WordPress plugin suite hacked to push malware to thousands of sites
More than 30 WordPress plugins were compromised with malicious code that allows unauthorized access to websites. The attackers planted the backdoor code last year and used updates to spread spam pages and redirects. The compromise affects widely installed plugins and was discovered only recently.

2026-4-15 20:46:30 Author: www.bleepingcomputer.com (view original)


More than 30 WordPress plugins in the EssentialPlugin package have been compromised with malicious code that allows unauthorized access to websites running them.

A malicious actor planted the backdoor code last year but only recently started pushing it to users via updates, generating spam pages and causing redirects, as per the instructions received from the command-and-control (C2) server.

The compromise affects plugins with hundreds of thousands of active installations and was spotted by Austin Ginder, the founder of managed WordPress hosting provider Anchor Hosting, after receiving a tip about one add-on containing code that allowed third-party access.


Further investigation by Ginder revealed that a backdoor had been present in all plugins within the EssentialPlugin package since August 2025, after the project was acquired in a six-figure deal by a new owner.

EssentialPlugin, established in 2015 as WP Online Support and rebranded in 2021, is a WordPress development firm offering sliders, galleries, marketing tools, WooCommerce extensions, SEO/analytics utilities, and themes.

According to Ginder, the backdoor sat inactive until it was recently activated and silently contacted external infrastructure to fetch a file (‘wp-comments-posts.php’) that injects malware into ‘wp-config.php.’

The downloaded malware is invisible to site owners and uses Ethereum-based C2 address resolution for evasion. Depending on the received instructions, the malware can retrieve "spam links, redirects, and fake pages".

“The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners,” explained Ginder.

Analysis from WordPress security platform PatchStack shows that the backdoor only fired if the 'analytics.essentialplugin.com' endpoint returned malicious serialized content.

WordPress action and infection status

WordPress.org responded quickly to the reports of the malicious activity by closing the plugins and pushing a forced update to websites to neutralize the backdoor’s communication and disable its execution path.

However, the developers warned that the action did not clean the wp-config core configuration file, which connects websites to their databases and includes important settings.

The WordPress.org Plugins Team also cautioned administrators with websites running an EssentialPlugin product that while one known location for the backdoor is a file named wp-comments-posts.php, which resembles the legitimate wp-comments-post.php, the malware may also hide in other files.
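The three facts above that a site administrator can act on are: the dropped file is named wp-comments-posts.php (a lookalike of the core wp-comments-post.php), the forced update does not clean wp-config.php, and Patchstack observed that the backdoor only fired when the remote endpoint returned serialized content. The following triage script is an added example and is not code from BleepingComputer, Anchor Hosting, Patchstack or WordPress.org. It walks a WordPress install and reports lookalike files, suspicious lines in wp-config.php, and plugin files that feed an HTTP response body to unserialize(). The wp-config heuristics (obfuscation calls, include of any .php other than wp-settings.php) and the unserialize heuristic are assumptions about what injected or trigger code tends to look like, not indicators published on the page; the sample tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

LOOKALIKE = "wp-comments-posts.php"   # known backdoor location named on the page
LEGIT = "wp-comments-post.php"        # the core file it imitates

# Loader/obfuscation calls that a stock wp-config.php never contains.
# Heuristic assumption, not an indicator published in the article.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
# include/require of a quoted *.php path; stock wp-config.php only pulls in wp-settings.php.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?['\"]([^'\"]+\.php)['\"]", re.I)
ALLOWED_INCLUDES = {"wp-settings.php"}
# Plugin code that both fetches over HTTP and calls unserialize(): a coarse heuristic for
# the trigger Patchstack described (assumption about how such a trigger is coded).
REMOTE_FETCH_RE = re.compile(
    r"\b(wp_remote_get|wp_remote_retrieve_body|curl_exec|file_get_contents)\s*\(", re.I)
UNSERIALIZE_RE = re.compile(r"\bunserialize\s*\(", re.I)


def find_lookalike_files(root):
    """Return relative paths of every wp-comments-posts.php anywhere under root."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob(LOOKALIKE) if p.is_file())


def scan_wp_config(text):
    """Return (line_no, reason, line) tuples for suspicious lines in a wp-config.php body."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip blank lines and comments
        if OBFUSCATION_RE.search(line):
            hits.append((no, "obfuscation/loader call", stripped))
            continue
        m = INCLUDE_RE.search(line)
        if m and Path(m.group(1)).name not in ALLOWED_INCLUDES:
            hits.append((no, f"include of unexpected file {m.group(1)}", stripped))
    return hits


def plugin_unserializes_remote_data(text):
    """True if a plugin source both fetches over HTTP and calls unserialize()."""
    return bool(REMOTE_FETCH_RE.search(text) and UNSERIALIZE_RE.search(text))


def triage(root):
    """Run all three checks over a WordPress install and return the findings."""
    root = Path(root)
    config = root / "wp-config.php"
    plugins = root / "wp-content" / "plugins"
    plugin_files = plugins.rglob("*.php") if plugins.is_dir() else []
    return {
        "lookalike_files": find_lookalike_files(root),
        "wp_config_hits": scan_wp_config(config.read_text()) if config.exists() else [],
        "plugins_unserializing_remote_data": sorted(
            str(p.relative_to(root)) for p in plugin_files
            if plugin_unserializes_remote_data(p.read_text())),
    }


def build_demo_tree():
    """Construct a throwaway WordPress-like tree exhibiting the patterns above.
    Every file body here is constructed for the example; the real dropped code is not on the page."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    (root / LEGIT).write_text("<?php // legitimate core comment handler\n")
    (root / "wp-config.php").write_text(
        "<?php\n"
        "define('DB_NAME', 'wordpress');\n"
        "/* That's all, stop editing! */\n"
        "require_once ABSPATH . 'wp-settings.php';\n"
        "@include_once(ABSPATH . 'wp-content/uploads/" + LOOKALIKE + "');\n"
        "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
    plugin = root / "wp-content" / "plugins" / "demo-plugin"
    plugin.mkdir(parents=True)
    (plugin / LOOKALIKE).write_text("<?php // constructed stand-in for the dropped file\n")
    (plugin / "demo-plugin.php").write_text(
        "<?php\n"
        "$body = wp_remote_retrieve_body(wp_remote_get('https://analytics.example.invalid/'));\n"
        "$cfg = unserialize($body);\n")
    clean = root / "wp-content" / "plugins" / "clean-plugin"
    clean.mkdir()
    (clean / "clean.php").write_text("<?php add_action('init', function () { return true; });\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_demo_tree()).items():
        print(key, value)
```

Run it against a real install with `triage("/var/www/html")` and treat every line it reports in wp-config.php as something to compare against a known-good copy, since the forced update left that file untouched; an empty report is not a clean bill of health, because the Plugins Team noted the code may sit in files other than the named lookalike.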

BleepingComputer has contacted EssentialPlugins for a comment on the reported malicious commit that occurred after the acquisition, but we have not received a response by publishing time.



Source: https://www.bleepingcomputer.com/news/security/wordpress-plugin-suite-hacked-to-push-malware-to-thousands-of-sites/