A long-running security attack has been uncovered in the WordPress ecosystem after malicious code was found inside popular plugins that were trusted by hundreds of thousands of websites. The issue stayed hidden for about eight months before being used in active attacks.
The case began after a WordPress plugin company changed ownership through a public sale. The business, Essential Plugin, was originally built around 2015 by the India-based developer team WP Online Support. It grew to more than 30 free plugins used for design and marketing features on websites.
By late 2024, the business saw a sharp drop in revenue. Founder Minesh Shah listed the company for sale on the marketplace Flippa, where it was later acquired by a buyer known as “Kris,” who reportedly has a background in SEO and online marketing.
After the takeover, the plugins continued to receive updates, but a hidden change had already been introduced. Security researchers later found that the first malicious modification appeared soon after the acquisition, inside updates for a plugin called Countdown Timer Ultimate.
At first, the change looked harmless. The update note only mentioned compatibility improvements with a newer WordPress version. But behind this simple change, attackers inserted hidden code that created a remote access channel to the affected websites.
The situation escalated when researchers from Anchor received a warning from the WordPress.org Plugins Team. The alert pointed to suspicious activity in one of the plugins and triggered a full investigation.
The deeper audit showed that the problem was not limited to plugin files. Attackers also modified the wp-config.php file on infected websites. This file is a core part of WordPress and controls how the site loads. The hidden code allowed spam pages, fake content, and search-engine-specific redirects to be generated without the site owner noticing.
The malicious system stayed inactive for months. This delay made it harder to detect because no obvious damage was visible during normal site use. Only search engines were targeted, which helped the attackers avoid early discovery.
In April 2026, the full campaign was activated. A command system linked to analytics.essentialplugin.com began sending instructions to infected sites. The malware used a decentralized control method based on an Ethereum smart contract. This allowed the attacker to change control servers without shutting down the system. This made takedowns more difficult.
On April 7, 2026, all 31 plugins from the Essential Plugin portfolio were removed from WordPress.org. The action affected a large number of active installations across different websites. A forced update removed the main malicious plugin code, but it did not clean the infected configuration files on the servers. This left many sites still compromised even after the patch.
Security researchers say the attack closely resembles a past incident in 2017, when a similar plugin takeover led to spam injection across hundreds of thousands of websites. In both cases, the attacker gained control through ownership transfer rather than direct hacking.
The infection is believed to have started with version 2.6.7 of Countdown Timer Ultimate, released in August 2025. That update quietly introduced a backdoor that allowed remote code execution. It remained dormant until early April 2026, when it was activated.
Website owners are now being advised to check if any of the affected plugins are installed and remove them immediately. Experts also suggest manually inspecting wp-config.php for unexpected code and looking for unusual file size changes that could signal hidden modifications.
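The manual wp-config.php inspection advised above can be partly automated. The following is an added example, not code from the researchers or from WordPress: it lists every line that does not match the statement shapes of a stock wp-config.php and reports byte growth against a known-good size. The allowlist, the function name audit_wp_config and the sample file contents are assumptions constructed for illustration.

```python
import re

# Statement shapes of a stock wp-config.php; anything else is listed for manual review.
LITERAL = r"(?:'[^']*'|\"[^\"]*\"|true|false|\d+|__DIR__\s*\.\s*'/')"
EXPECTED = [re.compile(p) for p in (
    r"<\?php",
    r"define\(\s*'[A-Z0-9_]+'\s*,\s*" + LITERAL + r"\s*\);",
    r"\$table_prefix\s*=\s*'[A-Za-z0-9_]+';",
    r"if\s*\(\s*!\s*defined\(\s*'ABSPATH'\s*\)\s*\)\s*\{",
    r"\}",
    r"require_once\s+ABSPATH\s*\.\s*'wp-settings\.php';",
    r"(?://|#).*",
)]

def audit_wp_config(text, baseline_size=None):
    """Return unexpected lines and byte growth against a known-good size."""
    unexpected, in_block = [], False
    for number, line in enumerate(text.splitlines(), 1):
        if in_block:                       # inside a /* ... */ comment
            end = line.find("*/")
            if end < 0:
                continue
            line, in_block = line[end + 2:], False
        line = line.strip()
        if line.startswith("/*"):
            end = line.find("*/", 2)
            if end < 0:
                in_block = True
                continue
            line = line[end + 2:].strip()  # code after a comment is still checked
        if line and not any(p.fullmatch(line) for p in EXPECTED):
            unexpected.append((number, line))
    delta = None if baseline_size is None else len(text.encode()) - baseline_size
    return {"unexpected": unexpected, "size_delta": delta}

# Constructed sample input: a minimal stock-style file and a tampered copy.
CLEAN = """<?php
/**
 * Constructed sample, not a real site's file.
 */
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
INJECTED = "@include_once '/constructed/placeholder.php';"
TAMPERED = CLEAN.replace("require_once", INJECTED + "\nrequire_once", 1)
```

Legitimate customizations (extra constants with computed values, host-specific includes) will also be listed, so treat the output as a review queue and compare it with a backup taken before August 2025 where one exists.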







