WordPress websites under attack — expert report says dozens of plugins hijacked to target thousands of sites

Austin Ginder, founder of Anchor Hosting, reported how a client recently alerted him of a known plugin suddenly allowing unauthorized third-party access. The investigation led him to a somewhat troubling discovery: a company that developed 31 WordPress plugins, both free and premium versions, was sold in early 2025, to a person calling themselves “Kris”.

That person then added malicious code to all plugins and pushed the update to the WordPress websites actively using them.

Injecting sophisticated code

The malicious company is called Essential Plugin, and claims its products have been installed more than 400,000 times and were being actively used by more than 15,000 customers. The official WordPress repository shows more than 20,000 active WordPress installations.

The malware was essentially a backdoor that granted the attacker full access to the websites. The goal seems to have been to propagate existing spam campaigns:

“The injected code was sophisticated,” Ginder explained. “It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners. And here is the wildest part. It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time.”

The full list of compromised plugins can be found on this link. If you are using any of these, it would be wise to replace them with a safer alternative. Ginder also shared a patching method on his blog.

In the meantime, WordPress removed all of the malicious plugins from the repository.

Via TechCrunch