure Custom Fields. Where sites have chosen to have plugin auto-updates from WordPress.org enabled, this update process will auto-switch them from Advanced Custom Fields to Secure Custom Fields.

This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

Similar has happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

WP Engine has posted instructions for how to use their version of Advanced Custom Fields that uses their own update server, so you have that option, though the WordPress Security Team does not recommend it until they fix the security issues. You can uninstall Advanced Custom Fields and activate Secure Custom Fields from the plugin directory and be just fine.

There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will defect as well.
 
Jason Bahl wrote a blog on his WPGraphQL site when he moved to Automattic. A quick snip:


WPGraphQL Becomes a Canonical Plugin: My Move to Automattic


...

There will likely be assumptions that by joining Automattic, I’m fully endorsing every action Matt Mullenweg has taken recently. This is not the case. I’ve told Matt directly that I don’t agree with everything he’s done — and he has welcomed the disagreement. For example, I don’t think WordCamp US was the right time or place for his speech. I also do not agree with blocking WP Engine customers from WordPress.org without more notice. Should WordPress.org be required to remain a free service forever? Not necessarily. But should long-time users receive advance notice when significant changes are made? I think so.

I could probably list many other things that I don’t agree with Matt on but the reality is that I’ve never worked at a company where I’ve agreed with every single action their leaders have taken.

Leadership often involves making uncomfortable choices that others might not fully understand or agree with. His historical actions have led WordPress to its current success, and I believe that bold moves—though uncomfortable—are sometimes necessary to ensure the long-term future of WordPress. As a maintainer of open-source software, my livelihood depends on people like Matt, who are willing to keep WordPress relevant in the years to come.

I am now curious whether he is being roped in to 'migrate' ACF to SCF.

Something tells me that this is not going to sit well with most contributors.
 
A moment ago I talked about GPL being exploited, and now licenses being altered. WordPress and Automattic are now pirates.
 



It seems those with insider knowledge knew. Now I know why Matt talked about dark PR. As I said, they are doing it all to themselves. For those backing Matt (who is WordPress by his own account), I hope you know what he did now.

This is appropriation. Forking isn't what this is.

Allegedly, seeing some screenshots, people did not agree with this decision. I guess Peterson is right, Matt has become a villain. Now I am curious whether these moves were discussed in the "Automattic Alignment". Some say they will adopt "ACF Pro" as SCF. I can only speculate that this is the true intention behind poaching Bahl.

I guess I am right, that Matt wants to commercialize WordPress. This lawsuit that WP Engine got going against Automattic is going to grow ugly.
 
:ROFL:


Is this a circus?

They blocked WP Engine (incl. ACF team). Then disclosed a vulnerability without responsible disclosure, and now under their own guideline interpretation (which is also not disclosed) appropriated an active plugin.

This is bad. They said that they don't anticipate this happening to other plugins (which would include themes, mind you), but "anticipate" is something that could or could not happen. Trust is now eroded, unless there is a drastic change at the helm.

This question needs a re-poll.


All your contributions are belong to WordPress
 
Final post on this tonight:


This has happened several times before, and in line with the guidelines you agreed to by being in the directory: <guideline link removed, contained in X link> Best of luck with your version. We're looking forward to making ours amazing for our users, using the best GPL code available.

So the ACF plugin, or well, now SCF,


Change log

6.3.6.2

Release Date 12th October 2024
  • Security – Harden fix in 6.3.6.1 to cover $_REQUEST as well.
  • Fork – Change name of plugin to Secure Custom Fields.

6.3.6.1

Release Date 7th October 2024
  • Security – ACF defined Post Type and Taxonomy metabox callbacks no longer have access to $_POST data. (Thanks to the Automattic Security Team for the disclosure)

ACF was blocked on the 3rd. They had an update ready on the 7th to address the security vulnerability. They could not access the WordPress repository, and hence shipped it to the repositories on WP Engine and ACF Pro, but proceeded to provide the WordPress Security Team with an updated copy which was then uploaded on the 7th by WordPress to the WordPress repository. Five days later, WordPress invoked directory guidelines (point 18) to commandeer ACF.

This is hostile.

On the 5th:


What are the best alternatives to Advanced Custom Fields for people who want to switch away? Is there an easy way to migrate? I suspect there are going to be millions of sites moving away from it in the coming weeks.

WordPress/Automattic was planning this. First ever plugin to have more than 2 million installed on day 0. Interesting responses to that post.

Some WordPress exiles knew:


As I said, this is bigger than mere trademarks. It is about ownership.
 
This whole ACF debacle. That’s definitely not a fork. As a plugin developer, this is really concerning.
 
This whole ACF debacle. That’s definitely not a fork. As a plugin developer, this is really concerning.

It is terrible, and everything WordPress is doing now is exactly how they attacked WP Engine. WP Engine owns the ACF trademark. Yes, there it is GPL, but the code is being edited to remove "ACF". It is a takeover, under a condition where no permissions were exercised. This is a bad open-source practice and unethical conduct by WordPress.

Very concerning. Themes and plugin developers who have asked questions now, got some vague responses. Some will now be hosting their themes and plugins themselves. Other notable pushback are those now unwilling to have their themes and plugins on Wordpress.(com). The divide is now growing.
 

Goodbye notice

Date: October 12th, 2024

I am officially terminating my core contributions and involvement with the WordPress project. This project was something I poured hundreds of hours into and it greatly pains me to just stop here.

Anyone is free to lead the project again in the #core-fields channel of Slack. I am done making excuses for Matt's actions and will not associate myself with core any longer.

The content below represents the latest revision of the readme as it was prior to me leaving.

Yours previously fully,

Scott Kingsley Clark
 
The community would have better supported WordPress should they have coded their own "SCF" into core. This is what users have long wanted. To take ACF, what an impalement.

At this point in time I will be sticking with ACF and ACF Pro. I don't want to update ACF to SCF without knowing what is going to happen. For those with auto updates, you need to make a decision quick.

I don't have a WordPress exit at this time should things go wrong. I am on this ride whether I like it or not.

Hosts who are and aren't under the WordPress canopy have been silent, and I would have been too.
 

:ROFL: I don't think Matt should continue having these engagements whilst in battle with WP Engine.

Just shows, yesterday's opinion isn’t today's opinion, neither is today's opinion tomorrow's opinion. I see it all the time now on social media. It is all about having the popular opinion at a given opportunity. People who have cashed in on others are becoming morally bankrupt. Though in this case, the signs were there a decade ago.
 
:ROFL:


Accessibility Team Meetings Suspended

As neither of the current Accessibility team representatives are able to log-in to WordPress.org, team meetings are suspended until further notice. Bug scrubs will continue to run as normal.

The two comments:

This is bad. Do we know what’s blocking them ? Is it a technical issue (maybe related to the login form changes) ? Or is it something else ?

One person is not certain whether they can safely check the WP Engine box, and one person has been removed from Slack, and is also unwilling to check the WP Engine box. So yes, it is largely related to the login form changes.

So... that checkbox, the class attribute:

login-lawsuit login-remember checkbox
 
This is how an Automattic employee sees the situation, snipped:


ACF Gets A Fork By WordPress.org

This is big.

...

Introducing Secure Custom Fields

Given that there are currently over 2 million active installs of Advanced Custom Fields and the developers of the plugin do not have access to dotorg to maintain its security, the decision was made to fork ACF.

There are rules on dotorg that govern forking in the Plugin Handbook: “We also don’t accept 100% copies of other people’s work or plugins that duplicate functionality found in WordPress Core. Basically, your plugin should do something new, or in a new way, or solve a specific issue.”

The WordPress security team is also within its rights as described in Point 18 of the Plugin Directory guidelines to assume maintenance going forward.

With Secure Custom Fields, its first launch is implementing a stronger patch on the security vulnerability patched in 6.3.6.1 of the original plugin and creating a divergent, non-commercial pathway for development and distribution. If you are extending ACF and have plugins in the dotorg repo, I highly recommend you test compatibility with SCF.

The new plugin Secure Custom Fields is also now open for contributions as well.

This will be a change for users but hopefully there will be minimal impact to most as at this stage there are no major changes to the core functionality of the plugin, just a lot fewer upsells and links to the ACF website.

Are Other Plugins Going To Have A Similar Experience?

The short answer is yes, but not for the reasons you may be thinking. If your code is in the dotorg repo, it’s under the GPL license and could be forked at any time. A modern recent example is when GiveWP forked Easy Digital Downloads.

Since then both have diverged from each other significantly and solved different and distinct challenges. That is always possible in the world of WordPress. Perhaps the real question being asked is, if I get banned or I end up on the wrong side of the Project Lead, could this happen to me too?

Honestly, I can’t answer that but I doubt what we’re seeing with WPE/SL is something anyone wants to see repeated. In Matt’s post he also calls this out as a “rare and unusual event.” My opinion is that WPE/SL has created the conditions that have put us in this spot, I’m aware others don’t share my position (that’s okay too). I would love it if both sides would get together to negotiate in good faith.

Fork? :ROFL: They keep on telling themselves that. The Plugin Directory guideline doesn't even reasonably accommodate this. It is a hostile takeover, permissions are absent and the conditions are created by WordPress/Automattic. Just know that other plugins, which will include themes, are open to this too.

Just to quote GiveWP's license:

This program incorporates work covered by the following copyright and permission notices:

Easy Digital Downloads is Copyright (c) 2015, Pippin Williamson

EDD is released under the GPL 2.0

Then to quote the ACF, sorry SCF, readme:

Secure Custom Fields is a free fork of the Advanced Custom Fields plugin created originally for security updates, but now includes functionality improvements to make this plugin non-commercial in the plugin directory. If you'd like to get involved, submit some code! We want the 2M+ sites that will receive this update to have the best code and functionality possible.

Also, anyone is welcome to go see the changes in the WordPress.(org) repo. Go see what is deemed as "implementing a stronger patch". For the most part it is removing ACF language. Functionality improvements aren't made, unless they are talking about removing ACF Pro upselling. It is all in the code.

There are Automattic (and associated) plugins which upsell too. This hypocritical speak is insane.

Stolen Custom Fields is what this is. It is not even about the slug, they 'inherited' the package with its users. They explain the slug situation:


It needs to keep the same slug to keep the plugin updates — maybe there will be a better technical solution for it in the future, but for now it was the path to keep the security patches going.

No, they wanted to update/auto-update ACF users to SCF. They don't want users to use the WP Engine ACF update.

In my view, these people will steal a baby's ice cream.

Their social channels are schitholes, people (incl. contributors) with concerns and constructive criticism are being blocked, and I had a chuckle at this Reddit thread:


But hey, it is "dark PR" working against WordPress/Automattic :rolleyes:

I used to like WordPress and Automattic. Matt's Thanos snap has undone much.
 
Odd how WordPress keeps on pressing this when ACF don't have access to the repo, never mind that the plugin is commandeered.


We have been informed that ACF has emailed this to their customers:

"We are reaching out to you promptly and directly to address Matt Mullenweg's unprecedented and appalling actions on Oct 12th to forcibly appropriate the Advanced Custom Fields (ACF) plugin and .org listing. The potential impact of Mr. Mullenweg's improper action is that millions of existing installations of ACF will be updated with code that is unapproved and untrusted by the experts on the ACF team at WP Engine. We want to highlight how you can immediately reduce your exposure and risk now, and ensure you are using the genuine ACF."

However, from what we can tell, they have not updated their version to patch the security hole we patched in 6.3.6.2 of Secure Custom Fields. So using their version does not "reduce your exposure and risk", it actually increases it.

On behalf of the WordPress Security Team, we are advising to *avoid* Advanced Custom Fields until they release an update that patches the problem with $_REQUEST we fixed in 6.3.6.2. Their code is currently insecure, and it is a dereliction of their duty to customers for them to tell people to avoid Secure Custom Fields until they fix their vulnerability. We have also notified them of this privately, but they did not respond.

At this point, most users who have ACF updated or auto-updated to SCF think that it is being managed by ACF. Golden Rule and all that, bending the law.

ACF is providing patches on their own repo.

The Plugin Guidelines, especially #9, are being trashed.
 
I have never used NitroPack, but they were also recently acquired by WP Engine and are now blocked. Over 100,000 installations. Could this pose yet another 'security risk' waiting to be commandeered?

Like ACF, they will have the plugin downloadable on their website.


I doubt WordPress/Automattic has interest in the plugin; they already have their suite.

This plugin is likely used by WP Engine and Flywheel users. I won't know, I like LiteSpeed.
 