Backdoors discovered in dozens of WordPress plugins affecting thousands of websites

Original: Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

Why This Matters

This incident highlights a critical supply chain vulnerability in the WordPress ecosystem: a single plugin ownership change can affect thousands of sites at once.

Security researchers found backdoors planted in dozens of WordPress plugins after Essential Plugin was acquired by unknown buyers in 2025. The malicious code affected over 20,000 active installations before the plugins were removed from the WordPress plugin directory.

Austin Ginder of Anchor Hosting discovered a supply chain attack targeting Essential Plugin after its acquisition by unknown buyers in 2025. The backdoors remained dormant until April 2026, when they activated and began distributing malicious code to websites using the affected plugins. Essential Plugin claims over 400,000 plugin installs and 15,000 customers. The WordPress plugin directory shows the compromised plugins were active on more than 20,000 installations. The affected plugins have been permanently removed from the WordPress plugin directory. Ginder warns that this is the second WordPress plugin hijacking in two weeks, and notes that WordPress users are not notified when a plugin changes ownership, which leaves a gap attackers can exploit.

Source

techcrunch.com