{"id":17956,"date":"2024-10-12T18:26:55","date_gmt":"2024-10-12T18:26:55","guid":{"rendered":"https:\/\/wordpress.org\/news\/?p=17956"},"modified":"2024-10-16T03:54:15","modified_gmt":"2024-10-16T03:54:15","slug":"secure-custom-fields","status":"publish","type":"post","link":"https:\/\/wordpress.org\/news\/2024\/10\/secure-custom-fields\/","title":{"rendered":"Secure Custom Fields"},"content":{"rendered":"\n<p>On behalf of the <a href=\"https:\/\/wordpress.org\/about\/security\/\">WordPress security team<\/a>,  I am announcing that we are invoking <a href=\"https:\/\/github.com\/wordpress\/wporg-plugin-guidelines\/blob\/trunk\/guideline-18.md\">point 18 of the plugin directory guidelines<\/a> and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.<\/p>\n\n\n\n<p>On October 3<sup>rd<\/sup>, the ACF team announced ACF plugin updates will come directly from their website. Sites that followed the ACF team&#8217;s instructions on \u201cHow to update ACF\u201d will continue to get updates directly from WP Engine.\u00a0On October 1<sup>st<\/sup>, 2024, WP Engine also deployed its own solution for updates and installations for plugins and themes across their customers\u2019 sites in place of\u00a0<a href=\"https:\/\/wordpress.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress.org<\/a>\u2019s update service.<\/p>\n\n\n\n<p>Sites that continue to use&nbsp;<a target=\"_blank\" href=\"https:\/\/wordpress.org\/\" rel=\"noreferrer noopener\">WordPress.org<\/a>\u2019s update service and have not chosen to switch to ACF updates from WP Engine can click to update to switch to Secure Custom Fields. Where sites have chosen to have plugin auto-updates from&nbsp;<a target=\"_blank\" href=\"https:\/\/wordpress.org\/\" rel=\"noreferrer noopener\">WordPress.org<\/a>&nbsp;enabled, this update process will auto-switch them from Advanced Custom Fields to Secure Custom Fields.<\/p>\n\n\n\n<p>This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.<\/p>\n\n\n\n<p>Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine&#8217;s legal attacks, we do not anticipate this happening for other plugins.<\/p>\n\n\n\n<p>WP Engine has <a href=\"https:\/\/www.advancedcustomfields.com\/blog\/installing-and-upgrading-to-the-latest-version-of-acf\/\">posted instructions for how to use their version of Advanced Custom Fields that uses their own update server<\/a>, so you have that option, though the WordPress Security Team does not recommend it until they fix the security issues. You can uninstall Advanced Custom Fields and <a href=\"https:\/\/wordpress.org\/plugins\/advanced-custom-fields\/\">activate Secure Custom Fields from the plugin directory<\/a> and be just fine.<\/p>\n\n\n\n<p>There is separate, but not directly related news that <a href=\"https:\/\/www.wpgraphql.com\/2024\/10\/07\/wpgraphql-becomes-a-canonical-plugin-my-move-to-automattic\">Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin<\/a>. We expect others will follow as well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem. On October 3rd, the ACF team announced [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"episode_type":"","audio_file":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","date_recorded":"","explicit":"","block":"","filesize_raw":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-17956","post","type-post","status-publish","format-standard","hentry","category-security"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pZhYe-4FC","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/17956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/comments?post=17956"}],"version-history":[{"count":10,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/17956\/revisions"}],"predecessor-version":[{"id":17990,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/17956\/revisions\/17990"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/media?parent=17956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/categories?post=17956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/tags?post=17956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}