Austin Ginder, the founder of Anchor Hosting, recently sounded the alarm regarding a sophisticated supply chain attack involving dozens of WordPress plugins. The breach occurred after a company named Essential Plugin was acquired by a new corporate owner last year. Shortly after the sale, backdoors were secretly integrated into the source code of approximately 30 different plugins. These malicious additions remained dormant for several months until they were finally activated earlier this month to distribute harmful code. Current data suggests that over 20,000 active WordPress installations have been compromised by this widespread security threat.
- Backdoors were added to the plugin portfolio after it was acquired.
- Data shows that more than 20,000 active websites were infected.
- The WordPress plugin team removed the compromised plugins from the official directory.
Essential Plugin previously claimed to serve over 15,000 customers with a total of 400,000 installs across its entire catalog. While only a subset of these plugins contained the malicious backdoor, the scale of the potential impact remains significant. The vulnerability stems from the way WordPress handles plugin updates and ownership transfers within its ecosystem.
The backdoor sat dormant for nearly a year before it began executing malicious commands on host servers.
A Significant Supply Chain Attack Was Detected
When a plugin is sold to a new developer, the existing user base often remains unaware of the transition. In this instance, the new owners of Essential Plugin utilized their access to push updates that included the backdoor. This method allows attackers to bypass traditional security perimeters by leveraging the trust established by the original developers over many years.
Security expert Austin Ginder noted that this is the second time in just two weeks that a plugin hijack has been discovered. This trend highlights a growing risk where malicious actors purchase established software specifically to exploit its existing user base through automated update mechanisms.

WordPress does not currently notify site owners when a plugin they use changes ownership.
The Malicious Backdoor Remained Dormant Until It Activated
Upon discovery of the malicious code, the WordPress plugin team took swift action. All affected plugins have been removed from the official directory and are now listed as permanently closed. However, simply removing them from the store does not automatically delete them from websites where they are already installed and active.
Website administrators are urged to manually review their plugin lists and cross-reference them with the affected titles identified by security researchers. If any of the Essential Plugin products are found, they should be deleted immediately to prevent further exploitation and data loss.
Site owners must manually remove the plugins as the directory closure does not affect existing installations.
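The manual review described above can be scripted. The following is an added example, not code from Anchor Hosting or the WordPress plugin team: it walks a `wp-content/plugins` directory, so inactive plugins are covered too, and flags matches by slug or by the `Author` header. The slugs are placeholders because the article does not list the affected titles, and the author string is an assumption about how the vendor name appears in plugin headers.

```python
import re
import sys
from pathlib import Path

# Placeholder slugs (constructed): the article does not name the affected
# plugins. Replace with the titles published by the security researchers.
AFFECTED_SLUGS = {"example-affected-plugin-one", "example-affected-plugin-two"}
AFFECTED_AUTHOR = "essential plugin"  # assumed header text for the vendor
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Author|Version):(.*)$", re.I | re.M)

def read_headers(php_file):
    """Parse the plugin header comment; WordPress reads only the first 8 KiB."""
    try:
        head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    except OSError:
        return {}
    headers = {}
    for key, value in HEADER_RE.findall(head):
        headers.setdefault(key.title(), value.strip(" \t*/\r"))
    return headers

def audit_plugins(plugins_dir):
    """Flag plugin directories whose slug or Author header matches."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():  # single-file plugins are not covered here
            continue
        main = {}
        for php in sorted(entry.glob("*.php")):
            h = read_headers(php)
            if "Plugin Name" in h:  # first file with a header is the main file
                main = h
                break
        reasons = []
        if entry.name.lower() in AFFECTED_SLUGS:
            reasons.append("slug")
        if AFFECTED_AUTHOR in main.get("Author", "").lower():
            reasons.append("author")
        if reasons:
            findings.append({"slug": entry.name, "version": main.get("Version", "?"),
                             "matched_on": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_plugins(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"{f['slug']} {f['version']} matched on {','.join(f['matched_on'])}: remove")
```

A slug match is the stronger signal; an author match alone also catches a plugin installed under a renamed directory, but should be checked against the published list.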
The Official WordPress Directory Ensured the Software Was Removed
The situation serves as a stark reminder for developers and site managers to vet their third-party tools regularly. As supply chain attacks become more common, the security of the broader web depends on transparency regarding software ownership and the integrity of update repositories.

