For one of WordPress’ core plugins, that this is not resolved is quite concerning. I didn’t even know it was a thing.
We have a multi-language multisite and flexible content fields disappear without any sense of consistency. We are not using particularly complicated page structures.
I have max_input_vars at 5000, our server admin is reluctant to up it any more.
Surely there should not be a limit on the number of fields available, or at the very least, some kind of warning. Page builders liek Elementor and even Gutenberg use far more variables than simple ACF compounds.
Why is this happening and is there any fresh thinking on the issue?
ACF works more simply than other “page builders”. ACF is not really a page builder. ACF works by sending all of the data in $_POST in a single request. Other systems use AJAX to update data as you work, ACF does not. ACF is built on the idea of using only what core WP offers for managing custom fields. It does not do anything that you could not do by creating and managing your own custom fields with your own processing using WP add_meta_box().
I routinely set max_input_vars to 10,000 or even higher on ACF heavy sites. But 10,000 is my general starting point when I’m building a custom site using ACF.
This plugin has not been updated in a long time, but it still work, and give a warning when the inputs on a page exceed max_input_vars https://wordpress.org/plugins/wp-max-submit-protect/
Thanks @hube2.
Our server admin are reluctant to go over 5,000. I don’t quite understand the link with DDOS but I hear it.
I’ll try the plugin, at least it will give some confirmation of the issue.
I’ve been using ACF for years, it’s quite a disappointment to find its limitations.
Well, I just did some reading about max_input_vars and DDOS, it was enlightening. Now I understand the emails I get from WordFence about increased attack rates with increasing numbers of $_POST values. Quite honestly, I was not aware of the reason for PHP to limit this, but now I know something new I did not know yesterday.
At any rate, a good security plugin, like WordFence does a decent job a blocking these types of attacks, and depending on what country they are coming from I simply block the IP address permanently.
