I’m interested in finally setting this as a best practice internally: creating my own custom fields or just using ACF plugin every time.
The only good defense for not using ACF is that there might be more security risks with it.
I had a site hacked that was using only ACF, but here’s the thing, it was my fault because stupid me wasn’t sanitizing a frontend form (fields made from ACF).
Assuming I don’t continue being stupid, should using ACF be safe long-term on these sites? I know I can auto-update plugins, but even if I don’t, would it be safe keeping earlier versions of ACF?
Using ACF in and of itself should not be a security risk and I cannot recall the last time I even heard of a security vulnerability in ACF. As you’ve found, it is all in the way you use anything.
As far as updating in general... if there are no security vulnerabilities in WP and the plugins you’re using, then you should not be at risk of being hacked due to not updating. Frankly, that is a myth. What you do need to do is follow issues and update when a risk is found.
When it comes to the admin, I’m not usually overly concerned about ACF because the only people that can do anything are me and the people I build the site for. My company is not going to do anything malicious and I’m sure the client is not going to do anything malicious to their own site.
As far as the front end, this is where you need to be careful about what you’re allowing, again like you found out.
Long story short, I don’t have any concern about ACF causing an issue even if I don’t update it.
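A worked illustration of the front-end point both posts make (an ACF front-end form whose input was never sanitized). This is added example code, not from either poster or from the ACF project; the field names `guest_bio` and `guest_website`, the post type `guest_submission`, and the function name are hypothetical. It relies on ACF's documented `acf/validate_value`, `acf/update_value` and `acf/pre_save_post` hooks plus WordPress core sanitizing and escaping functions.

```php
<?php
// Added example (not from the thread): validate, sanitize and escape values
// submitted through an ACF front-end form (acf_form()). Field names are hypothetical.
// 1. Validate before save: return true, or an error string shown next to the field.
add_filter( 'acf/validate_value/name=guest_website', function ( $valid, $value, $field, $input ) {
    if ( $valid !== true ) {
        return $valid;                 // an earlier rule already failed
    }
    $value = trim( (string) $value );
    if ( $value === '' ) {
        return true;                   // optional field
    }
    // Only public http(s) URLs; wp_http_validate_url() also rejects loopback/private hosts.
    if ( ! wp_http_validate_url( $value ) ) {
        return 'Please enter a valid public http(s) URL.';
    }
    return true;
}, 10, 4 );
// 2. Sanitize on the way in: acf/update_value runs just before the value is stored.
add_filter( 'acf/update_value/name=guest_bio', function ( $value, $post_id, $field ) {
    // Keep only the tags a post author may use; drops <script>, on* handlers, javascript: URLs.
    return wp_kses_post( (string) $value );
}, 10, 3 );
add_filter( 'acf/update_value/name=guest_website', function ( $value, $post_id, $field ) {
    return esc_url_raw( (string) $value, array( 'http', 'https' ) );
}, 10, 3 );
// 3. Control what an anonymous submission may create: a fixed post type, never published directly.
add_filter( 'acf/pre_save_post', function ( $post_id ) {
    if ( $post_id !== 'new_post' ) {
        return $post_id;               // editing an existing post: leave ACF's own handling in place
    }
    $new_id = wp_insert_post( array(
        'post_type'   => 'guest_submission',   // hypothetical post type
        'post_status' => 'pending',            // a human reviews it before it goes live
        'post_title'  => 'Front-end submission ' . current_time( 'mysql' ),
    ) );
    return is_wp_error( $new_id ) ? $post_id : $new_id;
}, 10, 1 );
// 4. Escape on output every time, even though the stored value was already sanitized.
function example_render_guest_card( $post_id ) {
    $bio = get_field( 'guest_bio', $post_id );
    $url = get_field( 'guest_website', $post_id );
    echo '<div class="guest">' . wp_kses_post( (string) $bio );
    if ( $url ) {
        printf( '<a href="%s" rel="nofollow noopener">%s</a>', esc_url( $url ), esc_html( $url ) );
    }
    echo '</div>';
}
```

The validation hook gives the visitor a field-level error instead of a stored value, the update hooks make sure nothing reaches the database unsanitized, and the output escaping protects templates that render the field regardless of how the value got there.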