Supply chain attack targets plugins linked to WordPress, exposing thousands of websites to malware
Dozens of WordPress plugins have been compromised with backdoors that distribute malicious code to thousands of websites using these extensions. The issue was discovered after the plugins were sold to a new corporate owner, who identified the hidden backdoors in the source code.
The alert was raised by Austin Ginder, founder of Anchor Hosting, in a blog post published last week.
🧩 Supply Chain Attack After Ownership Change
According to Ginder, the incident appears to be a supply chain attack targeting the plugin developer Essential Plugin. He explained that the company was acquired last year, and shortly after the acquisition, a backdoor was inserted into the plugins’ source code.
The malicious code remained dormant until earlier this month, when it was activated and began distributing malware to websites running the affected plugins.
Essential Plugin claims to have over 400,000 plugin installations and more than 15,000 customers. Meanwhile, WordPress data indicates that the affected plugins were active on more than 20,000 websites.
⚠️ Ownership Changes Increase Security Risks
WordPress plugins allow website owners to extend functionality, but they also require deep access to site systems — making them a potential entry point for malicious actors.
Ginder warned that WordPress users are not notified when plugin ownership changes, exposing them to takeover risks by new, potentially malicious owners.
He also noted that this is the second WordPress plugin hijacking incident discovered in just two weeks, reinforcing long-standing concerns among security researchers.
🧠 Growing Concerns Over Software Supply Chain Attacks
Security experts have repeatedly warned about the risks of malicious actors acquiring legitimate software and modifying it to compromise a large number of systems globally.
This type of attack is particularly dangerous because it leverages trusted tools already installed by users.
❌ Plugins Removed from WordPress Directory
The affected plugins have been removed from the WordPress directory and are now marked as “permanently closed.”
Ginder advises WordPress site owners to immediately check whether any of the compromised plugins are installed and remove them as soon as possible. A full list of affected plugins was shared in his blog post.
So far, representatives of Essential Plugin have not issued a public statement.
📌 SEO Keywords
WordPress plugins hacked, WordPress malware backdoor, supply chain attack plugins, WordPress security risk, compromised plugins WordPress, website malware attack, plugin takeover risk, cybersecurity WordPress
More Stories
📈 Tesla Shares Surge After Elon Musk Reveals New AI Chip Milestone
🚨 Booking.com Hit by Cyberattack Exposing Sensitive Customer Data
🚀 Artemis 2 and ISS Astronauts Make the Most Distant Voice Call in History