WordPress users faced a security incident with direct supply-chain implications: dozens of WordPress plugins were taken offline after a backdoor was discovered in them. According to TechCrunch, the backdoor was used to push malicious code to websites that relied on the affected plugins. The trigger for the campaign appears to have been a change in ownership of the plugin maker.
The incident: dormant backdoors activated after ownership changed
Anchor Hosting founder Austin Ginder described the attack in a blog post, detailing a supply-chain attack on a WordPress plugin maker called Essential Plugin. According to Ginder’s account, someone purchased Essential Plugin last year, after which a backdoor was added to the plugins’ source code. The backdoor remained dormant until earlier this month, when it activated and began distributing malicious code to websites with the plugins installed.
WordPress plugins run with access to the website they are installed on. As TechCrunch notes, plugins “extend the site’s functionality,” but in doing so they also grant the plugin access to the installation. This combination means that a malicious plugin can affect not just a single site but potentially many sites running the same plugin.
Ginder highlighted a communication gap: WordPress users are not notified of changes in plugin ownership. In a supply-chain context, this absence of notification could make it harder for site operators to recognize that a plugin’s code lineage has changed and to take preventive action.
Scale of the attack: installations and active deployments
Essential Plugin reports on its website that it has over 400,000 plugin installs and more than 15,000 customers. WordPress’ plugin install page indicates the affected plugins are in over 20,000 active WordPress installations.
These numbers illustrate the supply-chain risk: a single code change introduced through a backdoor in a widely installed plugin can affect a large number of websites. Even if not every installation is actively used, the presence of the plugins on thousands of active WordPress sites provides a surface for malicious code distribution.
According to TechCrunch, the backdoor campaign was discovered after the new corporate owner acquired the plugins. This timeline—purchase, code modification, dormancy, and later activation—follows a pattern that security researchers have long warned about: malicious actors acquiring software and modifying it to compromise many computers globally.
WordPress ecosystem response: plugins removed and marked permanent
After the backdoor was discovered, the affected plugins were removed from the WordPress directory and now list their closure as “permanent.”
This directory action is an important operational step, but it does not automatically remove the software from already-installed sites. Ginder called on WordPress site owners to check whether they still have one of the malicious plugins installed and remove it. Ginder has published a list of the affected plugins in his blog post.
Representatives for Essential Plugin did not respond to a request for comment from TechCrunch. This means the public record is currently dominated by Ginder’s account of the acquisition and the subsequent addition of a backdoor to the plugins’ source code.
Implications for plugin supply chains and site operators
From a security perspective, the incident demonstrates that WordPress’s extensibility model—where plugins run with access to the site—creates a high-value target for supply-chain attacks. When a plugin’s source code can be changed after a purchase, the resulting risk extends beyond the plugin maker’s infrastructure to every WordPress installation that includes the compromised component.
Ginder’s observation about the lack of user notification when plugin ownership changes is significant. If operators are not informed that a plugin has been acquired, they may continue to treat it as having the same trust boundary as before the purchase. This could delay detection and remediation, especially when a backdoor remains dormant for months.
TechCrunch notes this is the second hijack of a WordPress plugin discovered in as many weeks. The close timing suggests a pattern worth monitoring: recurring attempts to compromise popular plugins through acquisition followed by code changes.
For engineers and security teams running WordPress sites, the immediate steps align with the remediation described in the source: inventory installed plugins, compare them to the affected list in Ginder’s blog post, and remove the malicious plugins. More broadly, the incident suggests that plugin management workflows—especially around ownership changes—may need stronger verification to reduce the window between a supply-chain change and the moment site operators can respond.
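The remediation steps above (inventory installed plugins, compare them against the published list, remove matches) can be scripted so they run the same way on every site an operator manages. The following is an added example written for this article; it is not code from TechCrunch, Ginder, Essential Plugin, or the WordPress project. It assumes the standard wp-content/plugins layout and the WordPress plugin header format (a "Plugin Name:" line in a comment at the top of the main PHP file). AFFECTED_SLUGS and AFFECTED_AUTHORS are placeholders: the actual slugs come from Ginder's blog post, which this page does not reproduce, and the exact Author string the vendor used is not stated here either.

```python
import os
import re
import tempfile

# Header fields WordPress itself reads from the main plugin file (a subset).
HEADER_FIELDS = ("Plugin Name", "Version", "Author", "Author URI")


def parse_plugin_header(text):
    """Extract 'Field: value' lines from a plugin's header comment.

    Mirrors how WordPress reads headers: only the first 8 KB of the file is
    considered, and each field must start a line after optional comment
    characters such as ' * ' or '#'.
    """
    head = text[:8192]
    info = {}
    for field in HEADER_FIELDS:
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
        match = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        if match:
            info[field] = match.group(1).strip()
    return info


def inventory_plugins(plugins_dir):
    """Map plugin slug -> header info for every plugin under plugins_dir.

    A plugin is normally a directory wp-content/plugins/<slug>/ whose main
    .php file carries the header; a single-file plugin is <slug>.php.
    """
    inventory = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            slug = entry
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            slug = entry[:-4]
            candidates = [path]
        else:
            continue
        for candidate in candidates:
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                info = parse_plugin_header(fh.read())
            if "Plugin Name" in info:
                inventory[slug] = info
                break
    return inventory


def flag_plugins(inventory, affected_slugs, affected_authors=()):
    """Return {slug: [reasons]} for installed plugins that match the affected list.

    Matching is by directory slug (the identifier the WordPress directory uses)
    and, as a second signal, by the Author header, since a plugin renamed or
    forked under the same vendor would usually keep that field.
    """
    authors = {a.lower() for a in affected_authors}
    flagged = {}
    for slug, info in inventory.items():
        reasons = []
        if slug in affected_slugs:
            reasons.append("slug is on the affected-plugin list")
        if info.get("Author", "").lower() in authors:
            reasons.append("Author header names the affected vendor")
        if reasons:
            flagged[slug] = reasons
    return flagged


def build_fixture():
    """Create a constructed wp-content/plugins tree with two sample plugins (not real plugins)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "example-gallery": ("Example Gallery", "1.2.0", "Example Vendor Co"),  # constructed
        "unrelated-seo": ("Unrelated SEO", "3.0.1", "Someone Else"),           # constructed
    }
    for slug, (name, version, author) in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: %s\n * Author: %s\n */\n" % (name, version, author))
    return root


# PLACEHOLDERS: replace with the slugs from Ginder's published list and the
# vendor's exact Author string; neither value appears in this article.
AFFECTED_SLUGS = {"example-gallery"}
AFFECTED_AUTHORS = ("Example Vendor Co",)


def audit(plugins_dir, affected_slugs=AFFECTED_SLUGS, affected_authors=AFFECTED_AUTHORS):
    """Inventory plugins_dir and return the subset that matches the affected list."""
    return flag_plugins(inventory_plugins(plugins_dir), affected_slugs, affected_authors)


if __name__ == "__main__":
    fixture = build_fixture()
    for slug, reasons in audit(fixture).items():
        print(slug, "->", "; ".join(reasons))
```

Point audit() at a live site's wp-content/plugins directory (or feed it the output of WP-CLI's `wp plugin list --format=json`, which reports the same slug, version and status fields) and treat every flagged slug as a removal candidate. Matching on the directory slug rather than the display name matters because the WordPress directory closure is keyed by slug, and a dormant backdoor does not change either the header or the slug, so an inventory that only looks for "suspicious" code would miss it entirely.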
Source: TechCrunch