Protect Personalized Data Fields


WordPress Security Update: Transition from Advanced Custom Fields to Secure Custom Fields

In a significant move that affects many WordPress users, the WordPress security team has announced a major change regarding the Advanced Custom Fields (ACF) plugin. The team has decided to create a fork of ACF, giving rise to a new plugin named Secure Custom Fields (SCF). This strategic decision aligns with the enforcement of point 18 of the plugin directory guidelines, emphasizing the need to address security concerns and eliminate commercial upsells within plugins hosted on WordPress.org.

ACF has long been a popular plugin among WordPress developers and users due to its ability to enhance the flexibility of custom fields. However, recent developments necessitated this transition. On October 3rd, the ACF development team declared that future updates for the ACF plugin would be available exclusively through their website. This announcement was also communicated through a support notice on the WordPress.org support forum on October 5th.

Shift in Update Sources

The announcement by the ACF team marks a critical shift in how updates will be managed. Users who have been following the ACF team’s guidance on updating the plugin will continue receiving updates directly from WP Engine. On October 1st, 2024, WP Engine, a prominent hosting service provider, rolled out its own solution for managing updates and installations of plugins and themes across its customers’ websites. This move effectively bypasses the traditional update service provided by WordPress.org.

For sites that have opted to continue using WordPress.org’s update service and have not migrated to receive updates from WP Engine, there is now an option to switch to Secure Custom Fields. This process is streamlined for those who have enabled auto-updates via WordPress.org, as the update mechanism will automatically transition them from Advanced Custom Fields to Secure Custom Fields.

Addressing Security Concerns

The primary motivation behind this update is to address a security vulnerability identified in the ACF plugin. The alterations made in Secure Custom Fields are minimal, focusing solely on resolving this security issue. Importantly, Secure Custom Fields is now a non-commercial plugin. Developers interested in contributing to its maintenance and future enhancements are encouraged to reach out and participate in its development.

Such an extensive shift is not without precedent, but it remains a rare occurrence. The impetus for this change stems from legal disputes involving WP Engine, which have necessitated this unusual course of action. The WordPress security team does not anticipate similar actions being required for other plugins in the future.

WP Engine’s Role and Recommendations

WP Engine has provided detailed instructions on how to use their version of Advanced Custom Fields, which employs their proprietary update server. While this option is available, the WordPress security team advises users against relying on it until the existing security issues are fully resolved. Users are encouraged to uninstall Advanced Custom Fields and activate Secure Custom Fields from the plugin directory to ensure optimal security.

In related news, Jason Bahl, a key figure at WP Engine, has departed the company to join Automattic. He announced that WPGraphQL, a tool he has been closely associated with, will become a canonical community plugin. This development may signal further changes within WP Engine, with potential shifts in personnel contributing to the broader WordPress ecosystem.

Conclusion

The transition from Advanced Custom Fields to Secure Custom Fields marks a pivotal moment in the WordPress community. This change underscores the importance of maintaining robust security standards while ensuring that plugins remain accessible and non-commercial for the wider community. As the WordPress ecosystem continues to evolve, users and developers alike must remain vigilant and proactive in adapting to such changes, ensuring that their websites remain secure and efficient.

For those interested in further information or updates, the WordPress security team encourages engagement with the new Secure Custom Fields plugin and welcomes contributions from the development community. As always, maintaining an open line of communication and collaboration is crucial for the continued success and security of the WordPress platform.

For more information, refer to this article.

Neil S
Neil is a highly qualified Technical Writer with an M.Sc(IT) degree and an impressive range of IT and Support certifications including MCSE, CCNA, ACA(Adobe Certified Associates), and PG Dip (IT). With over 10 years of hands-on experience as an IT support engineer across Windows, Mac, iOS, and Linux Server platforms, Neil possesses the expertise to create comprehensive and user-friendly documentation that simplifies complex technical concepts for a wide audience.