Trusted WordPress plugins carried a hidden backdoor for months before malware went live

A supply chain attack hit the WordPress plugin ecosystem after a buyer acquired a portfolio of widely used plugins and slipped in malicious code that stayed dormant for about eight months. Security reporting from Anchor says the code first appeared in an August 8, 2025 update and only activated on April 6, 2026, when affected sites started receiving a payload that modified wp-config.php, one of the most sensitive files in any WordPress installation.

The case centers on plugins published under the Essential Plugin name, formerly WP Online Support. Anchor’s analysis says the malicious update landed in version 2.6.7 of Countdown Timer Ultimate under a harmless changelog note about WordPress compatibility, while later reporting says WordPress.org shut down the affected plugins on April 7 and forced version 2.6.9.1 to stop the phone-home behavior.

BEST SPRING 2026 DEALS

Editor's Choice

Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.

Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

The bigger problem is that the forced update did not fully clean infected sites. Multiple reports say the patch disabled the callback mechanism inside the plugin files, but it did not remove the malicious PHP already injected into wp-config.php, which means some sites could remain compromised even after updating.

How the attack worked

Anchor says the first public clue came from a WordPress admin warning tied to Countdown Timer Ultimate. That led to a deeper audit, which found the real damage outside the plugin file itself. According to the report, the plugin’s wpos-analytics module contacted analytics.essentialplugin.com, downloaded a file named wp-comments-posts.php, and used it to write a large block of PHP into wp-config.php.

That injected code reportedly served hidden spam links, fake pages, and redirects only to Googlebot. Human visitors and site owners would see normal pages, while search engines got manipulated content. That gave the attackers a quiet way to abuse site trust and search visibility without making the compromise obvious to the people running the site.

Anchor also says the command path was designed to resist simple takedowns. The malware reportedly resolved its command-and-control destination through an Ethereum smart contract by querying public blockchain RPC endpoints, which would let the attacker redirect traffic without relying on a normal domain setup alone.

Why this sat undetected for so long

The long delay mattered. Anchor says the malicious code sat quietly for about eight months before activation, which gave it time to blend in with normal plugin history and site maintenance. The report says the suspicious logic appeared as 191 added lines inside a file tied to an existing analytics system, not as an obvious standalone backdoor.

Backup analysis also helped narrow the activation window. Anchor says file comparisons across historical backups showed wp-config.php jumping from roughly 3.3 KB to about 9.5 KB between April 6 and April 7, 2026, which placed the injection in a 6 hour 44 minute window on April 6.

Reporting differs on the exact plugin count, which matters for accuracy. Anchor’s headline says more than 30 plugins were affected, TNW says WordPress.org closed every plugin from the Essential Plugin author, and mySites.guru says 26 plugins were impacted and permanently closed. The safe conclusion is that the attack hit a large Essential Plugin portfolio and forced a broad WordPress.org response, even though public reports do not fully agree on the exact number.

Signs your site may have been affected

• One of the affected Essential Plugin extensions was active before April 8, 2026
• wp-config.php grew by about 6 KB unexpectedly
• Unfamiliar PHP appears near the require_once ABSPATH . 'wp-settings.php' line
• Hidden SEO spam, cloaking, or odd search-engine-only redirects appear in site behavior

What WordPress site owners should do now

The first step is to find out whether any affected Essential Plugin extension is still installed or was active during the April 2026 window. WordPress.org shows Countdown Timer Ultimate at version 2.6.9.1, and outside reporting says the forced update neutralized the callback mechanism, but that alone does not remove code that already landed in wp-config.php.

Next, inspect wp-config.php directly. mySites.guru says admins should look for unexpected PHP near the wp-settings.php include and treat an extra 6 KB of content as a strong warning sign. If the file changed during the activation window, a simple plugin update is not enough. The site needs cleanup, credential review, and likely restoration from a known-clean backup if one exists.

This incident also raises a policy issue for the wider WordPress ecosystem. TNW notes that WordPress.org reviews new plugin submissions, but public reporting says it does not trigger the same kind of review or user notice when an existing plugin changes owners. That gap appears to have given the attacker a trusted route into live websites.

Immediate response checklist

• Remove affected Essential Plugin plugins instead of relying only on the forced update
• Inspect wp-config.php for unfamiliar PHP code near the WordPress settings include
• Compare current files with a clean backup from before April 6, 2026, if available
• Rotate WordPress admin, database, FTP, and hosting credentials if compromise is suspected
• Review search indexing and SEO output for hidden pages or cloaked spam behavior

FAQ