We have recently identified a potential supply chain breach affecting the Advanced Custom Fields (ACF) plugin due to a change in control of the update servers responsible for delivering updates to WordPress installations.
Message from the Plugin Developers
Our ACF plugin has been taken over forcibly by wordpressdotorg without our consent.
If you are a WP Engine, Flywheel or ACF PRO customer, you do not need to take any action and will continue to get the latest from the ACF team.
If you have a site managed elsewhere using ACF, in order to get ACF updates you must perform a 1-time download of the genuine 6.3.8 version to remain safe in the future. The update servers for wordpressdotorg are no longer controlled by the ACF team.
You’ve been trusting ACF for over a decade. The experts that maintain ACF will continue to support and enhance the capabilities that our users love and trust.
Actions Taken by Falls Technology Group
To address this issue and safeguard our clients, we have taken the following steps:
- Deactivated all instances of Advanced Custom Fields, including both up-to-date and out-of-date versions, to prevent any unauthorized actions.
- Identified and removed all traces of the ‘Secure Custom Fields’ plugin fork that had been uploaded in place of the legitimate ACF plugin by the compromised update servers.
- Manually uploaded a certified ZIP of the official ACF plugin, directly provided by WP Engine developers, and reactivated the plugin across all relevant installations.
- Performed thorough validation checks on all sites to ensure plugin stability and functionality post-update.
- Issued a global cache purge to clear any caching errors that may have been created during this process.
We have disabled future automatic updates for this plugin until the situation is fully resolved and will continue to monitor for any further developments.
Thank you for your trust in Falls Technology Group. We will provide ongoing updates through this post as the situation evolves.
Please stay tuned to this post for further updates on the situation below this line.
Announcement Updates
October 14th, 2024 – 2:20 AM CT
A note from Falls Technology Group on the ongoing WordPress Conflict. As many of you know, we at Falls Technology Group have a passion for open-source technology, and the communities and values they espouse. It is our belief that open-sourcing technology, and inviting community development helps lay the foundation for stronger development practices, easier contributions from developers all over the world, and advancing technologies that power every reach of the most fundamental parts of our internet.
The recent developments between WordPress[dot]com and WP Engine bring up rising concerns about the nature of open-sourced software as a whole and the involvement of corporate companies within these projects. Staying true to our mission of ensuring that the internet can remain easily accessible to everyone, we will continue to work to democratize access to WordPress for our clients and to ensure that the continued and retained ownership of their intellectual property and control of their website remains within the hands of our clients, and not at the mercy or whims of a corporate company and the leadership driving it.
We remain confident that the future of WordPress as an open source content management system is positive, and look forward to contributing to the WordPress community and ecosystem in a positive way to help further development of the internet as a whole.
October 16th, 2024 – 5:30 PM CT
Update. The Advanced Custom Fields development team has released a few resources that we want to ensure are available to our clients and other WordPress users. It is recommended that users install the WPE Secure Update Plugin utilizing the latest version available on their site here. Our team will continue to perform manual updates until we can certify internally that a batch installation of this plugin will not interrupt sites on our infrastructure.