EssentialPlugin WordPress Plugins Hacked: Backdoor Injected into Thousands of Sites
A supply chain attack has compromised over 30 **WordPress** plugins from **EssentialPlugin**, injecting a backdoor that grants unauthorized website access. The malicious code, present since August 2025, was recently activated to generate spam pages and redirects, highlighting the risks associated with plugin acquisitions and updates.

More than 30 **WordPress** plugins within the **EssentialPlugin** package have been compromised with malicious code, enabling unauthorized access to websites using them.
A malicious actor introduced the backdoor code last year but only recently began distributing it to users via updates, generating spam pages and redirects based on instructions from a command-and-control (C2) server.
The compromise affects plugins with hundreds of thousands of active installations and was discovered by **Austin Ginder**, founder of managed **WordPress** hosting provider **Anchor Hosting**, after receiving a tip about an add-on containing code that allowed third-party access.
Further investigation by **Ginder** revealed that a backdoor had been present in all plugins within the **EssentialPlugin** package since August 2025, following the project's acquisition by a new owner in a six-figure deal.
**EssentialPlugin**, established in 2015 as WP Online Support and rebranded in 2021, is a **WordPress** development firm offering sliders, galleries, marketing tools, **WooCommerce** extensions, SEO/analytics utilities, and themes.
According to **Ginder**, the backdoor remained inactive until recently, when it silently contacted external infrastructure to fetch a file ('wp-comments-posts.php') that injects malware into 'wp-config.php'.
The downloaded malware is designed to be invisible to site owners and uses Ethereum-based C2 address resolution for evasion. Depending on the received instructions, the malware can retrieve "spam links, redirects, and fake pages".
"The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to **Googlebot**, making it invisible to site owners," [explained Ginder](https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/).
Analysis from **WordPress** security platform **PatchStack** [shows](http://patchstack.com/articles/critical-supply-chain-compromise-on-20-plugins-by-essentialplugin/) that the backdoor only worked if the 'analytics.essentialplugin.com' endpoint returned with malicious serialized content.
### WordPress Action and Infection Status
WordPress.org responded swiftly to the reports of malicious activity by closing the plugins and pushing a forced update to websites to neutralize the backdoor's communication and disable its execution path.
However, the developers warned that the action did not clean the wp-config core configuration file, which connects websites to their databases and includes critical settings.
The WordPress.org Plugins Team also cautioned administrators with websites running an **EssentialPlugin** product that while one known location for the backdoor is a file named `wp-comments-posts.php`, which resembles the legitimate `wp-comments-post.php`, the malware may also hide in other files.
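For administrators who want to check a site themselves, the following read-only triage script is an added example and is not code from the article, from Anchor Hosting, Patchstack, or EssentialPlugin. It looks for the three indicators named above: a file called `wp-comments-posts.php` (the lookalike of the legitimate `wp-comments-post.php`), code appended to `wp-config.php` after its normal `wp-settings.php` include, and plugin files that reference the `analytics.essentialplugin.com` endpoint. The site root path, the list of obfuscation functions it greps for, and the assumption that a clean `wp-config.php` ends with the `wp-settings.php` include are assumptions of this example; anything it flags is a lead for manual review, not proof of compromise.

```shell
#!/bin/sh
# Added example (not from the article or any of the parties it names):
# read-only triage of a WordPress install for the indicators described above.
# Prints findings and returns 1 if any were found, 0 if none, 2 on bad input.

LOOKALIKE="wp-comments-posts.php"          # one letter longer than the core file
C2_HOST='analytics\.essentialplugin\.com'  # endpoint named in the Patchstack write-up
# Obfuscation primitives that rarely belong in wp-config.php (assumed heuristic list).
SUSPICIOUS_RE='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|unserialize\('

scan_wp_root() {
    root="$1"
    findings=0
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # 1. Lookalike filename anywhere under the site root (plugins, uploads, root).
    lookalikes=$(find "$root" -type f -name "$LOOKALIKE" 2>/dev/null)
    if [ -n "$lookalikes" ]; then
        printf 'FOUND lookalike file(s):\n%s\n' "$lookalikes"
        findings=$((findings + $(printf '%s\n' "$lookalikes" | wc -l)))
    fi

    # 2. wp-config.php: a stock config ends with the wp-settings.php include,
    #    so any non-empty line after it is worth reading by hand.
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        trailing=$(awk '/wp-settings\.php/ {seen=1; next} seen && NF' "$cfg")
        if [ -n "$trailing" ]; then
            printf 'FOUND code after wp-settings.php include in %s:\n%s\n' "$cfg" "$trailing"
            findings=$((findings + 1))
        fi
        # Obfuscation calls anywhere in the config file.
        if grep -nE "$SUSPICIOUS_RE" "$cfg"; then
            findings=$((findings + 1))
        fi
    fi

    # 3. Plugin code that talks to the endpoint the backdoor polled.
    plugins="$root/wp-content/plugins"
    if [ -d "$plugins" ]; then
        refs=$(grep -rlE "$C2_HOST" "$plugins" 2>/dev/null)
        if [ -n "$refs" ]; then
            printf 'FOUND reference(s) to the C2 endpoint:\n%s\n' "$refs"
            findings=$((findings + $(printf '%s\n' "$refs" | wc -l)))
        fi
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage (assumed path): scan_wp_root /var/www/html
```

Run it as the web server user or root so it can read every file; a non-zero exit means at least one indicator matched. Because the forced update from WordPress.org did not touch `wp-config.php`, the second check is the one most likely to still fire on a site that was already infected.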
**BleepingComputer** has contacted **EssentialPlugin** for comment on the reported malicious commit that occurred after the acquisition, but has not received a response as of publishing time.