Backdoor Hidden in Plugin Suite Since August 2025
More than 30 WordPress plugins distributed under the EssentialPlugin brand have been found to contain malicious code that grants unauthorized access to any website running them. The threat actor responsible for planting the backdoor did so quietly last year but only recently flipped the switch, pushing the weaponized code through routine plugin updates and using it to generate spam pages, fake content, and unwanted redirects.
The compromise was first spotted by Austin Ginder, founder of managed WordPress hosting provider Anchor Hosting, after receiving a tip about a single add-on containing code that enabled third-party access. Ginder's deeper investigation confirmed that the backdoor had been present across every plugin in the EssentialPlugin package since August 2025 — coinciding with the project's acquisition by a new owner in a six-figure deal.
What Is EssentialPlugin?
EssentialPlugin traces its roots back to 2015, when it operated under the name WP Online Support. The company rebranded under its current name in 2021 and has since positioned itself as a full-service WordPress development firm. Its catalog spans a wide range of products including sliders, galleries, marketing tools, WooCommerce extensions, SEO and analytics utilities, and themes. The plugins in the compromised suite collectively account for hundreds of thousands of active installations.
How the Attack Worked
According to Ginder, the backdoor remained dormant for months after it was introduced. Once activated, it silently reached out to external infrastructure to retrieve a file named wp-comments-posts.php — deliberately named to resemble the legitimate WordPress file wp-comments-post.php — which then injected malicious code into the site's wp-config.php file.
The injected malware operates with a notable degree of stealth. It leverages Ethereum-based command-and-control (C2) address resolution as an evasion technique, making it harder to block via conventional domain-based filtering. Once in contact with the C2 server, the malware receives instructions that can include the delivery of spam links, redirects, and entirely fabricated pages.
"The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners." — Austin Ginder, Anchor Hosting
That last point is particularly damaging: by targeting only Googlebot with the spam content, the malware avoids detection by the website's administrators while still manipulating search engine indexing — a classic SEO poisoning technique.
PatchStack Analysis Adds Technical Context
WordPress security platform PatchStack conducted its own analysis and found that the backdoor's execution was conditional: it would only proceed if the endpoint analytics.essentialplugin.com returned a malicious serialized payload. This design helped the backdoor stay hidden during routine security scans that did not interact with the C2 infrastructure.
WordPress.org Response and Remaining Risks
WordPress.org acted swiftly once reports of the malicious activity surfaced. The platform closed the affected plugins in its repository and pushed a forced update to websites to neutralize the backdoor's communication channel and disable its execution path.
However, developers issued an important caveat: the forced update did not clean the wp-config.php core configuration file. This file is critical to every WordPress installation — it connects websites to their databases and stores essential configuration settings. Any malicious code already written into it would persist after the forced update.
The WordPress.org Plugins Team also warned administrators running EssentialPlugin products that while wp-comments-posts.php is one known location for the backdoor, the malware may also be lurking in other files on affected systems. Site owners were urged to conduct thorough manual inspections rather than relying solely on the automated remediation.
Key Indicators and Recommended Actions
- Check for the presence of a file named wp-comments-posts.php — note the extra 's' compared to the legitimate wp-comments-post.php
- Inspect wp-config.php for any unauthorized or unexpected code injections
- Review all files within affected EssentialPlugin directories for signs of tampering
- Monitor server logs for outbound connections to analytics.essentialplugin.com or any Ethereum-based endpoints
- Consider restoring wp-config.php from a known-clean backup if modification dates appear suspicious
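The checks above can be run as one sweep of a site's document root. This is an added example, not code from the article, BleepingComputer, Anchor Hosting or EssentialPlugin; it assumes a POSIX sh with find and grep, the function names are invented here, and the eval(/base64_decode( patterns are generic obfuscation heuristics rather than indicators the article names.

```shell
#!/bin/sh
# Added example (not from the article or EssentialPlugin): sweep a WordPress
# document root for the indicators listed above. Assumes POSIX sh with find/grep;
# eval(/base64_decode( are generic heuristics added here, not article indicators.

IOC_RE='analytics\.essentialplugin\.com|wp-comments-posts\.php'

# scan_wp_root ROOT [LOGFILE]: prints one HIT line per indicator group found and
# returns the number of groups hit (0 = nothing found, at most 4).
scan_wp_root() {
    root="$1"; log="$2"; hits=0
    # 1. Look-alike file name (extra 's' vs. wp-comments-post.php) anywhere under ROOT
    n=$(find "$root" -type f -name 'wp-comments-posts.php' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] && { echo "HIT: $n wp-comments-posts.php file(s) under $root"; hits=$((hits+1)); }
    # 2. wp-config.php referencing the C2 host or look-alike file, or obfuscation calls
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ] && grep -Eq "$IOC_RE|base64_decode\(|eval\(" "$cfg"; then
        echo "HIT: suspicious code in $cfg"; hits=$((hits+1))
    fi
    # 3. Plugin tree: any PHP file referencing the incident indicators
    if [ -d "$root/wp-content/plugins" ]; then
        m=$(find "$root/wp-content/plugins" -type f -name '*.php' -exec grep -lE "$IOC_RE" {} + | wc -l | tr -d ' ')
        [ "$m" -gt 0 ] && { echo "HIT: $m plugin file(s) reference incident IoCs"; hits=$((hits+1)); }
    fi
    # 4. Server log: any recorded contact with the C2 hostname
    if [ -n "$log" ] && [ -f "$log" ] && grep -q 'analytics\.essentialplugin\.com' "$log"; then
        echo "HIT: $log records contact with analytics.essentialplugin.com"; hits=$((hits+1))
    fi
    return "$hits"
}

# make_sample_root DIR INFECTED(0|1): constructed mini WordPress tree for a dry run;
# with INFECTED=1 it plants stand-ins for each indicator (made up here, not real samples).
make_sample_root() {
    d="$1"; p="$d/wp-content/plugins/example-plugin"; mkdir -p "$p"
    printf '<?php\n$table_prefix = "wp_";\n' > "$d/wp-config.php"
    printf '<?php\n// Plugin Name: Example\n' > "$p/example.php"
    printf 'GET example.com/ 200\n' > "$d/egress.log"
    if [ "$2" = 1 ]; then
        printf '<?php\n$c2 = "https://analytics.essentialplugin.com/";\n' > "$p/wp-comments-posts.php"
        printf 'include "wp-comments-posts.php";\n' >> "$d/wp-config.php"
        printf 'CONNECT analytics.essentialplugin.com:443\n' >> "$d/egress.log"
    fi
}

# Dry run against the constructed infected tree
tmp=$(mktemp -d); make_sample_root "$tmp/site" 1
scan_wp_root "$tmp/site" "$tmp/site/egress.log" || echo "site flagged: $? indicator group(s)"
rm -rf "$tmp"
```

A hit in group 2 or 4 is the one the forced update does not address, so a flagged wp-config.php should be compared against a known-clean copy rather than just re-scanned after updating.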
No Response from EssentialPlugin
BleepingComputer reached out to EssentialPlugin for comment regarding the malicious commit that was introduced following the acquisition of the plugin suite. As of publishing time, no response had been received.
The incident underscores the ongoing risk posed by plugin acquisitions in the WordPress ecosystem. When established plugins change hands — particularly through large financial transactions — new ownership can introduce supply-chain threats that affect hundreds of thousands of websites before any malicious activity is detected. Site administrators are strongly advised to audit all third-party plugins regularly and treat ownership changes as a trigger for heightened scrutiny.
Source: BleepingComputer