Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites

After receiving a notice from a concerned user, a web developer discovered dozens of malicious WordPress plugins with buried backdoors that had compromised thousands of WordPress websites.
The affected plugins, all part of the Essential Plugin portfolio, were reportedly modified with a backdoor after their ownership quietly changed. According to Austin Ginder, founder of Anchor Hosting, the modified plugins lay dormant for eight months, evading quick detection while thousands of WordPress users installed them, before the backdoor was activated.
Instead of hacking the websites directly, the attackers simply took control of the plugins those sites rely on, a classic example of a supply-chain attack. WordPress, for its part, has permanently closed the affected plugins, preventing new installations.
Behind the scenes of this malware
What began as an alert on the dashboard of a WordPress website managed by a digital marketing agency, and reported to Ginder, led to a full security audit of the website and uncovered an attack whose origins date back months and which has compromised 31 WordPress plugins.
Ginder, in his blog post, said that the reported plugin, Countdown Timer Ultimate, was flagged as containing code that could enable unauthorized third-party access to the websites on which it was installed. At the time of reporting, the plugin had over 20,000 active installations.
He further wrote that although the plugin had been through a forced update pushed by WordPress, the malicious code remained intact.
Further investigation by Ginder using forensic and snapshot imaging showed that the plugin had operated legitimately until August 8, 2025. Version 2.6.7, ostensibly released to add compatibility with WordPress 6.8.2, added 191 lines of code that gave the attacker a backdoor into the sites running it.
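The snapshot comparison Ginder describes can be reproduced offline: keep a copy of each plugin version, diff the files between two versions, and read every added line. The Python below is an added example and is not code from the article or from Anchor Hosting. The two plugin snapshots are constructed, the fictional "compat.php" stands in for whatever the real update added, and the indicator list is a generic scanner heuristic rather than the article's findings; the "eth_call" indicator is included only because the article reports the C2 address being resolved through a smart contract.

```python
import difflib
import re
import tempfile
from pathlib import Path

# Generic indicators that WordPress malware scanners look for in added code.
# A hit is a reason to read the code by hand, not proof of compromise.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|create_function|curl_exec)\s*\("
    r"|eth_call"  # JSON-RPC method a plugin would use to read a smart contract
)

def snapshot(plugin_dir: Path) -> dict:
    """Map every file under plugin_dir (by relative POSIX path) to its lines."""
    return {
        p.relative_to(plugin_dir).as_posix(): p.read_text(errors="replace").splitlines()
        for p in sorted(plugin_dir.rglob("*"))
        if p.is_file()
    }

def diff_snapshots(before: dict, after: dict) -> dict:
    """Return {relpath: (added_lines, removed_lines)} for every file that
    differs; a file present only in `after` reports all of its lines as added."""
    report = {}
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel, []), after.get(rel, [])
        if old == new:
            continue
        added, removed = [], []
        # n=0: no context lines, so every +/- line is a real change.
        # The first two yielded lines are the ---/+++ file headers.
        for i, line in enumerate(difflib.unified_diff(old, new, lineterm="", n=0)):
            if i < 2 or line.startswith("@@"):
                continue
            if line.startswith("+"):
                added.append(line[1:])
            elif line.startswith("-"):
                removed.append(line[1:])
        report[rel] = (added, removed)
    return report

def flag_suspicious(report: dict) -> dict:
    """Pick out added lines matching SUSPICIOUS, keyed by file."""
    hits = {}
    for rel, (added, _removed) in report.items():
        matched = [line for line in added if SUSPICIOUS.search(line)]
        if matched:
            hits[rel] = matched
    return hits

def _write_tree(root: Path, files: dict) -> Path:
    """Materialise {relpath: text} under root (used only by the demo)."""
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root

def demo() -> tuple:
    """Diff two constructed snapshots of a fictional plugin: 2.6.6 and a 2.6.7
    that bumps the version and pulls in a new, obfuscated-looking file."""
    v266 = {
        "plugin.php": "<?php\n/*\nPlugin Name: Example Timer\nVersion: 2.6.6\n*/\n"
                      "add_shortcode('timer', 'example_timer');\n",
        "includes/timer.php": "<?php\nfunction example_timer() { return '<div class=\"timer\"></div>'; }\n",
    }
    v267 = dict(v266)
    v267["plugin.php"] = (v266["plugin.php"].replace("2.6.6", "2.6.7")
                          + "require_once __DIR__ . '/includes/compat.php';\n")
    # Constructed stand-in for an injected loader; the payload is a placeholder.
    v267["includes/compat.php"] = "<?php\n$p = base64_decode('PLACEHOLDER');\neval($p);\n"
    with tempfile.TemporaryDirectory() as tmp:
        before = snapshot(_write_tree(Path(tmp) / "v2.6.6", v266))
        after = snapshot(_write_tree(Path(tmp) / "v2.6.7", v267))
    report = diff_snapshots(before, after)
    return report, flag_suspicious(report)

if __name__ == "__main__":
    report, hits = demo()
    for rel, (added, removed) in report.items():
        print(f"{rel}: +{len(added)} -{len(removed)}")
    for rel, lines in hits.items():
        print(f"SUSPICIOUS {rel}: {lines}")
```

The point of diffing rather than scanning the whole plugin is that a legitimately large plugin drowns a scanner in noise, whereas the lines added by one update are few enough to read in full; the indicator regex only orders that reading, it does not replace it.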
When Ginder traced the malware, he found that the attacker, using the alias Kris, had bought the entire Essential Plugin portfolio for an undisclosed but confirmed six-figure sum. At the time, Essential Plugin was a dying portfolio of 31 plugins, and the original owners had listed it on Flippa.
The buyer has a background in SEO, crypto, and online gambling, which fits the likely profile of the attacker: all compromised plugins in the Essential Plugin portfolio were found to resolve their command-and-control (C2) server address through an Ethereum smart contract, so the attacker can point them at a new C2 server each time the old one is blocked.
Ginder also found that the backdoor in the plugins' malicious code let the attacker redirect visitors to spam links and fake pages, with the redirects hidden from the website admins.
What is the current state of affairs with this incident?
WordPress, through its WordPress.org Plugins Team, has now permanently closed every plugin in the Essential Plugin portfolio, which blocks new installations. Ginder has also published a list of all 31 affected plugins so that site owners and admins can check whether any of them are installed on their sites.
The recommended action is to delete these plugins and find alternatives. For those who want to keep using them, Ginder has also published a quick guide to patching them, and his blog lists the plugins he has patched himself.
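Checking an installation against the published list means reading the plugin headers WordPress itself uses to identify installed plugins, then matching each plugin's slug against the closed slugs. The Python below is an added example, not code from the article or from Anchor Hosting. The directory tree is constructed, the closed-slug set is a constructed stand-in for the list Ginder published, and "countdown-timer-ultimate" is assumed to be that plugin's slug.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header at the top of the
# plugin's main PHP file; "Plugin Name" and "Version" are the fields we need.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)

def parse_header(php_text: str) -> dict:
    """Return the recognised header fields from the start of a PHP file."""
    return dict(HEADER_RE.findall(php_text[:8192]))

def inventory(plugins_dir: Path) -> dict:
    """Map each installed plugin's slug to its header. A plugin is either a
    single top-level .php file or a directory whose first-level .php file
    carries a 'Plugin Name' header, mirroring how WordPress discovers them."""
    found = {}
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_file() and entry.suffix == ".php":
            candidates, slug = [entry], entry.stem
        elif entry.is_dir():
            candidates, slug = sorted(entry.glob("*.php")), entry.name
        else:
            continue
        for php in candidates:
            header = parse_header(php.read_text(errors="replace"))
            if "Plugin Name" in header:
                found[slug] = header
                break
    return found

def flag_closed(found: dict, closed_slugs: set) -> list:
    """Return (slug, name, version) for every installed plugin on the closed list."""
    return [
        (slug, hdr["Plugin Name"], hdr.get("Version", "unknown"))
        for slug, hdr in found.items()
        if slug in closed_slugs
    ]

def demo() -> tuple:
    """Build a constructed wp-content/plugins tree and audit it."""
    files = {
        "countdown-timer-ultimate/countdown-timer-ultimate.php":
            "<?php\n/**\n * Plugin Name: Countdown Timer Ultimate\n * Version: 2.6.7\n */\n",
        "countdown-timer-ultimate/readme.txt": "=== Countdown Timer Ultimate ===\n",
        "site-gallery/site-gallery.php": "<?php\n/*\nPlugin Name: Site Gallery\nVersion: 1.0.0\n*/\n",
        "site-gallery/lib/helpers.php": "<?php\nfunction sg_helper() {}\n",
        "hello.php": "<?php\n/*\nPlugin Name: Hello\nVersion: 1.7.2\n*/\n",
    }
    # Constructed stand-in for the published list of closed plugin slugs.
    closed = {"countdown-timer-ultimate", "example-closed-plugin"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        found = inventory(root)
    return found, flag_closed(found, closed)

if __name__ == "__main__":
    found, flagged = demo()
    for slug, hdr in found.items():
        print(f"{slug:30} {hdr['Plugin Name']} {hdr.get('Version', 'unknown')}")
    for slug, name, version in flagged:
        print(f"CLOSED PLUGIN INSTALLED: {slug} ({name} {version})")
```

Matching on the slug rather than the display name matters because a forked or renamed copy keeps the original directory name, and that directory name is what the closed list identifies.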
Breaching trust instead of credentials
While WordPress websites have historically been targets of brute-force attacks, attackers are now increasingly using the platform's vast plugin repository as an entry point. By purchasing popular, trusted plugins, attackers are buying user trust, so that when they strike, a significant number of sites are affected.
What is more concerning is that WordPress does not inform users when a plugin changes ownership. That makes it easier for an attacker to silently take over a plugin and push malware without users knowing that their trusted plugin has changed hands.
Since users typically have no way to know that a plugin has been compromised until it is too late, site owners and admins should audit their sites regularly, including reviewing installed plugins at least once a month.
