Categories: WordPress News

Secure Custom Fields

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.

On October 3rd, the ACF team announced ACF plugin updates will come directly from their website. This was also communicated via a support notice in the WordPress.org support forum on Oct 5th.  Sites that followed the ACF team’s instructions on “How to update ACF” will continue to get updates directly from WP Engine.  On October 1st, 2024, WP Engine also deployed its own solution for updates and installations for plugins and themes across their customers’ sites in place of WordPress.org’s update service.

Sites that continue to use WordPress.org’s update service and have not chosen to switch to ACF updates from WP Engine can click to update to switch to Secure Custom Fields. Where sites have chosen to have plugin auto-updates from WordPress.org enabled, this update process will auto-switch them from Advanced Custom Fields to Secure Custom Fields.

This update is as minimal as possible to fix the security issue. Going forward, Secure Custom Fields is now a non-commercial plugin, and if any developers want to get involved in maintaining and improving it, please get in touch.

Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

WP Engine has posted instructions for how to use their version of Advanced Custom Fields that uses their own update server, so you have that option, though the WordPress Security Team does not recommend it until they fix the security issues. You can uninstall Advanced Custom Fields and activate Secure Custom Fields from the plugin directory and be just fine.

There is separate, but not directly related news that Jason Bahl has left WP Engine to work for Automattic and will be making WPGraphQL a canonical community plugin. We expect others will follow as well.

A WordPress Commenter

Recent Posts

Performance Chat Summary: 30 June 2026

The full chat log is available beginning here on Slack. WordPress Performance Trac tickets @westonruter…

3 days ago

The First AI Leaders Graduates

On June 23, around 40 students from the University of Illinois Chicago (UIC), Louisiana Tech…

4 days ago

Browse the New Mercantile Swag Store

Mercantile, the official swag store of the WordPress project, has a newly redesigned storefront with…

2 weeks ago

Kim Parsell Memorial Scholarship Opens for WordCamp US 2026

Applications are now open for the 2026 Kim Parsell Memorial Scholarship, which supports one active…

2 weeks ago

Global Partners Across the First Half of the 2026 WordPress Event Season

This post recaps how the WordPress project’s five Global Partners — Jetpack, WordPress.com, WooCommerce, Bluehost,…

2 weeks ago

Performance Chat Summary: 16 June 2026

The full chat log is available beginning here on Slack. WordPress Performance Trac tickets @westonruter…

2 weeks ago