Impact of WPEngine’s Ban on ACF Plugin

When WP Engine was blocked from accessing WordPress.org, users were left wondering what the future holds for ACF (Advanced Custom Fields) and how this ban will impact their sites moving forward.

ACF Blocked from WordPress.org

On October 03, 2024, ACF (Advanced Custom Fields) announced via X that “The ACF team has been blocked from accessing WordPress dot org and are unable to release updates for the free version of ACF.”

WP Engine, the owners of the ACF plugin, were earlier banned from accessing WordPress.org , which prevented the ACF team from deploying updates to the free version hosted on the platform. So the users were unable to automatically update ACF to newer versions. To help users, the ACF team shared a guide to manually update to the latest version of the plugin.

Customers of WP Engine or Flywheel, however, could still receive automatic updates for the free version. The ACF team assured users that “Recent events do not impact customers of ACF PRO. All updates of ACF PRO will continue to be served from advancedcustomfields.com and no action is required.”

They also noted, “While there are no pending security updates for ACF, this alternative update mechanism ensures your sites are ready to receive new features, bug fixes, and security updates going forward.”

Automattic’s Vulnerability Announcement

However, Automattic soon tweeted about a vulnerability in the plugin. The tweet was later deleted.

In response, John Blackbourn, WordPress Core Security Team Lead, tweeted, “Automattic has responsibly disclosed a vulnerability in ACF but breached the @Intigriti Code of Conduct by irresponsibly announcing it publicly. I am going to work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF.”

Automattic has responsibly disclosed a vulnerability in ACF but breached the @Intigriti Code of Conduct by irresponsibly announcing it publicly. I am going to work my damned hardest to ensure that the fix gets shipped to dotorg if it affects the free version of ACF. https://t.co/LpMhvAIQou
— John Blackbourn (@johnbillion) October 5, 2024

Matt Mullenweg’s Comments on ACF

Previously, Matt Mullenweg had raised the idea of integrating ACF Pro into WordPress core in WordPress Slack channel .

On October 05, Matt Mullenweg tweeted: “What are the best alternatives to Advanced Custom Fields @wp_acf for people who want to switch away? Is there an easy way to migrate? I suspect there are going to be millions of sites moving away from it in the coming weeks.”

However, most of the replies he received were favouring the plugin.

ACF is literally the reason why so many people choose to build with WordPress.

Does he really think people will want to switch away and spend tons of hours rebuilding everything?

Doesn’t make sense, and that’s likely never going to happen.

We use ACF on almost every website we… https://t.co/KNUlbUHAse
— Corentin (@corxntyn) October 5, 2024

ACF is what made WordPress actually useful as a CMS well over a decade ago, and it's block features are what continue to make it useful in a Block Editor world that is impractical to approach natively. There is nothing comparable. https://t.co/1rEHtEEOcn
— Galen Gidman (@galengidman) October 5, 2024

Dear Matt,
I tell you in roman slang:
"Non famo cazzate, su!"

There's NO ALTERNATIVE!

Keep on fighting against WPEngine. Destroy it if you want/can.
Many don't give a fuck about it.

But ACF is something any WP dev out there has been using for years. We love it. Wee need it. https://t.co/GlU5gcWUIV
— Mauro Bono (@UpTheIrons1978) October 6, 2024

Core ignores agency features for the last 5 years of block development. Asks for alternatives to ACF. Delusional.
— philhoyt (@philhoyt) October 6, 2024

Meanwhile, Ghost, another open-source CMS jumped into the fray asking “so should we add custom fields?”

ACF 6.3.8 released

The ACF team shared that they have released ACF 6.3.8, a routine security release. “WP Engine remains blocked from accessing our plugins on the .org plugin repository and therefore this update has been shipped to WP Engine’s repository and to the ACF website.”, they said.

This latest release contains a security fix for Post Type and Taxonomy metabox callbacks. The vulnerability addresses the unlikely scenario where one user with ACF admin permissions attacks a different admin user with permissions to create or modify posts, or in a Multisite configuration where a single site admin attempts to exploit a super admin to modify or add a new post.

Iain Poulson, the Product Manager for Advanced Custom Fields

They also shared that: “Once manually updated to 6.3.8, updates will appear in the admin dashboard as normal going forward. No more manual zip updates will be required.”

The team also shared that “We made a copy of the update available to the WordPress.org Security team, who have posted it to the plugin repository.”

Other Updates

In related news, WP Tavern’s ex-author Sarah Gooding published 21 Years of WordPress. “I don’t fully agree with how Matt has handled this matter, but I will not support any governance model that doesn’t have his leadership at the forefront. WordPress is his life’s work and his legacy. No design-by-committee model is going to give you the same consistent, decisive, nonstop forward momentum that we have experienced with WordPress thus far. After 21 years of delivering on this, I believe Matt is uniquely qualified to steer the project forward. His leadership has built something truly extraordinary.”

Kaelon tweeted about how “WordPress is entering its “end-stage founder” period.” His advice for WP and Matt includes, “Do not turn on your people.”, “Step the Founder back.” and “Reinvent.”

The WP Minute’s Eric Karkovack published Private Equity and the Soul of WordPress. He says “Perhaps having a few private equity-owned WordPress products isn’t a big deal…The real threat is an ecosystem controlled by a few big firms…That’s only half the potential catastrophe, though. Companies that are in it for the short-term may not be compelled to give back to WordPress core.”

Category: News, Plugins

Tags: acf

10 Comments

Author

Posts
- jeswin
  October 9, 2024 at 10:49 AM View in Forum
  
  WordPress is his life’s work and his legacy. No design-by-committee model is going to give you the same consistent, decisive, nonstop forward momentum that we have experienced with WordPress thus far. After 21 years of delivering on this, I believe Matt is uniquely qualified to steer the project forward.
  Reply
  Loading…
- Rebekah
  October 9, 2024 at 10:49 AM View in Forum
  
  The alternative is called Pods https://pods.io/. Which was sponsored by Automattic for almost 10 years. You think they would remember it. A great FREE and powerful alternative to ACF.
  Reply
  Loading…
- Will
  October 9, 2024 at 10:49 AM View in Forum
  
  Matt is becoming a sort of off-brand Elon Musk. I do agree that WP Engine should contribute more to WP, but these sorts of childish antics are harmful to the community and it clearly impacts more than just those hosted with WPE.
  Reply
  Loading…
- Steven Gliebe
  October 9, 2024 at 10:49 AM View in Forum
  
  This blog should disclose ownership in articles reporting on Audrey Capital and Automattic entities and their leadership, or their competitors. WP Engine is a competitor of WordPress.com for example. Transparency is important.
  Reply
  Loading…
- Drew
  October 9, 2024 at 10:49 AM View in Forum
  
  “we could auto-migrate all current users of the plugin into our core functionality”
  
  It was only a matter of time before King Matt decided to embrace, extend and extinguish.
  
  If he interferes with ACF Pro then WordPress and I are done. I have 40+ sites running ACF Pro but am already doing all new development in ProcessWire and am starting to migrate some existing sites from WP to PW. The primary reason? Matt.
  Reply
  Loading…
- Matthew
  October 13, 2024 at 7:55 AM View in Forum
  
  Wow. Seeing that idea of just taking people of products and merging them into core is an absolutely horrible thing to be contemplating.
  
  Basically just stealing their work because its legal, doesn’t make it ethical.
  
  It could absolutely destroy small businesses, and it’s a real threat as they have the developer resources to thrown at it merging. Why would anyone bother to put their time in if this is how he sees community code? It sounds like he wouldn’t have a problem to start up an official nulled plugin repository then, with that attitude.
  
  Not only is that a terrible thing to read, it’s also a terrible idea on the whole. There are tons of paid plugins that Woo and WP have absorbed over the years, and they are absolutely languishing with prices being increased and no features being added, no bugs fixed, no acknowledgement of the piles of feature requests.
  
  That is actually really really bad behaviour to be talking like that. I’ve been trying to wait and see what this is actually all about at a legal level and give him the benefit of the doubt, but bringing all the eyes of the internet onto him is not a smart move if he has been going around saying abhorrent things like this.
  Reply
  Loading…
- ibhuiyan
  October 14, 2024 at 1:38 PM View in Forum
  
  On a personal level, I stopped using WP for my personal blog site ever since Block editor was introduced but I don’t mind using WP for my clients sites.
  Reply
  Loading…
  - Matthew
    January 2, 2025 at 10:33 PM View in Forum
    
    Yeah I did not take a liking to the block editor when it was first released.
    
    I have slowly got some use out of it by letting it be the default editor for the blog posts, and still sticking with page builders for the actual site layout.
    
    If you haven’t done it recently, spin up a new wp install and go through the set up steps. It has totally changed now, with a really slick onboarding experience. You wouldn’t even recognise it as WordPress.
    
    Plus the block editor isn’t that bad for basic editing and actually can even manage some advanced scenarios now.
    
    I think this is difficult for existing users to adjust to as its a “who moved my cheese” type situation, but from a clients point of view where they might already have tried out Wix or Squarespace, this kind of slick interface is what they are looking for.
    Reply
    Loading…
- Mark Quigg
  November 26, 2024 at 12:19 PM View in Forum
  
  I sincerely hope Matt and the leadership at WordPress are taking careful note of responses like these. He is on a mission to destroy or seriously punish WPEngine, at all costs evidently. Why? Because he doesn’t believe they contribute enough to WordPress as an open source project. Maybe they don’t, I don’t know, but I do know that he is putting the entire project at risk — and probably billions of dollars worth of human investment in time and money into WordPress websites — all to punish WPEngine. There ARE other open source platforms out there, and people will get fed up with this drama, and the potential risk of their own investments into the WordPress ecosystem, and just move on. Maybe he’ll succeed at punishing or destroying WPEngine, but it will just be a massive pyrrhic victory with everybody being the losers.
  Reply
  Loading…
- Bruce
  January 2, 2025 at 10:32 PM View in Forum
  
  Just logged into wordpress.org to log a plugin bug report. The login form now includes a checkbox which says ‘I am not affiliated with WP Engine in any way, financially or otherwise.’
  
  Does this mean WPE customers are no longer welcome at wordpress.org ???
  Reply
  Loading…
Author

Posts