HeadlinesBriefing.com

30 WordPress Plugins Compromised in Large‑Scale Backdoor Attack

Hacker News

A former WordPress plugin vendor, Essential Plugin, sold through Flippa for a six‑figure sum, slipped a malicious backdoor into 31 of its free plugins. The code hid in wp‑config.php, routed traffic through a smart‑contract‑based C2 server, and served SEO spam only to Googlebot, evading normal takedowns.

The compromise began in April 2026 after a dormant RCE was activated. WordPress.org forced an auto‑update to v2.6.9.1, neutralizing the phone‑home mechanism but leaving the wp‑config injection intact. Forensic analysis traced the injection window to a 6‑hour period on April 6, 2026, eight months after the malicious code was first committed.

WordPress.org shut down all 31 plugins in a single day on April 7, 2026, after the backdoor’s activity was confirmed. Site owners discovered the hidden spam only after the update, illustrating how supply‑chain attacks can remain covert for months. The incident underscores the need for vigilant plugin auditing and tighter update safeguards.
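Because the spam was served only to Googlebot, an owner browsing their own site would see nothing wrong. The following is an added example, not code from the article or from WordPress.org: it compares the response a browser receives with the response a Googlebot User-Agent receives for the same URL and reports outbound link hosts that exist only in the crawler variant. It assumes the cloaking keys on the User-Agent header, which the article does not state; the host names and sample HTML are constructed.

```python
"""Diff the page a normal browser gets against the page Googlebot gets."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/125.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collects the host of every absolute <a href> in a document."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host:
                self.hosts.add(host.lower())


def link_hosts(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hosts


def bot_only_hosts(browser_html, bot_html, own_host):
    """Outbound link hosts that appear only in the Googlebot variant."""
    extra = link_hosts(bot_html) - link_hosts(browser_html)
    return sorted(h for h in extra if h != own_host and not h.endswith("." + own_host))


def fetch(url, user_agent, timeout=10):
    """Fetch one variant of a page you operate (not used by the sample below)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample responses for the same URL on example.test.
SAMPLE_BROWSER = '<p>Welcome</p><a href="https://example.test/about">About</a>'
SAMPLE_BOT = (SAMPLE_BROWSER +
    '<div style="display:none"><a href="https://spam-one.invalid/x">a</a>'
    '<a href="https://cdn.example.test/y">b</a><a href="https://spam-two.invalid/">c</a></div>')

if __name__ == "__main__":
    print(bot_only_hosts(SAMPLE_BROWSER, SAMPLE_BOT, "example.test"))
```

An empty result does not clear a site: cloaking that checks the crawler's source IP rather than its User-Agent will serve the clean page to this check as well.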

This case demonstrates that even widely used, free WordPress plugins can become vectors for sophisticated attacks, highlighting the importance of monitoring plugin repositories and enforcing strict security review processes.