As you may be aware, Automattic, the parent corporation behind WordPress, have in recent months been involved in an increasingly hostile battle with WP Engine, the company behind the WP Engine hosting platform and the immensely popular Advanced Custom Fields plugin.
This culminated in unprecedented action this week by Automattic that:
- Blocked WP Engine accounts from updating their plugins;
- Issued a warning for them not updating the plugins they could no longer access;
- Completed a hostile takeover of those plugins, renaming them and stripping out any link to WP Engine
What this means for users?
If you update your version of Advanced Custom Fields through the normal means (the WordPress plugins screen), you will be forcibly moved onto the hijacked version Secure Custom Fields. Besides the moral issues, this could also cause you issues in the future if you want to access the PRO version of ACF.
Note: If you’re already using Advanced Custom Fields PRO, no action is needed, you’re already using the official update channel for the plugin
What to do
Full instructions are available at https://www.advancedcustomfields.com/blog/installing-and-upgrading-to-the-latest-version-of-acf/ but we’ll summarise the key points below.
- Download the latest zip file from https://www.advancedcustomfields.com/latest/
- Log in to your site
- Navigate to Plugins > Add new
- Upload the zip file
- Click ‘Activate Plugin’,
And job done. You’ll only need to do this once (per site) since then the plugin will be directed to use the ACF servers to get any future updates.
Our clients
Any of our clients using our managed or supported hosting will have this automatically done by us as part of our maintenance service.
How this happened?
When you install WordPress, all updates for themes and plugins are, by default, accessed through a repository hosted on wordpress.org
. Think of it like using the App Store or Play Store on your mobile phone. This was promoted as a safe way for businesses and programmers to deliver timely updates to their users without having to worry about the delivery process themselves.
Since Automattic controls wordpress.org
, they can also control who is able to have developer accounts on the service. Because of the dispute, access to WP Engine’s developer accounts was blocked and rather than allowing WP Engine to deliver updates to their plugins, Automattic instead delivered their own versions to unsuspecting users. Imagine if you updated WhatsApp on your phone one day and suddenly had it replaced with Google WotsApp… essentially this.
If you follow the instructions above, you’ll get an ACF plugin that no longer contacts wordpress.org
for updates, but instead uses an advancedcustomfields.com
domain thus resolving the issue.