Major Security Breach: Backdoors Found in Popular WordPress Plugins
Technology, 14 Apr 2026

Security experts are sounding the alarm after backdoors were found in numerous WordPress plugins, endangering thousands of websites.

Security Breach in WordPress Plugins

A serious security issue has been identified in dozens of WordPress plugins, with a backdoor found that allows attackers to inject malicious code into any website using the compromised plugins. This vulnerability follows the acquisition of the plugin maker, Essential Plugin, and has left numerous sites exposed.

The Discovery of the Backdoor

Austin Ginder, founder of Anchor Hosting, revealed the situation in a recent blog post, detailing how the backdoor was introduced to the plugins' source code after Essential Plugin was purchased. Although dormant for a time, the backdoor activated earlier this month, enabling the distribution of malicious code across affected websites.

Essential Plugin boasts over 400,000 plugin installs and more than 15,000 customers, according to its website. The WordPress plugin directory further states that the plugins in question are active on over 20,000 installations worldwide.

The Implications for Website Owners

WordPress plugins enhance website functionality, but they also require owners to grant them access to their installations. This access can inadvertently expose sites to vulnerabilities, especially during ownership changes. Ginder emphasized that users are often unaware of changes in ownership, which can lead to security compromises.

This incident marks the second instance of WordPress plugin hijacking reported in the last few weeks, raising alarms among cybersecurity experts. They have long cautioned about the dangers posed by malicious actors acquiring software and altering its code to distribute malware globally.

Recommendations for Website Security

The affected plugins have been removed from the WordPress directory and their closure is now permanent. Ginder urges all WordPress administrators to check their sites for the malicious plugins and remove them immediately. His blog features a list of the compromised plugins for site owners to reference.

Representatives from Essential Plugin have not responded to inquiries regarding the matter, leaving questions about the extent of the security breach.
