- What Is a Fork in Software Development?
- The ACF to SCF Fork: What Happened?
- Is SCF a True Fork?
- Ownership and GPL Compliance
- Trademark Issues
- Ethical Concerns Around Forking SCF
- Commercial and Practical Implications
- Security Claims and Misleading Conduct
- Legal Risks for Automattic and WordPress.org
- Final thoughts
Is SCF a True Fork? A Deep Dive Into WordPress and Ethical Issues
In October 2024, the WordPress community was shaken by the announcement that Advanced Custom Fields (ACF), one of its most popular plugins, was being forked into Secure Custom Fields (SCF). This decision, made by Matt Mullenweg, CEO of Automattic, raised eyebrows for both legal and ethical reasons. Was this fork truly justified? And what potential legal risks does it bring?
In this article, we’ll explain the technical definition of a fork, dive into the controversy behind the ACF-to-SCF transition, and discuss the legal implications for WordPress, WP Engine, and the broader open-source community.
What Is a Fork in Software Development?
A fork in software development occurs when a developer or organization takes the source code of an existing project, modifies it, and creates a separate, distinct version. Forking allows developers to add features, fix bugs, or create entirely new functionalities while keeping the original project intact.
Under the General Public License (GPL), which governs WordPress, forking is explicitly allowed. The GPL encourages open collaboration, allowing anyone to modify, copy, and redistribute software, provided that the modified version remains under the same license. WordPress itself was created through a fork of b2/cafelog in 2003, and many notable forks (like ClassicPress) have occurred over the years.
The ACF to SCF Fork: What Happened?
The controversy began when Matt Mullenweg announced that WordPress.org was forking ACF into a new plugin called Secure Custom Fields (SCF). His justification was a need for security fixes and the removal of commercial upsells, following WP Engine’s decision to handle ACF updates through its own system.
To better understand the full context of this conflict, you can explore our in-depth analysis here:
👉 The Truth Behind the WordPress vs. WP Engine Debate.
This article dives deep into the key issues driving the debate between these two industry giants.
However, this was no ordinary fork. ACF, acquired by WP Engine in 2022, is one of WordPress’s most widely used plugins, boasting over 2 million users. The fork happened without creating a separate repository or plugin listing, with SCF directly replacing ACF in the WordPress Plugin Directory, a move that blurred the lines between a “fork” and what some are calling an “appropriation.”
Key changes included:
- Security updates: SCF introduced fixes for vulnerabilities in ACF.
- Removal of upsells: All references to ACF Pro and commercial upgrades were stripped out.
- Renaming: The plugin was rebranded as Secure Custom Fields, although traces of ACF remained.
Is SCF a True Fork?
Ownership and GPL Compliance
At the heart of the debate is whether SCF is truly a fork or merely an appropriation of ACF’s code. The GPL permits anyone to fork open-source code, but did WordPress modify its own copy of ACF or WP Engine’s copy?
If WordPress merely replaced ACF with SCF in the Plugin Directory without duplicating and independently modifying the code, this could raise legal questions. Forking traditionally involves duplicating the source code in a separate repository and making modifications to that version. Here, SCF seems to have taken over the existing ACF listing, which might blur the lines of GPL compliance. The original ACF code was still actively maintained by WP Engine, which adds another layer of complexity.
Trademark Issues
Another key question involves trademark infringement. ACF and Advanced Custom Fields are trademarks owned by WP Engine. Although SCF removed the ACF name from the plugin itself, references to “advanced-custom-fields” still appear in the URL and listing on WordPress.org.
Ethical Concerns Around Forking SCF
Beyond the legal aspects, the ethical implications of forking SCF are significant. The WordPress community operates on principles of collaboration and respect. Many developers feel that this fork undermines those values by stripping WP Engine of its rightful control over ACF, a plugin they invested in.
Forking a small, abandoned project is one thing, but forking one of the most popular plugins in the ecosystem is a different story. Some see this move as ethically dubious, especially since ACF’s owner was not involved in the decision.
This raises the question: should large, established plugins be treated differently when it comes to forking, even if the GPL allows it?
Commercial and Practical Implications
The SCF fork doesn’t just affect developers and users; it also has significant commercial implications for WP Engine. As the owner of ACF, WP Engine relied on the plugin for upsells and to engage with its vast user base. With SCF replacing ACF in the WordPress Plugin Directory, WP Engine stands to lose direct communication with users and potential revenue from ACF Pro.
For users, the sudden transition to SCF could lead to confusion. Some users may have their sites auto-updated to SCF without fully understanding the changes, especially if they were using ACF Pro. The removal of upsell options and potential compatibility issues could create frustration among developers relying on ACF’s advanced features.
Security Claims and Misleading Conduct
One of the central justifications for the fork was the need to improve ACF’s security. Automattic claimed that SCF would offer a more secure alternative. However, WP Engine had already patched the vulnerabilities in ACF before SCF was launched. The actual changes in SCF were minimal, which leads some to question whether security was the true motivation.
The claim that SCF was created for security reasons could be seen as misleading, especially if the underlying conflict between WP Engine and Automattic was more commercially driven.
Legal Risks for Automattic and WordPress.org
This fork opens the door to several potential legal risks for Automattic and WordPress.org:
- Copyright Infringement: If SCF isn’t a legitimate fork under the GPL, WP Engine could argue that its copyright in ACF’s code and plugin listing was infringed.
- Trademark Infringement: The continued use of ACF branding in SCF’s listing might constitute trademark infringement if it confuses users into thinking they are still using ACF.
- Misleading Conduct: Claims that ACF is less secure than SCF could lead to accusations of misleading conduct, particularly if the security differences are minimal.
Final thoughts
The ACF to SCF fork raises fundamental questions about the nature of forking, the GPL’s boundaries, and the ethics of open-source collaboration. While Automattic’s actions may technically fall within the bounds of the GPL, the legal and ethical implications are far from clear-cut.
This controversy highlights the need for careful consideration when forking major plugins in the WordPress ecosystem. As we await further developments, one thing is certain: this fork could have lasting effects on the way WordPress handles open-source forking in the future.