Thirty-one WordPress plugins were removed from WordPress.org in a single day. Not because they were abandoned or outdated, but because the portfolio they came from was compromised following a change of ownership and used to distribute malicious code to sites running them.
The story is straightforward and deeply troubling. Essential Plugin, a collection of free plugins with premium versions built by an Indian team starting in 2015, was put up for sale on Flippa in late 2024 after revenue declined. The buyer, identified only as “Kris” with a profile linked to SEO, cryptocurrency, and online gambling marketing, paid a six-figure sum. The new owner's first commit to the plugin source code was the backdoor.
Eight months of silence, then activation
The malicious update arrived on August 8, 2025, disguised as a routine WordPress 6.8.2 compatibility note. Inside were 191 additional lines of PHP, including a deserialization mechanism that allowed remote code execution. For eight months, nothing happened. Then, between April 5 and 6, 2026, the command server began distributing payloads.
The malware injected spam links and fake pages directly into wp-config.php, but displayed them only to Googlebot, Google’s crawler. Site owners saw nothing unusual. To make cleanup even harder, the control server domain was resolved through a smart contract on Ethereum: taking down the domain wouldn’t have stopped it, since the attacker could update the contract and point elsewhere.
WordPress.org responded on April 7 by permanently closing all plugins from the author. The next day, April 8, it forced an automatic update that disabled the malicious server callback mechanism, but without cleaning wp-config.php. Already-compromised sites continued serving spam to Google without knowing it.
The plugin checklist
If you manage WordPress sites, search your installation for these plugins:
- WP Trending Post Slider and Widget
- Accordion and Accordion Slider
- Album and Image Gallery Plus Lightbox
- Audio Player with Playlist Ultimate
- Blog Designer for Post and Widget
- Countdown Timer Ultimate
- Featured Post Creative
- Footer Mega Grid Columns
- Hero Banner Ultimate
- HTML5 VideoGallery Plus Player
- Meta Slider and Carousel with Lightbox
- Popup Anything on Click
- Portfolio and Projects
- Post Category Image with Grid and Slider
- Post Grid and Filter Ultimate
- Preloader for Website
- Product Categories Designs for WooCommerce
- Responsive WP FAQ with Category
- SlidersPack – All in One Image Sliders
- SP News and Widget
- Styles for WP PageNavi – Addon
- Ticker Ultimate
- Timeline and History Slider
- Woo Product Slider and Carousel with Category
- WP Blog and Widgets
- WP Featured Content and Slider
- WP Logo Showcase Responsive Slider and Carousel
- WP Responsive Recent Post Slider
- WP Slick Slider and Image Carousel
- WP Team Showcase and Slider
- WP Testimonial with Widget
If you find one, simply removing it isn’t enough. Open wp-config.php and check that it hasn’t grown by roughly 6 KB: the injected code appends itself to the same line as require_once ABSPATH . 'wp-settings.php'; and can go unnoticed. Also look for a file named wp-comments-posts.php (with the “s”, different from the legitimate wp-comments-post.php). If you find either of these signals, your site has been compromised and needs thorough cleanup, not just plugin removal.
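The following POSIX shell script is an added example, not code from the article or from WordPress.org: it automates the two post-removal checks just described (code appended after the wp-settings.php require line, and the presence of wp-comments-posts.php), adds a size check, and lists the "Plugin Name:" headers of installed plugins for comparison against the list above. The 8 KB size cutoff and the install path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article. Checks one WordPress install root
# for the indicators described in the text. The size cutoff is an assumption.

# Prints each finding. Returns 1 if anything suspicious was found, 0 if clean.
wp_check_indicators() {
    root="$1"
    cfg="$root/wp-config.php"
    found=0
    if [ -f "$cfg" ]; then
        # Signal 1: extra code on the same line as the wp-settings.php require.
        # A clean line ends right after the semicolon; anything after it is suspect.
        if grep -E "require_once[^;]*'wp-settings\.php'[^;]*;[[:space:]]*[^[:space:]]" "$cfg" >/dev/null; then
            echo "SUSPICIOUS: $cfg has code appended after the wp-settings.php require"
            found=1
        fi
        # Signal 2: file far larger than a stock wp-config.php (about 3 KB);
        # the article describes roughly 6 KB of injected code. 8 KB is an assumed cutoff.
        size=$(wc -c < "$cfg" | tr -d ' ')
        if [ "$size" -gt 8192 ]; then
            echo "SUSPICIOUS: $cfg is $size bytes, far larger than a stock config"
            found=1
        fi
    else
        echo "WARNING: $cfg not found"
    fi
    # Signal 3: the dropped file whose name mimics the legitimate wp-comments-post.php.
    if [ -f "$root/wp-comments-posts.php" ]; then
        echo "SUSPICIOUS: $root/wp-comments-posts.php exists (legitimate file is wp-comments-post.php)"
        found=1
    fi
    return $found
}

# Prints the "Plugin Name:" header of every installed plugin, one per line,
# so the output can be compared against the checklist above.
wp_list_plugin_names() {
    grep -rhoE --include='*.php' 'Plugin Name:[[:space:]]*[^[:space:]].*' "$1/wp-content/plugins" 2>/dev/null \
        | sed 's/^Plugin Name:[[:space:]]*//' | sed 's/[[:space:]]*$//' | sort -u
}

# Usage: sh wpcheck.sh /var/www/html   (the path is an example)
if [ -n "$1" ]; then
    echo "Installed plugins:"; wp_list_plugin_names "$1"
    wp_check_indicators "$1" && echo "No indicators found in $1"
fi
```

A trailing comment on the require line will also be flagged; that is intended, since anything after that semicolon deserves a look.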
The real problem isn’t this single attack
In the same period, a similar case emerged with Smart Slider 3 Pro, compromised through the vendor’s official update server. That made two supply chain attacks in the same week, different in method but similar in effect: malicious code distributed through an update channel that users trusted as secure.
The real issue is that, at least judging from this case, transferring plugin ownership triggers neither a notification to users nor an automatic additional review of the new owner’s first commit. WordPress.org has a transfer process in place, especially for larger plugins, but this episode shows the mechanism alone isn’t enough to prevent supply chain abuse.
The practical lesson is simple: the fewer plugins you install, the smaller your attack surface. A plugin that does something nice but isn’t essential is a risk you are taking on, not a free extra. Keep it updated, keep it monitored, or don’t keep it at all.