More than 30 WordPress plugins belonging to the EssentialPlugin suite have been found to contain malicious backdoor code, affecting products with hundreds of thousands of active installations across the web. The backdoor was quietly planted following EssentialPlugin’s acquisition by a new owner in a six-figure deal in August 2025, but sat dormant for months before being activated, at which point it began silently contacting external infrastructure to fetch a malware payload that injects itself into the core WordPress configuration file wp-config.php. The compromise was first identified by managed WordPress hosting provider Anchor Hosting, after receiving a tip about suspicious code in one of the suite’s add-ons. EssentialPlugin, originally founded in 2015 as WP Online Support and rebranded in 2021, offers a broad range of tools including sliders, galleries, WooCommerce extensions, and SEO utilities.
Once activated, the malware proved notably sophisticated in both its evasion and persistence techniques. It leveraged Ethereum-based command-and-control address resolution to avoid detection, and was specifically engineered to serve spam links, malicious redirects, and fake pages exclusively to Googlebot, rendering it entirely invisible to site owners during routine checks. Analysis by WordPress security platform Patchstack confirmed the backdoor only executed when the analytics.essentialplugin.com endpoint returned malicious serialized content, while the downloaded payload was written to disk under the filename wp-comments-posts.php, chosen to closely mimic the legitimate WordPress core file wp-comments-post.php.
WordPress.org responded swiftly by closing the affected plugins and pushing a forced update to neutralise the backdoor’s communication channels and disable its execution path. However, administrators have been warned that this action did not clean the wp-config.php file, which stores critical database credentials and site settings, meaning manual remediation is still required. The WordPress.org Plugins Team has further cautioned that the malware may not be limited to the known payload file, and that other files across affected installations may also harbour malicious code, making thorough forensic review essential for any site that ran an EssentialPlugin product.
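The two file-level indicators the article names, the look-alike wp-comments-posts.php and a modified wp-config.php, are the ones a site owner can check directly during the manual review described above. The following triage script is an added example, not code from Anchor Hosting, Patchstack or WordPress.org; the sample install it scans is constructed, and the injected include line and the "anything other than wp-settings.php" heuristic are assumptions rather than details from the article.

```python
"""Added triage helper for the incident above: flags the look-alike wp-comments-posts.php
and wp-config.php lines that reference it, the analytics.essentialplugin.com endpoint,
or load any file other than the stock wp-settings.php. Heuristic; review every hit."""
import os
import re
import tempfile

PAYLOAD_NAME = "wp-comments-posts.php"     # look-alike payload name from the article
C2_HOST = "analytics.essentialplugin.com"   # endpoint named in the article
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b", re.IGNORECASE)

def scan_wp_config(path):
    """Yield (indicator, 'wp-config.php:<line>') for suspicious non-comment lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            code = line.strip()
            if code.startswith(("//", "#", "*", "/*")):
                continue
            if PAYLOAD_NAME in code or C2_HOST in code:
                yield ("config-reference", f"wp-config.php:{lineno}")
            elif INCLUDE_RE.search(code) and "wp-settings.php" not in code:
                yield ("unexpected-include", f"wp-config.php:{lineno}")

def scan_wordpress_root(root):
    """Return sorted (indicator, location) findings for a WordPress install."""
    findings = [("lookalike-file", os.path.relpath(os.path.join(d, f), root))
                for d, _, files in os.walk(root) for f in files if f == PAYLOAD_NAME]
    config = os.path.join(root, "wp-config.php")
    if os.path.isfile(config):
        findings.extend(scan_wp_config(config))
    return sorted(findings)

def build_sample_install(root):
    """Write a constructed, minimal tree that mimics a compromised install."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-comments-post.php"), "w") as fh:
        fh.write("<?php // legitimate core file, must not be flagged\n")
    with open(os.path.join(root, "wp-content", "uploads", PAYLOAD_NAME), "w") as fh:
        fh.write("<?php // constructed stand-in for the dropped payload\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:  # injected line 4 is constructed
        fh.write("<?php\ndefine('DB_NAME', 'wp');\n"
                 "/** Absolute path to the WordPress directory. */\n"
                 "@include_once ABSPATH . 'wp-content/uploads/wp-comments-posts.php';\n"
                 "require_once ABSPATH . 'wp-settings.php';\n")

def run_demo():
    """Build the constructed sample in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return scan_wordpress_root(tmp)
```

Calling `run_demo()` on the constructed tree reports the dropped look-alike file and the injected line in wp-config.php while leaving the genuine wp-comments-post.php and the stock wp-settings.php require untouched; point `scan_wordpress_root()` at a real document root to run the same checks there.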