Thirty plugins. Hundreds of thousands of installations. One buyer, whose first code commit was a backdoor.
An unidentified buyer operating under the name “Kris” purchased the entire Essential Plugin portfolio — formerly WP Online Support, an eight-year-old business with 30+ WordPress plugins — through the marketplace Flippa for a six-figure sum. Flippa even published a case study celebrating the sale.
The buyer’s first move was to inject malicious code into every plugin. On August 8, 2025, a commit labeled “Check compatibility with WordPress version 6.8.2” actually added 191 lines of backdoor code hidden inside the plugins’ existing analytics module, according to security analysis by Anchor Hosting and mySites.guru.
The injected code phoned home to an attacker-controlled server. For eight months the server returned benign responses, so the plugins behaved normally. Then on April 5–6, 2026, it activated: the plugins downloaded a backdoor disguised as a WordPress core file and injected code into wp-config.php that served SEO spam. The spam was shown only to Googlebot, so site owners browsing their own pages saw nothing wrong. The command-and-control domain was looked up through an Ethereum smart contract, which the attacker can update at will, so a conventional domain takedown does not sever the channel.
WordPress.org responded on April 7, permanently closing all 30+ plugins, and force-pushed updates on April 8 that disabled the phone-home function. But the update only neutralizes the plugin code; it does not remove what was already injected into wp-config.php. Sites that ran these plugins before April 8 may still be compromised and have to be checked by hand, independently of the plugin update.
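A first-pass check for the wp-config.php symptom described above, as an added example (not code from Anchor Hosting, mySites.guru or WordPress.org). The patterns are generic indicators of a tampered wp-config.php: obfuscation primitives, user-agent cloaking, and any include other than the standard wp-settings.php line. They are assumptions about what injected code tends to look like, not the specific indicators of the Essential Plugin payload; the sample files and the fake payload in them are constructed for the demo.

```shell
#!/bin/sh
# Heuristic scan of a wp-config.php for injected code.
# Added example; the patterns are generic, NOT the real Essential Plugin
# indicators, which this script does not know.

# scan_wp_config FILE
# Prints every suspicious line with a tag; returns 0 if clean, 1 otherwise.
scan_wp_config() {
    file="$1"
    hits=0

    # 1. Obfuscation / dynamic-code primitives. A legitimate wp-config.php is
    #    defines, a table prefix and a single require of wp-settings.php.
    for pat in 'eval(' 'base64_decode(' 'gzinflate(' 'str_rot13(' 'create_function('; do
        if grep -nF -- "$pat" "$file" >/dev/null 2>&1; then
            grep -nF -- "$pat" "$file" | sed "s|^|[obfuscation $pat] |"
            hits=1
        fi
    done

    # 2. Crawler cloaking: branching on the visitor's user agent is how spam
    #    gets shown to Googlebot but stays hidden from the site owner.
    if grep -niE 'HTTP_USER_AGENT|Googlebot' "$file" >/dev/null 2>&1; then
        grep -niE 'HTTP_USER_AGENT|Googlebot' "$file" | sed 's|^|[cloaking] |'
        hits=1
    fi

    # 3. Any include/require that is not the standard wp-settings.php line,
    #    e.g. a loader for a dropped file posing as a core file.
    if grep -nE '(include|require)(_once)?[[:space:](]' "$file" \
            | grep -v 'wp-settings.php' >/dev/null 2>&1; then
        grep -nE '(include|require)(_once)?[[:space:](]' "$file" \
            | grep -v 'wp-settings.php' | sed 's|^|[include] |'
        hits=1
    fi

    return "$hits"
}

# write_samples DIR
# Writes two constructed wp-config.php files into DIR: a normal one and one
# carrying an illustrative injection. Filename and payload are made up.
write_samples() {
    cat > "$1/clean.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
    cat > "$1/injected.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
    @include ABSPATH . 'wp-includes/fake-core-file.php';
}
eval(base64_decode('ZWNobyAnc3BhbSc7'));
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo on the constructed samples. On a real host you would run
#   scan_wp_config /var/www/html/wp-config.php
dir=$(mktemp -d)
write_samples "$dir"
for f in clean.php injected.php; do
    if scan_wp_config "$dir/$f"; then
        echo "$f: clean"
    else
        echo "$f: SUSPICIOUS, review by hand"
    fi
done
rm -rf "$dir"
```

On a live install, pair this with WP-CLI's `wp core verify-checksums`, which compares wp-admin/ and wp-includes/ against the hashes WordPress.org publishes and reports files that do not belong there; that is where a dropped file posing as a core file would surface. Note the caveat for `wp plugin verify-checksums`: it checks installed plugin files against WordPress.org's own copy of the plugin, and in this incident the backdoored release was what WordPress.org was serving, so a checksum match on the plugin proves nothing.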
The core failure is procedural. WordPress.org verifies that a seller authorizes a plugin transfer but does not vet the buyer, review the new owner’s first commit, or notify users of the change. According to mySites.guru, the transfer process “worked exactly as designed. It just was not designed for this.”
WordPress runs roughly 40% of the web. Its plugin ecosystem operates on inherited trust, with no mechanism to re-verify it when ownership changes hands.
Sources
- Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them — Anchor Hosting
- Essential Plugin WordPress Backdoor — mySites.guru
- Warning from WordPress.org Plugins Team — WordPress.org