Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites
In April 2026, a widespread supply chain attack targeting WordPress websites was uncovered after a web developer discovered dozens of malicious plugins containing hidden backdoors. The compromised plugins, part of the Essential Plugin portfolio, had been silently modified following a change in ownership, allowing attackers to gain unauthorized access to thousands of websites.
According to Austin Ginder, founder of Anchor Hosting, the backdoor was embedded in plugin code as early as August 8, 2025, but remained dormant for eight months to evade detection. The malicious code was activated earlier in April 2026, enabling unauthorized third-party access to any site where the plugins were installed. At the time of discovery, one of the flagged plugins, Countdown Timer Ultimate, had over 20,000 active installations.
WordPress has since permanently removed the affected plugins from its directory, blocking new installations. However, website administrators are urged to check for and remove any instances of the compromised plugins that may still be active on their sites. Ginder emphasized that WordPress users are not notified when plugin ownership changes, leaving them vulnerable to such takeover attacks.
Security researchers note that this incident highlights the risks associated with software supply chains, particularly when trusted plugins are acquired by new owners who alter their code for malicious purposes. Even though the plugins are no longer available for download, the incident serves as a reminder of the importance of monitoring plugin behavior and ownership changes.
Key Takeaways
- Dozens of WordPress plugins in the Essential Plugin portfolio were compromised via a supply chain attack after ownership changed.
- The backdoor remained dormant for eight months before activating in April 2026, affecting thousands of websites.
- WordPress has permanently blocked the malicious plugins from its directory, but existing installations must be manually removed.
- Users are not alerted to changes in plugin ownership, creating a security gap that attackers exploited.
Frequently Asked Questions
What is a supply chain attack in the context of WordPress plugins?
A supply chain attack occurs when attackers compromise a trusted software component—in this case, WordPress plugins—by infiltrating its development or distribution process. By modifying the plugin code after an ownership change, attackers were able to distribute malware to thousands of websites that relied on the plugins.

How can I tell if my WordPress site is affected?
Check your WordPress dashboard for any of the Essential Plugin portfolio plugins listed in Austin Ginder’s security advisory. If any are installed, remove them immediately, even if they appear to be functioning normally, as the backdoor may remain inactive until triggered.
Are the malicious plugins still available for download?
No. WordPress has permanently closed the affected plugins in its official plugin directory, preventing new installations. However, sites that previously installed the plugins may still have them active and should remove them.
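The check for installed plugins described above can also be run against the filesystem, which catches plugins that are deactivated but still present on disk. The following is an added example, not code from the article or from the advisory: it assumes plugins are identified by the standard `Plugin Name` header in each plugin's main PHP file, lists only the one plugin name the article gives (the rest must come from the advisory), and uses a constructed sample tree in `demo()`.

```python
import re
import sys
import tempfile
from pathlib import Path

# Names to flag, lower-cased. Only "Countdown Timer Ultimate" is named in the
# article; add the remaining names from the advisory you are working from.
FLAGGED_NAMES = {"countdown timer ultimate"}

# WordPress reads plugin metadata from a header comment in the main PHP file,
# e.g. " * Plugin Name: Example", and only looks at the first 8 KiB.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Author|Version):(.*)$", re.I | re.M)


def read_plugin_header(php_file):
    """Return the header fields found in a PHP file, keyed by lower-case name."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip(" \t*/\r"))
    return fields


def find_flagged_plugins(plugins_dir, flagged=FLAGGED_NAMES):
    """Scan a wp-content/plugins directory; active state is deliberately ignored."""
    root, hits = Path(plugins_dir), []
    for php_file in sorted([*root.glob("*/*.php"), *root.glob("*.php")]):
        header = read_plugin_header(php_file)
        name = header.get("plugin name", "")
        if name.lower() in flagged:
            hits.append({"path": str(php_file), "name": name,
                         "version": header.get("version", "")})
    return hits


def demo():
    """Build a constructed plugins tree (sample data) and scan it."""
    samples = {"countdown-sample/main.php": "Countdown Timer Ultimate",
               "other-sample/other.php": "Some Unrelated Plugin"}
    with tempfile.TemporaryDirectory() as root:
        for rel, name in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: 0.0.0-sample\n */\n")
        return [(Path(h["path"]).parent.name, h["name"], h["version"])
                for h in find_flagged_plugins(root)]


if __name__ == "__main__":
    print(find_flagged_plugins(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with the path to `wp-content/plugins` as the only argument; with no argument it scans the constructed sample tree.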