Advisory: Advanced Custom Fields changes

Action may be required for some users

Note: this is a slightly modified version of an email sent to all my existing retainer clients and past site review clients.

On Saturday, 12th October 2024, the WordPress.org user account known as ‘wordpressdotorg’ unilaterally took control of the Advanced Custom Fields (ACF) plugin slug on wordpress.org and pushed an update.

This update:

  • Renamed Advanced Custom Fields to Secure Custom Fields (SCF)
  • Modified the plugin’s branding
  • Removed WP Engine’s branding from view, altering code related to WP Engine service offerings.

To clarify, wordpressdotorg is a legitimate admin account within the WordPress.org infrastructure.

Shortly after this occurred, wordpress.org published a post about the change: Secure Custom Fields Announcement

Unfortunately, some of the links in the post lead to 404 errors at the moment.

The ACF team issued a response, which you can read here: ACF Blog Update

What does this mean for you?

If you’re using ACF Pro, there’s no need to update; this post is just for your awareness.

If you host on WP Engine, this change hasn’t impacted you, as they’ve been maintaining a mirror of the plugins repository.

However, if you have automatic updates enabled, you might have noticed a surprise: ACF has already been replaced with Secure Custom Fields (SCF).

For those of you who update manually, the version of ACF provided by WP Engine is still available for download directly from them. An update will show as available for ACF in your wp-admin area; applying that update will upgrade you to SCF.

To keep the ACF version from WP Engine

In both cases, you’ll need to manually update to the latest version of the plugin. To assist you, here are some quick instructions: Upgrading ACF using the WP Engine repository.

For command line users:
Run the following command to install the latest version of ACF directly:

wp plugin install https://www.advancedcustomfields.com/latest/ --force

This will install the plugin from WP Engine and override the existing copy. You only need to do this once; future updates from WP Engine will then be applied automatically, or shown as available if you update manually.
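Because the replacement happened under the same plugin slug, the quickest way to tell which variant a site is running is to read the Plugin Name header of the plugin’s main file, which is exactly what WordPress does. The script below is an added example, not part of the original email or of either plugin; it assumes the standard layout wp-content/plugins/advanced-custom-fields/acf.php and that the renamed plugin reports “Secure Custom Fields” in that header, as the renaming described above implies.

```shell
#!/bin/sh
# Added example: classify the plugin installed under the ACF slug as WP Engine's
# ACF or wordpress.org's SCF by parsing its WordPress plugin header, then emit
# the restore command from the advisory when SCF is found. File layout and the
# "Secure Custom Fields" header value are assumptions (see lead-in).

# Print "acf", "scf" or "unknown" for the plugin main file given as $1.
detect_acf_variant() {
    plugin_file="$1"
    [ -f "$plugin_file" ] || { echo "unknown"; return 0; }
    # WordPress reads file headers from the first 8 KiB; do the same and
    # pull the value after "Plugin Name:" from the PHP doc-comment block.
    name=$(head -c 8192 "$plugin_file" \
        | sed -n 's/^[[:space:]*]*Plugin Name:[[:space:]]*//p' \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
    case "$name" in
        "Secure Custom Fields"*)   echo "scf" ;;
        "Advanced Custom Fields"*) echo "acf" ;;
        *)                         echo "unknown" ;;
    esac
}

# For a WordPress root at $1: print the wp-cli command from the advisory if the
# site has been switched to SCF, "keep" if it still runs ACF, else "not-installed".
acf_action_for_site() {
    variant=$(detect_acf_variant "$1/wp-content/plugins/advanced-custom-fields/acf.php")
    case "$variant" in
        scf) echo "wp plugin install https://www.advancedcustomfields.com/latest/ --force --path=$1" ;;
        acf) echo "keep" ;;
        *)   echo "not-installed" ;;
    esac
}

# Write a constructed plugin main file with the given Plugin Name header under
# site root $1, so the check can be exercised without a live install.
make_sample_plugin() {
    dir="$1/wp-content/plugins/advanced-custom-fields"
    mkdir -p "$dir"
    printf '<?php\n/**\n * Plugin Name: %s\n * Plugin URI: https://example.invalid/\n */\n' "$2" > "$dir/acf.php"
}

# Demo on a constructed site, not a real install.
demo_root=$(mktemp -d)
make_sample_plugin "$demo_root" "Secure Custom Fields"
acf_action_for_site "$demo_root"
rm -rf "$demo_root"
```

On a real site, point acf_action_for_site at the WordPress root and run the printed command only after confirming it matches the one given above.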

ACF vs SCF: Which one should you use?

It’s important to note that Secure Custom Fields is no more secure than ACF. The patch for the vulnerability Automattic found last week had already been applied by the WP Engine team before this incident and shared with the WordPress Security Team, who had ALREADY patched ACF on wordpress.org.

In the short term, neither party is likely to make drastic changes to avoid disrupting users.

However, development at WP Engine may have slowed temporarily due to these events. For now, I would recommend sticking with the ACF version provided by WP Engine, as it’s likely to be more stable and to receive timely security updates. Given that “security” is being used as part of a larger campaign, I would not be shocked if more small vulnerabilities are disclosed, with patches applied to the WordPress.org SCF.

I will review each vulnerability report for both ACF and SCF. If my findings, or the community’s, differ from the official reports, I will notify my clients. I fear this will unfortunately get messy for a while, but I remain confident that ACF will be maintained and managed.

Moving Forward

At this stage, the future of these plugins remains uncertain. Both Automattic (owners of WordPress.com) and Matt Mullenweg (owner of the wordpress.org site) are named parties in a legal dispute with WP Engine, and it’s unclear what long-term effects this will have.

If you have any questions, I’ll do my best to answer them, though I may not have all the answers right now.
