Apr 16, 2026 · 6 min read
Someone Bought 30 WordPress Plugins and Backdoored All of Them for Eight Months
A six-figure acquisition on Flippa turned 400,000 plugin installs into a supply chain weapon. The malware hid for eight months, then used an Ethereum smart contract to keep its command and control infrastructure out of reach of domain takedowns.
The Setup
In early 2025, someone identified only as "Kris" or "Chris," with a documented background in SEO, cryptocurrency, and online gambling marketing, purchased the entire Essential Plugin portfolio on the Flippa marketplace for a six-figure sum. The portfolio included over 30 WordPress plugins with a combined 400,000 installs and 15,000 customers.
Essential Plugin, originally founded as WP Online Support in 2015 and rebranded in 2021, offered sliders, galleries, marketing tools, WooCommerce extensions, SEO utilities, and themes: everyday tools of the kind that site owners install and forget.
WordPress users are never notified when a plugin changes ownership. There is no flag, no warning, no review. The buyer inherits the plugin's update channel and every site that has it installed.
Eight Months of Silence
On August 8, 2025, the new owner pushed version 2.6.7 of the plugins with a changelog entry that read "Check compatibility with WordPress version 6.8.2." Behind that one-line note, the update added 191 lines of PHP, among them a deserialization backdoor that allowed remote code execution on any site running the plugin.
Then the code sat dormant. For eight months. No malicious behavior, no suspicious network traffic, no red flags in any security scan. The dormancy period served a purpose: it accrued the trust that comes with no visible misbehavior, letting the backdoor survive update cycles, security audits, and plugin reviews.
The Activation
On April 5 and 6, 2026, the backdoor activated. A command and control domain, analytics.essentialplugin.com, a subdomain of the vendor's own domain that the plugins had every apparent reason to contact, began distributing payloads to every website running one of the compromised plugins.
The plugins' internal analytics module downloaded a file called wp-comments-posts.php, named to resemble WordPress's legitimate wp-comments-post.php. That file injected PHP code directly into wp-config.php, the file that holds the database credentials and security keys and is loaded on every request to the site. Code placed there runs on every page load, whether or not the plugin that put it there is still installed.
The injected code fetched spam links, redirects, and fake pages from the C2 server. Critically, the malicious content was served exclusively to Googlebot, remaining completely invisible to site administrators browsing their own websites. This cloaking technique ensured the compromise could run for days or weeks before anyone noticed.
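A quick way to check a site for this kind of cloaking, as an added example and not code from the original report: request the same page twice, once as an ordinary browser and once with Googlebot's User-Agent string, and compare the off-site links each response carries. This assumes the injected code decides by the User-Agent header (the page does not say exactly how it recognised Googlebot); the target URL, the sample pages and the sample_fetch stand-in are constructed so the check runs offline.

```python
import re
import urllib.parse
import urllib.request

# The first string is what Googlebot sends; the second is a stock desktop browser.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

HREF_RE = re.compile(r"""href=["'](https?://[^"']+)""", re.IGNORECASE)


def fetch_body(url, user_agent, timeout=15):
    """Fetch `url` once with the given User-Agent and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def external_link_hosts(html, own_host):
    """Hostnames of absolute links in `html` that point off-site."""
    hosts = set()
    for link in HREF_RE.findall(html):
        host = urllib.parse.urlparse(link).hostname or ""
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return hosts


def cloaking_report(url, fetch=fetch_body):
    """Fetch `url` as a browser and as Googlebot; report off-site link hosts only the bot sees."""
    own_host = urllib.parse.urlparse(url).hostname or ""
    as_browser = fetch(url, BROWSER_UA)
    as_bot = fetch(url, GOOGLEBOT_UA)
    bot_only = external_link_hosts(as_bot, own_host) - external_link_hosts(as_browser, own_host)
    return {
        "googlebot_only_hosts": sorted(bot_only),
        "body_differs": as_browser != as_bot,  # noisy on its own: nonces and timestamps differ too
        "cloaking_suspected": bool(bot_only),
    }


# Constructed sample responses standing in for a compromised site (not real captures).
_SAMPLE_PAGES = {
    BROWSER_UA: '<html><body><a href="https://example.org/about">About</a></body></html>',
    GOOGLEBOT_UA: ('<html><body><a href="https://example.org/about">About</a>'
                   '<a href="https://cheap-pills.invalid/buy">buy now</a></body></html>'),
}


def sample_fetch(url, user_agent):
    """Offline stand-in for fetch_body() that returns the constructed pages above."""
    return _SAMPLE_PAGES[user_agent]


if __name__ == "__main__":
    import sys
    # With a URL argument the check goes to the network; without one it runs on the sample pages.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.org/"
    fetcher = fetch_body if len(sys.argv) > 1 else sample_fetch
    print(cloaking_report(target, fetch=fetcher))
```

The link-host delta is the useful signal; a raw body comparison flags almost every dynamic site. The check only works because the implant trusts the User-Agent string. Malware that instead verifies the requester's IP against Google's published ranges would show nothing here, and the fallback is Search Console's URL Inspection tool, which shows the page as Google actually fetched it.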
Blockchain as a Bulletproof Vest
The most technically innovative aspect of the attack was how the malware resolved its C2 infrastructure. Instead of hardcoding a domain or IP address, the malware queried an Ethereum smart contract through public blockchain RPC endpoints to find the current C2 server address.
This made traditional domain takedowns ineffective. If security researchers or law enforcement seized the C2 domain, the attacker could update the contract's stored value to point at a new one at any time. The chain's transaction history is immutable and public, but the value stored in the contract is not fixed: whoever holds the private key of the account the contract treats as its owner can send a transaction that overwrites the pointer. The same public readability cuts the other way, since anyone can read the current pointer from the contract and watch it for changes.
This is the same technique used in the CanisterWorm blockchain supply chain attack discovered in March 2026, suggesting a shared playbook or even a shared threat actor.
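What a contract-resolved C2 lookup looks like on the wire, as an added example rather than code taken from the malware or from the report. The contract address and function selector below are placeholders (the page does not give the real ones), and the JSON-RPC exchange is constructed. The decoder an implant needs to read the pointer is the same one a defender can use to read and monitor it, and the request shape is what to look for in egress logs from a web server, which has no business calling an Ethereum node.

```python
import json

# Placeholders for illustration only; the real contract and getter are not on the page.
CONTRACT = "0x" + "ab" * 20        # 20-byte contract address
GETTER_SELECTOR = "0x1dd3d0e3"     # 4-byte selector of the hypothetical "read pointer" view function


def build_eth_call(contract, selector):
    """JSON-RPC body an implant POSTs to any public Ethereum node to read the pointer."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def encode_abi_string(value):
    """ABI-encode a single `string`: 32-byte offset, 32-byte length, data padded to 32 bytes.
    The owner's rotation transaction carries the new domain in exactly this shape (after the
    setter's own selector); the node returns it in this shape to every caller."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())


def decode_abi_string(result_hex):
    """Decode the `result` of an eth_call to a function that returns `string`."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")


def resolve_c2(rpc_response_text):
    """What the implant does with the node's reply: pull `result` and decode the domain.
    A defender polling the same getter gets the same answer and can alert when it changes."""
    return decode_abi_string(json.loads(rpc_response_text)["result"])


def is_pointer_lookup(body_text, contract):
    """Detection side: does an outbound request body look like an eth_call against `contract`?"""
    try:
        body = json.loads(body_text)
    except (ValueError, TypeError):
        return False
    if not isinstance(body, dict) or body.get("method") != "eth_call":
        return False
    params = body.get("params") or []
    target = params[0].get("to", "") if params and isinstance(params[0], dict) else ""
    return (target or "").lower() == contract.lower()


# Constructed node reply, as if the contract currently pointed at the campaign's known domain.
SAMPLE_NODE_REPLY = json.dumps({"jsonrpc": "2.0", "id": 1,
                                "result": encode_abi_string("analytics.essentialplugin.com")})


if __name__ == "__main__":
    print("implant sends:  ", build_eth_call(CONTRACT, GETTER_SELECTOR))
    print("node replies:   ", SAMPLE_NODE_REPLY)
    print("resolved C2:    ", resolve_c2(SAMPLE_NODE_REPLY))
    rotated = json.dumps({"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("c2-rotated.invalid")})
    print("after rotation: ", resolve_c2(rotated))
```

Takedown of analytics.essentialplugin.com changes nothing in this flow: the next lookup simply decodes whatever the owner last wrote. Blocking the pattern, not the domain, is what helps, so an outbound eth_call from PHP worker processes is the indicator to alert on.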
The Incomplete Cleanup
On April 7, the WordPress.org plugins team permanently closed all 31 affected plugins and forced updates to neutralize the C2 communication channel. But the forced update did not touch the injected code in wp-config.php.
That means sites that had already been compromised continued to serve hidden spam to search engines even after updating. Cleaning the infection requires manually inspecting and editing wp-config.php and deleting the dropped wp-comments-posts.php, steps that many site owners do not know how to perform and may not realize are necessary.
Austin Ginder, founder of Anchor Hosting who first reported the attack, warned that this was the second plugin hijack discovered within two weeks, suggesting a broader pattern of marketplace acquisitions targeting WordPress's plugin ecosystem.
Why Plugin Supply Chains Are Fundamentally Broken
This attack exploits a structural weakness in the WordPress ecosystem. Plugin ownership transfers happen silently. There is no verification process, no cooling off period, and no notification to the hundreds of thousands of site owners who depend on the code. The new owner immediately inherits the ability to push updates to every installation.
The same pattern has plagued other ecosystems. npm packages have been backdoored through ownership changes, browser extensions have been purchased and weaponized, and even security scanners have been compromised through their supply chains.
For WordPress site owners, the immediate actions are clear:
- Check whether any Essential Plugin product is installed and remove it immediately; the forced update only severed the C2 channel and did not clean an already-compromised site
- Inspect wp-config.php for any code you did not add, paying particular attention to anything after the require_once of wp-settings.php that normally ends the file
- Search your file system for wp-comments-posts.php (note the extra "s"; the legitimate wp-comments-post.php lives in the site root) and delete it
- Monitor Google Search Console for unexpected indexing of spam pages
- Consider using a file integrity monitoring plugin that alerts you when core files change
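The file-side items of that checklist as one script, an added example and not a tool from the report or the vendor: it flags lines in wp-config.php that a stock install never contains and locates the dropped file. The embedded sample config and its injected line are constructed to show the shape of an injection, since the real payload is not reproduced on the page, and the patterns are heuristics that can also fire on hosting-provider additions, so review hits rather than deleting blindly.

```python
import os
import re
import sys

# File name the campaign dropped, one character away from WordPress's real wp-comments-post.php.
SUSPECT_FILENAMES = {"wp-comments-posts.php"}

# Constructs that have no business in a wp-config.php, as (label, regex) pairs; first match wins.
INJECTION_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("unserialize", re.compile(r"\bunserialize\s*\(")),
    ("remote fetch", re.compile(r"\b(?:file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I)),
    ("user-agent check", re.compile(r"HTTP_USER_AGENT|Googlebot", re.I)),
    ("include of dropped file", re.compile(r"wp-comments-posts\.php")),
]


def scan_wp_config(text):
    """Return one finding per suspicious line of a wp-config.php as dicts with line, reason, text."""
    findings = []
    after_settings_require = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        reason = next((label for label, pat in INJECTION_PATTERNS if pat.search(line)), None)
        # A stock wp-config.php ends with `require_once ABSPATH . 'wp-settings.php';`.
        # Executable code after that line is not something WordPress itself ever writes.
        is_comment = stripped.startswith(("//", "#", "/*", "*"))
        if reason is None and after_settings_require and stripped and not is_comment:
            reason = "code after wp-settings.php require"
        if reason:
            findings.append({"line": lineno, "reason": reason, "text": stripped})
        if "wp-settings.php" in line and "require" in line:
            after_settings_require = True
    return findings


def is_suspect_name(path):
    """True for the dropped file's exact name; the legitimate wp-comments-post.php does not match."""
    return os.path.basename(path) in SUSPECT_FILENAMES


def find_suspect_files(root):
    """Walk a WordPress install and return every path whose name matches the dropped file."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files if is_suspect_name(f)]


# Constructed sample: a minimal wp-config.php with a hypothetical cloaking line appended after the
# wp-settings.php require. Only the shape matters; the real injected code is not on the page.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
if ( stripos( $_SERVER['HTTP_USER_AGENT'], 'googlebot' ) !== false ) { eval( base64_decode( 'Li4u' ) ); }
"""


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No install path given: demonstrate on the constructed sample.
        for f in scan_wp_config(SAMPLE_WP_CONFIG):
            print(f"sample line {f['line']}: {f['reason']}: {f['text']}")
        sys.exit(0)
    root = sys.argv[1]
    with open(os.path.join(root, "wp-config.php"), encoding="utf-8", errors="replace") as fh:
        for f in scan_wp_config(fh.read()):
            print(f"wp-config.php:{f['line']}: {f['reason']}: {f['text']}")
    for path in find_suspect_files(root):
        print(f"dropped file: {path}")
```

Run it as `python scan.py /var/www/html` against the WordPress root. A hit on "code after wp-settings.php require" is the strongest single signal, because nothing in WordPress's own setup flow appends code there; the keyword patterns exist to catch an injection placed higher up in the file.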
The Bigger Picture
A six-figure investment gave one buyer control over 400,000 websites. The attack was patient, technically sophisticated, and designed to evade detection at every stage. The blockchain-based C2 infrastructure ensures that even if the current campaign is disrupted, the attacker can reactivate at will.
Until plugin marketplaces implement ownership transfer notifications, mandatory security reviews after transfers, and cooling off periods before new owners can push updates, this attack will be repeated. The economics are too favorable for attackers to ignore.