SCF vs. ACF: Why WordPress Forked Advanced Custom Fields

Quick Summary:

In this blog, we’ll explore the recent controversy between WP Engine, WordPress, and more recently, the ACF plugin. We’ll also discuss the history of Advanced Custom Fields (ACF) and the newly created Secure Custom Fields (SCF), discussing why this fork happened and how it may affect developers and users alike. Additionally, we’ll highlight the main differences between SCF and ACF and answer some common questions to help you understand these changes better.

WP Engine vs WordPress Controversy

The ongoing controversy between WP Engine and WordPress has grabbed the attention of many in the WordPress community. It all started when Automattic, the company that owns WordPress, got into a legal fight with WP Engine, a well-known WordPress hosting provider.

At the heart of the conflict is WP Engine’s claim that Automattic has been unfairly managing some trademark rights tied to WordPress. They accuse Automattic of acting like a monopoly, saying they’ve been blocked from key updates on WordPress.org. In response, Automattic, led by Matt Mullenweg, has denied these claims, arguing that WP Engine’s actions could put their customers at risk and labeling the lawsuit as “meritless.”

Things heated up when Automattic temporarily cut off WP Engine’s access to essential plugin and theme updates. Many see this as a risky decision. If the situation continues, WP Engine users might face significant difficulties in keeping their websites running smoothly. This has raised concerns about the overall impact on the WordPress ecosystem, especially since both Automattic and WP Engine are crucial players in developing WordPress.

The recent forking of the popular Advanced Custom Fields (ACF) plugin into a new version called SCF (Secure Custom Fields) has sent shockwaves through the WordPress community. This development is just one of many consequences stemming from the ongoing legal conflict between WordPress.org and WP Engine, two significant players in the WordPress ecosystem.

For now, users and developers are caught in the middle, trying to figure out whether they should continue using ACF (now only available directly from WP Engine) or switch to SCF. Currently, it’s unclear how this will impact the WordPress ecosystem moving forward.

History of Advanced Custom Fields (ACF)

Advanced Custom Fields (ACF) is one of the most popular plugins for WordPress, used by over 2 million websites. Originally created by Elliot Condon in 2011, ACF allowed users to add custom fields to WordPress posts, pages, and custom post types without needing complex coding skills. Over the years, ACF has become essential for developers, enabling them to create dynamic websites with ease. Over time, ACF grew into one of the most popular WordPress plugins due to its flexibility and ease of use.

In 2022, WP Engine acquired ACF, continuing its development and adding features through ACF PRO, a premium version of the plugin.

Why WordPress Forked ACF to Create SCF

On October 12, 2024, WordPress co-founder Matt Mullenweg officially announced the forking of the popular Advanced Custom Fields (ACF) plugin into a new plugin called Secure Custom Fields (SCF). The decision came after WordPress’ security team raised concerns over ACF’s handling of commercial upsells and potential security vulnerabilities.

In his statement, Mullenweg explained “On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.”

By forking ACF, WordPress has stripped out commercial upsells found in ACF Pro and introduced security enhancements that address a vulnerability where unfiltered data was being handled unsafely.

This action raised significant debate within the developer community. While some welcomed the enhanced security and clarity, others who relied on ACF Pro’s advanced features (like repeater fields) were left questioning how this change might impact their workflow and compatibility with other tools moving forward.

Impact on Developers and Users

The fork of ACF into Secure Custom Fields (SCF) has raised some concerns for developers and users, especially those who rely on ACF PRO’s premium features. 

• Compatibility Issues: The fork might cause compatibility issues with themes or plugins that were built specifically around ACF PRO’s advanced features. Developers might need to spend extra time ensuring their websites continue to function properly with SCF or explore alternatives.
• Learning Curve: For users who have been familiar with ACF for years, adjusting to SCF might involve a learning curve, especially in terms of missing features and differences in plugin management.
• Custom Field Migration: Developers using ACF may need to consider how custom fields will migrate or adapt if they choose to switch to SCF, particularly if they rely on ACF’s PRO functionalities like flexible content fields or repeater fields.
• Project Dependencies: Agencies or businesses that have built entire workflows around ACF may face challenges in deciding whether to migrate to SCF or stick with WP Engine’s ACF. The decision could impact future maintenance and project scalability.
• Support and Community Backing: Developers and users may have concerns about the level of community support and resources for SCF, especially in comparison to the well-established ACF community and documentation.
• Potential Security Benefits: SCF was created with security enhancements, addressing vulnerabilities found in ACF. Developers who prioritize security over advanced functionality may prefer SCF for this reason.
• Plugin Ecosystem Fragmentation: The split between SCF and ACF could fragment the plugin ecosystem, causing some confusion over which plugin to choose for certain projects and leading to compatibility issues with other plugins that integrate with ACF.
• Monetary Considerations: Developers and agencies relying on ACF PRO’s paid features may need to factor in additional costs or reconfigure their workflow to accommodate SCF’s free but more limited toolset.
• Client Confusion: For agencies managing multiple WordPress clients, explaining the fork and its implications may become an added layer of complexity in client communication and management.
• Maintenance Overhead: Switching from ACF to SCF, or vice versa, could introduce more maintenance tasks, as developers will need to stay on top of updates from two different sources (WordPress for SCF and WP Engine for ACF).

Discover More: Why a Custom WordPress Theme Is Better for Your Business

SCF vs. ACF: Key Differences

Here’s a simplified version of the SCF vs. ACF comparison:

The Road Ahead

For now, it’s difficult to predict how this conflict will be resolved. Both WordPress.org and WP Engine play critical roles in the WordPress ecosystem, and each has its own vision for the future of the platform. Users may need to weigh the benefits of each approach—whether to support WordPress’s SCF fork or to continue using WP Engine’s version of ACF, which may offer unique advantages for some users within its ecosystem.

For those involved in WordPress development, this conflict could have significant implications. Developers relying on Advanced Custom Fields (ACF) may need to assess which version aligns better with their long-term projects, keeping in mind compatibility and feature updates that can impact customizations and site performance.

Ultimately, WordPress users and developers should stay informed as this situation evolves. Keeping a close eye on the legal proceedings, plugin updates, and community developments will help ensure that their websites remain stable, secure, and aligned with the future direction of WordPress development.

FAQs

Is SCF replacing ACF completely?

No, SCF is just a version of ACF created by WordPress. ACF isn’t completely gone, you can still get it from WP Engine, though it’s no longer available in the official WordPress plugin directory.

Is it safe to switch from ACF to SCF?

Yes, SCF has fixed some security issues that ACF had, so it’s safe to switch if you’re using the free version of ACF.

What if I’m using ACF PRO? Can I switch to SCF?

If you use ACF PRO (the paid version), you’ll miss out on its extra features if you switch to SCF. If you need those features, you should stick with ACF PRO from WP Engine.

Can I still download ACF from WordPress.org?

No, ACF has been removed from the WordPress repository, but you can still download it from WP Engine’s website.

Is there a way to get ACF updates?

Yes, WP Engine provides ACF on their site, and you can keep getting updates and support from there.

Is Secure Custom Fields really safer, as WordPress says?

Yes, SCF was created to fix some security problems in ACF, so it’s safer for users, especially regarding how data is handled.

Will this change affect me as a user in terms of features or legal issues?

If you only use the free version of ACF, the switch to SCF won’t change much in terms of features. But if you rely on ACF PRO’s advanced features, you might notice the difference. Legally, there’s no major concern for users.

WordPress

Krunal Bhimajiyani

Software Engineer