{"id":8929,"date":"2026-04-16T17:41:22","date_gmt":"2026-04-17T00:41:22","guid":{"rendered":"https:\/\/www.ultimatewb.com\/blog\/?p=8929"},"modified":"2026-04-16T18:57:14","modified_gmt":"2026-04-17T01:57:14","slug":"the-wordpress-backdoor-scandal-why-30-trusted-plugins-just-turned-malicious","status":"publish","type":"post","link":"https:\/\/www.ultimatewb.com\/blog\/8929\/the-wordpress-backdoor-scandal-why-30-trusted-plugins-just-turned-malicious\/","title":{"rendered":"The WordPress Backdoor Scandal: Why 30+ &#8220;Trusted&#8221; Plugins Just Turned Malicious"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\">    <picture>\n                <source type=\"image\/webp\" srcset=\"https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues-150x82.webp 150w, https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues-500x273.webp 500w, https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues-800x437.webp 800w, https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues.webp 1200w\" sizes=\"(max-width: 600px) 100vw, (max-width: 1200px) 75vw, 1200px\">\n                <img src=\"https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues.jpg\"\n             srcset=\"https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues.jpg 1200w, https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues-500x273.jpg 500w, https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues-768x419.jpg 768w, https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues-150x82.jpg 150w, 
https:\/\/www.ultimatewb.com\/blog\/wp-content\/uploads\/wordpress-plugins-backdoor-malicious-security-issues-800x437.jpg 800w\"             sizes=\"(max-width: 600px) 100vw, (max-width: 1200px) 75vw, 1200px\"\n             width=\"1200\"\n             height=\"655\"\n             alt=\"wordpress-plugins-backdoor-malicious-security-issues\"\n             loading=\"lazy\"             decoding=\"async\"\n             class=\"wp-image-8933\" >\n    <\/picture>\n    <\/figure>\n\n\n\n<p>This recent security breach in the WordPress ecosystem is a massive wake-up call for website owners. A portfolio of over 30 plugins was sold to a new owner who immediately weaponized them with backdoors.<\/p>\n\n\n\n<p>If you use <strong><a href=\"https:\/\/www.ultimatewb.com\">UltimateWB<\/a><\/strong>, you are in a much safer position than the average WordPress user &#8211; and here is why.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Attack: What Happened?<\/strong><\/h2>\n\n\n\n<p>A portfolio of 30+ plugins (formerly under &#8220;WP Online Support,&#8221; now &#8220;Essential Plugin&#8221;) was sold on Flippa for a six-figure sum. For eight months, the new owner kept a backdoor dormant in the code. In April 2026, they activated it.<\/p>\n\n\n\n<p>The malware was sophisticated:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stealth SEO Spam:<\/strong> It injected code into <code>wp-config.php<\/code> that served spam links and fake pages only to Googlebot. 
Site owners couldn&#8217;t see it, but their search rankings were being destroyed.<\/li>\n\n\n\n<li><strong>Blockchain C2:<\/strong> The attackers used Ethereum smart contracts to update their command-and-control servers, making it nearly impossible for traditional security teams to take them down.<\/li>\n\n\n\n<li><strong>Unauthenticated Access:<\/strong> The &#8220;wpos-analytics&#8221; module added to these plugins allowed for arbitrary function calls, effectively giving the attacker full control over the site.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Compromised Plugins List<\/strong><\/h2>\n\n\n\n<p>If you or your clients manage WordPress sites, check for these specific plugins immediately. All of these have been closed by the WordPress.org team due to these security concerns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Accordion and Accordion Slider<\/strong> (accordion-and-accordion-slider)<\/li>\n\n\n\n<li><strong>Album and Image Gallery Plus Lightbox<\/strong> (album-and-image-gallery-plus-lightbox)<\/li>\n\n\n\n<li><strong>Audio Player with Playlist Ultimate<\/strong> (audio-player-with-playlist-ultimate)<\/li>\n\n\n\n<li><strong>Blog Designer for Post and Widget<\/strong> (blog-designer-for-post-and-widget)<\/li>\n\n\n\n<li><strong>Countdown Timer Ultimate<\/strong> (countdown-timer-ultimate)<\/li>\n\n\n\n<li><strong>Featured Post Creative<\/strong> (featured-post-creative)<\/li>\n\n\n\n<li><strong>Footer Mega Grid Columns<\/strong> (footer-mega-grid-columns)<\/li>\n\n\n\n<li><strong>Hero Banner Ultimate<\/strong> (hero-banner-ultimate)<\/li>\n\n\n\n<li><strong>HTML5 VideoGallery Plus Player<\/strong> (html5-videogallery-plus-player)<\/li>\n\n\n\n<li><strong>Meta Slider and Carousel with Lightbox<\/strong> (meta-slider-and-carousel-with-lightbox)<\/li>\n\n\n\n<li><strong>Popup Anything on Click<\/strong> (popup-anything-on-click)<\/li>\n\n\n\n<li><strong>Portfolio and Projects<\/strong> 
(portfolio-and-projects)<\/li>\n\n\n\n<li><strong>Post Category Image with Grid and Slider<\/strong> (post-category-image-with-grid-and-slider)<\/li>\n\n\n\n<li><strong>Post Grid and Filter Ultimate<\/strong> (post-grid-and-filter-ultimate)<\/li>\n\n\n\n<li><strong>Preloader for Website<\/strong> (preloader-for-website)<\/li>\n\n\n\n<li><strong>Product Categories Designs for WooCommerce<\/strong> (product-categories-designs-for-woocommerce)<\/li>\n\n\n\n<li><strong>Responsive WP FAQ with Category<\/strong> (sp-faq)<\/li>\n\n\n\n<li><strong>SlidersPack \u2013 All in One Image Sliders<\/strong> (sliderspack-all-in-one-image-sliders)<\/li>\n\n\n\n<li><strong>SP News And Widget<\/strong> (sp-news-and-widget)<\/li>\n\n\n\n<li><strong>Styles for WP PageNavi \u2013 Addon<\/strong> (styles-for-wp-pagenavi-addon)<\/li>\n\n\n\n<li><strong>Ticker Ultimate<\/strong> (ticker-ultimate)<\/li>\n\n\n\n<li><strong>Timeline and History Slider<\/strong> (timeline-and-history-slider)<\/li>\n\n\n\n<li><strong>Woo Product Slider and Carousel with Category<\/strong> (woo-product-slider-and-carousel-with-category)<\/li>\n\n\n\n<li><strong>WP Blog and Widgets<\/strong> (wp-blog-and-widgets)<\/li>\n\n\n\n<li><strong>WP Featured Content and Slider<\/strong> (wp-featured-content-and-slider)<\/li>\n\n\n\n<li><strong>WP Logo Showcase Responsive Slider and Carousel<\/strong> (wp-logo-showcase-responsive-slider-slider)<\/li>\n\n\n\n<li><strong>WP Responsive Recent Post Slider<\/strong> (wp-responsive-recent-post-slider)<\/li>\n\n\n\n<li><strong>WP Slick Slider and Image Carousel<\/strong> (wp-slick-slider-and-image-carousel)<\/li>\n\n\n\n<li><strong>WP Team Showcase and Slider<\/strong> (wp-team-showcase-and-slider)<\/li>\n\n\n\n<li><strong>WP Testimonial with Widget<\/strong> (wp-testimonial-with-widget)<\/li>\n\n\n\n<li><strong>WP Trending Post Slider and Widget<\/strong> (wp-trending-post-slider-and-widget)<\/li>\n<\/ul>\n\n\n\n<p>Related: <a 
href=\"https:\/\/www.ultimatewb.com\/blog\/6683\/why-avoiding-third-party-plugins-makes-your-website-faster-safer-and-easier-to-manage\/\">Why Avoiding Third-Party Plugins Makes Your Website Faster, Safer, and Easier to Manage<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why WordPress is Vulnerable<\/strong><\/h2>\n\n\n\n<p>WordPress relies on a &#8220;Lego-brick&#8221; philosophy. If you want a slider, you install a plugin. If you want a testimonial wall, you install another. Every time you add a plugin, you are essentially inviting a stranger to run code on your server.<\/p>\n\n\n\n<p>As seen in this case, even if a plugin is safe <em>today<\/em>, it can be sold to a malicious actor <em>tomorrow<\/em>. WordPress.org currently has no mechanism to alert users when a plugin changes ownership or to trigger a fresh security audit upon sale.<\/p>\n\n\n\n<p>Related: <a href=\"https:\/\/www.ultimatewb.com\/blog\/7414\/why-relying-on-wordpress-plugins-can-backfire-and-how-to-avoid-it\/\">Why Relying on WordPress Plugins Can Backfire (And How to Avoid It)<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.ultimatewb.com\/blog\/463\/why-do-wordpress-websites-and-blogs-get-hacked-so-much\/\">Why do WordPress websites and blogs get hacked so much?<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The UltimateWB Advantage: Control Over &#8220;Bloat&#8221;<\/strong><\/h2>\n\n\n\n<p>This is exactly why we built UltimateWB the way we did. WordPress relies on a &#8220;Lego-brick&#8221; philosophy where every basic feature requires a third-party plugin. 
Every time you add one, you are inviting a stranger to run code on your server.<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Massive Native Power:<\/strong> While UltimateWB already includes <strong><a href=\"https:\/\/www.ultimatewb.com\/features\">powerful built-in features<\/a><\/strong> for social networking, memberships, and e-commerce, it doesn&#8217;t force you into a &#8220;walled garden&#8221; of risky third-party plugins for the small stuff.<\/li>\n\n\n\n<li><strong>Easy Customization Without the Risk:<\/strong> Want a specific slider, countdown timer, or popup? You don\u2019t need to download a plugin from a developer who might sell their business to a hacker. These elements are very easy to add via custom coding within UltimateWB.<\/li>\n\n\n\n<li><strong>The AI Edge:<\/strong> Don&#8217;t know how to code? You don&#8217;t have to. You can simply ask an AI to generate the specific CSS or JavaScript for a tool like a &#8220;Countdown Timer,&#8221; then copy and paste it directly into your site.<\/li>\n<\/ol>\n\n\n\n<p>By using custom code or native features, you maintain <strong>100% ownership<\/strong> of your site&#8217;s functionality. You aren&#8217;t waiting for a third-party developer to push an update &#8211; or worse, a backdoor.<\/p>\n\n\n\n<p>Related: <a href=\"https:\/\/www.ultimatewb.com\/blog\/7602\/why-wordpress-users-are-finally-switching-to-ultimatewb-10-data-driven-reasons\/\">Why WordPress Users Are Switching to UltimateWB: 10 Data-Driven Reasons<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What to do if you are affected<\/strong><\/h2>\n\n\n\n<p>If you have these plugins installed, deleting them may not be enough. The malware frequently appends itself to the <code>wp-config.php<\/code> file on the same line as <code>require_once ABSPATH . 'wp-settings.php';<\/code>. This makes it very easy to miss. 
If your config file is significantly larger than usual (around 6KB of extra code), your site requires a full forensic cleanup.<\/p>\n\n\n\n<p>Related: <a href=\"https:\/\/www.ultimatewb.com\/blog\/4950\/do-wordpress-plugins-sometimes-leave-stuff-on-your-website-after-uninstalling-the-plugin\/\">Do WordPress plugins sometimes leave stuff on your website after uninstalling the plugin?<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.ultimatewb.com\/blog\/429\/wordpress-website-hacked-how-to-fix-it\/\">WordPress website hacked? How to fix it\u2026!<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>In Summary<\/strong><\/h2>\n\n\n\n<p>Security isn&#8217;t just about having a good password; it&#8217;s about reducing your &#8220;attack surface.&#8221; By choosing an all-in-one builder like UltimateWB, you eliminate the need for the &#8220;plugin bloat&#8221; that leads to these types of supply chain attacks.<\/p>\n\n\n\n<p>Keep your sites lean, keep your features native, and stay safe.<\/p>\n\n\n\n<p>Related: <a href=\"https:\/\/www.ultimatewb.com\/blog\/7578\/why-wordpress-sites-score-low-on-pagespeed-and-how-ultimatewb-fixes-that\/\">Why WordPress Sites Score Low on PageSpeed \u2013 and How UltimateWB Fixes That<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.ultimatewb.com\/blog\/7540\/what-makes-ultimatewb-easier-to-use-than-wordpress\/\">What Makes UltimateWB Easier to Use Than WordPress<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.ultimatewb.com\/blog\/8137\/do-you-really-own-your-wordpress-website\/\">Do you really own your WordPress website?<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.ultimatewb.com\/blog\/3650\/what-are-the-most-bloated-and-sluggish-website-builders-of-today\/\">What are the Most Bloated and Sluggish Website Builders of Today?<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.ultimatewb.com\/blog\/3568\/transitioning-from-a-hacked-wordpress-site-to-ultimatewb-a-seamless-rebuild\/\">Transitioning from a Hacked WordPress Site to UltimateWB: A Seamless 
Rebuild<\/a><\/p>\n\n\n\n<p>Ready to design &amp; build your own website? Learn more about&nbsp;<a href=\"https:\/\/www.ultimatewb.com\/\">UltimateWB<\/a>! We also offer&nbsp;<a href=\"https:\/\/www.ultimatewb.com\/web-design-packages\">web design packages<\/a>&nbsp;if you would like your website designed and built for you.<\/p>\n\n\n\n<p><em>Got a techy\/website question? Whether it\u2019s about UltimateWB or another website builder, web hosting, or other aspects of websites, just send in your question in the&nbsp;<a href=\"https:\/\/www.ultimatewb.com\/ask-david\">\u201cAsk David!\u201d form<\/a>. We will email you when the answer is posted on the UltimateWB \u201cAsk David!\u201d section.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This recent security breach in the WordPress ecosystem is a massive wake-up call for website owners. A portfolio of over 30 plugins was sold to a new owner who immediately weaponized them with backdoors. If you use UltimateWB, you are &hellip; <a href=\"https:\/\/www.ultimatewb.com\/blog\/8929\/the-wordpress-backdoor-scandal-why-30-trusted-plugins-just-turned-malicious\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[94],"tags":[5168,2863,6656,4388,2804,1914,12,2262,2808,425,4326,206,109],"class_list":["post-8929","post","type-post","status-publish","format-standard","hentry","category-website-builder-software-comparison","tag-backdoor","tag-bloat","tag-ethereum","tag-googlebot","tag-malware","tag-plugins","tag-search-engine-ranking","tag-security-risks","tag-seo-spam","tag-spam","tag-third-party-plugins-3","tag-website-security","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/posts\/8929"}],"collection":[{"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/comments?post=8929"}],"version-history":[{"count":4,"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/posts\/8929\/revisions"}],"predecessor-version":[{"id":8934,"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/posts\/8929\/revisions\/8934"}],"wp:attachment":[{"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/media?parent=8929"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/categories?post=8929"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ultimatewb.com\/blog\/wp-json\/wp\/v2\/tags?post=8929"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}