Dozens of plugins for the widely used open source content management system WordPress have been pulled from the official plugin directory after security researchers uncovered a hidden backdoor that was used to push malicious code to the websites running them. The incident, a supply chain attack, affected plugins developed by Essential Plugin, a vendor whose tools are installed on tens of thousands of websites worldwide.
The issue came to light following an alert by Austin Ginder, founder of Anchor Hosting, who revealed in a blog post that the plugin maker had been acquired last year, after which the backdoor was quietly inserted into the plugins' source code. According to Ginder, the malicious code remained dormant for months before activating earlier this month, enabling attackers to push harmful payloads to websites running the affected plugins. A backdoor that stays inert for months will pass a review done when the plugin is installed, which is why a one-time check of plugin code is not enough and changes need to be reviewed as they arrive.
Essential Plugin reportedly has more than 400,000 installs and over 15,000 customers, while data from WordPress shows the compromised plugins were active on more than 20,000 websites. Because a plugin is PHP code that runs inside WordPress with the same privileges as the core application, including the database credentials and whatever the web server can write to disk, a compromised plugin is effectively a compromised site. Ginder warned that WordPress does not currently notify users when a plugin changes ownership, so site owners get no prompt to re-examine code that a new owner has altered.
Security analysts say the incident highlights a growing trend of attackers acquiring trusted software tools to infiltrate large numbers of systems. Although the affected plugins have now been permanently removed from the WordPress directory, experts advise users to immediately audit their installations and delete any compromised extensions. Removal from the directory only stops further distribution; it does not remove the plugin from sites that already have it, nor undo anything a payload that has already run may have changed, so deleting the plugin should be followed by a review of the site for other modifications. The case marks the second such hijack in recent weeks, underscoring the need for stronger oversight and vigilance in managing third party software components.
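The two practical points above, that owners are not told when a plugin changes hands and that installations should be audited for altered code, come down to knowing what changed in wp-content/plugins between one update and the next. The following is an added example, not code from the article, from Anchor Hosting or from any plugin vendor: it snapshots a SHA-256 manifest of every plugin file plus the "Plugin Name", "Author" and "Version" headers of each plugin's main file, then diffs a later snapshot against it and reports added, removed and modified files and any change of author. The plugin name "Example Gallery", its slug, authors and file contents in demo() are constructed fixtures; the header regex is a simplified form of the one WordPress itself uses.

```python
"""Integrity-baseline audit for a WordPress plugins directory (added example)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Simplified form of the header parser in wp-admin/includes/plugin.php:
# "Field: value" at the start of a line, optionally preceded by "*", "#" or "/".
HEADER_RE = re.compile(
    r"^[ \t*#/@]*(Plugin Name|Author|Version)[ \t]*:[ \t]*(.+?)[ \t]*$", re.MULTILINE
)


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plugin_header(main_file: Path) -> dict:
    # WordPress only inspects the first 8 KiB of a file for plugin headers.
    text = main_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return dict(HEADER_RE.findall(text))


def build_manifest(plugins_dir: Path) -> dict:
    """Return {"files": {relative_path: sha256}, "plugins": {slug: headers}}."""
    files = {
        p.relative_to(plugins_dir).as_posix(): file_sha256(p)
        for p in sorted(plugins_dir.rglob("*"))
        if p.is_file()
    }
    plugins = {}
    for slug_dir in sorted(d for d in plugins_dir.iterdir() if d.is_dir()):
        # The main file is whichever top-level .php file carries a Plugin Name header.
        for php in sorted(slug_dir.glob("*.php")):
            hdr = plugin_header(php)
            if "Plugin Name" in hdr:
                plugins[slug_dir.name] = hdr
                break
    return {"files": files, "plugins": plugins}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests; every entry in the report needs a human to read the change."""
    b, c = baseline["files"], current["files"]
    report = {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "modified": sorted(k for k in set(b) & set(c) if b[k] != c[k]),
        "author_changed": {},
    }
    for slug, hdr in current["plugins"].items():
        old = baseline["plugins"].get(slug, {}).get("Author")
        new = hdr.get("Author")
        if old is not None and old != new:
            report["author_changed"][slug] = [old, new]
    return report


def write_plugin(plugins_dir: Path, slug: str, author: str, body: str) -> None:
    """Write a minimal plugin main file (constructed fixture, not a real plugin)."""
    d = plugins_dir / slug
    d.mkdir(parents=True, exist_ok=True)
    (d / f"{slug}.php").write_text(
        f"<?php\n/*\nPlugin Name: Example Gallery\nAuthor: {author}\nVersion: 1.0\n*/\n{body}",
        encoding="utf-8",
    )


def demo() -> dict:
    """Constructed scenario: baseline a plugin, then apply an 'update' from a new owner
    that rewrites the main file, drops an extra loader file and removes the readme."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        write_plugin(plugins, "example-gallery", "Original Co", "function eg_init() {}\n")
        (plugins / "example-gallery" / "readme.txt").write_text("=== Example Gallery ===\n")
        baseline = build_manifest(plugins)

        write_plugin(plugins, "example-gallery", "New Owner Ltd",
                     "function eg_init() { include __DIR__ . '/inc/loader.php'; }\n")
        (plugins / "example-gallery" / "inc").mkdir()
        (plugins / "example-gallery" / "inc" / "loader.php").write_text(
            "<?php // constructed stand-in for a file the update dropped\n")
        (plugins / "example-gallery" / "readme.txt").unlink()
        return diff_manifests(baseline, build_manifest(plugins))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, save the output of build_manifest() as JSON after each update you have deliberately reviewed, and run diff_manifests() on a schedule so that a change arriving months later, as in the dormant case described above, still shows up as a modified or added file rather than going unnoticed. WP-CLI's `wp plugin verify-checksums` is a useful complement, but it only confirms that the installed files match the checksums WordPress.org publishes for that release; when the backdoor is in the release itself, as happened here, the files verify clean, and only a review of what changed between versions would have caught it.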
