
Hidden Backdoor Found In Dozens Of WordPress Plugins, Site Owners Told To Check Installations

  • Andrej Botka
  • Apr 15
  • 2 min read

A supply-chain breach in a popular WordPress plugin vendor has left thousands of websites exposed after a newly added backdoor began distributing malicious code, security researchers say. The affected extensions, which were quietly purchased by a new owner last year, were pulled from WordPress’ official directory this week after the hidden functionality activated and started delivering unauthorized updates to sites that had the plugins installed.


The problem was flagged by Austin Ginder, founder of Anchor Hosting, who outlined the incident on his blog and identified the plugin author as Essential Plugin. According to the company’s public materials, its products have been installed on more than four hundred thousand sites and it reports serving over fifteen thousand customers. WordPress’ own listings indicate the compromised packages were active on more than twenty thousand installations before removal.


Plugins give site administrators extra features but also run with broad access to a site’s files and database, which makes them a tempting entry point when control changes hands. Ginder warned that WordPress does not notify users when a plugin’s ownership transfers, meaning operators can unwittingly receive harmful code pushed by a new maintainer. A cybersecurity consultant who reviewed the case said attackers increasingly buy existing projects to quietly modify code and reach large numbers of targets in a single move.


WordPress has marked the items as permanently closed in the plugin directory, but removal from the store does not clear installations already present on servers. Site administrators should search their dashboards for the affected plugin names, delete any copies, run a full malware scan, and rotate admin and database credentials. Forensic checks of access logs and outbound connections are also recommended to determine whether any additional payloads were installed.
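Because closed plugins stay on disk, the check can also be run against the filesystem rather than the dashboard. The following is an added example, not code from the article or from Ginder's write-up: it reads the header block of each installed plugin and flags those whose Author header names the vendor or whose directory name is in a slug list the operator supplies. It assumes the affected plugins carry the vendor name in their Author header; no slugs are built in, since the article does not list them.

```python
import re
import sys
from pathlib import Path

# Same header lines WordPress parses from the top of a plugin's main PHP file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*(Plugin Name|Author|Version):(.*)$", re.I | re.M)

def read_headers(php_file):
    """Parse header fields from the first 8 KiB, the region WordPress itself reads."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192)
    fields = {}
    for key, value in HEADER_RE.findall(head):
        text = value.decode("utf-8", "replace").strip(" \t\r*/")
        fields.setdefault(key.decode().title(), text)
    return fields

def inventory(plugins_dir, vendor, slugs=()):
    """Return installed plugins whose Author names `vendor` or whose slug is in `slugs`."""
    hits = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        # A plugin is either a directory of PHP files or a single PHP file.
        files = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        slug = entry.name if entry.is_dir() else entry.stem
        for php in files:
            if php.suffix != ".php":
                continue
            h = read_headers(php)
            if "Plugin Name" not in h:
                continue  # helper file, not the plugin's main file
            by_author = vendor.lower() in h.get("Author", "").lower()
            if by_author or slug in slugs:
                hits.append({"slug": slug, "name": h["Plugin Name"],
                             "version": h.get("Version", ""),
                             "matched": "author" if by_author else "slug"})
            break
    return hits

if __name__ == "__main__":
    # Usage: python3 check_plugins.py /path/to/wp-content/plugins [slug ...]
    # Slugs are the operator's copy of the published list; none are built in.
    # Assumption: affected plugins carry the vendor name in their Author header.
    for hit in inventory(sys.argv[1], "Essential Plugin", set(sys.argv[2:])):
        print("{slug}\t{name}\t{version}\tmatched by {matched}".format(**hit))
```

A clean result only means no matching header or slug was found; it does not replace the malware scan and log review described above.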


This incident follows another recent report of a tampered WordPress extension, underscoring a pattern security experts have warned about for years: commercial transactions in maintained software can introduce risk if vetting and monitoring are lax. Some researchers say the platform could reduce danger by informing users about ownership changes or requiring a brief review period before new maintainers can publish updates.


Representatives for Essential Plugin did not reply to requests for comment. Ginder published a list of the affected plugins on his site and urged WordPress site operators to verify their installs immediately.

 
 
 
