Title: 安全自定义字段 Author: WordPress.org Published: 2024 年 11 月 21 日 Last modified: 2026 年 6 月 12 日 --- 搜索插件 ![](https://ps.w.org/secure-custom-fields/assets/banner-772x250.jpg?rev=3194494) ![](https://ps.w.org/secure-custom-fields/assets/icon.svg?rev=3194494) # 安全自定义字段 作者:[WordPress.org](https://profiles.wordpress.org/wordpressdotorg/) [下载](https://downloads.wordpress.org/plugin/secure-custom-fields.6.8.9.zip) [实时预览](https://cn.wordpress.org/plugins/secure-custom-fields/?preview=1) * [详情](https://cn.wordpress.org/plugins/secure-custom-fields/#description) * [评价](https://cn.wordpress.org/plugins/secure-custom-fields/#reviews) * [开发进展](https://cn.wordpress.org/plugins/secure-custom-fields/#developers) [支持](https://wordpress.org/support/plugin/secure-custom-fields/) ## 描述 安全自定义字段(SCF)扩展了 WordPress 的权限,将其转化为灵活的内容管理工具。有了 SCF,管理自定义数据变得简单而高效。 **按需轻松创建字段。** SCF 生成器可以轻松地将字段添加到 WordPress 编辑屏幕,无论 您是为菜谱添加新的「成分」字段,还是为专业网站设计复杂的元数据。 **灵活放置。**字段可应用于整个 WordPress–文章、页面、用户、分类法、媒体、评论,甚至 自定义选项页面–按照您的意愿组织数据。 **无缝显示。**使用 SCF 功能,您可以在模板中显示自定义字段数据,使所有级别的开发人员 都能轻松实现内容集成。 **全面的内容管理解决方案。**除自定义字段外,SCF 还允许您直接从 SCF 界面注册新的文章 类型和分类法,从而提供更多控制,而无需额外的插件或自定义代码。 **易于访问和用户友好的设计。**字段界面与 WordPress 的本地设计保持一致,为内容创建 者创造了一种易于访问和使用的体验。 安装此插件将停用功能名称/功能相匹配的插件,特别是高级自定义字段、高级自定义字段专业 版和传统的安全自定义字段插件,以避免代码错误(这与 ACF 专业版的行为相同)。 有关安全自定义字段的更多信息,请访问 [developer.wordpress.org/secure-custom-fields](https://developer.wordpress.org/secure-custom-fields/)。 #### 功能 * 清晰易用的设置 * 强大的内容管理功能 * 30 多种字段类型 ## 屏幕截图 [⌊添加自定义字段组。⌉⌊添加自定义字段组。⌉[ 添加自定义字段组。 [⌊在写作时轻松添加自定义内容。⌉⌊在写作时轻松添加自定义内容。⌉[ 在写作时轻松添加自定义内容。 [⌊需要新的文章类型?只需添加即可!⌉⌊需要新的文章类型?只需添加即可!⌉[ 需要新的文章类型?只需添加即可! [⌊轻松浏览各种字段类型。⌉⌊轻松浏览各种字段类型。⌉[ 轻松浏览各种字段类型。 ## 评价 ![](https://secure.gravatar.com/avatar/34ba86a5dbfdf2c37564fc4070700bda72105481dc9a766d5a1b9be794a897f0? s=60&d=retro&r=g) ### 󠀁[Great plugin](https://wordpress.org/support/topic/great-plugin-41499/)󠁿 [hfaridul](https://profiles.wordpress.org/hfaridul/) 2026 年 5 月 16 日 It unlocks many pro features of acf ![](https://secure.gravatar.com/avatar/5a3c7fa91d24b070853e6d77f30b2a7e7ce7039bd6e2defa6ba54bc4456e3ea8? s=60&d=retro&r=g) ### 󠀁[Most needed plugin.](https://wordpress.org/support/topic/most-needed-plugin/)󠁿 [Usman Ahmed](https://profiles.wordpress.org/syedusmanahmed/) 2026 年 4 月 12 日 It is the most needed plugin for any WordPress website in my opinion. I prefer it on ACF because it is a community edition. ![](https://secure.gravatar.com/avatar/ea4720c9ce81ba0c28c0ce0f7d96c5808be7b77420ce6caff5598f10a5c74cb1? s=60&d=retro&r=g) ### 󠀁[Excellent plugin](https://wordpress.org/support/topic/excellent-plugin-9812/)󠁿 [sibony88](https://profiles.wordpress.org/sibony88/) 2026 年 2 月 27 日 Excellent plugin, works smoothly with the system, great with Elementor ![](https://secure.gravatar.com/avatar/269137198aecb27e9025de71538c5d94d4b4e27eb7b7b07898f8b06a61b18937? s=60&d=retro&r=g) ### 󠀁[do not use this plugin](https://wordpress.org/support/topic/do-not-use-this-plugin-67/)󠁿 [createscape](https://profiles.wordpress.org/createscape/) 2026 年 1 月 28 日 1 回复 The owners of this plugin used poor methods when they stole the plugin repository for ACF, and renamed it Secure Custom Fields, instead of forking and starting a new plugin. At the time they also took all ACF’s positive reviews with them. They seem to have remedied that situation, however they also removed all the bad reviews from people who noticed what they did. If you are looking for a custom fields plugin, use ACF where you can get reliable support and the option to upgrade to ACF pro. ![](https://secure.gravatar.com/avatar/9216ea2f2d26247a3914fa82e4c3c6608525d72a9764d970c5aac3386d43bb40? s=60&d=retro&r=g) ### 󠀁[Great fork](https://wordpress.org/support/topic/great-fork-2/)󠁿 [boykottke](https://profiles.wordpress.org/boykottke/) 2025 年 12 月 19 日 Yeah, it’s a fork. Yeah, it kills WP Engine’s business model. But that’s precisely why it’s necessary: ​​WP Engine built a business for a very long time based on free software with truly useful extensions, without giving anything back to the community. At the same time, they violated the WordPress Codex standards and put users at risk. SCF is what I need. It’s open source, freely available, and secure. Because I’m storing personal data with it, I need a secure solution, not one that thinks what it offers is enough. So thank you for taking a WP standard established by WP Engine and securing it according to community standards. ![](https://secure.gravatar.com/avatar/4ad982b9b9e52bae9da50e1fd7d27cb70e4a05e6a7ae2d2f30d3ddb53770fcd5? s=60&d=retro&r=g) ### 󠀁[Thank you](https://wordpress.org/support/topic/thank-you-3705/)󠁿 [koqpe](https://profiles.wordpress.org/koqpe/) 2025 年 12 月 5 日 Great plugin — lightweight, reliable, and truly secure. Secure Custom Fields protects sensitive data without slowing down the site and integrates smoothly with WordPress workflows. Clean, simple, and does exactly what it promises. Recommended. [ 阅读所有61条评价 ](https://wordpress.org/support/plugin/secure-custom-fields/reviews/) ## 贡献者及开发者 「安全自定义字段」是开源软件。 以下人员对此插件做出了贡献。 贡献者 * [ WordPress.org ](https://profiles.wordpress.org/wordpressdotorg/) 「安全自定义字段」插件已被翻译至 13 种本地化语言。 感谢[所有译者](https://translate.wordpress.org/projects/wp-plugins/secure-custom-fields/contributors) 为本插件所做的贡献。 [帮助将「安全自定义字段」翻译成简体中文。](https://translate.wordpress.org/projects/wp-plugins/secure-custom-fields) ### 对开发感兴趣吗? 您可以[浏览代码](https://plugins.trac.wordpress.org/browser/secure-custom-fields/), 查看[SVN仓库](https://plugins.svn.wordpress.org/secure-custom-fields/),或通过[RSS](https://plugins.trac.wordpress.org/log/secure-custom-fields/?limit=100&mode=stop_on_copy&format=rss) 订阅[开发日志](https://plugins.trac.wordpress.org/log/secure-custom-fields/)。 ## 更新日志 #### 6.8.9 _Release Date 15th June 2026_ _Security_ * Hardened the escaping of wp_options LIKE queries used when loading option-page meta and during taxonomy term cleanup, switching to esc_like() so option-name prefixes are always matched as literals rather than as patterns. _Fixes_ * The URL, text, textarea, and select-style fields no longer raise PHP errors when a non-scalar value (such as an array) is submitted; such input is now treated as invalid. #### 6.8.8 _Release Date 11th June 2026_ _Security_ * AJAX field handlers now validate that the request nonce was created for the expected field type, so a nonce minted for one field type can no longer be replayed against another field type’s AJAX handler. The gallery field was also aligned with the typed nonce scheme used by all other AJAX fields. * `acf_decrypt()` now treats malformed payloads as a decrypt failure and returns` false` instead of emitting PHP 8 warnings. _Enhancements_ * `acf_inline_toolbar_editing_attrs()` now accepts a `return_array` argument that returns the attributes as an escaped array suitable for use with `wp_get_attachment_image()`. _Fixes_ * `acf_form()` with `'post_id' => 'new_post'` and a `fields` list of field names no longer fatal errors when `acf_form_head()` runs before WordPress’s main query is built. * Multiple `acf_form()` calls wrapped inside a single outer form tag with one submit button no longer silently drop field values, `post_title`, or `post_content` from the non-last forms. A new `acf/form/meta_ttl` filter controls how long per- form metadata remains valid. * Duplicating a V3 block with identical attributes no longer displays corrupted preview content in the duplicate. * Switching between tabs containing WYSIWYG fields no longer leaves the admin menu pinned against a shorter page, which could lock page scroll. #### 6.8.7 _Release Date 8th June 2026_ _Fixes_ * SCF’s Abilities API integration for its internal post types no longer triggers PHP warnings, notices, or a fatal error (500) on block editor and REST API requests when another active plugin builds the WordPress abilities registry earlier in the request; registration is skipped cleanly in that case and normal abilities behavior is otherwise unchanged. #### 6.8.6 _Release Date 27th May 2026_ _Security_ * Hardened the oEmbed field’s AJAX preview handling by restricting provider discovery for visitors and users without content-authoring capability while preserving previews from WordPress’s registered oEmbed providers. * Hardened front-end `acf_form()` submission processing so the `post_title` and` post_content` form options are respected on save, and the save pipeline only accepts values for fields the rendered form exposed. A new `acf/form/allowed_field_keys` filter is available for sites that legitimately extend a form at runtime. #### 6.8.5 _Release Date 19th May 2026_ _功能_ Backports 6.8.1 feature work into SCF. #### 6.8.4 _Release Date 30th April 2026_ _功能_ * Backports 6.8.0 and 6.8.0.1 feature work into SCF. * AI integration: SCF now integrates with the WordPress Abilities API, allowing external consumers, including AI tools, to manage field groups, post types, and taxonomies when explicitly enabled via the `enable_acf_ai` feature flag. * Structured data: SCF can now generate JSON-LD structured data fields when explicitly enabled via the `enable_schema` feature flag. * WP-CLI: Added `wp scf json` and backward-compatible `wp acf json` commands for importing, exporting, syncing, and checking the status of SCF JSON files. * Post types: SCF custom post types now support the WordPress 6.9+ Notes editor feature via a new Notes checkbox in the Supports settings. * JSON Schemas: Added v1 schemas for supported field types and updated field group, post type, and taxonomy schemas. _Enhancements_ * Blocks V3: The Open in Expanded Editor button text can now be customized via a new `acf.expandedEditorButtonText` block.json property. * Blocks V3: Added an `acf/blocks/default_expanded_editor_button_text` PHP filter to customize the default Open in Expanded Editor button text. * Blocks V3: The edit and Open in Expanded Editor buttons can now be hidden via a new `acf.expandedEditorButtons` block.json property. * Blocks V3: Added a `blocks/expanded_editor_overlay_class` JavaScript filter for customizing the Expanded Editor modal overlay class. * Blocks V3: The block form HTML is now preloaded alongside the preview, eliminating an extra AJAX call on mount. * Blocks V3: Expanded Editor buttons are now hidden for V3 blocks that have no fields assigned. * SCF inline script tags now use `wp_print_inline_script_tag()` for Content Security Policy (CSP) compliance and nonce support. _Fixes_ * V3 blocks with WYSIWYG fields no longer enqueue TinyMCE editor assets on the frontend. * V3 blocks with identical attributes and different InnerBlocks content no longer return cached output from the first block on the frontend. * Flexible Content fields now properly clean up nested postmeta when a parent layout containing nested Flexible Content fields is deleted. * The Expanded Editor Done button now stays disabled until the AJAX save completes, preventing data loss. * Pressing Escape while the Expanded Editor is saving will no longer close the modal, preventing data loss. * InnerBlocks content containing backslashes or dollar signs now renders correctly. * Auto Inline Editing now only applies to SCF Blocks V3, resolving incorrect hover/ focus borders appearing on V2 blocks. * Auto Inline Editing blocks now receive block context variables in render templates. * Auto Inline Editing now works with blocks using `renderCallback`. * Validation errors in the V3 Expanded Editor no longer cause a dead-end state. * Icon Picker selections in Repeater fields no longer disappear. * Range field number input now syncs to the slider and correctly updates V3 block previews. * Message field Name and Instructions settings are no longer shown in the field group editor. * Image field no longer crashes in WordPress 7.0 release candidates. * V3 blocks registered via PHP now correctly show the Open in Expanded Editor button. * Flexible Content disabled layouts now work correctly in Blocks V3. #### 6.8.3 _Release Date 22th April 2026_ _Fixes_ * Fix command palette type error on wp-admin. * Plugins requiring ACF are also validated for SCF. * REST API calls now honor the user’s `unfiltered_html` capability. * Block Preview rendering now verifies the user can edit the target post. * Paginated Repeater fields now verify the user can edit the target post. * Flexible Content layout title AJAX requests now validate a security nonce. * Clone field AJAX endpoints now enforce SCF admin permissions on field group listings. #### 6.8.2 _Release Date 24th March 2026_ _Fixes_ * AJAX Handlers: Prefix field-specific nonces to resolve an issue where third-party nonces could be treated as valid for AJAX calls. * Block Preview: Verify that user has access to post specified via block context. * Repeater Field: Verify that user has access to specified post. * REST API: Apply KSES sanitization to field content saved by users without `unfiltered_html` capabilities. * REST API: Respect `show_in_rest` setting for field groups in `/types` endpoint. #### 6.8.1 _Release Date 11th March 2026_ _Backports from 6.7.1_ * Security – User field AJAX queries now enforce field-configured role restrictions and validate search permissions. * Security – Post Object, Relationship, and Page Link field AJAX queries now enforce field-configured restrictions for post status, post type, and taxonomy. * Site Health – Track blocks using auto inline editing. #### 6.8.0 _Release Date 30 Dec 2025_ _功能_ * Abilities integration: addded field abilities for Field Groups. * Abilities integration: added trash/untrash abilities for internal post types. * All backports up to 6.7.0.2. * JSON Schemas: Added several fields schemas. * WooCommerce HPOS: Added support for custom fields on any WooCommerce Order Types. * Added PHPUnit tests. _Fixes_ * Hide duplicated Command Palette Commands on WP 6.9+. * Fix field schema validation for WP Rest API. * Fix checkbox toggle functionality. #### 6.7.0 #### 6.7.1 _Release Date 10 Dec 2025_ _功能_ * JSON Schemas: Added Options Pages schema. _Fixes_ * Fixed too-early validation of schemas causing a fatal error. * Fix block validation on WordPress 6.2. #### 6.7.0 _Release Date 3 Dec 2025_ _功能_ * Tested compatibility up to WordPress 6.9. * Abilities support. Taxonomy abilities. * JSON schemas. Taxonomy schema. #### 6.6.0 _Release Date 19 Nov 2025_ _功能_ * Backported features up to 6.6.0. * Abilities API integration. Post Type abilities. * JSON schemas validation infrastructure. _Fixes_ * Fixed Function in network.php * SCF label in “More” menu. * Get the formatted_value from the original field value. * Blocks V3: Fix flexible content not working in sidebar – modal. * Use specific entity prefixes for key generation when duplicating entities. #### 6.5.7 _Release Date 28 Aug 2025_ _功能_ * 灵活的内容布局现在可以在帖子编辑器中重命名,使内容编辑器在管理布局时更加清晰。 * 现在可以禁用灵活的内容布局,使其无法在前端呈现,而无需删除其数据。 * 灵活的内容布局现在可以批量折叠和展开,以加快内容编辑速度。 * Editing a Flexible Content layout now highlights the layout being edited, making it easier to identify. * 日期和日期时间选择器字段现在可以配置为默认为当前日期。 * 在 ACF 块内使用自定义图标选取器选项卡时,现在可以正确工作。 * 使用俄语翻译时,复制字段组不再会导致致命错误。 * ACF 类不再使用动态类属性,从而提高了与 PHP 8.2+ 的兼容性。 * Field group metabox collapse and expand buttons are no longer misaligned in the post editor. * HTML 现在可从字段验证错误和工具提示中转义。 * 为 /wp/v2/types REST API 端点添加了一个新的源参数,允许按来源过滤帖子类型:核心( WordPress 内置)、SCF(SCF 管理的类型)或其他 CPT。 _Security_ – 对于有条件加载的字段组,字段组标签中的不安全 HTML 现在可正确转义,从而解决了经典 编辑器中的一个 JS 执行漏洞。 – 在 ACF 管理器中输出时,字段组标签中的 HTML 现在已 转义。 – 双向和条件逻辑 Select2 元素不再在字段标签或帖子标题中呈现 HTML。 – acf. escHtml 函数现在使用第三方 DOMPurify 库来确保删除所有不安全的 HTML。新的 esc_html_dompurify_config JS 过滤器可用于修改默认行为。 – 现在,只要是由 ACF 代码输出的文章标题,都会正确转 义。感谢 LAC Co., Ltd. 的 Shogo Kumamaru 负责信息披露。 – 在使用第 3 版 Select2 库时,现在会显示管理通知,因为该库已被弃用,转而使用第 4 版。 #### 6.5.6 因 SVN 错误而放弃发布。 #### 6.5.5 _Release Date 31 Jul 2025_ _功能_ * Connect block attributes with custom fields via UI. * Remove the word ‘New’ from default `add-new*` label values. _Bug Fixes_ * Bug fix: Prevent fatal if class does not exist on Beta Features. #### 6.5.4 _Release Date 30 Jul 2025_ Revert from 6.5.2. #### 6.5.2 _Release Date 30 Jul 2025_ _功能_ * Connect block attributes with custom fields via UI. * Remove the word ‘New’ from default `add-new*` label values. #### 6.5.1 _Release Date 2 Jul 2025_ _Bug Fixes_ * Command Palette: Use `@wordpress\icons` instead of Dashicons. #### 6.5.0 _Release Date 23 Jun 2025_ _Enhancements & Features_ * 已添加命令调色板支持。 * 为 acf-field 源代码添加了编辑器预览。 * 添加了一个端点,用于检索帖子类型的自定义字段。 * 添加了导航菜单作为字段类型。 * Added compatibility with Woo HPOS for order fields and subscriptions. ( Ported from ACF ) * Create new options when editing a fields value on Selector. ( Ported from ACF) * The “Escaped HTML” warning notice is now disabled by default. ( Ported from ACF) * Added new `acf/fields/icon_picker/{tab_name}/icons` filter ( Ported from ACF ) _Bug Fixes_ * Update initialization of the acfL10n object to ensure it’s available globally. * SCF Blocks are now forced into preview mode when editing a synced pattern. ( Ported from ACF ) * SCF no longer causes an infinite loop in bbPress when editing replies. ( Ported from ACF ) * Changing a field type no longer enables the “Allow Access to Value in Editor UI” setting. ( Ported from ACF ) * Blocks registered via acf_register_block_type() with a `parent` value of `null` no longer fail to register. ( Ported from ACF ) * Fix AJAX repeater pagination. ( Ported from ACF ) * Paginated Repeater fields no longer save duplicate values when saving to a WooCommerce Order with HPOS disabled ( Ported from ACF ) _Testing_ * 添加了第一批 e2e 测试。 #### 6.4.2 _Release Date 14 Apr 2025_ * 解决了简码翻译无法正确解析的问题。 * 改进字段管理中的 URL 验证。 #### 6.4.1 _Release Date 7 Mar 2025_ * 从 Advanced Custom Fields® 分叉 * 对编码标准进行各种更新。 * 已更新为依靠 WordPress.org 翻译包来翻译所有字符串。 #### 6.3.9 _发布日期 2024 年 10 月 22 日_ * 版本更新发布 #### 6.3.6.3 _发布日期 2024年10月15日_ * 安全性 – 在字段组编辑器中编辑字段不再执行存储的 XSS 漏洞。感谢来自 Viettel Cyber Security 的 Duc Luong Tran (janlele91) 负责披露 * 安全性–文章类型和分类元方框回调不再能够访问任何超全局值,从而进一步加强了 6.3.6.2 中的原始修复。 * 修复–在块编辑器中使用并附加到侧边栏的 SCF 字段现在可正确验证。 #### 6.3.6.2 _发布日期 2024年10月12日_ * 安全性 – 6.3.6.1 中的加固修复也涵盖 $_REQUEST。 * 分叉 – 将插件更名为安全自定义字段。 #### 6.3.6.1 _发布日期 2024 年 10 月 7 日_ * 安全性 – SCF 定义的「文章类型」和「分类法元框」回调不再能够访问 $_POST 数据。( 感谢 Automattic 安全团队的披露) ## 社区插件 该插件由社区开发和支持。 [为该插件贡献](https://github.com/wordpress/secure-custom-fields/) ## 额外信息 * 版本 **6.8.9** * 最后更新:**6 天前** * 活跃安装数量 **80,000+** * WordPress 版本 ** 6.2 或更高版本 ** * 已测试的最高版本为 **6.9.4** * PHP 版本 ** 7.4 或更高版本 ** * 语言 * [Bengali (Bangladesh)](https://bn.wordpress.org/plugins/secure-custom-fields/)、 [Chinese (China)](https://cn.wordpress.org/plugins/secure-custom-fields/) 、 [Dutch](https://nl.wordpress.org/plugins/secure-custom-fields/) 、 [Dutch (Belgium)](https://nl-be.wordpress.org/plugins/secure-custom-fields/)、 [English (US)](https://wordpress.org/plugins/secure-custom-fields/) 、 [Korean](https://ko.wordpress.org/plugins/secure-custom-fields/)、 [Polish](https://pl.wordpress.org/plugins/secure-custom-fields/) 、 [Portuguese (Brazil)](https://br.wordpress.org/plugins/secure-custom-fields/)、 [Russian](https://ru.wordpress.org/plugins/secure-custom-fields/) 、 [Spanish (Chile)](https://cl.wordpress.org/plugins/secure-custom-fields/)、 [Spanish (Ecuador)](https://es-ec.wordpress.org/plugins/secure-custom-fields/)、 [Spanish (Spain)](https://es.wordpress.org/plugins/secure-custom-fields/) 、 [Swedish](https://sv.wordpress.org/plugins/secure-custom-fields/) 和 [Vietnamese](https://vi.wordpress.org/plugins/secure-custom-fields/). * [翻译成简体中文](https://translate.wordpress.org/projects/wp-plugins/secure-custom-fields) * 标签 * [custom fields](https://cn.wordpress.org/plugins/tags/custom-fields/)[fields](https://cn.wordpress.org/plugins/tags/fields/) [meta](https://cn.wordpress.org/plugins/tags/meta/)[scf](https://cn.wordpress.org/plugins/tags/scf/) * [高级视图](https://cn.wordpress.org/plugins/secure-custom-fields/advanced/) ## 评级 4.7 星(最高 5 星)。 * [ 57 条 5 星评价 ](https://wordpress.org/support/plugin/secure-custom-fields/reviews/?filter=5) * [ 0 条 4 星评价 ](https://wordpress.org/support/plugin/secure-custom-fields/reviews/?filter=4) * [ 0 条 3 星评价 ](https://wordpress.org/support/plugin/secure-custom-fields/reviews/?filter=3) * [ 0 条 2 星评价 ](https://wordpress.org/support/plugin/secure-custom-fields/reviews/?filter=2) * [ 4 条 1 星评价 ](https://wordpress.org/support/plugin/secure-custom-fields/reviews/?filter=1) [Your review](https://wordpress.org/support/plugin/secure-custom-fields/reviews/#new-post) [查看全部评论](https://wordpress.org/support/plugin/secure-custom-fields/reviews/) ## 贡献者 * [ WordPress.org ](https://profiles.wordpress.org/wordpressdotorg/) ## 支持 最近两个月解决的问题: 总计 1,已解决 0 [查看支持论坛](https://wordpress.org/support/plugin/secure-custom-fields/)