
Impact of WPEngine’s Ban on ACF Plugin

When WP Engine was blocked from accessing WordPress.org, users were left wondering what the future holds for ACF (Advanced Custom Fields) and how this ban will impact their sites moving forward.

ACF Blocked from WordPress.org

On October 03, 2024, ACF (Advanced Custom Fields) announced via X that “The ACF team has been blocked from accessing WordPress dot org and are unable to release updates for the free version of ACF.” 

WP Engine, the owners of the ACF plugin, were earlier banned from accessing WordPress.org, which prevented the ACF team from deploying updates to the free version hosted on the platform. As a result, users were unable to automatically update ACF to newer versions. To help users, the ACF team shared a guide to manually update to the latest version of the plugin.

Customers of WP Engine or Flywheel, however, could still receive automatic updates for the free version. The ACF team assured users that “Recent events do not impact customers of ACF PRO. All updates of ACF PRO will continue to be served from advancedcustomfields.com and no action is required.”

They also noted, “While there are no pending security updates for ACF, this alternative update mechanism ensures your sites are ready to receive new features, bug fixes, and security updates going forward.”

Automattic’s Vulnerability Announcement

However, Automattic soon tweeted about a vulnerability in the plugin. The tweet was later deleted. 

In response, John Blackbourn, WordPress Core Security Team Lead, tweeted, “Automattic has responsibly disclosed a vulnerability in ACF but breached the @Intigriti Code of Conduct by irresponsibly announcing it publicly. I am going to work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF.” 

Matt Mullenweg’s Comments on ACF

Previously, Matt Mullenweg had raised the idea of integrating ACF Pro into WordPress core in the WordPress Slack channel.

On October 05, Matt Mullenweg tweeted: “What are the best alternatives to Advanced Custom Fields @wp_acf for people who want to switch away? Is there an easy way to migrate? I suspect there are going to be millions of sites moving away from it in the coming weeks.”

However, most of the replies he received favoured the plugin.

Meanwhile, Ghost, another open-source CMS, jumped into the fray, asking “so should we add custom fields?”

ACF 6.3.8 released

The ACF team shared that they have released ACF 6.3.8, a routine security release. “WP Engine remains blocked from accessing our plugins on the .org plugin repository and therefore this update has been shipped to WP Engine’s repository and to the ACF website,” they said.

This latest release contains a security fix for Post Type and Taxonomy metabox callbacks. The vulnerability addresses the unlikely scenario where one user with ACF admin permissions attacks a different admin user with permissions to create or modify posts, or in a Multisite configuration where a single site admin attempts to exploit a super admin to modify or add a new post.

Iain Poulson, the Product Manager for Advanced Custom Fields

They also shared that: “Once manually updated to 6.3.8, updates will appear in the admin dashboard as normal going forward. No more manual zip updates will be required.”

The team also shared that “We made a copy of the update available to the WordPress.org Security team, who have posted it to the plugin repository.”

Other Updates

In related news, WP Tavern’s ex-author Sarah Gooding published “21 Years of WordPress”: “I don’t fully agree with how Matt has handled this matter, but I will not support any governance model that doesn’t have his leadership at the forefront. WordPress is his life’s work and his legacy. No design-by-committee model is going to give you the same consistent, decisive, nonstop forward momentum that we have experienced with WordPress thus far. After 21 years of delivering on this, I believe Matt is uniquely qualified to steer the project forward. His leadership has built something truly extraordinary.”

Kaelon tweeted about how “WordPress is entering its ‘end-stage founder’ period.” His advice for WP and Matt includes “Do not turn on your people,” “Step the Founder back,” and “Reinvent.”

The WP Minute’s Eric Karkovack published “Private Equity and the Soul of WordPress.” He says, “Perhaps having a few private equity-owned WordPress products isn’t a big deal…The real threat is an ecosystem controlled by a few big firms…That’s only half the potential catastrophe, though. Companies that are in it for the short-term may not be compelled to give back to WordPress core.”