Skip to content

JOBUZO

  • News
  • Indonesia
  • Toggle search form
Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

Posted on 14 April 2026 By jobuzo

Dozens of plug-ins for the widely used open source web blogging software WordPress are now offline after a backdoor was discovered in them, used to push malicious code to any website that relied on the plug-ins. The backdoor was discovered after a new corporate owner bought these plug-ins.

Anchor Hosting founder Austin Ginder sounded the alarm in a blog post last week describing a supply chain attack on a WordPress plug-in maker called Essential Plugin. Ginder said someone last year bought Essential Plugin and the backdoor was soon added to the plug-ins’ source code. The backdoor sat dormant until earlier this month when it activated and began distributing malicious code to any website with the plug-ins installed.

Essential Plugin says on its website that it has over 400,000 plug-in installs and more than 15,000 customers. WordPress’ plug-in install page says the affected plug-ins are in over 20,000 active WordPress installations.

Plug-ins allow owners of WordPress-based websites to extend the site’s functionality, but in doing so grant the plug-ins access to their installations, which can open these websites to malicious extensions and potential compromise. But Ginder warned that WordPress users are not notified of any plug-ins’ change in ownership, exposing users to potential takeover attacks by their new owners.

According to Ginder, this is the second hijack of a WordPress plug-in discovered in as many weeks. Security researchers have long warned of the risks of malicious actors buying software and changing its code in order to compromise a large number of computers around the world.

While the plug-ins have been removed from WordPress’ directory and now list their closure as “permanent,” Ginder warned that WordPress owners should check if they still have one of the malicious plug-ins installed and remove it. Ginder has a list of the affected plug-ins in the blog post.

News :<div>12 weeks' jail for school IT support technician who took upskirt videos of teachers</div>

Representatives for Essential Plugin did not respond to a request for comment.

Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites


News

Post navigation

Previous Post: Why Sigenergy’s IPO ignited market frenzy with oversubscription of 1,000 times
Next Post: AI data center startup Fluidstack in talks for $1B round at $18B valuation months after hitting $7.5B, says report

Related Posts

Nepal PM backs squatter settlement demolitions in Kathmandu, rights groups decry displacement Nepal PM backs squatter settlement demolitions in Kathmandu, rights groups decry displacement News
Polygamous sect's sway has dwindled in twin towns on Arizona-Utah line. Residents enjoy new freedoms Polygamous sect’s sway has dwindled in twin towns on Arizona-Utah line. Residents enjoy new freedoms News
Sure, take MC - but stay home or else: Certis Cisco's new rule sparks debate Sure, take MC – but stay home or else: Certis Cisco’s new rule sparks debate News

Latest

  • Credit card outage disrupts payments at stores across Japan
  • The AI Backlash Has Tech Executives Fearing for Their Lives
  • Flyers lock up Trevor Zegras with a 4-year deal worth $9.125M per year
  • US imposing a 25% tariff on some Brazilian imports starting July 22, citing unfair trade practices
  • Leaked First Real Life Look at the Samsung Galaxy Z Fold 8 Ultra
  • Daily roundup: CPF Board warns of impersonation scams targeting employers on CPF matters — and other top stories today
  • Kardashians’ Bodyguard Mason Haynes Dies in Traffic Accident at 52
  • Tesla driver in fatal Texas crash pressed accelerator 100%, NTSB confirms
  • Daniel Ek’s body-scanning startup Neko Health raises another $700M
  • Brain-chip milestone: China completes world’s first commercial implant

Copyright © 2025 JOBUZO. Disclaimers | Privacy Policies

Powered by PressBook Masonry Blogs