WordPress Plugin Supply Chain Attack Compromises 20,000+ Websites
A significant supply chain attack targeting WordPress plugins has been discovered, affecting dozens of plugins from Essential Plugin and potentially compromising over 20,000 active website installations.
The backdoor was introduced after Essential Plugin was acquired by new owners last year. The malicious code remained dormant until earlier this month when it activated and began distributing harmful code to any website with the affected plugins installed.
Anchor Hosting founder Austin Ginder first identified the attack in a blog post, warning that WordPress users are not notified when plugins change ownership, creating opportunities for malicious actors to compromise large numbers of websites through legitimate software acquisitions.
Essential Plugin claimed over 400,000 plugin installs and more than 15,000 customers before the discovery. All affected plugins have been removed from the WordPress directory with permanent closure status.
This marks the second plugin hijack discovered in two weeks, highlighting growing security concerns in the open-source plugin ecosystem. Security experts recommend WordPress administrators immediately audit their installations and remove any Essential Plugin products.
Impact: The attack demonstrates the vulnerability of supply chain dependencies in web infrastructure. Organizations relying on third-party plugins face inherent risks when ownership changes occur without transparency.
What to Watch: WordPress community response and potential policy changes around plugin ownership notifications. Website administrators should monitor for unusual activity and consider implementing additional security monitoring.
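Because WordPress does not alert administrators when a plugin changes hands, one practical audit is to record each plugin's header metadata and compare it after every update. The following Python script is an added example, not code from the article or from Anchor Hosting; the plugin slugs, authors and URLs in the sample are constructed.

```python
import re
from pathlib import Path

# Header fields WordPress reads from the comment block of a plugin's main PHP file.
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI", "Version")
# Fields whose change across an update points to a change of maintainer.
OWNERSHIP_FIELDS = ("Author", "Author URI", "Plugin URI")

def parse_plugin_header(php_text):
    """Return the WordPress header fields found in the first 8 KB of a plugin file."""
    head = php_text[:8192]
    fields = {}
    for name in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":[ \t]*(.+?)[ \t]*$",
                      head, re.M | re.I)
        if m:
            fields[name] = m.group(1)
    return fields

def snapshot_from_dir(plugins_dir):
    """Read wp-content/plugins and map each plugin slug to its header fields."""
    snap = {}
    for sub in sorted(Path(plugins_dir).iterdir()):
        for php in (sorted(sub.glob("*.php")) if sub.is_dir() else []):
            hdr = parse_plugin_header(php.read_text(errors="ignore"))
            if "Plugin Name" in hdr:  # only the main plugin file carries a header
                snap[sub.name] = hdr
                break
    return snap

def ownership_changes(previous, current):
    """Compare two snapshots; list slugs whose maintainer fields changed or are new."""
    findings = []
    for slug, hdr in current.items():
        old = previous.get(slug)
        if old is None:
            findings.append((slug, "new plugin, no baseline"))
            continue
        for field in OWNERSHIP_FIELDS:
            if old.get(field) != hdr.get(field):
                findings.append((slug, f"{field}: {old.get(field)!r} -> {hdr.get(field)!r}"))
    return findings

# Constructed sample headers (hypothetical plugins), as captured before and after an update.
BASELINE = {"my-gallery": parse_plugin_header(
    "<?php\n/*\nPlugin Name: My Gallery\nAuthor: Original Dev\nAuthor URI: https://example.org\nVersion: 1.2\n*/")}
AFTER_UPDATE = {
    "my-gallery": parse_plugin_header(
        "<?php\n/**\n * Plugin Name: My Gallery\n * Author: New Owner LLC\n * Author URI: https://example.net\n * Version: 1.3\n */"),
    "newly-added": parse_plugin_header("<?php\n/*\nPlugin Name: Newly Added\nAuthor: Someone\n*/"),
}

if __name__ == "__main__":
    for slug, why in ownership_changes(BASELINE, AFTER_UPDATE):
        print(f"REVIEW {slug}: {why}")
```

In practice, store the output of snapshot_from_dir() for the live plugins directory alongside backups and run ownership_changes() against it after each update cycle; a changed Author or Author URI is the signal this article says administrators currently never receive.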