Malicious WordPress Plugins Went Offline After a Backdoor Was Found
Dozens of plugins for WordPress, the widely used open source blogging and website software, were taken offline after a backdoor was discovered inside them. That backdoor was used to deliver malicious code to any website relying on the affected plugins.
The issue came to light after a new corporate owner acquired the plugins. According to Anchor Hosting founder Austin Ginder, the incident was a supply chain attack involving a WordPress plugin maker called Essential Plugin. He said someone bought Essential Plugin last year, and the backdoor was added to the plugins’ source code soon after the purchase.
What makes this especially serious is that the backdoor did not trigger right away. It remained inactive until earlier this month, when it began distributing malicious code to websites with the affected plugins installed.
Essential Plugin Ownership Change and Supply Chain Risk
New Ownership Was Followed by Source Code Changes
Ginder said the compromise started after Essential Plugin changed hands. After the acquisition, a backdoor was inserted into the codebase of the company’s plugins. That sequence matters because it points to a software supply chain attack, where the trust users place in a product is turned against them.
WordPress plugins are designed to extend the functionality of websites. But that extensibility also gives them deep reach into a site’s installation. If a plugin becomes malicious, it can create a direct path to compromise.
WordPress Users Are Not Alerted to Plugin Ownership Changes
One of the biggest concerns raised here is visibility. Ginder warned that WordPress users are not notified when a plugin changes ownership, which creates a real opening for takeover-style attacks by new owners.
Here’s the problem in plain terms: site owners may continue trusting and updating a plugin as usual, even though control of that plugin has moved to someone else. If that new owner alters the code in a harmful way, many websites can be exposed before anyone realizes what happened.
How Many WordPress Sites Were Affected
Essential Plugin says on its website that it has more than 400,000 plugin installs and over 15,000 customers.
At the same time, WordPress’ plugin install page says the affected plugins are present in more than 20,000 active WordPress installations.
Those figures show why this incident matters. Even a relatively small number of compromised plugins can create a wide blast radius when they are installed across thousands of websites.
Why Backdoored Plugins Are So Dangerous
Plugins Have Broad Access Inside WordPress Installations
Plugins help WordPress site owners add features and expand site functionality. But they also receive access to the websites where they are installed. That means a malicious or compromised plugin is not just a faulty add-on. It can become an attack path.
In this case, the backdoor enabled the distribution of malicious code to websites that had the affected plugins installed. That turns a routine plugin relationship into a security risk.
A Single Compromise Can Spread Across Many Websites
This kind of attack is dangerous because it scales. Instead of targeting one website at a time, an attacker can compromise the plugin itself and then reach every site using it. That is the core risk of a supply chain attack.
Security researchers have long warned about this pattern: malicious actors can buy software and then change its code to compromise large numbers of computers around the world.
WordPress Plugin Hijacks Are Becoming a Bigger Concern
According to Ginder, this was the second hijack of a WordPress plugin discovered in as many weeks.
That detail suggests this was not an isolated concern. It also reinforces the broader warning around plugin trust, ownership changes, and the risk that software can be weaponized after it is acquired.
For WordPress site owners, the bigger issue is not just one compromised vendor. It is the possibility that a plugin can appear normal, remain installed, and only later become dangerous.
What Happened to the Affected Plugins
The affected plugins have been removed from the WordPress directory. Their status is now listed as a “permanent” closure.
That removal limits further exposure through the official directory, but it does not automatically protect websites that still have the plugins installed. Ginder warned that WordPress site owners should check whether any of the malicious plugins are still present on their websites and remove them.
He also published a list of the affected plugins in his blog post.
What WordPress Site Owners Should Do
Check Installed Plugins
Website owners should review their WordPress installations and determine whether any of the affected Essential Plugin products are still active or present.
Remove Malicious Plugins
If one of the malicious plugins is installed, it should be removed. The key warning here is straightforward: plugins may already be gone from the WordPress directory, but they can still remain on live websites unless the site owner takes action.
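The check described above, as an added example (not code from the article or from Ginder's post): a Python scan of a `wp-content/plugins` directory that flags folders whose slug is on a supplied advisory list or whose plugin header names the vendor. The slug shown is a placeholder, the sample tree is constructed, and matching the `Author` header against "Essential Plugin" is an assumption; take the real slugs from the published list.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header in the first 8 KB of a file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*(Plugin Name|Author|Version):(.*)$", re.M | re.I)

def read_header(php_file):
    """Return header fields such as 'Plugin Name' and 'Author' from one PHP file."""
    fields = {}
    for m in HEADER_RE.finditer(php_file.read_bytes()[:8192]):
        value = m.group(2).decode("utf-8", "replace").strip(" \t\r*/")
        fields.setdefault(m.group(1).decode().title(), value)
    return fields

def find_flagged(plugins_dir, advisory_slugs, vendor_terms=()):
    """List (folder, version, reasons) for plugins matching the advisory or vendor."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        headers = map(read_header, sorted(entry.glob("*.php")))
        header = next((h for h in headers if "Plugin Name" in h), {})
        reasons = []
        if entry.name.lower() in advisory_slugs:  # slugs are expected in lowercase
            reasons.append("slug on advisory list")
        author = header.get("Author", "").lower()
        if any(term.lower() in author for term in vendor_terms):
            reasons.append("author header matches vendor")
        if reasons:
            findings.append((entry.name, header.get("Version", "unknown"), reasons))
    return findings

def demo():
    """Scan a constructed plugins tree; slugs and authors here are placeholders."""
    samples = {
        "placeholder-affected-slug": "Renamed Author",   # caught by slug
        "renamed-folder": "Essential Plugin",            # caught by Author header
        "unrelated-plugin": "Someone Else",              # not flagged
    }
    with tempfile.TemporaryDirectory() as tmp:
        for slug, author in samples.items():
            folder = Path(tmp, slug)
            folder.mkdir()
            (folder / f"{slug}.php").write_text(
                f"<?php\n/**\n * Plugin Name: {slug}\n * Version: 1.0.0\n"
                f" * Author: {author}\n */\n")
        return find_flagged(tmp, {"placeholder-affected-slug"}, ["essential plugin"])

if __name__ == "__main__":
    for name, version, reasons in demo():
        print(f"{name} {version}: {', '.join(reasons)}")
```

The scan reports what is present on disk, whether or not the plugin is active, and removes nothing; removal is left to the site owner.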
Treat Plugin Ownership Changes as a Security Event
This incident highlights a weak point in the WordPress plugin ecosystem. Because users are not notified when plugin ownership changes, a transfer of ownership can quietly become a security issue. For site owners, that means ownership changes deserve scrutiny, especially when a plugin has broad access to a production website.

