Someone hid a dangerous PHP backdoor inside a six-figure purchase of over 30 trusted WordPress plugins in 2025, stayed silent for eight months, and then destroyed the data and SEO of thousands of websites simultaneously in April 2026. This is the most calculated supply chain attack in WordPress history.
More than 810 million websites worldwide run on WordPress, and the secret to their strength lies in plugins: the small software tools that transform a simple website into a powerful platform. This time, that trust has suffered its biggest betrayal yet.
Someone known only by the name Kris bought an entire plugin company in 2025, hid a weapon inside it that stayed silent for 8 months, and then, overnight in April 2026, took down thousands of websites. This was not a random hack; it was a carefully planned, patient and extremely dangerous supply chain attack that exposed the biggest weakness in the WordPress ecosystem.
In early 2025, an individual named Kris, with a background in SEO, crypto and online gambling, purchased the entire Essential Plugin portfolio on the digital marketplace Flippa for a six-figure sum. The sale was so successful that Flippa published its own case study of the deal in July 2025, even though a backdoor had already been planted.
Essential Plugin was a portfolio of over 30 free WordPress plugins for sliders, countdown timers, FAQs, galleries and audio players: all tools that millions of website owners use daily without wondering who actually maintains them.
When Kris took ownership, the first thing he did was change the original author headers. There was no notification and no email; no user knew. Plugin ownership changes on WordPress.org happen without anyone in the world being told, and that was the foundation of this attack.
Kris's first SVN commit was the backdoor itself: version 2.6.7, released on August 8, 2025, with a changelog stating only "Check compatibility with WordPress version 6.8.2". In fact it added 191 lines of malicious PHP code, including a PHP deserialization backdoor, an unauthenticated REST API endpoint and a remote code execution mechanism that let the attacker's server control which function names were called, with what arguments, and when they were executed.
The most ingenious and terrifying part of this attack was that after planting the backdoor, Kris did nothing for 8 months: no activation, no malicious payload and no suspicious traffic. This dormant period was deliberate, so that the ownership transition would look old and no incident responder or security researcher would connect the dots between the new buyer and the attack.
The more time passed, the more normal it seemed. The attacker stored the address of the C2 (command and control) server in an Ethereum smart contract. If a server gets blocked, the attacker simply updates the contract on the blockchain and the malware automatically finds the new address. This is untraceable infrastructure, used at this scale for the first time in mainstream web compromises.
On April 5, 2026, after 8 months of silence, the backdoor was activated. The C2 server started distributing payloads, and in just 6 hours and 44 minutes the wp-config.php file of thousands of websites was rewritten. wp-config.php is the most critical configuration file in WordPress; rewriting it means complete attacker control over the site.
The injected code created hidden SEO spam visible only to Googlebot. To real visitors everything looked normal, but search engines were served fake pages, spam links and redirect URLs. This was cloaked parasite SEO: the attacker was silently renting the Google rankings of 70,000 websites for his spam operations.
Austin Ginder, founder of Anchor Hosting, only found out when 12 infected sites in his fleet triggered a security alert. He conducted a full security audit and found that WordPress.org had already pushed a forced auto-update to version 2.6.9.1, but this cleanup did not reach wp-config.php, meaning sites that had already been hit continued to serve hidden spam to Googlebot until administrators performed a manual cleanup.
Quick Redirect Plugin Backdoor Found
This week, researchers discovered another, even older case. The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had in its official versions 5.2.1 and 5.2.2, released between 2020 and 2021, a hidden self-update mechanism that pointed to the third-party domain anadnet[.]com, which could push arbitrary code outside the control of WordPress.org.
In March 2021, sites running Quick Page/Post Redirect 5.2.1 and 5.2.2 silently received a tampered 5.2.3 build from that external server. It introduced a passive backdoor triggered only for logged-out users, so admins would not notice. This backdoor was used for SEO spam operations; the attacker was silently renting the Google rankings of 70,000 websites.
Ginder even sent a direct message to the people behind the plugin, saying "Do the right thing: publish a static update manifest that will automatically move all affected sites to the clean version", but there was no response. There are still 70,000 installs whose update checks point to the anadnet[.]com server. The domain is active, the backdoor mechanism is alive, and only the C2 subdomain is not resolving.
The Essential Plugin incident was not isolated. That same week, the official update infrastructure of the Smart Slider 3 Pro plugin, which has over 800,000 active installations, was hacked to push a weaponized version that installed a remote access toolkit.
Two different methods, same root cause: blind trust in the official update pipeline. The same pattern occurred in 2017, when someone using the alias Daley Tias purchased the Display Widgets plugin, with 200,000 installs, for $15,000 and injected instant payday loan spam. Nine years later it is the same playbook, only with more sophisticated and more patient execution.
Other major software ecosystems like npm and PyPI implemented code signing and mandatory two-factor authentication after similar crises; WordPress still lacks these foundational security controls. There is no formal mechanism to review plugin ownership transfers, no mandatory user notification when a plugin is sold, and no automatic security review when a new committer takes over an entire portfolio.
If you have any Essential Plugin plugin installed on your site, remove it immediately. Manually check the wp-config.php file to ensure it is not roughly 6KB larger than expected; if it is, a full cleanup is necessary, and just updating the plugin will not suffice. This attack proves that a plugin's trusted reputation and a plugin's safety are not the same thing, and the WordPress ecosystem needs to understand this difference now.
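The checks this advice and the earlier Googlebot-cloaking and anadnet[.]com update-domain passages call for, as an added shell example that is not code from the article, Anchor Hosting or any WordPress project: the function names, the 6000-byte threshold standing in for "roughly 6KB", and the User-Agent grep are my assumptions.

```shell
#!/bin/sh
# Added defensive check built around the indicators the article gives; it is not
# code from the article, Anchor Hosting or any WordPress project. The ~6 KB size
# delta and Googlebot-only cloaking come from the article; grepping for the
# User-Agent header and for the update domain are my heuristic assumptions.

# Bytes over a known-good baseline that count as "roughly 6 KB larger".
SIZE_THRESHOLD=${SIZE_THRESHOLD:-6000}

# wp_config_suspicious FILE BASELINE_BYTES -> 0 if suspicious, 1 if not.
# A clean wp-config.php never inspects the User-Agent; cloaking code must.
wp_config_suspicious() {
    file=$1
    baseline=$2
    [ -f "$file" ] || return 1
    size=$(( $(wc -c < "$file") ))
    if [ $((size - baseline)) -ge "$SIZE_THRESHOLD" ]; then
        echo "SIZE  $file: $((size - baseline)) bytes over baseline" >&2
        return 0
    fi
    if grep -qiE 'HTTP_USER_AGENT|Googlebot' "$file"; then
        echo "CLOAK $file: inspects the User-Agent header" >&2
        return 0
    fi
    return 1
}

# plugin_uses_external_updater PLUGIN_DIR -> 0 if any file references the
# third-party update domain the article names for Quick Page/Post Redirect.
plugin_uses_external_updater() {
    grep -rqiF 'anadnet.com' "$1"
}

# Walk every wp-config.php under a web root and compare each to BASELINE.
# Usage: scan_fleet /var/www 3500   (baseline bytes from a known-clean install)
scan_fleet() {
    find "$1" -name wp-config.php -type f 2>/dev/null | while read -r cfg; do
        wp_config_suspicious "$cfg" "$2" || echo "ok    $cfg"
    done
}

# Demo on a constructed, padded wp-config.php (not real site data): sh check.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '<?php\ndefine("DB_NAME", "wp");\n' > "$d/wp-config.php"
    head -c 7000 /dev/zero | tr '\0' 'A' >> "$d/wp-config.php"
    scan_fleet "$d" 32
    rm -rf "$d"
fi
```

Take the baseline from a wp-config.php you know is clean; the size check only flags files that grew by the threshold, so a config that was already bloated before the incident needs a manual diff as well.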