Malicious Backdoor Found in Dozens of WordPress Plugins After Developer Acquisition, Tools Pulled Offline
Dozens of plugins for WordPress, the world’s most widely used open-source website building and blogging platform, have been taken offline after a hidden backdoor was discovered in the tools. The backdoor lets threat actors push malicious code to any website running the affected plugins, and it was added to the codebase shortly after a new corporate owner purchased the full collection of plugins.
Last week, Anchor Hosting founder Austin Ginder first raised the alarm in a public blog post, detailing a supply chain attack carried out through the plugins of WordPress developer Essential Plugin. Ginder explained that an unknown buyer acquired Essential Plugin last year and that the backdoor was inserted into the plugins’ source code immediately afterwards. The backdoor lay dormant and undetected until earlier this month, when it activated and began distributing malicious code to every website with the affected tools installed.
Essential Plugin reports on its official website that its tools have accumulated more than 400,000 total installs and serve over 15,000 active customers. Data from WordPress’s official plugin directory confirms the affected tools are currently active on more than 20,000 WordPress installations globally.
Plugins let WordPress site owners add custom features and extend the platform’s core functionality, but that capability comes at a price: plugin code runs as PHP with the same privileges as WordPress core itself, so it can read and write the site’s database, files and configuration. A plugin update is therefore effectively arbitrary code execution on every site that installs it, and a plugin that is altered to carry malicious code compromises those sites outright. Ginder highlighted a gap in WordPress’s default security practices that exacerbates this risk: site owners receive no automatic notification when a plugin changes ownership, so a malicious new owner can ship a backdoored update that looks like any other routine release.
According to Ginder’s analysis, this incident marks the second hijacking of a popular WordPress plugin discovered in just two weeks. Security researchers have warned of this specific risk for decades: malicious actors routinely acquire widely used existing software, then alter its code to compromise thousands of connected sites and devices across the world.
While all affected plugins have been removed from the official WordPress plugin directory, with their closures marked as permanent, Ginder is urging all WordPress site owners to audit their installed plugins and remove any compromised tools immediately. A full list of affected plugins is published in Ginder’s original alert blog post.
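The audit Ginder recommends can be made repeatable. The following script is an added example written for this article, not code from Ginder’s post or from Essential Plugin: it reads the plugin headers WordPress itself uses (Plugin Name, Author, Author URI and so on) from each directory under wp-content/plugins, records a SHA-256 per file, and on a later run reports any plugin whose slug is on a blocklist you supply (for instance the list in Ginder’s post), any change to the ownership-related header fields, and any file added, modified or removed since the baseline. The plugin names, authors and URLs in the demo are constructed for illustration and do not refer to real plugins.

```python
"""Audit a WordPress wp-content/plugins tree: flag known-bad slugs, header
(ownership) changes and file changes against a saved baseline manifest.
Added example for this article; plugin data below is constructed."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Header fields WordPress reads from the main plugin file (first 8 KiB).
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Version", "Author", "Author URI")
# Fields whose change suggests a change of maintainer, not a routine update.
OWNERSHIP_FIELDS = ("Plugin URI", "Author", "Author URI")


def parse_plugin_header(text):
    """Return the header fields found in a PHP file's leading comment block,
    mirroring how WordPress's get_plugin_data() locates them."""
    head = text[:8192]
    found = {}
    for field in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            # Drop a trailing comment terminator on the same line, as WP does.
            found[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return found


def snapshot_plugins(plugins_dir):
    """Build {slug: {"headers": {...}, "files": {relpath: sha256}}} for each plugin dir."""
    snap = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        headers = {}
        for php in sorted(entry.glob("*.php")):  # main file sits at the top level
            h = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" in h:
                headers = h
                break
        files = {}
        for f in sorted(p for p in entry.rglob("*") if p.is_file()):
            files[f.relative_to(entry).as_posix()] = hashlib.sha256(f.read_bytes()).hexdigest()
        snap[entry.name] = {"headers": headers, "files": files}
    return snap


def audit(current, baseline, blocklist):
    """Compare a fresh snapshot with a baseline; return a list of (slug, finding)."""
    findings = []
    for slug, cur in current.items():
        if slug in blocklist:
            findings.append((slug, "on blocklist: remove immediately"))
        base = baseline.get(slug)
        if base is None:
            findings.append((slug, "new plugin not in baseline"))
            continue
        for field in OWNERSHIP_FIELDS:
            old, new = base["headers"].get(field), cur["headers"].get(field)
            if old != new:
                findings.append((slug, f"{field} changed: {old!r} -> {new!r}"))
        for path, digest in cur["files"].items():
            if path not in base["files"]:
                findings.append((slug, f"file added: {path}"))
            elif base["files"][path] != digest:
                findings.append((slug, f"file modified: {path}"))
        for path in base["files"]:
            if path not in cur["files"]:
                findings.append((slug, f"file removed: {path}"))
    for slug in baseline:
        if slug not in current:
            findings.append((slug, "plugin removed since baseline"))
    return findings


def _write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Constructed scenario: a plugin changes hands and a new file appears
    after the baseline was taken. Names and URLs are placeholders."""
    root = Path(tempfile.mkdtemp())
    try:
        plugins = root / "wp-content" / "plugins"
        main = plugins / "example-widget" / "example-widget.php"
        _write(main, "<?php\n/*\nPlugin Name: Example Widget\nPlugin URI: https://example.invalid/widget\n"
                     "Version: 1.0\nAuthor: Original Dev\nAuthor URI: https://example.invalid\n*/\n")
        _write(plugins / "other-plugin" / "other-plugin.php",
               "<?php\n/**\n * Plugin Name: Other Plugin\n * Author: Someone\n */\n")
        baseline = snapshot_plugins(plugins)

        # Later run: ownership headers rewritten, a loader file appears, version bumped.
        _write(main, "<?php\n/*\nPlugin Name: Example Widget\nPlugin URI: https://example.invalid/widget\n"
                     "Version: 1.1\nAuthor: New Owner LLC\nAuthor URI: https://new-owner.invalid\n*/\n"
                     "require __DIR__ . '/inc/loader.php';\n")
        _write(plugins / "example-widget" / "inc" / "loader.php",
               "<?php\n// constructed placeholder file, not malicious code\n")
        current = snapshot_plugins(plugins)
        # Blocklist is caller-supplied; here a constructed slug stands in for a real list.
        return audit(current, baseline, blocklist={"other-plugin"})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for slug, finding in demo():
        print(f"{slug}: {finding}")
```

In practice, take the baseline with snapshot_plugins right after a clean install or a verified update, store it outside the web root, and run audit on a schedule; a change to Author or Author URI is exactly the ownership transfer that WordPress does not notify you about, and a file appearing or changing outside an update you initiated is the signal to investigate before the next deploy.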
Representatives for Essential Plugin have not responded to requests for comment on the incident.