Backdoors discovered in multiple WordPress plugins affecting thousands of websites

Dozens of plugins built for the widely used open-source platform WordPress have been taken offline after researchers uncovered a hidden backdoor that delivered malicious code to websites relying on them. The issue surfaced after a new corporate owner acquired the plugins.

The alarm was first raised by Austin Ginder, founder of Anchor Hosting, who detailed the incident in a blog post last week. He described the situation as a supply chain attack involving a WordPress plugin developer known as Essential Plugin. According to Ginder, the company was purchased last year, and shortly afterwards, a backdoor was quietly introduced into the plugins’ source code. That backdoor remained inactive for months before being triggered earlier this month, at which point it began distributing malicious code to websites that used the affected plugins.

Essential Plugin states on its website that its software has been installed more than 400,000 times and serves over 15,000 customers. Meanwhile, WordPress’ official plugin directory indicates that the compromised plugins were actively running on more than 20,000 websites.

Plugins are a key part of the WordPress ecosystem, allowing site owners to expand functionality and customise their websites. However, they also require elevated access to the site’s system, which can create vulnerabilities if the plugins themselves are compromised. Ginder highlighted that WordPress users are not owners of a platform, which creates a risk of silent takeovers by malicious actors who can alter the code without users’ knowledge.

According to Ginder, this marks the second known case of a WordPress plugin hijack identified within just a few weeks. Security experts have long warned about this type of threat, where attackers acquire legitimate software projects and modify them to spread malware at scale.

Although the affected plugins have now been removed from the WordPress directory and are marked as “permanently closed,” Ginder cautioned that the risk may persist for websites that already have the plugins installed. He advised site owners to review their installations immediately and remove any affected plugins. A full list of compromised plugins has been provided in his original report.