Someone bought 30 WordPress plugins and planted backdoors in all of them


An attacker bought 30+ WordPress plugins (Essential Plugin portfolio) on Flippa for six figures, planted a PHP deserialization backdoor in August 2025, then activated it eight months later to serve cloaked SEO spam exclusively to Googlebot. WordPress.org closed 31 plugins on 7 April 2026. The same week, Smart Slider 3 Pro (800,000+ installations) was separately compromised via its update infrastructure. Both attacks expose a structural gap: WordPress has no mechanism to review plugin ownership transfers or require code signing for updates.

Someone bought more than 30 WordPress plugins on the open market, quietly injected backdoors into all of them, waited eight months, and then activated a payload that served hidden SEO spam to Google while the websites’ owners saw nothing wrong. The attack, which WordPress.org shut down on 7 April by permanently closing every plugin from the Essential Plugin author, is one of the most methodical supply chain compromises the platform has ever faced – and it exploited a structural vulnerability that WordPress has no mechanism to prevent.

The buyer, identified only as “Kris” and linked to a background in SEO, cryptocurrency, and online gambling marketing, purchased the entire Essential Plugin portfolio for a six-figure sum through Flippa, the marketplace for digital businesses, in early 2025. Flippa was sufficiently pleased with the transaction that it published a case study about the sale in July 2025. By that point, the backdoor had already been planted.

Eight months of silence

The malicious code was introduced in version 2.6.7 of the plugins, released on 8 August 2025 with a changelog entry that read “Check compatibility with WordPress version 6.8.2.” That innocuous note concealed 191 additional lines of PHP, including a deserialization backdoor that would allow remote code execution. The code sat dormant for eight months, accruing the trust that comes with no visible misbehaviour, before activating on 5 and 6 April 2026.

The injection window on 6 April lasted six hours and 44 minutes, between 04:22 and 11:06 UTC. During that period, a command-and-control domain, analytics.essentialplugin.com, began distributing payloads to every website running one of the compromised plugins. The plugins’ internal wpos-analytics module downloaded a file called wp-comments-posts.php and used it to inject PHP code directly into wp-config.php, one of the most sensitive files in any WordPress installation.

What the payload did was sophisticated in its restraint. It fetched spam links, redirects, and fake pages from the C2 server and served them exclusively to Googlebot. Site owners browsing their own pages saw nothing unusual. Only search engine crawlers received the malicious content, a technique known as cloaking that is designed to manipulate search rankings while evading human detection for as long as possible.
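A site owner cannot see cloaked content from a browser, so one defender-side check is to request the same page twice, once with an ordinary browser User-Agent and once with Googlebot's, and compare what comes back. The script below is an added example written for this article, not code from the incident or from WordPress; it uses only the Python standard library, and the page contents (`CLEAN`, `SPAM`) and the `fake_fetch` function are constructed stand-ins so it runs offline. `fetch_http` shows how the same comparison would be run against a live site.

```python
import difflib
import urllib.request
from html.parser import HTMLParser

# Two User-Agent strings: a normal browser and Google's crawler.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"


class LinkCollector(HTMLParser):
    """Collect every href on a page so the two views can be diffed by links."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def compare_views(fetch, url):
    """Fetch url as a browser and as Googlebot; report what only the crawler is served.

    `fetch(url, user_agent)` must return the response body as a string, which
    lets the check run against a real fetcher or an offline stand-in.
    """
    human_view = fetch(url, BROWSER_UA)
    bot_view = fetch(url, GOOGLEBOT_UA)
    similarity = difflib.SequenceMatcher(None, human_view, bot_view).ratio()
    bot_only_links = sorted(extract_links(bot_view) - extract_links(human_view))
    return {
        "similarity": round(similarity, 3),
        "bot_only_links": bot_only_links,
        # Links that exist only in the crawler's copy, or a large textual
        # divergence, are the signatures of SEO cloaking.
        "cloaked": bool(bot_only_links) or similarity < 0.9,
    }


def fetch_http(url, user_agent):
    """Real fetcher for use against a site you operate (not used in the offline demo)."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8", errors="replace")


# Constructed sample responses: the clean page, and the same page with a
# hidden spam block that only the crawler receives.
CLEAN = "<html><body><h1>Shop</h1><a href='/about'>About</a></body></html>"
SPAM = CLEAN.replace(
    "</body>",
    "<div style='display:none'><a href='https://spam.example/casino'>x</a></div></body>",
)


def fake_fetch(url, user_agent):
    """Offline stand-in for fetch_http that behaves like a cloaking site."""
    return SPAM if "Googlebot" in user_agent else CLEAN


if __name__ == "__main__":
    print(compare_views(fake_fetch, "https://example.test/"))
```

Run it with `compare_views(fetch_http, "https://your-site.example/")` to test a real page. The comparison depends on the cloaking logic keying only on the User-Agent header; a site whose injected code also checks crawler IP ranges will serve you the clean copy, in which case the crawler's view from Google Search Console's URL inspection tool is the authoritative reference.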

The C2 infrastructure itself was built to resist takedown. Rather than relying on a conventional domain that could be seized or blacklisted, the payload resolved its command server through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain seizure, the standard tool for disrupting botnets and spam operations, would not work.

The ownership gap

The attack exploited what amounts to a policy vacuum at the heart of the WordPress ecosystem. WordPress.org reviews new plugin submissions before they appear in the directory. But when an existing plugin changes hands, when an established developer sells their portfolio to a stranger on Flippa, no additional code review is triggered. There is no “change of control” notification sent to the hundreds of thousands of sites running the affected plugins. The new owner inherits the previous developer’s commit access, reputation, and the implicit trust of every site administrator who enabled automatic updates.

This is not a theoretical vulnerability. It is an architectural one. WordPress powers roughly 43 per cent of all websites on the internet. Its plugin ecosystem contains more than 60,000 plugins, many of them maintained by solo developers or small teams who may sell their projects when they lose interest, need money, or simply move on. Every one of those transactions is an opportunity for the same attack: buy trust, wait, weaponise.

WordPress.org’s response to the Essential Plugin compromise was swift once the attack was detected. On 7 April, the plugins team permanently closed 31 plugins from the affected author. A subsequent update, version 2.6.9.1, neutralised the phone-home mechanism. But it did not touch the injected code in wp-config.php, meaning that sites which had already been compromised continued to serve hidden spam to search engines even after updating. Full remediation requires manual inspection of wp-config.php, a step that many site operators running small businesses on WordPress are unlikely to know how to perform.
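Because the plugin update removed the phone-home code but left whatever had already been written into wp-config.php, the inspection the article describes is the step that actually clears a site. The scanner below is an added example for this article, not the plugins team's tooling or any published cleanup script. It flags lines in wp-config.php that match the two indicators the article names (the C2 host and the dropped file name) plus constructs that have no place in a normal configuration file: deserialization, `eval`, base64-decoded payloads, remote includes and User-Agent checks. `SAMPLE_WP_CONFIG` is a constructed file with a fictitious injected block; the encoded string in it decodes to the word PLACEHOLDER.

```python
import re
from pathlib import Path

# (pattern, label). The first two come from the incident as reported; the
# rest are generic constructs that should never appear in wp-config.php.
INDICATORS = [
    (r"analytics\.essentialplugin\.com", "known C2 host (from the incident)"),
    (r"wp-comments-posts\.php", "dropped loader file name (from the incident)"),
    (r"\bunserialize\s*\(", "PHP deserialization call"),
    (r"\beval\s*\(", "eval() of dynamic code"),
    (r"\bbase64_decode\s*\(", "base64-encoded payload"),
    (r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", "remote file include"),
    (r"\b(?:curl_exec|file_get_contents)\s*\(\s*['\"]https?://", "outbound fetch of remote content"),
    (r"HTTP_USER_AGENT", "user-agent inspection (possible crawler cloaking)"),
]


def scan_wp_config(text):
    """Return (line_number, label, line) for each suspicious non-comment line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # comment lines are not executable
        for pattern, label in INDICATORS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, label, stripped))
                break  # report the most specific indicator once per line
    return findings


def scan_file(path):
    """Scan a wp-config.php on disk, e.g. scan_file('/var/www/html/wp-config.php')."""
    return scan_wp_config(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a normal config with a fictitious injected block that
# serves something different to Googlebot. Line 8 is the User-Agent check,
# line 9 the eval of an encoded payload (here just the word PLACEHOLDER).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( strpos( $_SERVER['HTTP_USER_AGENT'], 'Googlebot' ) !== false ) {
    @eval( base64_decode( 'UExBQ0VIT0xERVI=' ) );
}
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for lineno, label, line in scan_wp_config(SAMPLE_WP_CONFIG):
        print(f"line {lineno}: {label}: {line}")
```

A legitimate wp-config.php consists of `define()` calls, the `$table_prefix` assignment and the final `require_once ABSPATH . 'wp-settings.php'`, so any hit from this list warrants reading the surrounding lines by hand. The scanner only covers wp-config.php; since the article notes that the Smart Slider payload dropped backdoors in multiple locations, the same patterns are worth running across the whole document root.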

Not an isolated incident

The Essential Plugin compromise arrived in the same week as a separate supply chain attack on Smart Slider 3 Pro, a WordPress slider plugin with more than 800,000 active installations. In that case, attackers compromised the update infrastructure of Nextend, the company behind the plugin, and pushed a weaponised version, 3.5.1.35, through the official update channel. Any site that auto-updated during the roughly six-hour window before detection received a complete remote access toolkit capable of creating rogue administrator accounts, exfiltrating database credentials, and dropping persistent backdoors in multiple locations across the file system.

The two attacks used different methods (one exploited an ownership transfer, the other a server compromise), but they share the same underlying weakness: the WordPress update pipeline trusts the source implicitly once a plugin is established. There is no code-signing requirement for plugin updates. There is no mandatory two-factor authentication for developer accounts. And there is no regulatory framework that compels WordPress.org to implement the kind of supply chain verification that other software ecosystems have adopted under pressure.

The npm ecosystem, which distributes JavaScript packages, faced a similar reckoning after a series of supply chain attacks in the early 2020s and responded with mandatory two-factor authentication for maintainers of high-impact packages, provenance attestation, and automated security scanning. PyPI, the Python package index, followed a comparable path. WordPress, despite powering a larger share of the internet than either, has not.

The 26 affected plugins in the Essential Plugin portfolio, including Countdown Timer Ultimate, Popup Anything on Click, WP Testimonial with Widget, WP Team Showcase and Slider, WP FAQ, and SP News and Widget, each had thousands of active installations. Collectively, they represent a footprint large enough to make the attack commercially viable as an SEO spam operation and dangerous enough to raise questions about whether WordPress’s plugin governance model can survive a world in which trust is a commodity that can be purchased on a marketplace for six figures.
