This content originally appeared on dbushell.com and was authored by dbushell.com
Over the weekend Matt Mullenweg — creator and would-be destroyer of WordPress — has seemingly released malware upon two million innocent websites. Every WordPress website I have ever built may be a victim.
Malware?!
I’m talking about the Secure Custom Fields plugin. SCF is a WordPress plugin forked and renamed from the Advanced Custom Fields plugin. ACF had its plugin directory page commandeered by Mullenweg for SCF.
To make matters worse, as @Brugman on Twitter demonstrates, an attempt to update the ACF plugin within WordPress will unwittingly update to SCF without warning the user.

In the screenshots above from Tim Brugman’s video we can see the three stages of the plugin update process:
- User is informed “There is a new version of Advanced Custom Fields available”
- User clicks “update now” and gets an “Updated!” confirmation
- User reloads the page, the ACF plugin by WP Engine was changed to SCF by WordPress.org
This is not the same plugin, codebase, nor the same author.
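One way to catch a swap like this is to compare the plugin's header comment before and after an update. The sketch below is an added example, not code from the original post or from WordPress: it parses the standard header fields from a plugin's main file and reports any identity field that changed. The regex is a simplified approximation of WordPress's header parsing, and both sample headers, including their version numbers, are constructed.

```python
import re

# Header fields that identify who a plugin is and who ships it.
IDENTITY_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI")
# Simplified approximation of how WordPress reads "Key: value" header lines.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(?P<key>[A-Za-z ]+?):[ \t]*(?P<value>.+?)[ \t]*(?:\*/)?[ \t]*$",
    re.M,
)

# Constructed sample headers; version numbers are placeholders.
BEFORE = """<?php
/**
 * Plugin Name: Advanced Custom Fields
 * Version: 1.0.0
 * Author: WP Engine
 */
"""
AFTER = """<?php
/**
 * Plugin Name: Secure Custom Fields
 * Version: 1.0.1
 * Author: WordPress.org
 */
"""

def parse_plugin_header(source: str) -> dict:
    """Return known header fields from the top 8 KiB of a plugin's main file."""
    fields = {}
    for m in HEADER_RE.finditer(source[:8192]):
        key = m.group("key").strip()
        if key in IDENTITY_FIELDS + ("Version",) and key not in fields:
            fields[key] = m.group("value").strip()
    return fields

def identity_changes(before: str, after: str) -> dict:
    """Map each identity field that differs to its (old, new) pair."""
    old, new = parse_plugin_header(before), parse_plugin_header(after)
    return {f: (old.get(f), new.get(f))
            for f in IDENTITY_FIELDS if old.get(f) != new.get(f)}

if __name__ == "__main__":
    # A version bump alone yields {}; a change of name or author is flagged.
    for field, (was, now) in identity_changes(BEFORE, AFTER).items():
        print(f"IDENTITY CHANGE {field}: {was!r} -> {now!r}")
```

Run against a staged copy of the update before it reaches production, a non-empty result is the signal to stop and review the change by hand.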
In any other situation this would be considered a malware or supply chain attack. Does Mullenweg get a free pass? This was proudly orchestrated by him:
Sites that continue to use WordPress.org’s update service and have not chosen to switch to ACF updates from WP Engine can click to update to switch to Secure Custom Fields. Where sites have chosen to have plugin auto-updates from WordPress.org enabled, this update process will auto-switch them from Advanced Custom Fields to Secure Custom Fields.
Let’s make one thing clear. No site has “chosen” to use WordPress.org’s update service. It’s the default option. It’s the only option for 99% of plugin updates. Mullenweg’s disingenuity is off the charts here.
Why did this happen?
This is Mullenweg’s latest underhanded tactic in his battle against WP Engine. WP Engine provides WordPress hosting. Mullenweg claims they have violated WordPress trademarks.
That should not be a matter of concern for me or any WordPress developer or website owner. However, during and since WordCamp US 2024 in mid-September, Mullenweg has gone “nuclear” — his own word. The fallout has already put thousands of websites at risk.
Mullenweg’s continued actions truly beggar belief. I would recommend reading “If WordPress is to survive, Matt Mullenweg must be removed” by Josh Collinsworth, and listening to ShopTalk Show #636 to catch up on this drama. Alternatively, visit:
Mullenweg.wtf
I have created a new website mullenweg.wtf to chronicle the drama that is now escalating on an almost daily basis. An RSS feed is available.
As someone who has developed WordPress themes and plugins for over a decade I fear it is becoming a professional liability to continue doing so. How do I explain to clients that the creator-turned-dictator of WordPress is playing games with their website at stake?
The “security” aspect of SCF is such an obvious smokescreen. In his meltdown over WP Engine, Mullenweg has destroyed all trust in WordPress.org’s plugin directory. Remember, this is the de facto built-in WordPress plugin source that Mullenweg has abused in an unprecedented way. All because of a petty personal obsession.
There is one narrative that is becoming exceedingly clear; very few agree with Mullenweg’s bizarre behaviour. Most agree he is doing irreversible damage and website owners have become collateral damage.
Do us a favour Matt: relinquish control of WordPress before you destroy it.

dbushell.com | Sciencx (2024-10-14T10:00:00+00:00) Matt’s Malware. Retrieved from https://www.scien.cx/2024/10/14/matts-malware/