Advanced Custom Fields
It is strongly recommended that WordPress sites with the Advanced Custom Fields (ACF) plugin enabled take several additional steps to improve security for ACF, and avoid unexpected issues with performance and functionality.
- Disable editing of field groups in the WordPress Admin dashboard with the filter `add_filter( 'acf/settings/show_admin', '__return_false' );`, so that field definitions can only change through version-controlled code.
- Register fields via PHP (for example with `acf_add_local_field_group()`) rather than in the admin UI.
- Never use `the_field()`, which echoes the stored value without escaping. Use `get_field()` only in combination with an escaping function that matches the output context, such as `esc_url`, `esc_attr`, `esc_html`, or `wp_kses_post`.
- Apply HTML escaping wherever HTML is rendered from ACF field values.
- Because intermediate image sizes are not created as separate files on the VIP File System, image fields must be read and written by attachment ID so that the correct URL is retrieved.
  - Directly accessing a preferred size through the image array, as in `get_field('image')['sizes']['large']`, will not work. Instead, resolve the image by its ID and request the size with `wp_get_attachment_image_src( $my_image_field['ID'], 'large' )[0]` (this requires the field's return format to be set to the image array or the image ID, not the URL).
  - Similarly, `update_field('image', $image_url, $post_id);` will not work; use `update_field('image', $attachment_id, $post_id);` instead.
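The following is an added example, not code from the WordPress VIP page or from the ACF plugin, showing the recommendations above applied together in a theme or plugin file. The function names (`vip_example_*`), field keys and field names (`hero_link`, `hero_caption`, `hero_image`) are hypothetical; the ACF and WordPress functions called (`acf_add_local_field_group`, `get_field`, `update_field`, `wp_get_attachment_image_src`, the `esc_*` and `wp_kses_post` helpers) are the real APIs.

```php
<?php
/**
 * Added example (not from the WordPress VIP page or ACF). Function names
 * prefixed vip_example_ and the hero_* field names are hypothetical.
 */

// 1. Hide the ACF field-group editor in wp-admin so field definitions can
//    only change through version-controlled code.
add_filter( 'acf/settings/show_admin', '__return_false' );

// 2. Register the field group in PHP. The image field returns an array so
//    the attachment ID is available; a 'url' return format would only give
//    one size and no ID to resolve others from.
add_action( 'acf/init', 'vip_example_register_fields' );
function vip_example_register_fields() {
	if ( ! function_exists( 'acf_add_local_field_group' ) ) {
		return; // ACF is not active.
	}
	acf_add_local_field_group( array(
		'key'    => 'group_vip_example_hero',
		'title'  => 'Hero',
		'fields' => array(
			array(
				'key'   => 'field_vip_example_hero_link',
				'label' => 'Hero link',
				'name'  => 'hero_link',
				'type'  => 'url',
			),
			array(
				'key'   => 'field_vip_example_hero_caption',
				'label' => 'Hero caption',
				'name'  => 'hero_caption',
				'type'  => 'wysiwyg',
			),
			array(
				'key'           => 'field_vip_example_hero_image',
				'label'         => 'Hero image',
				'name'          => 'hero_image',
				'type'          => 'image',
				'return_format' => 'array',
			),
		),
		'location' => array( array( array(
			'param'    => 'post_type',
			'operator' => '==',
			'value'    => 'post',
		) ) ),
	) );
}

// 3. Render with get_field() plus an escaping function chosen for the
//    output context; never the_field(), which echoes the stored value as-is.
function vip_example_render_hero( $post_id ) {
	$link    = get_field( 'hero_link', $post_id );
	$caption = get_field( 'hero_caption', $post_id );
	$image   = get_field( 'hero_image', $post_id );

	$html = '';
	if ( ! empty( $image['ID'] ) ) {
		// Resolve the size by attachment ID; $image['sizes']['large'] is not
		// reliable on the VIP File System.
		$src = wp_get_attachment_image_src( (int) $image['ID'], 'large' );
		if ( $src ) {
			$html .= sprintf(
				'<img src="%s" alt="%s" width="%d" height="%d">',
				esc_url( $src[0] ),                 // URL context
				esc_attr( $image['alt'] ?? '' ),    // attribute context
				(int) $src[1],
				(int) $src[2]
			);
		}
	}
	if ( $link ) {
		$html .= '<a href="' . esc_url( $link ) . '">'
			. esc_html__( 'Read more', 'vip-example' ) . '</a>';
	}
	if ( $caption ) {
		// WYSIWYG content: allow only the HTML permitted in post content.
		$html .= '<div class="caption">' . wp_kses_post( $caption ) . '</div>';
	}
	return $html;
}

// 4. Write the image field by attachment ID, never by URL.
function vip_example_set_hero_image( $post_id, $attachment_id ) {
	if ( 'attachment' !== get_post_type( $attachment_id ) ) {
		return false; // Refuse anything that is not a media library item.
	}
	return update_field( 'hero_image', (int) $attachment_id, $post_id );
}
```

Each value is escaped at the point of output with the function for its context: `esc_url` for `href`/`src`, `esc_attr` for other attributes, `wp_kses_post` for editor-supplied HTML. Escaping once at output, rather than on save, keeps the stored value intact and makes the rendering code auditable on its own.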
Last updated: December 26, 2022