Note this is a modified slightly version of an email sent to all my existing retainer clients and past site review clients.
On Saturday, 12th October 2024, the WordPress.org user account, known as ‘wordpressdotorg’, unilaterally took control of the Advanced Custom Fields (ACF) plugin slug on wordpress.org and pushed an update.
This update:
- Renamed Advanced Custom Fields to Secure Custom Fields (SCF)
- Modified the plugin’s branding
- Removed WP Engine’s branding from view, altering code related to WP Engine service offerings.
To clarify, wordpressdotorg is a legitimate admin account within the WordPress.org infrastructure.
Shortly after this occurred, wordpress.org published a post about the change: Secure Custom Fields Announcement
Unfortunately, some of the links in the post lead to 404 errors at the moment.
The ACF team, issued a response, which you can read here: ACF Blog Update
What does this mean for you?
If you’re using ACF Pro, there’s no need to update this post is just for your awareness.
If you host on WP Engine, this change hasn’t impacted you, as they’ve been maintaining a mirror of the plugins repository.
However, if you have automatic updates enabled, you might have noticed a surprise: ACF has already been replaced with Secure Custom Fields (SCF).
For those of you who manually update, the version of ACF provided by WP Engine is still available for download directly from them. An update will show as being available for ACF in your wp-admin area, manually updating using this will result in you being upgraded to SCF.
To keep the ACF version from WP Engine
In both cases, you’ll need to manually update to the latest version of the plugin. To assist you, here are some quick instructions: Upgrading ACF using WP Engine repository.
For command line users:
Run the following command to install the latest version of ACF directly:
wp plugin install https://www.advancedcustomfields.com/latest/ --force
This will install and override the existing plugin. You only need to do this once; future updates from WP Engine will happen automatically/Be shown as available.
ACF vs SCF: Which one should you use?
It’s important to note that Secure Custom Fields is no more secure than ACF. The security patch to fix a vulnerability found by Automattic last week was already applied by the WP Engine team prior to this incident, shared with the WordPress Security Team who had ALREADY patched ACF on wordpress.org.
In the short term, neither party is likely to make drastic changes to avoid disrupting users.
However, development at WP Engine may have slowed temporarily due to these events. For now, I would recommend sticking with the ACF version provided by WP Engine, it’s likely to be more stable and to receive timely security updates. Given that “security” is being used as part of a larger campaign, I would not be shocked if more small vulnerabilities are disclosed with patches applied to the WordPress.org SCF.
I will review each vulnerability report for both ACF and SCF. If my findings, or the community’s, differ from the official reports, I will notify my clients. This will unfortunately I fear get messy for a while. I do remain confident that ACF will be maintained and managed.
Moving Forward
At this stage, the future of these plugins remains uncertain. Both Automattic (owners of WordPress.com) and Matt Mullenweg (owner of wordpress.org site) are named parties in a legal dispute with WP Engine, and it’s unclear what long-term effects this will have.
If you have any questions, I’ll do my best to answer them, though I may not have all the answers right now.