Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them.
A buyer identified only as 'Kris' purchased 'Essential Plugin', a portfolio of 30+ WordPress plugins, on Flippa for six figures, then planted a PHP deserialization backdoor in all of them. The backdoor was hidden in a wpos-analytics module added in version 2.6.7 (August 2025) and sat dormant for 8 months before activating in April 2026. Once triggered, it downloaded a malicious file, injected spam code into wp-config.php, and resolved its C2 domain through an Ethereum smart contract, so taking down a single domain or hosting account does not cut the operator's control. WordPress.org force-closed all 30+ plugins on April 7, 2026. The author details forensic analysis using backup diffs to pinpoint the exact infection window, explains the attack mechanics, and provides patched plugin versions with the backdoor module fully stripped. The post also highlights a systemic gap: WordPress.org has no mechanism to review or flag plugin ownership transfers, which allowed the malicious code to ship through the official directory and go undetected for 8 months.
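As an added example of the backup-forensics approach the post describes (this is not the author's code; the obfuscation markers, file contents and backup dates below are constructed for illustration), the following Python walks dated copies of wp-config.php from a backup series, reports the last clean and the first infected snapshot, and diffs the two so the injected lines can be quoted in an incident report:

```python
"""Backup forensics for wp-config.php: find the injection window.

Added example, not code from the original post. Given dated backup copies of
wp-config.php, it walks them in date order, flags the first snapshot that
carries PHP obfuscation markers, and diffs it against the last clean one so
the injected lines can be quoted. The marker regex is a generic heuristic
chosen for illustration, not the indicators from the incident.
"""
from __future__ import annotations

import difflib
import re
from datetime import date
from typing import NamedTuple, Sequence

# Generic signs of injected PHP (assumption: a real payload may use others).
SUSPICIOUS = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


class Snapshot(NamedTuple):
    taken: date        # backup date
    content: str       # wp-config.php as stored in that backup


class Window(NamedTuple):
    last_clean: date | None      # newest backup without markers
    first_infected: date | None  # oldest backup with markers (None if all clean)
    injected_lines: list[str]    # lines in first_infected that are absent from last_clean


def is_suspicious(content: str) -> bool:
    """True if the file contains any of the obfuscation markers."""
    return SUSPICIOUS.search(content) is not None


def added_lines(old: str, new: str) -> list[str]:
    """Lines present in `new` but not in `old` (zero-context unified diff)."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def infection_window(snapshots: Sequence[Snapshot]) -> Window:
    """Linear scan in date order. A binary search would assume that once a
    file is infected every later backup is too; a clean-up in between breaks
    that assumption, so every snapshot is inspected."""
    prev: Snapshot | None = None
    for snap in sorted(snapshots, key=lambda s: s.taken):
        if is_suspicious(snap.content):
            lines = added_lines(prev.content, snap.content) if prev else snap.content.splitlines()
            return Window(prev.taken if prev else None, snap.taken, lines)
        prev = snap
    return Window(prev.taken if prev else None, None, [])


# Constructed sample data: a minimal clean wp-config.php and a copy with a
# stand-in payload inserted before the "stop editing" marker.
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example-only' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
STAND_IN_PAYLOAD = "@eval(base64_decode('ZWNobyAnc3BhbSc7'));"  # decodes to: echo 'spam';
INFECTED_CONFIG = CLEAN_CONFIG.replace(
    "/* That's all", STAND_IN_PAYLOAD + "\n/* That's all", 1
)

# Deliberately unordered, as backup listings often are; dates are constructed.
SAMPLE_BACKUPS = [
    Snapshot(date(2026, 4, 6), INFECTED_CONFIG),
    Snapshot(date(2026, 3, 28), CLEAN_CONFIG),
    Snapshot(date(2026, 4, 4), INFECTED_CONFIG),
    Snapshot(date(2026, 4, 1), CLEAN_CONFIG),
]

if __name__ == "__main__":
    w = infection_window(SAMPLE_BACKUPS)
    print(f"last clean backup : {w.last_clean}")
    print(f"first infected    : {w.first_infected}")
    for line in w.injected_lines:
        print("  +", line)
```

In practice each Snapshot would be read out of the corresponding backup archive, and the same scan applied to the plugin directory narrows down the plugin version that introduced the extra module. The window it reports is bounded by backup frequency: daily backups give a one-day window, weekly ones a week.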
Table of contents
A client reported a security notice they found in wp-admin.
The malware was hiding in wp-config.php.
I used backup forensics to pinpoint the exact injection window.
The backdoor was planted 8 months before it was activated.
The plugin was sold on Flippa.
WordPress.org closed 30+ plugins in a single day.
This has happened before.
I patched every affected plugin in my fleet.
If you have an Essential Plugin plugin I did not patch, you can do it yourself.
The WordPress plugin marketplace has a trust problem.