Advanced Custom Fields (5)
Advanced Custom Fields (ACF) is a popular plugin that many VIP clients choose to use on their sites. However, ACF is not available for clients on the WordPress VIP platform, and has not undergone a full, line-by-line review for use on VIP Go. Clients wishing to use ACF on VIP Go accept the security and performance risks of using it. This page outlines some additional steps needed to make ACF more secure and performant, but should not be interpreted as the equivalent of a line-by-line review, or VIP’s approval of the plugin.
Please note that while ACF 5 can be used on most VIP Go sites, ACF 4 is unavailable. If in doubt about whether ACF is allowed for use on your VIP site, please contact us.
Steps to avoid performance issues
When using ACF 5 and ACF 5 Pro, several additional steps are needed in order to make ACF secure, and avoid performance issues:
- Hide the Admin UI
- Define fields in PHP
- Use taxonomies for searchable fields
- Avoid
the_fieldand escape - Secure fields that allow arbitrary output
Hide the ACF Admin UI
The fields UI can be used to add arbitrary fields, including unsafe fields. For example it can allow an admin to display the passwords of users. You can disable the UI using this filter:
add_filter( 'acf/settings/show_admin', '__return_false' );Define fields in PHP
In order to make sure that all ACF usage is secure, define the fields in PHP or local json, rather than at runtime. This way they remained versioned and safe. This can be done via the import export menu of a local developer environment to setup the fields available and export them to PHP.
Documentation on how to do this can be found here on the ACF website.
Alternatively, fields can be defined via the local JSON feature as described here, but keep in mind that saving local JSON will not work in production as the filesystem is read only, nor is it desirable as it would bypass the security benefits.
Being mindful of taxonomy term storage
If an ACF field is going to be queried, filtered, or searched for in a post query, use the taxonomy data checkbox so that the field is stored as a term, not a post meta value. This ensures performance is not impacted by expensive meta queries on the frontend
the_field and escaping
the_field has no context as to when or where it is called. So how is it to know if it should be using esc_url, esc_attr or wp_kses_post? It doesn’t, which makes it dangerous from a security point of view. Instead, use get_field in combination with an escaping function, e.g.
$url = get_field( 'custom_link' );
echo esc_url( $url );Flexible content is the exception to this, and should be clearly marked on usage via comments
Fields that use arbitrary output
If the field types that allow arbitrary output are to be used, they must be accounted for in the acf/format_value and equivalent filters such as acf/format_value/type=textarea.
For example:
function vip_make_acf_text_areas_safe( $value, $post_id, $field ) {
return wp_kses_post( $value );
}
add_filter( 'acf/format_value/type=textarea', 'vip_make_acf_text_areas_safe', 10, 3 );This way different escaping can be applied via different `$field` values. Alternatively, if all fields of that type use the same escaping, this can be done instead:
add_filter( 'acf/format_value/type=textarea', 'wp_kses_post', 10, 1 );More information
For more information, see: https://www.advancedcustomfields.com/resources/acf-format_value/