Security

As one of the largest plugins in the WordPress ecosystem, we take the security of ACF extremely seriously and we work hard to ensure the plugin is as safe as possible.

We are committed to patching security vulnerabilities in the plugin as they are reported to us, in a responsible and timely manner. We typically patch security issues in minor versions of ACF and ACF PRO. We document the security releases in blog posts about each release, often with extended detail about any changes required after updating.

Security is paramount. No one wants to deal with a hacked site. However, in the attempt to make ACF as secure as possible, this does sometimes result in making changes that impact ACF field data. We do our best to avoid and mitigate breaking changes in that case.

We reserve whole number major versions for especially significant major versions of ACF. For these versions, we will backport security fixes to the previous major version for up to a year after the release of the current version. For example, ACF 6.x will continue to receive critical security updates for a year after the launch of ACF 7.

Plugin Security

Plugins in Scope

Reporting a Vulnerability

If you have found a security vulnerability or other security issue with the plugins please submit the vulnerability via our Vulnerability Disclosure Program.

Security Companies

If you are a security company and have had an ACF vulnerability reported to you, please contact the team directly with the report details –
acf-security@wpengine.com

Website Security

If you have found a vulnerability or security issue on the advancedcustomfields.com website please submit the vulnerability via our Vulnerability Disclosure Program.

Please ensure the website vulnerability meets the ‘In Scope’ requirements of our VDP program.