Someone has apparently snaffled up 31 WordPress plugins and wedged a backdoor in each one
Rather than juggling way too many tabs in Chrome, I sweep them all into OneTab and promptly forget about them—extensions and plugins are great. If I still had my own blog, I'd probably use them for all sorts of things, but third-party platform add-ons also represent a security concern.
It's important to double-check the provenance of anything you're considering adding, though I suspect few attackers will be quite as ambitious as the person who bought 30 WordPress plugins and then installed backdoors in all of them.
That's according to Austin Ginder, the founder of Anchor Hosting. He began to investigate after noticing the previously dormant Countdown Timer Ultimate had begun pushing out malicious code. A number of the affected plugins have since been taken offline (via TechCrunch).
Countdown Timer Ultimate was originally built by a team called Essential Plugin. Due to a decline in revenue, the founders sold their entire business on Flippa, a private marketplace for buying and selling online outfits like Essential Plugin. The platform itself shared a case study on the six-figure sale in 2025. According to Ginder's timeline, the new owner allegedly planted the backdoor barely a month after that glowing post went up on Flippa.
The backdoor wasn't weaponised until about April 5, 2026, according to the blog, with the WordPress plugins team moving to shut down all 31 of Essential Plugin's offerings. Quick action is definitely welcome in a situation like this, but Ginder criticises the fact that no users would have suspected anything was up until the attack began.
He writes, "WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no 'change of control' notification to users. No additional code review triggered by a new committer."
Worse still, Ginder reports that this sort of hijack is not uncommon. He cites one case from 2017 in which someone "purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam," and another from earlier this very month, in which someone launched a supply chain attack via the previously trusted Widget Logic WordPress plugin.
For context, the Essential Plugin team's website is still live, touting "15,000+ Global Happy Customers." That's a lot of users who could potentially have been affected—how many of them would have had no idea until either WordPress took the plugins down, or they independently stumbled across news coverage of the polluted plugins themselves? It's hard not to see Ginder's argument.