Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them

Article URL: https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/ Comments URL: https://news.ycombinator.com/item?id=47755629 Points: 221 # Comments: 51


Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic.

A trusted name, acquired by a new owner, turned into something malicious.

It happened again.

This time at a much larger scale.

A client reported a security notice they found in wp-admin.

Ricky from Improve & Grow emailed us about an alert he saw in the WordPress dashboard for a client site.

The notice was from the WordPress.org Plugins Team, warning that a plugin called Countdown Timer Ultimate contained code that could allow unauthorized third-party access.

I ran a full security audit on the site.

The plugin itself had already been force-updated by WordPress.org to version 2.6.9.1, which was supposed to clean things up.

But the damage was already done.

The malware was hiding in wp-config.php, a file a plugin update never touches: replacing the plugin files removes the backdoor that planted the payload, not the payload itself.

The injected code was sophisticated.

It fetched spam links, redirects, and fake pages from a command-and-control server.

It only showed the spam to requests whose User-Agent identified as Googlebot, so site owners and ordinary visitors saw a clean site while Google indexed the spam.

And here is the wildest part.

It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints.

Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time. The contract address is the part that has to stay stable, and a web server has no business speaking Ethereum JSON-RPC at all, so the practical control is to block or alert on that outbound traffic rather than chase domains.

I used backup forensics to pinpoint the exact injection window.

CaptainCore keeps daily restic backups.

I extracted wp-config.php from 8 different backup dates and compared file sizes, binary search style: each comparison halved the range of backups that could contain the first modified copy.

The injection happened on April 6, 2026, between 04:22 and 11:06 UTC.

A 6-hour 44-minute window.
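The bisection described above works for any time-ordered backup series. The following Python is an added example, not the article's CaptainCore or restic tooling: the `fetch` callable stands in for `restic dump <snapshot> /path/to/wp-config.php`, and `sample_fetch` plus the snapshot timestamps are constructed stand-ins so the block runs offline. It compares SHA-256 hashes rather than file sizes, because a payload padded to the original length would pass a size check, and it refuses to guess when the oldest retained backup is already modified.

```python
"""Pinpoint when a file changed by bisecting a time-ordered series of backups.

Added example, not the article's tooling. `fetch(snapshot_id)` stands in for
`restic dump <snapshot> /path/to/wp-config.php`; here it is backed by
constructed sample snapshots so the block runs offline.
"""
import hashlib
from datetime import datetime, timezone

CLEAN = (b"<?php\n/* constructed, stands in for a clean wp-config.php */\n"
         b"require_once ABSPATH . 'wp-settings.php';\n")
# Constructed payload. Hash comparison matters: an injected payload padded
# to the original length would defeat a size-only check.
INJECTED = CLEAN + b"/* constructed injected payload */\n"

# Constructed snapshot series (oldest first). Timestamps are illustrative;
# the real CaptainCore backup times are not on the page.
SAMPLE_SNAPSHOTS = [
    ("2026-03-30 04:10", CLEAN),
    ("2026-03-31 04:12", CLEAN),
    ("2026-04-01 04:09", CLEAN),
    ("2026-04-02 04:11", CLEAN),
    ("2026-04-03 04:14", CLEAN),
    ("2026-04-05 04:20", CLEAN),
    ("2026-04-06 04:22", CLEAN),
    ("2026-04-06 11:06", INJECTED),
]
SNAPSHOT_IDS = [ts for ts, _ in SAMPLE_SNAPSHOTS]
_SAMPLE_STORE = dict(SAMPLE_SNAPSHOTS)


def sample_fetch(snapshot_id: str) -> bytes:
    """Stand-in for `restic dump`: return the file as stored in that snapshot."""
    return _SAMPLE_STORE[snapshot_id]


def find_injection_window(snapshot_ids, fetch, known_good=None):
    """Bisect `snapshot_ids` (oldest first) for the first snapshot whose file
    hash differs from the baseline.

    Returns (last_clean_id, first_dirty_id, fetches_used), or None if the file
    never changed in the retained range, or (None, oldest_id, fetches) when the
    oldest backup is already modified and the window lies before retention.

    Assumes a monotonic change: once modified, the file stays modified in every
    later snapshot. Review both endpoints by eye; an attacker who reverted the
    file in between would make the answer wrong. The baseline is `known_good`
    if supplied, otherwise the oldest snapshot, which you must have reviewed.
    """
    fetches = 0

    def digest(snapshot_id):
        nonlocal fetches
        fetches += 1
        return hashlib.sha256(fetch(snapshot_id)).hexdigest()

    if known_good is not None:
        baseline = hashlib.sha256(known_good).hexdigest()
        if digest(snapshot_ids[0]) != baseline:
            return None, snapshot_ids[0], fetches   # dirty before retention starts
    else:
        baseline = digest(snapshot_ids[0])
    if digest(snapshot_ids[-1]) == baseline:
        return None                                  # never changed
    lo, hi = 0, len(snapshot_ids) - 1                # invariant: lo clean, hi dirty
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if digest(snapshot_ids[mid]) == baseline:
            lo = mid
        else:
            hi = mid
    return snapshot_ids[lo], snapshot_ids[hi], fetches


def window_minutes(last_clean: str, first_dirty: str) -> int:
    """Length of the injection window in minutes (timestamps are UTC)."""
    fmt = "%Y-%m-%d %H:%M"
    a = datetime.strptime(last_clean, fmt).replace(tzinfo=timezone.utc)
    b = datetime.strptime(first_dirty, fmt).replace(tzinfo=timezone.utc)
    return int((b - a).total_seconds() // 60)


if __name__ == "__main__":
    last_clean, first_dirty, n = find_injection_window(SNAPSHOT_IDS, sample_fetch)
    print(f"last clean {last_clean} UTC, first dirty {first_dirty} UTC "
          f"({window_minutes(last_clean, first_dirty)} min window, {n} extractions)")
```

With eight snapshots the search needs five extractions instead of eight; with a year of daily backups it needs about eleven. Whatever the window says, the two boundary copies still need a manual diff, since the bisection only tells you that they differ, not what changed.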

The backdoor was planted 8 months before it was activated.

Then came version 2.6.7, released August 8, 2025.

The changelog said, “Check compatibility with WordPress version 6.8.2.” What it actually did was add 191 lines of code, including a PHP deserialization backdoor.

The class-anylc-admin.php file grew from 473 to 664 lines.

The new code introduced three things:
That is a textbook arbitrary function call: the remote server supplies the function name and the arguments, so whoever controls that server can run any PHP function on the site with the web server's privileges, and a deserialized blob is an ideal carrier because it can hold both in one structure.

It sat dormant for 8 months before being activated on April 5-6, 2026.

This is where it gets interesting.

The original plugin was built by Minesh Shah, Anoop Ranawat, and Pratik Jain.

An India-based team that operated under “WP Online Support” starting around 2015.

They later rebranded to “Essential Plugin” and grew the portfolio to 30+ free plugins with premium versions.

By late 2024, revenue had declined 35-45%.

Minesh listed the entire business on Flippa.

A buyer identified only as “Kris,” with a background in SEO, crypto, and online gambling marketing, purchased everything for six figures.

Flippa even published a case study about the sale in July 2025.

The buyer’s very first SVN commit was the backdoor.

WordPress.org closed 30+ plugins in a single day.

On April 7, 2026, the WordPress.org Plugins Team permanently closed every plugin from the Essential Plugin author.

At least 30 plugins, all on the same day.

Here are the ones I confirmed:
All permanently closed.

The author search on WordPress.org returns zero results.

The analytics.essentialplugin.com endpoint now returns {"message":"closed"}.

In 2017, a buyer using the alias “Daley Tias” purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam.

That buyer went on to compromise at least 9 plugins the same way.

The Essential Plugin case is the same playbook at a larger scale.

30+ plugins.

Hundreds of thousands of active installations.

A legitimate 8-year-old business acquired through a public marketplace and weaponized within months.

I patched every affected plugin in my fleet.

I scanned my entire fleet and found 12 of the 26 Essential Plugin plugins installed across 22 customer sites.

I patched 10 of them (one had no backdoor module, one was a different “pro” fork by the original authors).

Here are the patched versions, hosted permanently on B2:
Each patched version removes the entire wpos-analytics directory, deletes the loader function from the main plugin file (otherwise PHP would fatal on the missing include), and appends -patched to the version string.

The plugin itself continues to work normally.

If you have an Essential Plugin plugin I did not patch, you can do it yourself.

The process is straightforward with Claude Code.

Point it at this article for context, tell it which plugin you need patched, and it can strip the wpos-analytics module the same way I did.

The pattern is identical across all of the Essential Plugin plugins:
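A fleet scan that looks for the three things this article describes: the wpos-analytics module that the patched builds strip, the remote-bytes-to-unserialize-to-call_user_func shape of the 2.6.7 backdoor, and the Googlebot cloaking and Ethereum RPC lookup found in wp-config.php. This is an added example in Python, not the article's, CaptainCore's, or the plugin's code. The regular expressions are generic assumptions about how those behaviours look in PHP; the actual malicious code is not reproduced on this page, and the loader function's name is not given, so `strip_module` neutralises any top-level include of the directory rather than a named function. The sample site is constructed in a temporary directory so the block runs offline.

```python
"""Scan a WordPress install for the indicators discussed above and strip the
wpos-analytics module. Added example; regexes are heuristic assumptions, and a
hit means "review this file", not "this file is malicious"."""
import re
import shutil
import tempfile
from pathlib import Path

MODULE_DIR = "wpos-analytics"
INDICATORS = {
    # Serve different content when the requester claims to be Googlebot.
    "googlebot_cloaking": re.compile(r"HTTP_USER_AGENT.{0,200}?Googlebot", re.I | re.S),
    # Read contract state over Ethereum JSON-RPC (a C2 domain parked in a
    # smart contract is fetched this way from a public endpoint).
    "eth_rpc_lookup": re.compile(r"\beth_(call|getStorageAt)\b"),
    # Remote bytes -> unserialize() -> call_user_func(_array)(): the server
    # chooses the function name and its arguments.
    "unserialize_to_call": re.compile(
        r"unserialize\s*\(.{0,800}?call_user_func(?:_array)?\s*\(", re.S),
    # Outbound fetch primitives; suspicious in wp-config.php in particular.
    "remote_fetch": re.compile(r"\b(curl_exec|wp_remote_(get|post))\s*\("),
}


def scan_php(path):
    """Names of every indicator matching the file's source."""
    src = Path(path).read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_site(root):
    """Scan one install; returns sorted (path relative to root, indicator)."""
    root = Path(root)
    hits = set()
    plugins = root / "wp-content" / "plugins"
    plugin_dirs = [p for p in plugins.iterdir() if p.is_dir()] if plugins.is_dir() else []
    for plugin in plugin_dirs:
        if (plugin / MODULE_DIR).is_dir():
            hits.add((plugin.relative_to(root).as_posix(), "wpos_analytics_module"))
        for php in plugin.rglob("*.php"):
            for name in scan_php(php):
                hits.add((php.relative_to(root).as_posix(), name))
    wpc = root / "wp-config.php"
    if wpc.is_file():
        for name in scan_php(wpc):
            hits.add(("wp-config.php", name))
    return sorted(hits)


def strip_module(plugin_dir):
    """Delete the wpos-analytics directory and comment out every line in the
    plugin's top-level PHP files that references it, so the missing include
    cannot fatal. Returns the number of lines commented out. Back up first,
    retest the plugin, and bump the version string as the patched builds do."""
    plugin_dir = Path(plugin_dir)
    module = plugin_dir / MODULE_DIR
    if module.is_dir():
        shutil.rmtree(module)
    changed = 0
    for php in plugin_dir.glob("*.php"):
        out = []
        for line in php.read_text(encoding="utf-8", errors="replace").splitlines(keepends=True):
            if MODULE_DIR in line and not line.lstrip().startswith("//"):
                out.append("// removed by strip_module: " + line)
                changed += 1
            else:
                out.append(line)
        php.write_text("".join(out), encoding="utf-8")
    return changed


def build_sample_site():
    """Constructed site layout; every file here is illustrative, not real code."""
    root = Path(tempfile.mkdtemp(prefix="wpscan-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "hello-dolly").mkdir(parents=True)
    (plugins / "hello-dolly" / "hello.php").write_text("<?php\n// harmless\n")
    ctu = plugins / "countdown-timer-ultimate"
    (ctu / MODULE_DIR).mkdir(parents=True)
    (ctu / "countdown-timer-ultimate.php").write_text(
        "<?php\nrequire_once plugin_dir_path(__FILE__) . 'wpos-analytics/wpos-analytics.php';\n")
    (ctu / MODULE_DIR / "class-anylc-admin.php").write_text(
        "<?php\n$r = wp_remote_get($url);\n$d = unserialize(wp_remote_retrieve_body($r));\n"
        "call_user_func_array($d['fn'], $d['args']);\n")
    (root / "wp-config.php").write_text(
        "<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {\n"
        "  $q = json_encode(['method' => 'eth_call']);\n  curl_exec($ch);\n}\n")
    return str(root)


if __name__ == "__main__":
    site = build_sample_site()
    for path, indicator in scan_site(site):
        print(f"{indicator:22} {path}")
    print("lines neutralised:", strip_module(site + "/wp-content/plugins/countdown-timer-ultimate"))
```

Run `scan_site` against each install's document root across the fleet and triage hits by indicator; `strip_module` is a last resort for a plugin you cannot replace with a patched build, and a plugin that still hits `unserialize_to_call` after stripping should simply be removed.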
The WordPress plugin marketplace has a trust problem.

Two supply chain attacks in two weeks.

Both followed the same pattern.

Buy a trusted plugin with an established install base, inherit the WordPress.org commit access, and inject malicious code.

The Flippa listing for Essential Plugin was public.

The buyer’s background in SEO and gambling marketing was public.

And yet the acquisition sailed through without any review from WordPress.org.

WordPress.org has no mechanism to flag or review plugin ownership transfers.

There is no “change of control” notification to users.

No additional code review triggered by a new committer.

The Plugins Team responded quickly once the attack was discovered.

But 8 months passed between the backdoor being planted and being caught.

If you manage WordPress sites, search your fleet for any of the 26 plugin slugs listed above.

If you find one, patch it or remove it.

And check wp-config.php against a known-good copy from backups; a plugin update does not clean it, so a site can be "patched" and still serving the payload.

Source: originally published at anchor.host; surfaced via Hacker News.
