from Hacker News

ACF has been hijacked

by GavinAnderegg on 10/13/24, 3:05 AM with 80 comments

  • by ChrisArchitect on 10/13/24, 6:02 AM

  • by whalesalad on 10/13/24, 5:59 AM

    I was heavily involved with Wordpress from about 2006 to 2012. I made it do things it was never designed to do before a lot of plugins like this existed. It was garbage then and it’s still garbage now. I stopped using it primarily because I saw what a cluster fuck the internals were and how out of control the plugin upsell ecosystem became. There were inklings of this behavior from the supreme leader too, like believing theme sales were antithetical to the entire point of WP. So I jumped ship with a real bad taste in my mouth and never looked back. I’ve tried it a handful of times over the years and it still looks like the same turd with a few more layers of polish. Still won’t scale out of the box without caching plugins.

    The irony of this entire situation is Matt didn’t even make Wordpress. It was forked from a blogging engine called b2. How’s that expression go? You either die a hero, or live long enough to see yourself become the villain.

  • by cranium on 10/13/24, 5:19 AM

    What an ego trip... now I'll definitely stop considering WordPress, even if it perfectly fills the use-case (mine or client's).

    I know it was frustrating for Automattic to see WPEngine as a leecher, but to be this hostile and volatile does not inspire confidence. What if you had a WP instance hosted by Automattic and said something the leadership does not approve? Will you get banned with no way of recovering your website? (Ghost had a similar story.)

  • by ookblah on 10/13/24, 5:08 AM

    he must be having a legit mental breakdown. i do not understand any of these decisions done so haphazardly with no regard to users or their current situation, even if that was the direction they were moving. basically, telegraphing that he will personally go out and fuck up your day if you cross him. pettiness to the nth degree right here.

  • by gwerbret on 10/13/24, 5:31 AM

    Aside: each and every post about Wordpress on HN over the past couple of days has been downweighted basically to oblivion (I expect this one to vanish from anywhere near the front page very soon). Is there a reason for this? The topic is rapidly evolving and is relevant to the HN community.

  • by binary_slinger on 10/13/24, 5:19 AM

    > If you use WordPress for a living, I recommend strongly that you consider changing platforms.

    I initially thought this as well. There are alternatives but unless those alternatives are 100% API compatible with WP plugins and themes nothing is going to happen. Wordpress users and devs will continue to use WP. business as usual. Matt knows this.

  • by gnabgib on 10/13/24, 3:15 AM

    Ongoing discussion (289 points, 8 hours ago, 125 comments) https://news.ycombinator.com/item?id=41821400

  • by butterfly42069 on 10/13/24, 4:59 AM

    Every day that goes by I'm more satisfied with my decision a week ago to migrate everything I have/am building off of WordPress.

    Matt, if you read this...

    :(

  • by mastazi on 10/13/24, 5:39 AM

    I hope Matt can get better but in the meantime, the community needs to fork. In the same way that LibreOffice forked from OpenOffice. Otherwise the blogosphere is just going to adopt one of the competing platforms and many of them (at least many of the "user friendly" ones) are not open source.

  • by hyperbrainer on 10/13/24, 5:32 AM

    What kind of lawyer would let this happen in the middle of a lawsuit? I know lawyers do not control their clients, but this is ineffable. Even common sense should know better.

  • by bigiain on 10/13/24, 5:34 AM

    "If they’re willing to do this, I wouldn’t trust any plugins hosted on WordPress.org."

    Yep yep yep.

    Jesus Fuck Matt, put down the crackpipe and open the window. You are _totally_ out of control here.

    I am 100% going to start another much more urgent discussion at work on Monday about how we remove all risk of relying on anything from Automattic, wordpress.org, or The WordPress foundation. This will include opening a discussion with WPEngine (where we host about two dozen internal and customer sites) about what their short/medium/long-term plans are and what sort of guarantee they are planning to provide about updates and security fixes to the plugins and themes we rely on. It will include an internal discussion of whether we owe it to all our clients running WP to inform them of this stupid stupid drama and the risks it represents and what we are doing to mitigate them. It will also include a very serious discussion about a million dollar government RFQ we submitted last month for a project that has a plan to use WP for the public facing website component.

  • by ds on 10/13/24, 5:11 AM

    I talked at length with theo about this here if anyone wants a catch up from the very start https://youtu.be/u-KCKEWMt-Q?t=774

    Cliffnotes: This is an absolutely insane situation but matt has come out looking insanely bad imo.

  • by hakanderyal on 10/13/24, 6:26 AM

    As the saying goes, half the internet runs on Wordpress. Aside from a nuclear incident like an auto upgrade that permanently breaks all of the sites, it'll continue to be used.

    Maybe Matt is counting on this?

  • by benatkin on 10/13/24, 6:20 AM

    > If they’re willing to do this, I wouldn’t trust any plugins hosted on WordPress.org.

    I wouldn't be surprised if the original author of ACF trusts WordPress more. His last commit was more than 3 years ago and he hasn't shown up on X to defend WP Engine. https://github.com/AdvancedCustomFields/acf/commits?author=e...

  • by CiPHPerCoder on 10/13/24, 6:32 AM

    I'd been staying out of this conflict, partly because I'm not really in the know on WP Engine's behavior behind-the-scenes and, as weird as Mullenweg's plays have been, I don't like to comment on things I'm not fully read into.

    But, this touches on a particular hobby horse of mine. It involves some old conflicts too, but I don't want to ruminate on them.

    From about 2016 to 2019, I was heavily involved with trying to remedy what I considered an existential threat to the Internet: WordPress's auto-updater.

    https://core.trac.wordpress.org/ticket/25052 + https://core.trac.wordpress.org/ticket/39309

    If that sounds alarming, consider the enormity of WordPress's market share. Millions of websites. W3Techs estimates it powers about 43% of websites whose server-side stack is detectable. At the time, it was a mere 33%.

    https://w3techs.com/technologies/overview/content_management

    For the longest time, the auto-updater would pull an update file from WordPress.org, and then install it. There was no code-signing of any form until I got involved. So if you pop one server, you get access to potentially millions.

    Now imagine all of those webservers conscripted into a DDoS botnet.

    Thus, existential threat to the Internet.

    Eventually, we solved the immediate risk and then got into discussing the long tail of getting theme and plugin updates signed too.

    https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-...

    https://core.trac.wordpress.org/ticket/49200

    You can read my ideas to solve this problem for WordPress (and the PHP ecosystem at large) here: https://gossamer.tools

    Here's the part that delves into old drama: Mullenweg was so uncooperative that I wrote a critical piece called #StopMullware (a pun on "malware") due to his resistance to even commit to solving the damn problem. On my end, I reimplemented all of libsodium in pure PHP (and supported all the way back to 5.2.4 just to cater to WordPress's obsession with backwards compatibility to the lowest common denominator), and just needed them to be willing to review and accept patches. Even though I was shouldering as much of the work as I logically could, that wasn't enough for Matt. After he responded to my criticism, I took it down, since he committed in writing to actually solving the problem. (You can read his response at https://medium.com/@photomatt/wordpress-and-update-signing-5... if you care to.)

    The reason I'm bringing this old conflict up isn't to reopen old wounds. It's that this specific tactic that Mullenweg employed would have been mitigated by solving the supply chain risk that I was so incandescent about in 2016.

    (If you read my proposals from that era, you'll notice that I cared a lot about the developers controlling their keys, not WordPress.)

    I don't keep up-to-date on Internet drama, so maybe someone already raised this point elsewhere. I just find it remarkable that the unappreciated work for WordPress/PHP I did over the years is relevant to Mullenweg's current clusterfuck. Incredible.

    Since my knowledge on the background noise that preceded this public conflict is pretty much nil, I have no reason to believe WP Engine holds any sort of moral high ground. And I don't really care either way.

    Rather, I'd like to extend an open invitation: If anyone is serious about leading the community to fork off WordPress, as I've heard in recent weeks, I'm happy to talk at length about my ideas for security enhancements and technical debt collection. If nothing else comes of this, I'd like to minimize the amount of pain experienced by the community built around WordPress, even if its leadership is frustrating and selfish.
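The comment above describes an update channel where the site simply fetched a file from the registry and installed it, and argues that signatures under keys the developers themselves control would have blunted a registry-side plugin swap. The following is an added illustration of that design, written for this page rather than taken from the commenter, WordPress, or the Gossamer proposal: it uses Go's standard-library Ed25519 rather than the PHP libsodium port the comment mentions, and the manifest format, plugin slugs, version strings and archive contents are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what an update server hands out next to the plugin archive
// (constructed format for this example). The developer signs its canonical
// encoding, so the signature binds slug and version as well as the digest.
type Manifest struct {
	Slug    string
	Version string
	Sha256  string // hex SHA-256 of the archive bytes
}

// canonical is the exact byte string that is signed and later verified.
func (m Manifest) canonical() []byte {
	return []byte("slug=" + m.Slug + "\nversion=" + m.Version + "\nsha256=" + m.Sha256 + "\n")
}

// SignedUpdate is the bundle a site downloads: manifest, detached signature, archive.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Archive   []byte
}

var (
	ErrWrongSlug    = errors.New("manifest names a different plugin")
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned developer key")
	ErrHashMismatch = errors.New("archive digest differs from the signed manifest")
)

// BuildUpdate runs on the developer's side at release time, with a private
// key the registry never holds.
func BuildUpdate(dev ed25519.PrivateKey, slug, version string, archive []byte) SignedUpdate {
	sum := sha256.Sum256(archive)
	m := Manifest{Slug: slug, Version: version, Sha256: hex.EncodeToString(sum[:])}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(dev, m.canonical()), Archive: archive}
}

// VerifyUpdate runs on the site before anything is unpacked. The signature is
// checked first so that the digest being compared against is itself trusted.
func VerifyUpdate(pinned ed25519.PublicKey, expectedSlug string, u SignedUpdate) error {
	if u.Manifest.Slug != expectedSlug {
		return ErrWrongSlug
	}
	if !ed25519.Verify(pinned, u.Manifest.canonical(), u.Signature) {
		return ErrBadSignature
	}
	want, err := hex.DecodeString(u.Manifest.Sha256)
	if err != nil {
		return ErrHashMismatch
	}
	got := sha256.Sum256(u.Archive)
	if !bytes.Equal(got[:], want) {
		return ErrHashMismatch
	}
	return nil
}

// ScenarioResult holds the verifier's verdict for each constructed case.
type ScenarioResult struct {
	Legit, Tampered, Resigned, WrongSlug error
}

// RunScenario plays out four cases with constructed data: a genuine release,
// a registry that swaps the archive behind an unchanged manifest, a registry
// that re-signs a replacement with its own key, and a manifest for another plugin.
func RunScenario() ScenarioResult {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, registryPriv, err := ed25519.GenerateKey(rand.Reader) // a key the developer does not control
	if err != nil {
		panic(err)
	}
	const slug = "example-plugin" // constructed name, not a real plugin
	original := []byte("<?php // constructed stand-in for the real plugin archive\n")
	replacement := []byte("<?php // constructed stand-in for a substituted archive\n")

	legit := BuildUpdate(devPriv, slug, "1.2.3", original)
	swapped := legit // same signed manifest, different bytes behind it
	swapped.Archive = replacement
	resigned := BuildUpdate(registryPriv, slug, "1.2.4", replacement)
	other := BuildUpdate(devPriv, "other-plugin", "1.2.3", original)

	return ScenarioResult{
		Legit:     VerifyUpdate(devPub, slug, legit),
		Tampered:  VerifyUpdate(devPub, slug, swapped),
		Resigned:  VerifyUpdate(devPub, slug, resigned),
		WrongSlug: VerifyUpdate(devPub, slug, other),
	}
}

func main() {
	r := RunScenario()
	fmt.Println("genuine release:      ", r.Legit)
	fmt.Println("swapped archive:      ", r.Tampered)
	fmt.Println("re-signed replacement:", r.Resigned)
	fmt.Println("wrong plugin slug:    ", r.WrongSlug)
}
```

The site pins the developer's public key (obtained out of band or on first install), so an archive substituted by whoever controls the registry fails either the digest check or, if the registry re-signs it with its own key, the signature check. Key distribution, revocation and rotation are the hard parts the comment's linked proposals go into; this block only shows the verification step itself.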

  • by balls187 on 10/13/24, 6:20 AM

    I’m sure this was covered in a comment on another thread—how is Mullenweg’s behavior different than other OSS projects wanting compensation when their work is monetized, especially from large well funded companies?

  • by niobe on 10/13/24, 5:57 AM

    And we get yet another case study in how ego destroys value

  • by analcryptok on 10/13/24, 5:51 AM

    Currently, there are lots of applications that bring winnings in the form of prizes, so always be careful, sometimes applications like that should not be installed immediately.

  • by outsomnia on 10/13/24, 5:47 AM

    Sorry, this is a GPL plugin to stuff already maintained by Automattic?

    It's not like users aren't already updating to whatever Automattic want to give them, in the core, if that's the case? Automattic producing the same plugin and delivering it the same as the core doesn't sound like much of a change, since users already trusted Automattic for the core either way...