Is ACF banned from WordPress?
Martin Szigeti
There has been significant upheaval in the WordPress community over the past few weeks due to the ban of Advanced Custom Fields (ACF) from WordPress.org and the actions taken by Automattic. This situation has polarized opinions and left hundreds of thousands of users concerned about the future of one of the most essential plugins for WordPress and its impact on the community.
ACF Plugin
Advanced Custom Fields (ACF) is a highly popular WordPress plugin, now owned by WP Engine, that allows developers to create custom meta fields for posts, pages, and custom post types within WordPress. ACF enables the creation of custom field groups, supporting a variety of field types like text, images, repeaters, and flexible content layouts, which can then be displayed using custom PHP functions in theme templates. By deeply integrating with WordPress’s metadata system, ACF provides developers with a powerful tool to build tailored admin experiences and dynamic content structures without the need for extensive custom code, making it an essential plugin for developers who want to extend WordPress beyond its default functionality.
WP Engine and Automattic’s Roles
To better understand the current situation, it’s important to clarify the roles of WP Engine and Automattic. WP Engine, which acquired Advanced Custom Fields (ACF) in 2021, is a leading managed WordPress hosting provider that focuses on delivering high-performance, secure, and scalable WordPress hosting solutions. They are responsible for maintaining and developing ACF, ensuring its continued success within the WordPress ecosystem.
On the other hand, Automattic is the company behind WordPress.com and a major contributor to the development of WordPress.org, which powers a significant portion of the web. Automattic also oversees the WordPress plugin repository, where the free version of ACF is hosted. Due to WP Engine’s ban from WordPress.org, the ACF team has been unable to release updates to the free version of the plugin via the official repository, resulting in the need for manual updates. Automattic’s involvement is crucial in this case, as they manage the infrastructure that distributes free plugins and facilitate WordPress’s open-source community.
The Block
On October 3, 2024, ACF announced a shocking development: “The ACF team has been blocked from accessing WordPress.org and are unable to release updates for the free version of ACF.” The ban, stemming from a broader block against WP Engine by WordPress.org, resulted in the inability to deploy updates to the free version of ACF, leaving users stuck with outdated versions of the plugin hosted on WordPress servers. This block also prevented new users from downloading the latest versions of ACF through the official repository.
In response, the ACF team quickly released a guide for users to manually update the plugin via ZIP files, ensuring that they could still access the latest version. WP Engine also reassured clients hosted on its platform that they would continue to receive updates seamlessly. Fortunately, users of the PRO version of ACF were unaffected by the block, as they continued to receive automatic updates through advancedcustomfields.com.
The Vulnerability Incident
Soon after the block, Automattic, the company behind WordPress.com, posted publicly about a vulnerability in ACF. By exposing the vulnerability, the post violated the Intigriti Code of Conduct for responsible disclosure. The breach prompted a strong reaction from John Blackbourn, WordPress Core Security Team Lead, who criticized Automattic for irresponsibly making the issue public before a fix was widely available: “Automattic has responsibly disclosed a vulnerability in ACF but breached the @Intigriti Code of Conduct by irresponsibly announcing it publicly. I am going to work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF.”
Automattic quickly deleted the post following backlash, but the damage had already been done. The public disclosure of the vulnerability created unnecessary panic among users, leaving ACF and WP Engine in a more difficult position while trying to resolve the issue.
Community Response
On October 5, Matt Mullenweg, CEO of Automattic, publicly suggested alternatives to ACF, seemingly encouraging users to move away from the plugin. However, the WordPress community responded overwhelmingly in support of ACF, with many defending its critical role in empowering millions of WordPress users to customize their sites. The community highlighted how ACF had helped shape WordPress into a more flexible platform, allowing even non-technical users to extend the functionality of their sites.
The outpouring of support from the community emphasized ACF’s vital place in the WordPress ecosystem, with many arguing that it had played a significant role in the platform’s growth and adoption over the years.
ACF 6.3.8 Release
Despite the challenges, the ACF team pushed forward, releasing version 6.3.8. Although this version requires manual updates for those affected by the block, the ACF team assured users that after upgrading to 6.3.8, future updates will resume as normal within the WordPress admin dashboard. No further manual updates via ZIP files will be required after this version is installed.
As of the time of writing, there have been no official updates from either WordPress.org or WP Engine regarding a resolution to the block. While the situation remains unresolved, the continued support from the community and the commitment of the ACF team suggest that ACF will remain a critical tool for WordPress developers, even in the face of these challenges.