Advanced Custom Fields vs. Secure Custom Fields: Is my website safe?

Alex Hackett

Group Director of Digital

What is going on?

Millions of websites around the world just saw one of their key components – Advanced Custom Fields (ACF) – change its name to “Secure Custom Fields”.

Who cares?

This could make more of an impact than you’d think. It is a sign that the plugin has changed owner – from WP Engine to WordPress.org. This may dramatically affect the way millions of websites work around the world, as it would mean that your website no longer receives “official” updates for a core plugin, which could (in a worst-case scenario) cause your website to go down completely unless safeguards are put in place.

Why is this happening?

This is the latest move in the ongoing WordPress Wars. WP Engine, the major hosting provider of millions of WordPress websites, has been in conflict with the creators of WordPress – Automattic/WordPress.org – over what is essentially a trademark licensing dispute. This has caused Automattic to block access to the WordPress repository, where all software built on WordPress is readily accessed (think of this like Google blocking access to its app store for all Samsung devices). WP Engine quickly found a workaround for this, but the damage has been done and thousands of pages of legal paperwork have been filed by both sides.
This is the latest escalation in this battle. WP Engine owns ACF, which is a piece of software that allows additional fields to be added to WordPress websites. For example, if you ran an estate agency website with hundreds of pages related to the properties you had for sale, you would need a field that displays each property’s address and asking price. ACF provides this functionality and as such is a core component of many sites.
WordPress.org, citing “security issues” with the ACF plugin, has taken the alarming action of cloning the ACF software, renaming it “Secure Custom Fields” and replacing it in their “app store”. By doing this, they are also making the functionality free for all users, which will undoubtedly have an impact on ACF and WP Engine’s ability to sell premium versions of their plugin (it is now both harder to install and has been undercut by a new cloned competitor).

Is that legal?!

We will see… It’s hard to imagine a similar scenario playing out in any other industry. If Apple and Meta had a falling out, it’s unlikely that Apple would have legal grounds to copy Instagram exactly, block direct access to the original app and launch their own cloned version of the product at the exact same address on their own app store. WordPress.org, however, maintains that similar actions have been taken in the past, where central plugins have been under threat from a security issue that could compromise the entire WordPress community. By stepping in, they argue, they are doing what is best to safeguard the open-source WordPress world for which they are the appointed caretakers.

What does all this mean for my website?

In short, if you are hosting your website on WP Engine and you are using ACF, no action needs to be taken. Your direct relationship with the original plugin has been maintained by its creators, so your website should be unaffected.
If your website is not hosted by WP Engine but you are using ACF, your plugin is going to update to WordPress.org’s cloned “SCF” unless you take action. It may be that you are happy to continue with Secure Custom Fields, but with two different development teams working on these plugins, it’s likely that the two will become very different over time and you may not be able to switch between them. A compatibility issue between ACF/SCF and the other plugins running on your site could cause elements to break over time, which would be costly and time-consuming to put right. If you have an existing ACF account and would like to stay with the original plugin, you will need to manually update the plugin using the ACF website.

This is all so confusing, what do I do in my specific case? Which should I choose?

Every website is different, and the best option is to call our digital team at PLMR so we can guide you through all the options available to you. Our team can put safeguards in place to future-proof your WordPress site against whatever new challenges occur in this ongoing dispute. PLMR Digital is keeping a constant eye on these developments and can provide up-to-the-minute advice and guidance for any website that might become affected.
To talk to our team and discuss your website, email us at info@plmr.co.uk.
