
Someone bought 30 WordPress plugins and planted backdoors in all of them


An attacker bought 30+ WordPress plugins (Essential Plugin portfolio) on Flippa for six figures, planted a PHP deserialization backdoor in August 2025, then activated it eight months later to serve cloaked SEO spam exclusively to Googlebot. WordPress.org closed 31 plugins on 7 April 2026. The same week, Smart Slider 3 Pro (800,000+ installations) was separately compromised via its update infrastructure. Both attacks expose a structural gap: WordPress has no mechanism to review plugin ownership transfers or require code signing for updates.

Someone bought more than 30 WordPress plugins on the open market, quietly injected backdoors into all of them, waited eight months, and then activated a payload that served hidden SEO spam to Google while the websites’ owners saw nothing wrong. The attack, which WordPress.org shut down on 7 April by permanently closing every plugin from the Essential Plugin author, is one of the most methodical supply ...


Copyright of this story solely belongs to thenextweb.com.