Critical Backdoor Hidden in WordPress Plugins for 8 Months

Emy Elsamnoudy
April 15, 2026, 4 Min Read

Key Takeaways

  • A sophisticated supply chain attack compromised 31 popular WordPress plugins from “Essential Plugin.”
  • The attacker, after acquiring the plugin portfolio, embedded a PHP deserialization backdoor that remained dormant for eight months.
  • Once activated, the backdoor injected hidden spam, fake pages, and redirects into affected websites, specifically targeting Googlebot to evade detection by site owners.
  • Hundreds of thousands of active WordPress installations were impacted, with WordPress.org subsequently closing all 31 vulnerable plugins.
  • While an auto-update removed the initial malicious code from plugin files, the deeply embedded malware in wp-config.php requires manual intervention for complete remediation.

Covert Supply Chain Attack Compromises Hundreds of Thousands of WordPress Sites

A sophisticated supply chain attack, meticulously planned and executed, successfully embedded a critical backdoor into numerous widely used WordPress plugins. This malicious code lay dormant for an alarming eight months before its activation began to compromise websites globally. Cybersecurity researchers have recently published a detailed analysis of this incident, highlighting its calculated nature and extensive impact.

The operation did not commence with a direct breach but rather through the strategic acquisition of a legitimate plugin business. This calculated move set the stage for one of the most significant supply chain compromises observed within the WordPress ecosystem in recent years.

The Acquisition of “Essential Plugin”

At the heart of this incident was “Essential Plugin,” a portfolio of over 30 free WordPress plugins developed by an India-based team, originally operating as “WP Online Support” since approximately 2015. Their offerings spanned various functionalities, including countdown timers, image sliders, hero banners, and post grids.

By late 2024, facing a reported revenue decline of 35% to 45%, founder Minesh Shah decided to list the entire business for sale on the online marketplace Flippa. The portfolio was subsequently acquired for a six-figure sum by an individual identified only as “Kris,” who reportedly had a background in SEO, cryptocurrency, and online gambling marketing. Flippa even featured this transaction in a case study published in July 2025.

Discovery and Malicious Payload

The attack came to light when analysts and researchers at Anchor detected suspicious activity after a client received a security alert within their WordPress administration dashboard. This warning originated from the WordPress.org Plugins Team, indicating that the “Countdown Timer Ultimate” plugin contained code facilitating unauthorized third-party access.

A comprehensive security audit revealed that the primary malware was not directly within the plugin files themselves. Instead, it was deeply entrenched within the site’s wp-config.php file. This hidden code was designed to inject covert spam links, create fake pages, and implement redirects exclusively for Googlebot. Crucially, this made the malicious activity invisible to site owners, allowing it to persist undetected for an extended period.

[Figure: wp-config.php file size across 8 backup snapshots (Source: Anchor)]

The widespread nature of this compromise was particularly concerning. On April 7, 2026, WordPress.org took decisive action, permanently closing all 31 plugins associated with Essential Plugin. This move affected hundreds of thousands of active installations. While a forced auto-update to version 2.6.9.1 successfully removed the initial “phone-home” mechanism from the plugin files, it did not address the malicious code embedded in wp-config.php. Consequently, compromised sites continued to silently serve hidden spam to search engines long after the supposed “patch” was applied.

A Familiar Attack Pattern

This incident bears striking similarities to a 2017 event where an individual using the alias “Daley Tias” acquired the Display Widgets plugin and subsequently injected payday loan spam across approximately 200,000 websites. Both cases followed an identical playbook: purchase a trusted plugin via a public marketplace, gain commit access to its codebase, and then introduce malicious code. A critical vulnerability in this process is WordPress.org’s lack of a formal mechanism to flag or review plugin ownership transfers, meaning no user notifications or code audits occur when new committers assume control.

The Infection Mechanism: Eight Months of Silence

The attacker’s very first commit after acquiring the Essential Plugin business was the point of infection. Version 2.6.7 of Countdown Timer Ultimate, released on August 8, 2025, introduced 191 lines of malicious code under the innocuous changelog entry: “Check compatibility with WordPress version 6.8.2.” This hidden code constituted a PHP deserialization backdoor, providing the attacker’s server with complete control over function names, arguments, and execution on affected sites.

This backdoor remained dormant until April 5–6, 2026, when it was activated. The domain analytics.essentialplugin.com began pushing malicious payloads to every compromised site. To complicate takedown efforts and ensure resilience, the malware resolved its command-and-control (C2) domain through an Ethereum smart contract. This innovative approach allowed the attacker to redirect traffic to new servers simply by updating the smart contract on public blockchain RPC endpoints, making traditional blocking methods less effective.

What You Should Do

  • Identify and Remove Affected Plugins: Immediately scan your WordPress installations for any of the 31 closed Essential Plugin plugins. Remove and replace them with reputable alternatives.
  • Manually Inspect wp-config.php: Critically, manually examine your wp-config.php file for any injected code, particularly near the require_once call for wp-settings.php.
  • Check File Size: If your wp-config.php file is approximately 6 KB larger than expected, that is a strong indicator of compromise and calls for a full site cleanup, not just a plugin update.
  • Perform a Full Site Audit: If any Essential Plugin component was installed, conduct a comprehensive security audit of your entire WordPress installation to identify and eliminate any lingering malicious code or unauthorized changes.
  • Consider a Clean Restore: For heavily compromised sites, a full restoration from a clean backup (taken before August 2025) may be the safest course of action, followed by immediate patching and security hardening.
  • Advocate for Platform Changes: Support calls for WordPress.org to implement a formal review process for plugin ownership transfers to prevent similar supply chain attacks in the future.
