A major cybersecurity incident has compromised more than 20,000 websites built on WordPress after several popular plugins were found to contain hidden backdoors used to distribute malicious code.
Security researcher Austin Ginder uncovered the issue, identifying it as a supply chain attack linked to a plugin developer known as “Essential Plugin.” According to his findings, the developer was acquired last year, after which attackers allegedly inserted malicious code into the plugins’ source.
The backdoor reportedly remained dormant for months before being activated earlier this month. Once triggered, it began injecting harmful code into websites that had the compromised plugins installed, potentially exposing sensitive data and site functionality to attackers.
The scale of the breach is significant. While Essential Plugin claims over 400,000 installations and more than 15,000 customers, data indicates that at least 20,000 websites were actively affected at the time of the attack.
Plugins play a critical role in extending the functionality of WordPress websites, but their deep access to system files also makes them a high-risk vector if compromised. Experts warn that such attacks can lead to widespread damage, including data breaches, unauthorized access, and malware distribution.
A key concern highlighted by Ginder is the lack of transparency when plugin ownership changes. WordPress users are not automatically notified if a plugin is sold or transferred, creating an opportunity for malicious actors to take control of trusted software and exploit it.
This marks the second known case in recent weeks where attackers have reportedly acquired legitimate plugins to distribute malware at scale, raising concerns about growing supply chain vulnerabilities in the open-source ecosystem.
In response, the affected plugins have been removed from the WordPress directory and are now listed as permanently closed. Website owners are strongly advised to audit their installations, remove any compromised plugins immediately, and follow security best practices to safeguard their systems.
The developers behind Essential Plugin have not issued an official response to the incident.
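For the audit recommended above, the following added example (not code from the researcher, WordPress, or the plugin vendor) inventories a `wp-content/plugins` directory by parsing each plugin's header comment and flags entries that match a watchlist. The page does not list the affected plugin slugs, so the slugs and header values in the sample are constructed, and matching on an `Author` value of "Essential Plugin" is an assumption about how the vendor's plugins identify themselves.

```python
import re, tempfile
from pathlib import Path

FIELDS = ("Plugin Name", "Version", "Author")

def read_header(php_file):
    """Parse the plugin header comment; WordPress only reads the first 8 KB of the file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    found = {}
    for field in FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:  # drop a trailing "*/" or "?>" that closes the comment on the same line
            found[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return found if found.get("Plugin Name") else {}

def inventory(plugins_dir):
    """One record per installed plugin: a directory's main file or a single-file plugin."""
    records = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        files = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        for php in files:
            header = read_header(php) if php.suffix == ".php" else {}
            if header:
                records.append({"slug": entry.name if entry.is_dir() else entry.stem, **header})
                break
    return records

def flag(records, watch_authors=(), watch_slugs=()):
    """Return plugins whose slug is on the watchlist or whose Author contains a watched name."""
    authors = [a.lower() for a in watch_authors]
    slugs = {s.lower() for s in watch_slugs}
    return [r for r in records if r["slug"].lower() in slugs
            or any(a in r.get("Author", "").lower() for a in authors)]

def demo():
    """Constructed sample tree; the slugs and header values are made up for illustration."""
    samples = {
        "sample-slider": "/*\nPlugin Name: Sample Slider\nVersion: 2.1\nAuthor: Essential Plugin\n*/",
        "other-forms": "/*\nPlugin Name: Other Forms\nVersion: 1.0\nAuthor: Someone Else\n*/",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for slug, header in samples.items():
            main = Path(tmp, slug, slug + ".php")
            main.parent.mkdir()
            main.write_text("<?php\n" + header + "\n")
        return [(r["slug"], r["Version"]) for r in flag(inventory(tmp), ["essential plugin"])]

if __name__ == "__main__":
    print(demo())
```

A header match only identifies which installed plugins to review; it says nothing about whether a given copy contains the injected code, so flagged plugins still need to be removed and the site checked for changes made after activation.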


