Quick Page/Post Redirect Plugin Pulled After Hidden Backdoor Was Found on WordPress Sites
A popular WordPress redirect plugin called Quick Page/Post Redirect has been temporarily removed from WordPress.org after a researcher linked some installs to a hidden backdoor that remained on sites for years.
The plugin helped site owners create redirects for posts, pages, and custom URLs. Before WordPress.org closed the listing for review, the plugin had more than 70,000 active installations.
The issue does not appear to come from the clean WordPress.org copy of the latest plugin version. Instead, researcher Austin Ginder found that some sites running version 5.2.3 had a tampered build that did not match the official WordPress.org files.
What happened
Ginder, the founder of WordPress hosting provider Anchor Hosting, found the issue after a security alert flagged 12 sites in his fleet. All 12 reported Quick Page/Post Redirect version 5.2.3, but the file hash did not match any version available from WordPress.org.
His investigation traced the problem to an external update mechanism added to plugin versions 5.2.1 and 5.2.2 in 2020 and 2021. That mechanism pointed outside WordPress.org and allowed a separate server to deliver a different build to affected sites.
In March 2021, affected installs appear to have pulled a tampered 5.2.3 build from that external update channel. The tampered build added code that could fetch remote content and inject it into pages shown to logged-out visitors.
At a glance
| Item | Details |
|---|---|
| Plugin | Quick Page/Post Redirect Plugin |
| Main use | Redirecting posts, pages, and custom URLs in WordPress |
| Reported installs before closure | More than 70,000 |
| Discovery | 12 tampered installs found in Anchor Hosting’s fleet |
| Risk | Remote content injection and potential arbitrary code delivery |
| Current WordPress.org status | Temporarily closed pending review |
Why the backdoor stayed hidden
The injected content targeted logged-out visitors, which helped it avoid easy discovery by site administrators. An admin checking the website while logged in could see a normal page while search crawlers or public visitors received different content.
Ginder described the mechanism as cloaked parasite SEO. In plain English, the compromised plugin could use trusted websites to show search engines injected links or content that the site owner did not approve.
The bigger risk came from the update mechanism itself. If an attacker controls the remote update path, they can push code to affected sites without using the normal WordPress.org plugin review and distribution process.
The timeline points back to 2021
The external updater appeared in version 5.2.1 on October 28, 2020. Version 5.2.2 still included it in January 2021, then the updater folder disappeared from the WordPress.org plugin trunk in February 2021.
Ginder found evidence that the tampered 5.2.3 build went live through the external update channel in March 2021. The timestamps on the affected sites in his fleet matched that period.
The issue also drew public warnings before 2026. A WordPress.org support thread in 2022 flagged suspicious code, while Imunify360 published a 2024 analysis showing different hashes between the official WordPress.org package and the externally served package.
WordPress.org has closed the plugin for review
The official WordPress.org plugin page now says Quick Page/Post Redirect has been closed since April 14, 2026. New downloads are blocked while the plugin review continues.
The page still lists version 5.2.4 as the latest version and shows the author as anadnet. WordPress.org also displays old reviews where users complained in 2022 about injected spam, malicious code, and unexpected advertising links.
This creates a difficult cleanup problem. Closing the listing blocks new installs, but it does not automatically remove tampered files from existing WordPress sites.
What site owners should do now
- Check whether Quick Page/Post Redirect exists on any WordPress site you manage.
- Uninstall the plugin if you do not need it.
- If you need redirects, replace it with a maintained redirect plugin from WordPress.org.
- Run a checksum check against the plugin files if you manage sites with WP-CLI.
- Review pages as a logged-out visitor and through a clean browser session.
- Check recent files, unknown admin users, suspicious redirects, and SEO spam pages.
- Clear caches after removing or replacing the plugin.
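The logged-out review step can be made repeatable by comparing the links in two saved copies of the same page. This is an added example, not code from the article or from Ginder's write-up; the function names, `site.example` and `spam.example` are assumptions, and the sample pages are constructed.

```shell
#!/bin/sh
# Added example: list link hosts that appear only in the logged-out copy of a page.
# Save the same URL twice: once from a logged-in admin session, once with no
# cookies (for instance `curl -s URL -o out.html`), then compare the two files.

# link_hosts <html-file>: sorted unique hosts of absolute http(s) hrefs
link_hosts() {
    grep -oiE "href=[\"']https?://[^/\"' >]+" "$1" \
        | sed 's#^.*://##' | tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# hosts_only_logged_out <logged-in.html> <logged-out.html> <own-host>
# Prints hosts linked only in the logged-out copy, excluding the site's own host.
hosts_only_logged_out() {
    hol_dir="$(mktemp -d)"
    link_hosts "$1" > "$hol_dir/in"
    link_hosts "$2" > "$hol_dir/out"
    # comm -13 keeps lines unique to the second (logged-out) list
    LC_ALL=C comm -13 "$hol_dir/in" "$hol_dir/out" | grep -vxF "$3" || true
    rm -rf "$hol_dir"
}

# demo: constructed sample pages; both hosts are placeholders
demo() {
    demo_dir="$(mktemp -d)"
    cat > "$demo_dir/in.html" <<'EOF'
<a href="https://site.example/about">About</a>
<a href="https://wordpress.org/">WordPress</a>
EOF
    cat > "$demo_dir/out.html" <<'EOF'
<a href="https://site.example/about">About</a>
<a href="https://wordpress.org/">WordPress</a>
<a href='http://Spam.example/offer'>x</a>
EOF
    hosts_only_logged_out "$demo_dir/in.html" "$demo_dir/out.html" site.example
    rm -rf "$demo_dir"
}
```

Any host this prints is a link that the logged-in view never showed, which is the pattern the article describes for this backdoor.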
How to check the plugin with WP-CLI
WP-CLI includes a checksum command that compares installed plugin files against official WordPress.org checksums. This type of check matters because the affected sites reported a normal version number even though the files differed from the official package.
wp plugin verify-checksums quick-pagepost-redirect-plugin
If the command reports a checksum mismatch, treat the site as potentially compromised. Remove the plugin, restore clean files, and review the site for injected content or other changes.
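For anyone managing more than one site, the same check can be run across a fleet. The script below is an added example, not part of the article or of WP-CLI; it assumes WP-CLI is installed as `wp`, and the function names and site paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): run the checksum check across several sites.
# Assumes WP-CLI is installed as `wp`; pass your own WordPress root paths.

PLUGIN_SLUG="quick-pagepost-redirect-plugin"   # slug from the article's command

# check_site <wp-root>: prints one status line; returns 1 when verification fails
check_site() {
    cs_root="$1"
    # `wp plugin is-installed` exits 0 only when the plugin is present.
    if ! wp plugin is-installed "$PLUGIN_SLUG" --path="$cs_root" >/dev/null 2>&1; then
        echo "ABSENT $cs_root"
        return 0
    fi
    # Reported version is informational only: tampered installs showed a normal 5.2.3.
    cs_ver="$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$cs_root" 2>/dev/null || true)"
    if wp plugin verify-checksums "$PLUGIN_SLUG" --path="$cs_root" >/dev/null 2>&1; then
        echo "MATCH $cs_root version=${cs_ver:-unknown}"
        return 0
    fi
    # Non-zero exit: files differ from WordPress.org, or checksums could not be
    # retrieved. Either way the install needs manual review.
    echo "REVIEW $cs_root version=${cs_ver:-unknown}"
    return 1
}

# sweep <wp-root>...: checks each root; exit status is the number needing review
sweep() {
    sw_bad=0
    for sw_root in "$@"; do
        check_site "$sw_root" || sw_bad=$((sw_bad + 1))
    done
    if [ "$sw_bad" -gt 255 ]; then sw_bad=255; fi
    return "$sw_bad"
}

# Example: sh sweep.sh /var/www/site-a /var/www/site-b   (hypothetical paths)
if [ "$#" -gt 0 ]; then
    sweep "$@"
fi
```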
Ginder also recommends replacing Quick Page/Post Redirect with alternatives such as Redirection by John Godley or Safe Redirect Manager. Redirection’s WordPress.org page says it can import from Quick Post/Pages redirects, which may help site owners migrate old rules.
Why this matters beyond one plugin
This case shows how WordPress supply chain attacks can stay quiet for years when attackers hide behind version numbers and trusted plugin names.
Site owners often assume a plugin is safe if it comes from WordPress.org and shows a normal version number. This incident shows why checksum verification, file integrity monitoring, and regular plugin audits matter.
The safest approach is to keep the plugin list small, remove abandoned tools, avoid plugins with suspicious update behavior, and verify files when security alerts mention a plugin you use.
FAQ
Quick Page/Post Redirect is a WordPress plugin that lets site owners create redirects for posts, pages, custom post types, and custom URLs.
Ginder’s findings focus on a tampered 5.2.3 build delivered through an external update path. The tampered file did not match the official WordPress.org version.
The backdoor targeted logged-out visitors. That meant an administrator checking the website while logged in could miss the injected content.
No. WordPress.org has temporarily closed the plugin page since April 14, 2026, while a review continues.