A storm is brewing in the WordPress open-source CMS

The title of this post is deliberately toned down. The storm* has very much hit land and is wreaking havoc in the world of WordPress.

If you aren’t aware, Automattic CEO Matt Mullenweg has forcefully taken over one of WordPress’s most popular plugins. Advanced Custom Fields is used by developers all over the globe. The free plugin had over 2 million active installs.

This takeover is in response to an ongoing feud between WPEngine and Matt Mullenweg, but this irrational and irresponsible action puts millions of WordPress websites at potential risk.

Is your site at risk?

If you’re using the free version of ACF

If you’re using the free version of Advanced Custom Fields that was available on the WordPress plugin repository, then your website could be at risk. If you had the plugin set to automatically update, or you have manually updated it in the past couple of days, then the plugin will have already been changed to the now WordPress-operated and renamed Secure Custom Fields version. Rather ironically named, I might add.

However, if you’re using the free version and are hosted with WPEngine or Flywheel, you are safe, as hosted sites get updates for WPEngine-operated plugins directly from WPEngine, not via the update system from WordPress.org.

If you’re using ACF Pro

If you’re using the Pro version of Advanced Custom Fields, then you too are safe. ACF Pro is a different plugin, one that is also connected to WPEngine’s updating system. ACF Pro will continue to be maintained and updated by the current ACF team, keeping you and your website data secure.
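To see which of these cases applies to an install, you can read the `Plugin Name` header that WordPress uses to identify each plugin. The Python script below is an added example, not code from the ACF team or WordPress.org; the "Advanced Custom Fields PRO" header value and the command-line usage are assumptions, and it cannot tell you whether your updates come from WPEngine or WordPress.org.

```python
import re
import sys
from pathlib import Path

# WordPress identifies a plugin by a comment header in the top-level PHP
# files of its directory and only inspects the first 8 KB of each file.
HEADER = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.M | re.I)


def plugin_names(plugins_dir):
    """Map each plugin directory name to its 'Plugin Name' header value."""
    found = {}
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = HEADER.search(head)
        if match:
            # strip() also removes a trailing \r from CRLF files
            found.setdefault(php.parent.name, match.group(1).strip())
    return found


def classify(name):
    """Return 'replaced', 'pro', 'free', or None for unrelated plugins."""
    n = name.lower()
    if n.startswith("secure custom fields"):
        return "replaced"  # already switched to the renamed version
    if n.startswith("advanced custom fields"):
        # Assumption: the Pro plugin's header ends in "PRO".
        return "pro" if n.endswith("pro") else "free"
    return None


def acf_report(plugins_dir):
    """Directory name -> status, for ACF-related plugins only."""
    report = {}
    for directory, name in plugin_names(plugins_dir).items():
        status = classify(name)
        if status:
            report[directory] = status
    return report


if __name__ == "__main__":
    # Usage (hypothetical path): python acf_check.py /var/www/wp-content/plugins
    for directory, status in acf_report(sys.argv[1]).items():
        print(f"{directory}: {status}")
```

A result of `free` means the original plugin is still installed; whether its next update switches it depends on where the site gets its updates, as described above.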

What to do if you are affected

The team behind ACF have published this article explaining what to do if you are affected. If you have already been updated to the Secure Custom Fields plugin then don’t despair. You can follow the instructions outlined by the team at ACF to reverse the update and continue to use WPEngine’s version of their plugin.

I’ve been keeping a close eye on what has been happening, and this is really sad to see. In the world of open-source, this is pretty much unheard of. In fact, it really undermines the idea of open-source as a whole. If a plugin can be simply taken over in a forceful manner by an uber admin, then, is it really open?

There is a lot more to this story continuing to unfold. I really hope it doesn’t cause any more issues such as this one. If it does, frankly, many people will reconsider using and working with WordPress. If they do, and do en masse, it will literally change the face of the web as we know it.

*[read: total shit storm]