Thousands of WordPress Sites Hit by Malware in Suspected Supply Chain Attack


By Tanveer Ahmed

More than 20,000 websites built on WordPress have been compromised following the discovery of hidden backdoors in widely used plugins, in what researchers describe as a significant supply chain attack.

The breach was identified by security researcher Austin Ginder, who linked the issue to a plugin developer operating under the name “Essential Plugin”. According to his findings, the developer was acquired last year, after which malicious code is believed to have been quietly embedded into the software.

The backdoor remained inactive for several months before being triggered earlier this month. Once activated, it began injecting harmful code into affected websites, potentially giving attackers access to sensitive data and administrative controls.

While the developer claimed hundreds of thousands of installations, researchers estimate that at least 20,000 websites were actively impacted when the malicious activity began.

Plugins are widely used to extend the functionality of WordPress sites, but the level of access they run with also makes them a critical point of exposure if compromised. Experts warn that such breaches can enable data theft, unauthorised system access and the spread of malware across multiple sites.

The incident has also raised concerns about transparency within the plugin ecosystem. Researchers note that users are not automatically alerted when ownership of a plugin changes, creating an opening for attackers to take control of trusted tools and exploit them.

This is the second reported case in recent weeks involving the alleged takeover of legitimate plugins to distribute malicious code, highlighting growing risks within the open-source software supply chain.

The affected plugins have since been removed from official directories and marked as permanently closed. Website owners are being urged to review their systems, uninstall any compromised plugins and strengthen security measures.

No official statement has been issued by the developers linked to the plugins at the centre of the incident.
