Attacker Buys 30+ WordPress Plugins, Plants Backdoors via Supply Chain Attack
Original: Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them
Why This Matters
Demonstrates a sophisticated supply chain attack targeting WordPress ecosystem infrastructure.
Security researchers discovered a large-scale supply chain attack in which someone purchased over 30 WordPress plugins and injected backdoors into them. The attacker paid six figures on Flippa for the plugin portfolio, planted backdoors that stayed dormant for 8 months before activation, and used Ethereum smart contracts to control command servers.
A major supply chain attack targeted WordPress plugins through acquisition and malicious modification. An unknown attacker purchased 30+ plugins on the marketplace Flippa for a six-figure sum, then injected backdoors into all of them. The attack was discovered when security firm Improve & Grow noticed WordPress.org warnings about the Countdown Timer Ultimate plugin.
Analysis revealed that the plugin's wpos-analytics module downloaded a backdoor file called wp-comments-posts.php, which injected malicious PHP code into wp-config.php. The malware served SEO spam only to Googlebot, making it invisible to site owners. Uniquely, it used Ethereum smart contracts to resolve command-and-control domains, making traditional takedowns ineffective.
The backdoor was planted in version 2.6.7 in August 2025 but remained dormant for 8 months before activation in April 2026. WordPress.org has closed 31 compromised plugins from this attack.
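A triage check for the indicators named above, as an added example that is not from the original report or any vendor's tooling: it looks for the dropped file `wp-comments-posts.php` (WordPress core ships `wp-comments-post.php`, singular), lists plugins that bundle a `wpos-analytics` directory, and compares `wp-config.php` with a known-good copy. The function names, the on-disk layout and the sample tree are assumptions constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

DROPPED_FILE = "wp-comments-posts.php"  # name from the article; core ships wp-comments-post.php
MODULE_DIR = "wpos-analytics"           # module named in the article; its path in a plugin is assumed
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def plugin_header(plugin_dir):
    """Read name and version from the standard WordPress plugin header comment."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        fields = {k.lower(): v for k, v in HEADER_RE.findall(head)}
        if "plugin name" in fields:
            return fields["plugin name"], fields.get("version", "unknown")
    return plugin_dir.name, "unknown"

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(wp_root, known_good_config=None):
    """Return (kind, detail) findings for one WordPress install."""
    root, findings = Path(wp_root), []
    for hit in sorted(root.rglob(DROPPED_FILE)):
        findings.append(("dropped-file", hit.relative_to(root).as_posix()))
    plugins = root / "wp-content" / "plugins"
    for plugin_dir in sorted(p for p in plugins.iterdir() if p.is_dir()) if plugins.is_dir() else []:
        if any(d.is_dir() for d in plugin_dir.rglob(MODULE_DIR)):
            findings.append(("bundled-module", "%s %s" % plugin_header(plugin_dir)))
    config = root / "wp-config.php"
    if known_good_config and config.is_file() and sha256(config) != sha256(known_good_config):
        findings.append(("config-changed", "wp-config.php"))
    return findings

def demo():
    """Run triage over a constructed sample tree (not real plugin code)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "site")
        plugin = root / "wp-content" / "plugins" / "constructed-plugin"
        (plugin / "includes" / MODULE_DIR).mkdir(parents=True)
        (plugin / "constructed-plugin.php").write_text("<?php\n/**\n * Plugin Name: Constructed Plugin\n * Version: 1.2.3\n */\n")
        (root / DROPPED_FILE).write_text("<?php // constructed placeholder\n")
        (root / "wp-config.php").write_text("<?php // constructed: differs from backup\n")
        backup = Path(tmp, "wp-config.backup.php")
        backup.write_text("<?php // constructed: known-good copy\n")
        return triage(root, backup)

if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

A `bundled-module` finding only says the plugin ships that module and deserves review against the list of plugins WordPress.org closed; it is not proof of compromise on its own.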