Automattic’s New “Secure Custom Fields” Plugin Sparks Controversy

At SouthWest WebPress, we are passionate about WordPress and its open-source spirit. However, Automattic’s recent actions surrounding the Advanced Custom Fields (ACF) plugin have raised concerns within the WordPress community—concerns that we share.

The new Secure Custom Fields plugin (available on WordPress.org) offers features reminiscent of ACF Pro, including repeaters, flexible content, clone fields, galleries, options pages, and ACF Blocks. With over 90 active installations, the plugin appears to be a fork of ACF Pro, but questions about its licensing and ethics have cast a shadow over its release.

Background on the Dispute

Last month, WordPress.org controversially took over WP Engine’s ACF plugin, citing security concerns, and renamed it Secure Custom Fields (Advanced Custom Fields). The decision has been widely criticised for allegedly undermining the open-source ethos WordPress is built upon.

David McCan of WebTNG has scrutinised the new plugin, noting the removal of update and licence checks found in ACF Pro. He describes it as akin to a “nulled” version of the plugin, raising legal questions about whether the fork complies with software licensing laws, such as maintaining original copyright notices.

Prominent voices in the community have spoken out:

• Gergely Orosz, author of The Pragmatic Engineer, highlighted how Automattic’s actions could threaten paid plugin developers, warning, “Automattic… took a paid WordPress plugin built and owned by another dev and re-published it, making it free. If you have a business selling a paid WP plugin: Automattic can null it, anytime. Another new low.”
• Duane Storey pointed out that ACF is now an officially registered trademark of WP Engine, adding that the new plugin “basically [nullifies] ACF Pro without preserving copyrights.”
• Tim Brugman, a full-stack developer, criticised the plugin’s behaviour of deactivating ACF Pro when activated, which violates the WordPress Plugin Handbook.

Automattic’s Response

Automattician Brandon Kraft, who submitted the plugin, admitted to missing copyright notices and is now working to address this oversight. Kraft clarified that the decision to fork ACF Pro was “above his pay grade.”

A member of the WordPress Plugin Review Team revealed anonymously that the plugin bypassed the usual review processes, being approved directly by another Automattic employee.

What This Means for You

The controversy has left many WordPress users and developers uneasy, with some questioning the integrity of WordPress.org’s processes and Automattic’s leadership in the open-source space.

At SouthWest WebPress, we understand how unsettling this situation may be for businesses relying on ACF and similar tools. If you’re concerned about the impact of these developments on your website or need advice about your plugin setup, we’re here to help.

Our team is committed to supporting you through these changes, offering practical solutions to ensure your site remains secure and functional. Please don’t hesitate to reach out for a consultation or advice.

Let’s continue to champion the open-source principles that have made WordPress the platform we all know and love.