WordPress Plug-ins Contained Backdoors After Ownership Change

Dozens of WordPress plug-ins were taken offline after a backdoor was discovered in their source code, allowing malicious code to be pushed to websites using the affected software. The backdoor was added after a new corporate owner purchased the plug-in maker Essential Plugin last year. According to security researcher Austin Ginder of Anchor Hosting, the backdoor remained dormant until earlier this month before activating to distribute malicious payloads. Essential Plugin claims over 400,000 plug-in installations across more than 15,000 customers. WordPress data indicates the affected plug-ins were active on over 20,000 websites before being removed from the official directory. The incident represents a supply chain attack where malicious actors acquire legitimate software companies to compromise their customer base. Plug-ins grant extensive access to WordPress installations, making them attractive targets for such takeovers. Ginder noted this marks the second WordPress plug-in hijack discovered in recent weeks. Security experts have repeatedly warned about the risks of software ownership changes without user notification, which can expose websites to compromise The affected plug-ins have been permanently removed from WordPress repositories. Website administrators are advised to check their installations for any remaining Essential Plugin components and remove them immediately.