April 2026 WordPress Supply Chain Attack: 30 Plugins Backdoored

ScanMyWordPress Team | 2 min read

On April 5 and 6, 2026, a dormant backdoor in over 30 WordPress plugins was activated, injecting SEO spam visible only to Google. WordPress.org permanently closed 31 affected plugins on April 7. Over 20,000 sites were affected.

How the Attack Was Set Up

In early 2025, a buyer operating under the name "Kris," with a background in SEO and online marketing, purchased a portfolio of over 30 WordPress plugins from the digital marketplace Flippa. The seller was a developer operating under the brand "Essential Plugin." The sale price was reportedly a six-figure sum.

Shortly after the acquisition, in August 2025, the new owner pushed a seemingly routine update to all 30 plugins. The update notes described it as a WordPress compatibility improvement. Hidden inside was a PHP deserialization backdoor capable of remote code execution, placed inside the plugins' analytics module. The backdoor then lay dormant for approximately eight months.

The Activation Window

On April 5 and 6, 2026, a command-and-control server began sending payloads to every WordPress site running a compromised plugin. The active window lasted approximately six hours and 44 minutes. During this time, the payload fetched spam links and injected fake pages, but served this content exclusively to the Googlebot web crawler. Human visitors and site administrators saw a completely normal website, which is why the attack went undetected by so many site owners.

The malicious code injected itself directly into wp-config.php, making it persistent and difficult to remove without knowing exactly what to look for.

Discovery and Response

The attack was discovered by security researchers monitoring unusual patterns in Google Search Console data across client sites. WordPress.org was notified and permanently closed all 31 affected plugins on April 7, 2026. Over 20,000 active WordPress installations were affected at the time of discovery.

Which Plugins Were Affected

WordPress.org has published the full list of affected plugins in their security disclosure. The Smart Slider 3 Pro plugin was specifically named as one of the affected titles. All 31 plugins have been permanently removed from the WordPress.org repository. If you have any of these plugins installed, you should remove them immediately, clean your wp-config.php, and restore from a backup taken before August 2025 if possible.

What This Attack Teaches Us

Supply chain attacks on WordPress plugins are particularly dangerous because they exploit the trust users have in established plugins. A plugin with a long history and good reviews can become malicious the moment its ownership changes. Regular vulnerability scanning helps identify when a plugin has been flagged, but it cannot predict future ownership changes. The best additional protection is to limit the number of plugins you install, prefer plugins with active developer communities, and monitor your site files for unexpected changes.

Filed under: Security