Critical Backdoor Hidden in WordPress Plugins for 8 Months
Key Takeaways
- A sophisticated supply chain attack compromised 31 popular WordPress plugins from “Essential Plugin.”
- The attacker, after acquiring the plugin portfolio, embedded a PHP deserialization backdoor that remained dormant for eight months.
- Once activated, the backdoor injected hidden spam, fake pages, and redirects into affected websites, specifically targeting Googlebot to evade detection by site owners.
- Hundreds of thousands of active WordPress installations were impacted, with WordPress.org subsequently closing all 31 vulnerable plugins.
- While an auto-update removed the initial malicious code from plugin files, the deeply embedded malware in wp-config.php requires manual intervention for complete remediation.
Covert Supply Chain Attack Compromises Hundreds of Thousands of WordPress Sites
A sophisticated supply chain attack, meticulously planned and executed, successfully embedded a critical backdoor into numerous widely used WordPress plugins. This malicious code lay dormant for an alarming eight months before its activation began to compromise websites globally. Cybersecurity researchers have recently published a detailed analysis of this incident, highlighting its calculated nature and extensive impact.
The operation did not commence with a direct breach but rather through the strategic acquisition of a legitimate plugin business. This calculated move set the stage for one of the most significant supply chain compromises observed within the WordPress ecosystem in recent years.
The Acquisition of “Essential Plugin”
At the heart of this incident was “Essential Plugin,” a portfolio of over 30 free WordPress plugins developed by an India-based team, originally operating as “WP Online Support” since approximately 2015. Their offerings spanned various functionalities, including countdown timers, image sliders, hero banners, and post grids.
By late 2024, facing a reported revenue decline of 35% to 45%, founder Minesh Shah decided to list the entire business for sale on the online marketplace Flippa. The portfolio was subsequently acquired for a six-figure sum by an individual identified only as “Kris,” who reportedly had a background in SEO, cryptocurrency, and online gambling marketing. Flippa even featured this transaction in a case study published in July 2025.
Discovery and Malicious Payload
The attack came to light when analysts and researchers at Anchor detected suspicious activity after a client received a security alert within their WordPress administration dashboard. This warning originated from the WordPress.org Plugins Team, indicating that the “Countdown Timer Ultimate” plugin contained code facilitating unauthorized third-party access.
A comprehensive security audit revealed that the primary malware was not directly within the plugin files themselves. Instead, it was deeply entrenched within the site’s wp-config.php file. This hidden code was designed to inject covert spam links, create fake pages, and implement redirects exclusively for Googlebot. Crucially, this made the malicious activity invisible to site owners, allowing it to persist undetected for an extended period.

The widespread nature of this compromise was particularly concerning. On April 7, 2026, WordPress.org took decisive action, permanently closing all 31 plugins associated with Essential Plugin. This move affected hundreds of thousands of active installations. While a forced auto-update to version 2.6.9.1 successfully removed the initial “phone-home” mechanism from the plugin files, it did not address the malicious code embedded in wp-config.php. Consequently, compromised sites continued to silently serve hidden spam to search engines long after the supposed “patch” was applied.
A Familiar Attack Pattern
This incident bears striking similarities to a 2017 event where an individual using the alias “Daley Tias” acquired the Display Widgets plugin and subsequently injected payday loan spam across approximately 200,000 websites. Both cases followed an identical playbook: purchase a trusted plugin via a public marketplace, gain commit access to its codebase, and then introduce malicious code. A critical vulnerability in this process is WordPress.org’s lack of a formal mechanism to flag or review plugin ownership transfers, meaning no user notifications or code audits occur when new committers assume control.
The Infection Mechanism: Eight Months of Silence
The attacker’s very first commit after acquiring the Essential Plugin business was the point of infection. Version 2.6.7 of Countdown Timer Ultimate, released on August 8, 2025, introduced 191 lines of malicious code under the innocuous changelog entry: “Check compatibility with WordPress version 6.8.2.” This hidden code constituted a PHP deserialization backdoor, providing the attacker’s server with complete control over function names, arguments, and execution on affected sites.
This backdoor remained dormant until April 5–6, 2026, when it was activated. The domain analytics.essentialplugin.com began pushing malicious payloads to every compromised site. To complicate takedown efforts and ensure resilience, the malware resolved its command-and-control (C2) domain through an Ethereum smart contract. This innovative approach allowed the attacker to redirect traffic to new servers simply by updating the smart contract on public blockchain RPC endpoints, making traditional blocking methods less effective.
What You Should Do
- Identify and Remove Affected Plugins: Immediately scan your WordPress installations for any of the 31 closed Essential Plugin plugins. Remove and replace them with reputable alternatives.
- Manually Inspect wp-config.php: Critically, manually examine your wp-config.php file for any injected code, particularly near the require_once call for wp-settings.php.
- Check File Size: If your wp-config.php file is approximately 6KB larger than expected, it is a strong indicator of compromise and necessitates a full site cleanup, not just a plugin update.
- Perform a Full Site Audit: If any Essential Plugin component was installed, conduct a comprehensive security audit of your entire WordPress installation to identify and eliminate any lingering malicious code or unauthorized changes.
- Consider a Clean Restore: For heavily compromised sites, a full restoration from a clean backup (taken before August 2025) may be the safest course of action, followed by immediate patching and security hardening.
- Advocate for Platform Changes: Support calls for WordPress.org to implement a formal review process for plugin ownership transfers to prevent similar supply chain attacks in the future.
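The wp-config.php inspection and file-size checks above can be scripted. The Python audit below is an added example, not code from HackersRadar or the researchers; the 4 KB size baseline, the suspicious-call heuristics and the constructed sample file are assumptions, while the C2 domain string is the one named in the article.

```python
"""Audit a wp-config.php (or any plugin PHP file) for the indicators described in the article."""
import re

C2_DOMAIN = "analytics.essentialplugin.com"          # domain named in the article
STOCK_WPCONFIG_MAX = 4096                              # assumed: a stock wp-config.php is ~3 KB
SETTINGS_INCLUDE = re.compile(r"require_once\s+ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]")
SUSPICIOUS = {                                         # generic heuristics; expect some false positives
    "unserialize": re.compile(r"\bunserialize\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "c2_domain": re.compile(re.escape(C2_DOMAIN)),
}

def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, indicator) pairs for every suspicious hit in a PHP source."""
    return [(i, n) for i, line in enumerate(text.splitlines(), 1)
            for n, p in SUSPICIOUS.items() if p.search(line)]

def audit_wp_config(text: str) -> list[str]:
    """Findings for one wp-config.php: size, code after the wp-settings include, suspicious calls."""
    findings, lines = [], text.splitlines()
    if (size := len(text.encode())) > STOCK_WPCONFIG_MAX:
        findings.append(f"size {size} B exceeds {STOCK_WPCONFIG_MAX} B")
    inc = next((i for i, l in enumerate(lines, 1) if SETTINGS_INCLUDE.search(l)), None)
    if inc is None:
        findings.append("no require_once of wp-settings.php found")
    else:  # a stock file ends with that include, so executable code after it is not stock
        tail = [l for l in lines[inc:] if l.strip() and not l.lstrip().startswith(("//", "#", "/*", "*"))]
        if tail:
            findings.append(f"{len(tail)} code line(s) after the wp-settings.php include")
    for lineno, name in scan_text(text):
        rel = "" if inc is None else f" ({lineno - inc:+d} lines from the include)"
        findings.append(f"{name} at line {lineno}{rel}")
    return findings

# Constructed fixture: a stock-looking tail with one injected line (illustrative, not the real payload).
SAMPLE_WPCONFIG = """<?php
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
@unserialize( base64_decode( $blob ) );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WPCONFIG):
        print("FINDING:", finding)
```

scan_text() can also be run over the PHP files of every installed plugin; eval and base64_decode occur in legitimate code too, so treat hits as leads to review rather than verdicts.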
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.