The WordPress Backdoor Scandal: Why 30+ “Trusted” Plugins Just Turned Malicious

wordpress-plugins-backdoor-malicious-security-issues

This recent security breach in the WordPress ecosystem is a massive wake-up call for website owners. A portfolio of over 30 plugins was sold to a new owner who immediately weaponized them with backdoors.

If you use UltimateWB, you are in a much safer position than the average WordPress user – and here is why.

The Attack: What Happened?

A portfolio of 30+ plugins (formerly under “WP Online Support,” now “Essential Plugin”) was sold on Flippa for a six-figure sum. For eight months, the new owner kept a backdoor dormant in the code. In April 2026, they activated it.

The malware was sophisticated:

  • Stealth SEO Spam: It injected code into wp-config.php that served spam links and fake pages only to Googlebot. Site owners couldn’t see it, but their search rankings were being destroyed.
  • Blockchain C2: The attackers used Ethereum smart contracts to update their command-and-control servers, making it nearly impossible for traditional security teams to take them down.
  • Unauthenticated Access: The “wpos-analytics” module added to these plugins allowed for arbitrary function calls, effectively giving the attacker full control over the site.

The Compromised Plugins List

If you or your clients manage WordPress sites, check for these specific plugins immediately. All of these have been closed by the WordPress.org team due to these security concerns:

  • Accordion and Accordion Slider (accordion-and-accordion-slider)
  • Album and Image Gallery Plus Lightbox (album-and-image-gallery-plus-lightbox)
  • Audio Player with Playlist Ultimate (audio-player-with-playlist-ultimate)
  • Blog Designer for Post and Widget (blog-designer-for-post-and-widget)
  • Countdown Timer Ultimate (countdown-timer-ultimate)
  • Featured Post Creative (featured-post-creative)
  • Footer Mega Grid Columns (footer-mega-grid-columns)
  • Hero Banner Ultimate (hero-banner-ultimate)
  • HTML5 VideoGallery Plus Player (html5-videogallery-plus-player)
  • Meta Slider and Carousel with Lightbox (meta-slider-and-carousel-with-lightbox)
  • Popup Anything on Click (popup-anything-on-click)
  • Portfolio and Projects (portfolio-and-projects)
  • Post Category Image with Grid and Slider (post-category-image-with-grid-and-slider)
  • Post Grid and Filter Ultimate (post-grid-and-filter-ultimate)
  • Preloader for Website (preloader-for-website)
  • Product Categories Designs for WooCommerce (product-categories-designs-for-woocommerce)
  • Responsive WP FAQ with Category (sp-faq)
  • SlidersPack – All in One Image Sliders (sliderspack-all-in-one-image-sliders)
  • SP News And Widget (sp-news-and-widget)
  • Styles for WP PageNavi – Addon (styles-for-wp-pagenavi-addon)
  • Ticker Ultimate (ticker-ultimate)
  • Timeline and History Slider (timeline-and-history-slider)
  • Woo Product Slider and Carousel with Category (woo-product-slider-and-carousel-with-category)
  • WP Blog and Widgets (wp-blog-and-widgets)
  • WP Featured Content and Slider (wp-featured-content-and-slider)
  • WP Logo Showcase Responsive Slider and Carousel (wp-logo-showcase-responsive-slider-slider)
  • WP Responsive Recent Post Slider (wp-responsive-recent-post-slider)
  • WP Slick Slider and Image Carousel (wp-slick-slider-and-image-carousel)
  • WP Team Showcase and Slider (wp-team-showcase-and-slider)
  • WP Testimonial with Widget (wp-testimonial-with-widget)
  • WP Trending Post Slider and Widget (wp-trending-post-slider-and-widget)

Related: Why Avoiding Third-Party Plugins Makes Your Website Faster, Safer, and Easier to Manage

Why WordPress is Vulnerable

WordPress relies on a “Lego-brick” philosophy. If you want a slider, you install a plugin. If you want a testimonial wall, you install another. Every time you add a plugin, you are essentially inviting a stranger to run code on your server.

As seen in this case, even if a plugin is safe today, it can be sold to a malicious actor tomorrow. WordPress.org currently has no mechanism to alert users when a plugin changes ownership or to trigger a fresh security audit upon sale.

Related; Why Relying on WordPress Plugins Can Backfire (And How to Avoid It)

Why do WordPress websites and blogs get hacked so much?

The UltimateWB Advantage: Control Over “Bloat”

This is exactly why we built UltimateWB the way we did. WordPress relies on a “Lego-brick” philosophy where every basic feature requires a third-party plugin. Every time you add one, you are inviting a stranger to run code on your server.

  1. Massive Native Power: While UltimateWB already includes powerful built-in features for social networking, memberships, and e-commerce, it doesn’t force you into a “walled garden” of risky third-party plugins for the small stuff.
  2. Easy Customization Without the Risk: Want a specific slider, countdown timer, or popup? You don’t need to download a plugin from a developer who might sell their business to a hacker. These elements are very easy to add via custom coding within UltimateWB.
  3. The AI Edge: Don’t know how to code? You don’t have to. You can simply ask an AI to generate the specific CSS or JavaScript for a tool like a “Countdown Timer,” then copy and paste it directly into your site.

By using custom code or native features, you maintain 100% ownership of your site’s functionality. You aren’t waiting for a third-party developer to push an update – or worse, a backdoor.

Related: Why WordPress Users Are Switching to UltimateWB: 10 Data-Driven Reasons

What to do if you are affected

If you have these plugins installed, deleting them may not be enough. The malware frequently appends itself to the wp-config.php file on the same line as require_once ABSPATH . 'wp-settings.php';. This makes it very easy to miss. If your config file is significantly larger than usual (around 6KB of extra code), your site requires a full forensic cleanup.

Related: Do WordPress plugins sometimes leave stuff on your website after uninstalling the plugin?

WordPress website hacked? How to fix it…!

In Summary

Security isn’t just about having a good password; it’s about reducing your “attack surface.” By choosing an all-in-one builder like UltimateWB, you eliminate the need for the “plugin bloat” that leads to these types of supply chain attacks.

Keep your sites lean, keep your features native, and stay safe.

Related: Why WordPress Sites Score Low on PageSpeed – and How UltimateWB Fixes That

What Makes UltimateWB Easier to Use Than WordPress

Do you really own your WordPress website?

What are the Most Bloated and Sluggish Website Builders of Today?

Transitioning from a Hacked WordPress Site to UltimateWB: A Seamless Rebuild

Ready to design & build your own website? Learn more about UltimateWB! We also offer web design packages if you would like your website designed and built for you.

Got a techy/website question? Whether it’s about UltimateWB or another website builder, web hosting, or other aspects of websites, just send in your question in the “Ask David!” form. We will email you when the answer is posted on the UltimateWB “Ask David!” section.

This entry was posted in Compare Website Builders and tagged , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *